Symantec.com > Security Response > Threats and Risks > W32.Vutsog.A@mm

Bookmark & Share

W32.Vutsog.A@mm

Risk Level 2: Low

Printer Friendly Page

Discovered: February 2, 2007

Updated: March 5, 2007 3:02:36 PM

Also Known As: W32/Piggi-C [Sophos]

Type: Worm

Infection Length: 73,217 bytes

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP

CVE References: CVE-2003-0533

When the worm executes, it disables system file protection for and then copies itself as the following file:
C:\Program Files\Internet Explorer\iexplore.exe

It then copies C:\Program Files\Internet Explorer\iexplore.exe to the following folder:
C:\WINDOWS\system32\dllcache

The worm then creates the following files:

%System%\dllcache\svchost.exe:svchost.exe
%System%\svchost.exe:svchost.exe
%Windir%\lsass.exe
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\Symantec\LiveUpdate\LUALL.EXE
C:\Program Files\McAfee.com\Agent\mcupdate.exe

Next, the worm creates the following registry entries so that it executes whenever Windows starts:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"SvcHost" = "C:\WINDOWS\system32\svchost.exe:svchost.exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"[WORM FILE NAME]" = "[WORM FILE NAME]:*:enabled:@xpsp2res.dll,-22019"

The worm registers itself as a service with the following characteristics:
Service Name: SvcHost
Display Name: SvcHost
Description: Generic Host Process for Win32 Services. If this service is disabled, any services that explicitly depend on it will fail to start.
Image Path: C:\WINDOWS\system32\svchost.exe:svchost.exe

It attempts to run itself as the following services:

Automatic LiveUpdate Scheduler
LiveUpdate

The worm attempts to modify the binary files of the srservice wuauserv service with the following file so that it starts when the srservice wuaserv service is run:
C:\WINDOWS\system32\svchost.exe:svchost.exe

The worm drops the following components:

c:\zyxwvuts.log
%System%\msfsr.sys, which is 4,096 bytes in length
%System%\drivers\[SIX RANDOM LOWER CASE LETTERS].sys, which is 6,144 bytes in length

It attempts to run %System%\msfsr.sys as a service with the following characteristics:
Service Name: msfsr
Display Name: msfsr

The worm then ends processes that contain the following strings by using the "NET STOP" command:

Browser
lanmanserver
McShield
navapsvc
sharedaccess
SymAppCore
wscsvc

The worm attempts to modify the file system.ini so that it runs when Windows starts.

It connects to the following IRC server and waits for commands from a remote attacker:
www.mi5.gov.uk

The worm then exploits the Microsoft Windows LSASS Buffer Overrun Vulnerability (BID 10108) using TCP port 139.

The worm gathers the current user's SMTP information from the registry. It also gathers email addresses from the Windows Address book and email addresses from files whose extension is one of the following in the above mentioned folders on drives C to Y, if the drive is a fixed drive or RAM drive:

.adb
.adr
.asp
.bag
.bcm
.bcn
.bgt
.bib
.blt
.brk
.btr
.btx
.cat
.cdm
.cgi
.clb
.css
.csv
.dht
.dld
.doc
.dvc
.edb
.eml
.gam
.gdb
.gup
.ht
.iaf
.imb
.imc
.jav
.ldb
.log
.map
.mht
.mlm
.mmf
.na2
.nsf
.nws
.oft
.pab
.pdf
.php
.ply
.pmx
.pop
.pst
.rtf
.sht
.smd
.snm
.sql
.tbb
.tex
.txt
.uin
.vbc
.vbs
.vcf
.wab
.wsh
.xml
.xsl

The email has the following characteristics:

From: [SPOOFED].
One of the following:

updates@McAfee.com
updates@Microsoft.com
updates@Symantec.com
[CURRENT USER'S EMAIL ADDRESS]
[RANDOM NAME]@aol.com
[RANDOM NAME]@msn.com
[RANDOM NAME]@yahoo.com
[RANDOM NAME]@hotmail.com
[RANDOM NAME]@proseware.com
[RANDOM NAME]@fabrikam.com
[RANDOM NAME]@contoso.com
[RANDOM NAME]@litwareinc.com

Subject:
One of the following, or constructed from a combination of the following strings:

Mail authentication
Protected mail
Message error
Bad Request
Delivery server
Mail server
Notify
Extended mail
Server report
Returned mail: Data format error
Returned mail: see transcript for details
Delivery reports about your e-mail
Mail system error - returned mail
Message could not be delivered
Delivery failure
Report
Status
Error
You on the net.
Your hidden site.
Your hidden website.
You site.
Your site.
Your website.
Poker.
Poker technique.
Poker strategy.
Online poker.
Gaming.
Online gaming.
Online casino.
Casino.
Myspace
Myspace details
Your myspace details
Look at this!
Screensaver attached.
Movie attached.
Video attached.
Free game downloader attached.
Play this.
Free game attached.
Game attached.
Listen to this!
Listen to the attachment.
Your speech attached.
Your voice attached.
Your mix attached.
Your tune attached.
Your YouTube movie attached.
Your YouTube video attached.
Your movie attached.
Your video attached.
Free - just open the attachment!
Free gift.
Free offer.
Free - See the attachment!
Free!
You attached!
Your photo attached.
Your picture attached.
Look at the attachment.
Open this attachment.
See the attachment.
An important message.
Mail Delivery Subsystem
MAILER-DAEMON
Returned mail
Post Office
Mail Administrator
Postmaster

Message Body: Randomly constructed from the strings carried by the worm. The message is designed to entice the reader into opening the attachment.

Attachment:
One of the following:

Alien vs. Predator 2
Angelina Jolie
Assassin
Auto Assault
BioShock
Britney Spears
CSI: London
Carmen Electra
Command & Conquer 3: Tiberium Wars
Crysis
Dragonball
Dungeons & Dragons Online: Stormreach
Enemy Territory: Quake Wars
Extreme Ghouls n' Ghosts
Final Fantasy XIII
Full Auto
Full Auto 2: Battlelines
Ghost Recon: Advanced Warfighter
Ghost Rider
Grey's Anatomy - next season
Half-Life 2: Aftermath
Halo 3
Hellgate: London
Heroes season 2
Hilary Duff
Huxley
Indiana Jones 4
Jennifer Lopez
Jericho season 2
Jessica Alba
Jessica Simpson
Killzone PS3
Live Free or Die Hard
Lost season 4
Metal Gear: Subsistence
Neverwinter Nights 2
Pamela Anderson
Paris Hilton
Premonition
Prey
Pursuit Force
Rainbow Six: Vegas
Resident Evil 3
Resident Evil 5
Resistance: Fall of Man
Rush Hour 3
Shark season 2
Six Degrees season 2
Smith season 2
Spider-Man 3
Splinter Cell: Double Agent
Spore
Star Trek: Legacy
Star Wars: Empire at War
Starcraft: Ghost
Studio 60 on the Sunset Strip season 2
Tekken
Terminator 4
The Hills Have Eyes II
Unreal Tournament 2007
Virtua Fighter 5
Warhammer Online Age Of Reckoning
attachment
casino
details
document
gaming
hiddensite
instructions
letter
mail
message
msg
myspace
myspacedetails
onlinecasino
onlinegaming
onlinepoker
poker
pokerstrategy
pokertechnique
readme
Assassins Creed
text
transcript
your SSN etc
your bank account details
your financial details
your financial information
your personal details
your personal information
your tax returns
yourhiddensite
yourmyspacedetails
yoursite
yourwebsite
yousite

Followed by one of the following extensions:

.bat
.cmd
.com
.exe
.pif
.scr

The attachment can also be a combination of some of the following strings:

[BLANK]
flickr-you
free mix
tune you
.gif
.html
.jpeg
.mp3
.rtf
.txt
.wma

Note: The attachment may have double extensions.

The worm attempts to copy itself to any folder whose name contains one of the following on drives C to Y, if the drive is a fixed drive or RAM drive:

BearShare
Collections
Downloads
my shared folder
share
shared
upload
uploads

The file name may be any of the following:

Age of Conan-Hyborian Adventures
AssassinÆs Creed
BioShock
Command & Conquer 3-Tiberium Wars
Company of Heroes
Crysis
Desperados 2-Cooper's Revenge
Dragon Age
Dreamfall-The Longest Journey
Dungeons & Dragons Online-Stormreach
Elder Scrolls IV-Oblivion
Enemy Territory-Quake Wars
Final Fantasy XIII
Final Fantasy XIV
Full Auto 2-Battlelines
Gears of War
Ghost Recon-Advanced Warfighter
Gran Turismo HD
Grand Theft Auto IV
Guild Wars-Factions
Half-Life 2-Aftermath
Hellgate-London
Heroes of Might & Magic V
Killzone PS3
Kingdom Hearts 2
Metal Gear-Subsistence
Metroid Prime Hunters
Neverwinter Nights 2
Okami
Prey
Rainbow Six-Vegas
Red Steel
Resident Evil 5
Resistance-Fall of Man
Rise of Nations-Rise of Legends
S.T.A.L.K.E.R.-Shadow of Chernobyl
Splinter Cell Essentials
Splinter Cell-Double Agent
Spore
Star Trek-Legacy
Star Wars-Empire at War
Starcraft-Ghost
Supreme Commander
The Lord of the Rings-The Battle for Middle-earth II
Too Human
Unreal Tournament 2007
Vanguard Saga of Heros
Virtua Fighter 5
Vista
Vista Ultimate
Warhammer Online Age Of Reckoning
World of Warcraft-The Burning Crusade

Followed by one of the following strings,

- Full.exe
- Keygen.exe
.iso.exe
.zip.exe

The file name may also be any of the following:

10,000 B.C.
1408
28 Weeks Later
30 Days of Night
30 Rock season 2
300
Across the Universe
Alien vs. Predator 2
Alpha Dog
American Gangster
Angel-A
Angelina Jolie
Angelina Jolie(unseen)
Are We Done Yet?
Atonement
August Rush
Balls of Fury
Because I Said So
Beowulf
Black Book
Blades of Glory
Breach
Britney Spears
Britney Spears(unseen)
Brother & Sisters season 2
CSI-London"
Captivity
Carmen Electra
Carmen Electra(unseen)
Criminal Minds - next season
Dallas
Dancing with the Stars - next season
Death at a Funeral
Delta Farce
Desperate Housewives - next season
Disturbia
Dragonball
Eastern Promises
El Cantante
Enchanted
Epic Movie
Evening
Fantastic Four 2
Firehouse Dog
Fly Me to the Moon
Foodfight!
Fracture
Fragile
Freedom Writers
Full of It
GhostRider
Gilmore Girls season 8
God Grew Tired of Us
Grey's Anatomy - next season
Grind House
Hairspray
Halloween
Halo
Hannibal Rising
Heroes season 2
Hilary Duff
Hilary Duff(unseen)
His Dark Materials-The Golden Compass
Horton Hears a Who
Hostel 2
Hot Fuzz
Hot Rod
In the Land of Women
Inkheart
Iron Man
Jennifer Lopez
Jennifer Lopez(unseen)
Jericho season 2
Jessica Alba
Jessica Alba(unseen)
Jessica Simpson
Jessica Simpson(unseen)
Journey 3-D
Jumper
Kidnapped season 2
Kung Fu Panda
La Vie en Rose
Live Free or Die Hard
Lost season 4
Lucky You
Lust, Caution
Master of Time and Space
Next
No Reservations
Ocean's Thirteen
Offside
Opus-The Last Christmas
Pamela Anderson
Pamela Anderson(unseen)
Paris Hilton
Paris Hilton(unseen)
Pathfinder
Perfect Stranger
Premonition
Pride
Pride & Glory
Prison Break season 3
Prom Night (2007)
Reservation Road
Resident Evil 3
Rocket Science
Rogue
Romeo & Juliet-Sealed with a Kiss
Rush Hour 3
Scrubs - next season
Seven Day Itch
Severance
Shark season 2
Shoot 'Em Up
Shooter
Silk
Six Degrees season 2
Skinwalkers
Slow Burn
Smith season 2
Smokin' Aces
South Park season 11
Southland Tales
Spider-Man 3
Spring Breakdown
Standoff season 2
Stardust
Stomp the Yard
Strange Wilderness
Strangers
Studio 60 on the Sunset Strip season 2
Sunshine
Super Bad
Surf's Up
Talk to Me
Terminator 4
The Assassination of Jesse James
The Dark Is Rising
The Flock
The Half Life of Timofey Berezin
The Hills Have Eyes II
The Hitcher
The Hoax
The Host
The Ice at the Bottom of the World
The Invasion
The Invisible
The Kingdom
The Last Legion
The Last Sin Eater
The Lives of Others
The Messengers
The Namesake
The Nine season 2
The Number 23
The OC season 5
The Office season 4
The Reaping
The Simpsons
The Spiderwick Chronicles
The TV Set
The Transformers
The Ultimate Gift
The Valet
The Waterhorse
The Astronaut Farmer
This Christmas Til Death season 2
Trade
Trick 'r Treat
Ugly Betty season 2
Underdog
Untraceable
Vacancy
Vantage Point
Veronica Mars - next season
Whisper
Wild Hogs
Without a Trace - next season
Wonder Woman
Zodiac

With one of the following extensions:

.scr
.avi.com
.mp4.com

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have less avenues of attack.
If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
For further information on the terms used in this document, please refer to the Security Response glossary.

Writeup By: Yana Liu

Removal

Summary

Search Threats

Search by name

_{Example: W32.Beagle.AG@mm}