Symantec.com > Security Response > Threats and Risks > W32.Zatyudi.A

Bookmark & Share

W32.Zatyudi.A

Risk Level 2: Low

Printer Friendly Page

Discovered: April 30, 2008

Updated: May 2, 2008 2:00:03 PM

Type: Worm

Infection Length: 57,603 bytes

Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

When the worm is executed, it creates the following files:

C:\WINDOWS\system32\[8-DIGIT HEXADECIMAL NUMBER]\services.exe
C:\WINDOWS\system32\[8-DIGIT HEXADECIMAL NUMBER]\services.dat
C:\WINDOWS\winlogon.exe

It then creates the following registry entry, so that it starts when Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"NTservices" = "C:\WINDOWS\system32\[8-DIGIT HEXADECIMAL NUMBER]\services.exe -update"

The worm also modifies the following registry entries, so that it starts when Windows starts:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "Explorer.exe C:\WINDOWS\winlogon.exe" HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\"AlternateShell" = "winlogon.exe -safemode"
HKEY_USERS\.DEFAULT\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "Explorer.exe C:\WINDOWS\winlogon.exe"

The worm may then harvest email addresses from files with the following extensions:

.exe
.scr
.com
.pif
.cmd
.wab
.asp
.dbx
.eml
.htm
.html
.jsp
.msg
.php
.shtm
.shtml
.txt
.xml
.js
.xml
.aspx

It will ignore email addresses that contain the following strings:

@microsoft
rating@
anti
secur
news
update
kasp
admin
icrosoft
support
ntivi
unix
bsd
nux
listserv
certific
sopho
avas
@foo
@iana
desk
free-av
@messagelab
winzip
google
winrar
samples
abuse
panda
cafee
spam
pgp
@avp.
noreply
local
root@
.org
@sys
premium
titanium
viruz
virus
support
orman
aladin
groups
anyone@
bugs@
contract@
feste
gold-certs@
help@
info@
nobody@
noone@
@sun
master
project
ternal
fbi
gmx
crack
hack
code
ware
trojan
clean
spy
movsd
masm
@pc
source
h4ck
compu
sales
catch
mantec
defen
viri
kill
cisco
labs
trust
sweep
winrar
winzip
submit
l0pht
phreak

The email addresses gathered may be stored in the following file:
C:\Recycled.[8-DIGIT HEXADECIMAL NUMBER]\yudizat.zat

The worm may copy itself to shared folders and removable drives using the following file names:

Bank mini Games.exe
Apache_server_831.exe
Internet Explorer Vista.exe
Nation Instinct.exe
Crack Windows vista final release.exe
Gorilaz complete album lyrics.exe
Winamp Deluxe pro.exe
Bank Mini Games complete 2007.exe
Nero final version 8.exe
PHP nuke hack 3.exe
Guitar XP studio.exe
war games.exe
Splinter Cell.exe
e-Gold auto hack v2.1.exe
New yahoo messenger vista.exe
Update windows media player 10.exe
full complete codec pack.exe
XP Update.exe
Hawai Beach screen saver.exe
Britney Screensaver (live).exe
Defacer tool.exe
Trojan removal
eBay userID.exe
full AVG update 2007 pack.exe
eBay password.exe
Yahoo! password.exe
Soccer Manager 2007.exe
DeepFreeze Pro full.exe
Deep_freeze enterprise.exe
Games Cheats DataBase.exe
Californian Food v3.exe
Complete password cracker tool.exe
GameHouse Collection.exe

Note: These files may also be dropped in random locations.

The worm may also randomly create .zip files in various folders on the compromised computer with the any of the following file names:

Entertainment.zip
don't touch this!.zip
my briefcase.zip
Photo Album Packed.zip
Deep_freeze_pro8.zip
Always in memory.rar
Billing_13_professional.zip
AVP_N_license.zip
XP anti hacker.zip

The .zip files contain a copy of the worm with the file name SETUP.exe. It may then copy these .zip files to shared folders and removable drives.

The worm may attempt to connect to the following IP addresses to check network connectivity (using ping.exe) and then send a notification of infection:

69.73.169.9
216.177.77.9

It may then attempt to download one of the following images:

[http://]www.imageshack.us/images_[REMOVED]
[http://]www.ghostspell.com/freak[REMOVED]
[http://]www.wilkipedia.com/logo[REMOVED]
[http://]www.geocities.com/paleztinezgr/hack[REMOVED]
[http://]www.globalframe.com/global_[REMOVED]
[http://]www.vbstuff.com/yudizat/sour[REMOVED]
[http://]www.geocities.com/huseindam1/hack[REMOVED]
[http://]www.geocities.com/rinkdal3/hack[REMOVED]
[http://]www.zone-h.com/defacer/view[REMOVED]
[http://]yz_black.cjb.net/yz_black/blac[REMOVED]
[http://]yz_red.cjb.net/yz_red/red[REMOVED]
[http://]yz_green.cjb.net/yz_green/gree[REMOVED]
[http://]yz_yellow.cjb.net/yz_yellow/yello[REMOVED]
[http://]yz_white.cjb.net/yz_white/whit[REMOVED]
[http://]yz_gray.cjb.net/yz_gray/gray[REMOVED]
[http://]yz_violet.cjb.net/yz_violet/viole[REMOVED]
[http://]yz_silver.cjb.net/yz_silver/silve[REMOVED]
[http://]yz_hot.cjb.net/yz_hot/hot[REMOVED]
[http://]yz_cool.cjb.net/yz_cool/cool[REMOVED]
[http://]yz_freeze.cjb.net/yz_freeze/freez[REMOVED]
[http://]yz_slow.cjb.net/yz_slow/slow[REMOVED]
[http://]yz_fast.cjb.net/yz_fast/fast[REMOVED]
[http://]yz_strong.cjb.net/yz_strong/stron[REMOVED]
[http://]yz_happy.cjb.net/yz_happy/happ[REMOVED]
[http://]yz_sad.cjb.net/yz_sad/sad[REMOVED]
[http://]yz_cry.cjb.net/yz_cry/cry[REMOVED]

The worm then attempts to end all processes and services whose name, associated window, or description contain the following strings:

SysMech
PDFIND
avtask
mav
process
ccapp
avgemc
snaps
rstrui
syslove
sstray
thread
mcvsescn
poproxy
xpshare
systray
ashmaisv
aswupdsv
nvc
cclaw
njeeves
nipsvc
update
vptray
opscan
nopdb
ccapp
ctfmon
zlh
avgupsvc
removal
virus
AGENTSVR
ANTI
MONITOR
APLICA32
APVXDWIN
ATCON
GUARD
ATRO55EN
WATCH
AUTODOWN
AUTOTRACE
AUTOUPDATE
AVCONSOL
AVGSERV9
AVLTMAIN
AVPUPD
AVSYNMGR
AVWUPD32
AVXQUAR
AVprotect9x
BD_PROFESSIONAL
BIDEF
BIDSERVER
BIPCP
BIPCPEVALSETUP
BISP
BLACKD
BLACKICE
BOOTWARN
BORG2
BS120
CDP
CFGWIZ
CFIADMIN
CFIAUDIT
CFINET
CFINET32
CLEAN
CLEAN32
CLEANER
CLEANER3
CLEANPC
CMGRDIAN
CMON016
CPD
CPF9X206
CWNB181
CWNTDWMO
config
killbox
hijackthis
DEFWATCH
DEPUTY
DPF
DPFSETUP
DRWATSON
DRWEBUPW
ENT
ESCANH95
ESCANHNT
ESCANV95
EXANTIVIRUS-CNET
FAST
FIREWALL
FLOWPROTECTOR
FP-WIN_TRIAL
FRW
FSAV
FSAV530STBYB
GBMENU
GBPOLL
GUARD
GUARDDOG
HACKTRACERSETUP
HTLOG
HWPE
IAMAPP
IAMSERV
ICLOAD95
ICLOADNT
ICMON
ICMON32
sysmech6
sysmech5
ICSSUPPNT
ICSUPP95
ICSUPPNT
IFW2000
IPARMOR
IRIS
JAMMER
KAVLITE40ENG
KAVPERS40ENG
KERIO-PF-213-EN-WIN
KERIO-WRL-421-EN-WIN
KERIO-WRP-421-EN-WIN
KILLPROCESSSETUP161
LDPRO
LOCALNET
LOCKDOWN
LOCKDOWN2000
LSETUP
LUALL
LUCOMSERVER
LUINIT
MCAGENT
MCUPDATE
MFW2EN
MFWENG3.02D30
MGUI
MINILOG
MOOLIVE
MRFLUX
CONFIG32
MSINFO32
MSSMMC32
MU0311AD
NAV80TRY
NAVAPW32
NAVDX
NAVSTUB
NAVW32
NC2000
NCINST4
admin
NDD32
NEOMONITOR
NETARMOR
NETINFO
NETMON
NETSCANPRO
HUNTER
NISSERV
NMAIN
NORTON
NPF
NPROTECT
NSCHED32
NTVDM
NUPGRADE
NVARCH16
NWINST4
NWTOOL16
NavShExt.dll
OSTRONET
OUTPOST
OUTPOST
PADMIN
PANIXK
PAVPROXY
PCC2002S902
PCC2K_76_1436
PCCIOMON
PCDSETUP
PCFWALLICON
PCIP10117_0
PDSETUP
PERISCOPE
PERSFW
PF2
PFWADMIN
PINGSCAN
PLATIN
PROTECTX
PSPF
QCONSOLE
QSERVER
RESCUE
watch
watcher
RRGUARD
RSHELL
RULAUNCH
SAFEWEB
SAVSCAN
SBSERV
SETUPVAMEEVAL
SETUP_FLOWPROTECTOR_US
SFC
SGSSFW32
SHELLSPYINSTALL
SYSEDIT
SymWSC
TAUMON
TAUSCAN
TRACERT
TRJSCAN
TRJSETUP
TROJANTRAP
UNDOBOOT
VBCMSERV
VBCONS
VBUST
VIRUSMDPERSONALFIREWALL
W32DSM
WEBSCANX
WHOSWATCHINGME
WINRECON
WNT
WRADMIN
WRCTRL
WSBGATE
WYVERNWORKSFIREWALL
XPF202EN
ZONEALARM
ccApp
ccEvtMgr
navapsvc
norman
workstation
autoupdate
avast
internals
ContactKeeper129
antivir
avg
aawsepersonal
avgwb.dat
ultraedit
hiew
memhack
systemhack
finder
engine
cracker
cheat
anti
hacker
killer
machine
fix
fixer
ner
er44
er40
er10
er5
spy
Dump
fusion
virus
system
f10
er10
jack
rip
guard
diskmon
regmon
monitor
debug
MEMGUTT
nmap
rminstall
ator
secure
security
center
control
panda
sophos
prot
protex
protect
regmonnt
ware
view
viewer
washer
admin
administrator
secret
show
stealth
hide
awake
visible
dump
api
crc
procexp
hex
workshop
ver
licode
codeli
hacking
mfwenu3.02r
vsc601ai
vs0602AU
upswplug
rescue
RShelln
shield
stealth
scrubber
LUSETUP
scan
NavDX
NU2002
Pavjobs
PAVSRV50
Pavw
Repairnt
zapSetup3026
anty
Pavsched
Pavclshe
pavcl.msg
pavcl
Inicio
Iface
Avengine
Apvxdwin
upgrader
TRJSETUP
wgsetup
WINPROXY
maker
crack
hack
procviewer
lyze
yzer
yzing
pest
patrol
viruz
virii
viren
stop
attack
defend
stoper
stoped
exploit
monitoring
scan
sav
rav
lav
known
pav
kav
yav
tav
nav
hidden
hidding
die
admin
netcat
nmap
softice
softice32
tools
xav
abuse
abuser
tactic
weapon
rock
strike
special
ddos
flicker
sniff
access
proc
proce
memory
frog
trap
catch
frogging
grabber
graber
grabbing
kick
kicker
stole
aware
freeze
freezing
struct
death
Avast
ashBug
ashDisp
ashChest
ashLogV
ashMaiSv
ashPopWz
ashQuick
ashSimpl
ashSkPcc
ashSkPck
aswBoot
aswUpdSv
sched
ccsetmgr
pavprsrv
navsetup
lrsetup
lucoms~1
nprotect
cfgwiz
symlcsvc
luall
navapsvc
navw32
wisptis
inocit
stopper
realmon
monxp
avconsol
alogserv
webscanx
mcshield
vshwin32
vsstat
avsynmgr
netstat
ipconfig
nmap
wmiprvse
toolz
hacker
cracker
snipper
avengine
pavprsrv
pavsrv51
apvxdwin
LordPE

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have less avenues of attack.
If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
For further information on the terms used in this document, please refer to the Security Response glossary.

Writeup By: John Canavan

Removal

Summary

Search Threats

Search by name

_{Example: W32.Beagle.AG@mm}