
W32.Ackantta@mm

Risk Level 2: Low

Discovered:
December 3, 2008
Updated:
December 3, 2008 2:45:35 PM
Also Known As:
W32/Xirtem@MM [McAfee], WORM_MYDOOM.CG [Trend], Backdoor:W32/SdBot.CNJ [F-Secure], Win32/Mytob.OO [Computer Associates], P2PShared.U [Panda Software]
Type:
Trojan, Worm
Infection Length:
Varies
Systems Affected:
Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP
1. Prevention and avoidance
1.1 User behavior and precautions
1.2 Patch operating system and software
1.3 Address blocking
2. Infection method
2.1 Email
2.2 Network shares and removable drives
2.3 Peer to Peer (P2P)
2.4 File repackaging
2.5 Infecting Web server files
3. Functionality
3.1 System modifications
3.2 Network activity
3.3 Turning off security
3.4 Additional functionality
4. Additional information




1. PREVENTION AND AVOIDANCE
Ackantta spreads by exploiting weaknesses in human nature, that is, by social engineering: it uses enticing email lures and enticing file names when copying itself to removable and shared drives. Because of the propagation techniques used, user awareness plays a large part in preventing infection. The following strategies can help users avoid or minimize the risk from this threat.


1.1 Avoid emails with .zip attachments

Users should be wary of any unsolicited email, whether from a known or an unknown source. Be particularly wary if the email includes a product promotion, describes an unexpected parcel shipment or promises rewards (explicit or implied) that require opening an attachment. Ackantta normally uses attachments with a .zip extension, and the zip file typically contains an executable file.



The worm only executes after the file inside the attachment is extracted and then run by the user. It is therefore relatively easy for users to avoid this worm (and indeed other malware) by simply not opening such file types.

To reduce the risk of infection, email gateways can be configured to block email with certain types of attachments such as .exe and .zip files.
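The gateway check described above, as an added example that is not part of the original write-up or Symantec's tooling: it parses a message with the Python standard library, opens any .zip attachment in memory and reports executable members, including the padded-name trick ("document.jpg[MANY SPACES].exe") that this worm uses in its self extracting archives. The block list of extensions and the sample message (addresses, subject, zip contents) are assumptions constructed for the demonstration.

```python
"""Added example: gateway-style inspection of .zip e-mail attachments (not Symantec's code).
Policy assumed here: executables are held whether they arrive bare or inside a zip."""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions treated as executable content (assumption: a typical gateway block list).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".dll"}
# A run of spaces before the real extension pushes it past the visible part of a file dialog.
PADDED_NAME = re.compile(r"\s{2,}\.[^.\s]+$")


def file_extension(name: str) -> str:
    lowered = name.lower()
    return lowered[lowered.rfind("."):] if "." in lowered else ""


def executable_members(zip_bytes: bytes) -> list[str]:
    """Names of zip members with an executable extension; raises zipfile.BadZipFile on junk."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir() or file_extension(info.filename) not in EXECUTABLE_EXTENSIONS:
                continue
            note = " (extension hidden behind padding)" if PADDED_NAME.search(info.filename) else ""
            found.append(info.filename + note)
    return found


def classify_attachment(filename: str, payload: bytes) -> list[str]:
    """Reasons to hold this attachment; an empty list means it passed."""
    reasons = []
    if file_extension(filename) in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable attachment: {filename}")
    # Inspect by content as well as by name so renaming the archive does not bypass the check.
    if file_extension(filename) == ".zip" or payload[:2] == b"PK":
        try:
            reasons.extend(f"executable inside zip: {m}" for m in executable_members(payload))
        except zipfile.BadZipFile:
            reasons.append("zip attachment could not be parsed")
    return reasons


def scan_message(raw: bytes) -> list[str]:
    """Parse one RFC 822 message and return the hold reasons for all of its attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.iter_attachments():
        reasons.extend(classify_attachment(part.get_filename() or "", part.get_payload(decode=True) or b""))
    return reasons


# --- constructed sample data, used only to exercise the checks above ---
def make_zip(members: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, data in members.items():
            archive.writestr(name, data)
    return buf.getvalue()


def build_sample_message(attachment: bytes, attachment_name: str = "coupon.zip") -> bytes:
    """A constructed lure message shaped like the samples in this write-up; addresses are placeholders."""
    msg = EmailMessage()
    msg["From"] = "giveaway@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Merry Christmas coupon"
    msg.set_content("Print the coupon in the attachment and bring it to your nearest store.")
    msg.add_attachment(attachment, maintype="application", subtype="zip", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    lure = build_sample_message(make_zip({"coupon.exe": b"MZ" + b"\0" * 64}))
    print(scan_message(lure))
```

A production gateway would additionally cap the decompressed size, recurse into nested archives and treat password-protected zips as suspicious, since each of those defeats a naive "open it and look" check.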


1.2 Avoid illicit software
Ackantta attempts to exploit the demand on the Internet for certain popular software applications. It taps into this demand by making files available in P2P shared folders under file names that make the worm files look like installers for popular software. Leaving aside the legal implications of downloading commercial software through P2P networks, there is always a risk that what is downloaded contains more than what was expected; Ackantta is another case in point.

When downloading files such as application installers, one simple telltale sign is to check the size of the downloaded file against the expected size of the installer. Malware files generally tend to be small (less than 1MB), whereas typical application installers are usually tens or hundreds of megabytes in size. Some malware may try to counter this basic sanity check by padding the file with junk data to make it appear larger. If in doubt, do not execute the file.

Users are advised to avoid downloading software from P2P networks and instead source their software from reputable establishments.


1.3 Protect network shares and removable drives
This threat is also known to spread inside networks by using shares. The following steps can help protect your computer against this threat.
  • Users are advised to ensure that all network shares are only opened when they are necessary for use.
  • Use a strong password to guard any shared folders or accounts. A strong password is at least 8 characters long and uses a combination of numerals, uppercase and lowercase letters, and symbols. Commonly used words from everyday language should not be used, as they are easily defeated by a dictionary attack. This blog provides some ideas on how to construct a strong yet memorable password.
  • Disable the autorun feature to prevent dropped files from running automatically when a drive is opened.



2. INFECTION METHOD
Ackantta has proven itself to be highly adaptable and currently employs an array of methods to propagate itself. The worm has been enhanced many times since it first appeared in 2008 and each iteration included changes to functionality or propagation methods. The current methods by which Ackantta spreads are as follows:
  • Email
  • Network shares and removable drives
  • Peer-to-peer (P2P)
  • File repackaging
  • Infecting Web server files

A more detailed description of how the threat employs these techniques is provided in the following sections.


2.1 Email
Ackantta does not employ any advanced techniques or technical tricks when propagating through email. Instead it relies purely on two of the oldest techniques in the malware maker's arsenal: social engineering and brandjacking. Emails are delivered with content that leads users to believe they should open the attachment to gain some benefit through a product promotion, or to find out the status of a package being delivered. These social engineering tricks are designed to play on the curiosity in human nature and are a perennial favorite with malware creators. The misuse of well-known brands leverages the trust placed in a brand to help convince the recipient to open the attachment.

Historically, Ackantta has reused a small number of brands in its email lures across different spam runs; these are:

  • Hallmark Cards
  • Coca Cola
  • Amazon.Com
  • Hi5
  • McDonalds
  • Twitter
  • Michael Jackson
  • American Greetings
  • Facebook
  • Google

Sample emails

Some examples of the emails used can be seen below:


From: giveaway@mcdonalds.com
Subject: Mcdonalds wishes you Merry Christmas!
Message body:
McDonald's is proud to present our latest discount menu.
Simply print the coupon from this Email and head to your local McDonald's for FREE giveaways and AWESOME savings.
You don't have a flash plugin installed or javascript enabled.
Corporate McDonald's | Facts about McDonald's | Podcasts | Voice 2007-2008 McDonald's. All rights reserved.
Attachment: coupon.zip

From: noreply@coca-cola.com
Subject: Coca Cola is proud to accounce our new Christmas Promotion.
Message body:
Coca Cola is proud to accounce our new Christmas Promotion.
December, 2008
Play our fantastic new online game for your chance to WIN a trip to the Bahamas and get all Coca Cola drinks for free in the rest of your life. See the attachment for details.
The trademarks listed are owned or used under license by The Coca-Cola Company and its related affiliates, as of December 31, 2006.
These trademarks may be owned or licensed in select locations only. 2008 The Coca-Cola Company, all rights reserved.
Attachment: promotion.zip

From: postcards@hallmark.com
Subject: You've received A Hallmark E-Card!
Message body:
You have recieved A Hallmark E-Card.
Hello!
You have recieved a Hallmark E-Card from your friend.
To see it, check the attachment.
There's something special about that E-Card feeling. We invite you to make a friend's day and send one.
Hope to see you soon,
Your friends at Hallmark
Your privacy is our priority. Click the "Privacy and Security" link at the bottom of this E-mail to view our policy.
Hallmark.com | Privacy & Security | Customer Service | Store Locator
Attachment: postcard.zip



From: invitations@hi5.com
Subject:
One of the following:
  • Jessica would like to be your friend on hi5!
  • Laura would like to be your friend on hi5!
Message body: (HTML)
[hi5 site navigation and page chrome rendered in the HTML body: Join, Log in, Help, Balance: 0 Coins, mobile alerts, hi5 Home, My Profile, Friends, Photos, Messages, Games, Groups, Applications, Search]

Meet new people and keep up with friends on hi5.

Jessica would like to be your friend on hi5!

I set up a hi5 profile and I want to add you as a friend so we can share pictures and start building our network. First see your invitation card I attached! Once you join, you will have a chance to create a profile, share pictures, and find friends.

About Us | Blog | Advertising | Jobs | People | Privacy Policy | Terms of Service | Online Safety
2003-2009 hi5 Networks
Attachment: Invitation Card.zip



From: order-update@amazon.com
Subject: Shipping update for your Amazon.com order 254-78546325-658742
Message body:
Shipping update for your Amazon.com order 254-78546325-658742
Please check the attachment and confirm your shipping details.
Attachment: Shipping documents.zip


Email address harvesting
In order to help it spread through email, Ackantta has to collect email addresses so that it can send itself to another batch of unsuspecting users. Ackantta will search the drives attached to the compromised computer for files with the following extensions in order to extract email addresses:
  • .adb
  • .asp
  • .dbx
  • .doc
  • .htm
  • .log
  • .lst
  • .nfo
  • .php
  • .pl
  • .rtf
  • .sht
  • .tbb
  • .txt
  • .wab
  • .wpd
  • .wps
  • .xls
  • .xml


Keeping below the radar
In an attempt to delay discovery by security researchers, the worm avoids sending its propagation emails to certain domains and to email addresses that contain particular strings or keywords. Many of these belong to security software vendors, Internet service providers, administrator and abuse mailboxes, and so forth.

User name exclusion list:
  • abuse
  • anyone
  • bugs
  • ca
  • contact
  • gold-certs
  • help
  • info
  • me
  • no
  • nobody
  • noone
  • not
  • nothing
  • page
  • postmaster
  • privacy
  • rating
  • root
  • sales
  • samples
  • secur
  • service
  • site
  • soft
  • somebody
  • someone
  • spm
  • spam
  • submit
  • the.bat
  • webmaster
  • you
  • your
  • www
  • admin
  • bsd
  • certific
  • icrosoft
  • linux
  • listserv
  • ntivi
  • security
  • support
  • unix
  • websense

Domain exclusion list:
  • .gov
  • .mil
  • acd-group
  • acdnet.com
  • acdsystems.com
  • acketst
  • ahnlab
  • alcatel-lucent.com
  • apache
  • arin.
  • avg.comsysinternals
  • avira
  • badware
  • berkeley
  • bitdefender
  • bluewin.ch
  • borlan
  • bpsoft.com
  • bsd
  • buyrar.com
  • cisco
  • clamav
  • debian
  • drweb
  • eset.com
  • example
  • f-secure
  • fido
  • firefox
  • fsf.
  • ghisler.com
  • gimp
  • gnu
  • gov.
  • honeynet
  • honeypot
  • iana
  • ibm.com
  • idefense
  • ietf
  • ikarus
  • immunityinc.com
  • inpris
  • isc.o
  • isi.e
  • jgsoft
  • kaspersky
  • kernel
  • lavasoft
  • linux
  • mcafee
  • messagelabs
  • mit.e
  • mozilla
  • mydomai
  • nodomai
  • novirusthanks
  • nullsoft.org
  • panda
  • pgp
  • prevx
  • qualys
  • quebecor.com
  • redhat
  • rfc-ed
  • ruslis
  • samba
  • secur
  • security
  • sendmail
  • slashdot
  • sopho
  • sourceforge
  • ssh.com
  • sun.com
  • suse
  • syman
  • tanford.e
  • unix
  • usenet
  • utgers.ed
  • virus
  • virusbuster
  • winamp
  • winpcap
  • wireshark
  • www.ca.com


2.2 Network shares and removable drives
Another means by which Ackantta attempts to spread is by making use of the autorun feature of Windows. Network shares and removable drives such as USB sticks are so commonly used for sharing files and data that they can be considered the modern-day equivalent of the floppy disk.

Ackantta attempts to enumerate all attached and mounted drives and then tries to copy itself into a folder inside the recycler. This is done to hide itself from unsuspecting users, many of whom would not normally look inside the recycler folder. In addition, the files created are given the system, hidden and read-only attributes.

The files normally created by the worm when spreading through this method are as follows:
  • %DriveLetter%\RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe
  • %DriveLetter%\RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\Desktop.ini
  • %DriveLetter%\autorun.inf




The autorun.inf file is designed to cause Windows to load the worm file from inside the recycler folder whenever the drive is first accessed or plugged into a computer. Disabling the autorun feature in Windows can help to prevent this and other malware from automatically executing.
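An audit of a drive root for this pattern, as an added example that is not part of the original write-up: it parses autorun.inf for launch keys that point into RECYCLER and lists any RECYCLER subfolder that is not named after a real user SID yet contains an executable. The write-up does not reproduce the autorun.inf contents, so the open= line in the constructed sample is an assumption; the paths mirror the three listed above.

```python
"""Added example: audit a drive root for an autorun.inf that launches out of RECYCLER
(not Symantec's code). The constructed autorun.inf below assumes an open= key."""
import os
import re
import tempfile

# Keys in an [autorun] section that make Windows (with AutoRun enabled) execute something.
LAUNCH_LINE = re.compile(r"^\s*(open|shellexecute|shell\\open\\command)\s*=\s*(.+?)\s*$", re.IGNORECASE)
RECYCLER_TARGET = re.compile(r"recycler\\", re.IGNORECASE)
# Per-user Recycle Bin folders are named after account SIDs, which begin S-1-5-21.
# The folder name used by this worm begins S-1-6-21, so any other prefix is worth a look.
REAL_USER_SID = re.compile(r"^S-1-5-21-", re.IGNORECASE)


def parse_autorun_launch_targets(text: str) -> list[str]:
    """Values of every launch key in the file, duplicates included."""
    targets = []
    for line in text.splitlines():
        match = LAUNCH_LINE.match(line)
        if match:
            targets.append(match.group(2))
    return targets


def audit_drive_root(root: str) -> list[str]:
    findings = []
    autorun = os.path.join(root, "autorun.inf")
    if os.path.isfile(autorun):
        with open(autorun, encoding="utf-8", errors="replace") as fh:
            for target in parse_autorun_launch_targets(fh.read()):
                if RECYCLER_TARGET.search(target):
                    findings.append(f"autorun.inf launches from RECYCLER: {target}")
                elif target.lower().endswith((".exe", ".com", ".bat", ".cmd", ".scr")):
                    findings.append(f"autorun.inf launches an executable: {target}")
    recycler = os.path.join(root, "RECYCLER")
    if os.path.isdir(recycler):
        for entry in sorted(os.listdir(recycler)):
            sub = os.path.join(recycler, entry)
            # Deleted files legitimately sit under a real user's SID folder; only other names are checked.
            if not os.path.isdir(sub) or REAL_USER_SID.match(entry):
                continue
            exes = sorted(f for f in os.listdir(sub) if f.lower().endswith(".exe"))
            if exes:
                findings.append(f"RECYCLER folder {entry} is not a user SID and holds {', '.join(exes)}")
    return findings


def build_sample_drive() -> str:
    """Constructed drive image in a temp dir, mirroring the three paths listed in this section."""
    root = tempfile.mkdtemp(prefix="drive_")
    worm_dir = os.path.join(root, "RECYCLER", "S-1-6-21-2434476521-1645641927-702000330-1542")
    os.makedirs(worm_dir)
    with open(os.path.join(worm_dir, "redmond.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\0" * 32)  # placeholder bytes, not an executable
    with open(os.path.join(worm_dir, "Desktop.ini"), "w") as fh:
        fh.write("[.ShellClassInfo]\n")  # constructed; the real contents are not given in the write-up
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\n"
                 "open=RECYCLER\\S-1-6-21-2434476521-1645641927-702000330-1542\\redmond.exe\n"  # assumed key
                 "action=Open folder to view files\n")
    return root


if __name__ == "__main__":
    for finding in audit_drive_root(build_sample_drive()):
        print(finding)
```

Run against a mounted image rather than a live drive wherever possible; the autorun.inf and the folder it points to are both hidden and system-flagged, so a file manager with default settings will not show them.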


2.3 Peer-to-peer (P2P)
To further help it to spread, Ackantta makes copies of itself inside the file share folders of many P2P applications. By doing so it taps into the high volume of file exchanges that is generated daily throughout the world from P2P usage. To increase the likelihood of the file being downloaded to another computer and executed, the file names used by Ackantta when copying itself into the P2P folders are deliberately chosen to suggest that the files are installers, key generators or cracks for much sought after and often costly commercial software.

Ackantta targets various P2P applications by copying itself to predefined folders, some of which are associated with P2P applications:
  • C:\Downloads\
  • C:\program files\emule\incoming\
  • C:\program files\grokster\my grokster\
  • C:\program files\icq\shared folder\
  • C:\program files\limewire\shared\
  • C:\program files\morpheus\my shared folder\
  • C:\program files\tesla\files\
  • C:\program files\winmx\shared\

It may also target folders associated with Kazaa, DCPlusPlus and Frostwire.

The following file names may be used for the copies placed in the P2P folders:
  • Absolute Video Converter 6.2.exe
  • Ad-aware 2009.exe
  • Adobe Acrobat Reader keygen.exe
  • Adobe Photoshop CS4 crack.exe
  • Alcohol 120 v1.9.7.exe
  • AnyDVD HD v.6.3.1.8 Beta incl crack.exe
  • Avast 4.8 Professional.exe
  • AVS video converter6.exe
  • Adobe Illustrator CS4 crack.exe
  • Anti-Porn v13.5.12.29.exe
  • Ashampoo Snap 3.02.exe
  • BitDefender AntiVirus 2009 Keygen.exe
  • Blaze DVD Player Pro v6.52.exe
  • CleanMyPC Registry Cleaner v6.02.exe
  • CheckPoint ZoneAlarm And AntiSpy.exe
  • Daemon Tools Pro 4.11.exe
  • Divx Pro 6.8.0.19 + keymaker.exe
  • Download Accelerator Plus v8.7.5.exe
  • Download Boost 2.0.exe
  • DVD Tools Nero 10.5.6.0.exe
  • G-Force Platinum v3.7.5.exe
  • Google Earth Pro 4.2. with Maps and crack.exe
  • Grand Theft Auto IV (Offline Activation).exe
  • Half life 3 preview 10 minutes gameplay video.exe
  • Internet Download Manager V5.exe
  • Image Size Reducer Pro v1.0.1.exe
  • K-Lite codec pack 4.0 gold.exe
  • Kaspersky Internet Security 2009 keygen.exe
  • K-Lite codec pack 3.10 full.exe
  • K-Lite Mega Codec v5.5.1.exe
  • K-Lite Mega Codec v5.6.1 Portable.exe
  • Kaspersky AntiVirus 2010 crack.exe
  • Kaspersky Internet Security 2010 keygen.exe
  • LimeWire Pro v4.18.3.exe
  • Microsoft Office 2007 Home and Student keygen.exe
  • Microsoft Visual Studio 2008 KeyGen.exe
  • Microsoft.Windows 7 Beta1 Build 7000 x86.exe
  • Motorola, nokia, ericsson mobil phone tools.exe
  • Myspace theme collection.exe
  • Magic Video Converter 8 0 2 18.exe
  • McAfee Total Protection 2010.exe
  • Microsoft.Windows 7 ULTIMATE FINAL activator+keygen x86.exe
  • Mp3 Splitter and Joiner Pro v3.48.exe
  • Nero 9 9.2.6.0 keygen.exe
  • Norton Anti-Virus 2009 Enterprise Crack.exe
  • Norton Internet Security 2010 crack.exe
  • Opera 10 cracked.exe
  • Opera 9.62 International.exe
  • PDF password remover (works with all acrobat reader).exe
  • Password Cracker.exe
  • Perfect keylogger family edition with crack.exe
  • Power ISO v4.2 + keygen axxo.exe
  • PDF-XChange Pro.exe
  • PDF to Word Converter 3.0.exe
  • PDF Unlocker v2.0.3.exe
  • Red Alert 3 keygen and trainer.exe
  • Rapidshare Auto Downloader 3.8.exe
  • RapidShare Killer AIO 2010.exe
  • Smart Draw 2008 keygen.exe
  • Sophos antivirus updater bypass.exe
  • Super Utilities Pro 2009 11.0.exe
  • Starcraft2 Crack.exe
  • Starcraft2 keys.txt.exe
  • Starcraft2 Oblivion DLL.exe
  • Starcraft2 Patch v0.2.exe
  • Starcraft2.exe
  • Sony Vegas Pro 8 0b Build 219.exe
  • TCN ISO SigmaX2 firmware.bin.exe
  • TCN ISO cable modem hacking tools.exe
  • Total Commander7 license+keygen.exe
  • Tuneup Ultilities 2008.exe
  • Trojan Killer v2.9.4173.exe
  • Tuneup Ultilities 2010.exe
  • Twitter FriendAdder 2.1.1.exe
  • Ultimate ring tones package1 (Beethoven,Bach, Baris Manco,Lambada,Chopin, Greensleves).exe
  • Ultimate ring tones package2 (Lil Wayne - Way Of Life,Khia - My Neck My Back Like My Pussy And My Crack,Mario - Let Me Love You,R. Kelly - The Worlds Greatest).exe
  • Ultimate ring tones package3 (Crazy In Love, U Got It Bad, 50 Cent - P.I.M.P, Jennifer Lopez Feat. Ll Cool J - All I Have, 50 Cent - 21 Question).exe
  • Ultimate xxx password generator 2009.exe
  • VmWare keygen.exe
  • VmWare 7.0 keygen.exe
  • WinRAR v3.x keygen RaZoR.exe
  • Winamp.Pro.v6.53.PowerPack.Portable [XmaS edition].exe
  • Windows 2008 Enterprise Server VMWare Virtual Machine.exe
  • Windows XP PRO Corp SP3 valid-key generator.exe
  • Windows2008 keygen and activator.exe
  • Winamp.Pro.v7.33.PowerPack.Portable+installer.exe
  • Windows 7 Ultimate keygen.exe
  • Youtube Music Downloader 1.0.exe
  • YouTubeGet 5.4.exe

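The size heuristic from section 1.2 and the share-folder list from this section combined into one audit, as an added example that is not part of the original write-up: it walks the listed folders under a drive root and flags executables that are far too small to be installers, that advertise cracks or key generators in their names, or that carry a double extension such as keys.txt.exe. The 1 MB threshold, the keyword list and the sample files are assumptions constructed for the demonstration.

```python
"""Added example (not Symantec's code): audit the P2P share folders listed above for executables
that are too small to be installers or whose names promise cracks and key generators."""
import os
import re
import tempfile

SMALL_INSTALLER_LIMIT = 1_000_000  # bytes; the "less than 1MB" rule of thumb from section 1.2
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com")
DATA_EXTENSIONS = {"txt", "jpg", "gif", "avi", "mpg", "mp3", "pdf", "doc", "bin", "zip"}
LURE_WORDS = re.compile(r"\b(crack(ed)?|key ?gen|key ?maker|activator|serial|trainer)\b", re.IGNORECASE)
# Drive-relative versions of the folders listed in this section.
SHARE_FOLDERS = [
    os.path.join("Downloads"),
    os.path.join("program files", "emule", "incoming"),
    os.path.join("program files", "grokster", "my grokster"),
    os.path.join("program files", "icq", "shared folder"),
    os.path.join("program files", "limewire", "shared"),
    os.path.join("program files", "morpheus", "my shared folder"),
    os.path.join("program files", "tesla", "files"),
    os.path.join("program files", "winmx", "shared"),
]


def audit_shared_file(path: str) -> list[str]:
    """Reasons a file in a share folder deserves a closer look; empty when nothing stands out."""
    name = os.path.basename(path)
    lowered = name.lower()
    if not lowered.endswith(EXECUTABLE_EXTENSIONS):
        return []
    reasons = []
    size = os.path.getsize(path)
    if size < SMALL_INSTALLER_LIMIT:
        reasons.append(f"only {size} bytes, far smaller than a real installer")
    if LURE_WORDS.search(name):
        reasons.append("name advertises a crack, keygen or activator")
    stem = lowered.rsplit(".", 1)[0]
    if "." in stem and stem.rsplit(".", 1)[1] in DATA_EXTENSIONS:
        reasons.append("double extension disguises an executable as a data file")
    return reasons


def audit_share_folders(drive_root: str) -> dict[str, list[str]]:
    """Map of drive-relative path -> reasons for every flagged file in the known share folders."""
    flagged = {}
    for rel in SHARE_FOLDERS:
        folder = os.path.join(drive_root, rel)
        if not os.path.isdir(folder):
            continue
        for entry in sorted(os.listdir(folder)):
            path = os.path.join(folder, entry)
            if os.path.isfile(path):
                reasons = audit_shared_file(path)
                if reasons:
                    flagged[os.path.relpath(path, drive_root).replace(os.sep, "/")] = reasons
    return flagged


def build_sample_share_tree() -> str:
    """Constructed share folders in a temp dir; file contents are zero padding, not real programs."""
    root = tempfile.mkdtemp(prefix="p2p_")
    samples = {
        "program files/emule/incoming/Adobe Photoshop CS4 crack.exe": 40_000,
        "program files/limewire/shared/Starcraft2 keys.txt.exe": 40_000,
        "Downloads/Vendor Setup 1.0.exe": 1_500_000,
        "Downloads/notes.txt": 120,
    }
    for rel, size in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\0" * size)
    return root


if __name__ == "__main__":
    for path, reasons in audit_share_folders(build_sample_share_tree()).items():
        print(path, "->", "; ".join(reasons))
```

The size rule is deliberately only one signal: as section 1.2 notes, some malware pads itself with junk to defeat it, which is why the name-based checks are reported alongside it rather than instead of it.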

2.4 File repackaging
An interesting technique employed by later versions of Ackantta (W32.Ackantta.H@mm) involved the repackaging of existing files on the compromised computer into self extracting archive files. The technique works in the following manner.

A. The worm scans all shared and removable drives searching for .exe and .msi files that have the following strings in their file names:
  • activa
  • crack
  • inst
  • keygen
  • setup
B. It then takes the original target's file name (for example instmsi.exe) and creates a new self extracting archive file under that name containing a copy of the worm (named document.jpg[MANY SPACES].exe) and a copy of the original file.



C. The original file is deleted and the new self extracting archive file will be written to the same location replacing the original file.

If the new self extracting archive file is executed, both the original file and the file containing the worm are dropped and executed, so to the user it appears that only the original program ran.

These self extracting archive files are detected by Symantec as W32.Ackantta!dr. Users should replace these files from a clean backup copy if they are required. Alternatively, Symantec have created a removal tool which can be used to repair these files.


2.5 Infecting Web server files
The final method by which Ackantta attempts to spread is by modifying the content served by Web servers to include links to malicious Web sites. This feature is new to the Ackantta family, having been introduced with variant H.

Ackantta will check the compromised computer to see if an Apache or Internet Information Server (IIS) Web server is installed. If a suitable server is installed, it will identify the default page (e.g. index.html/index.htm) on the server and modify the contents of the page by injecting HTML into the file.

The HTML injected into the page will display the following message when the page is served:

Security warning!
Your browser affected by the DirectAnimation Path ActiveX vulnerability.
Please install the following MS09-092 hotfix in order to be able to watch this website.



The message contains a link that will download a copy of the worm instead of the promised security update. By using this method, Ackantta opens up yet another way for it to spread to other computers.
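A check for this defacement on a server's default pages, as an added example that is not part of the original write-up: it parses each default page, looks for the lure wording quoted above and reports any anchor whose target is a downloadable executable. The page names, the phrase list and the sample pages (including the link host, which is a placeholder) are assumptions constructed for the demonstration.

```python
"""Added example (not Symantec's code): inspect a web root's default pages for the injected
lure block described above. Phrases come from the quoted message; everything else is constructed."""
import os
import re
import tempfile
from html.parser import HTMLParser

DEFAULT_PAGES = ("index.html", "index.htm", "default.htm", "default.html", "iisstart.htm")
LURE_PHRASES = ("security warning", "directanimation path", "hotfix", "install the following")
EXECUTABLE_LINK = re.compile(r"\.(exe|scr|pif|zip)(\?.*)?$", re.IGNORECASE)


class PageCollector(HTMLParser):
    """Gathers anchor targets and visible text; tolerant of the broken markup an injection leaves."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[str] = []
        self.text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.extend(value for name, value in attrs if name == "href" and value)

    def handle_data(self, data):
        self.text.append(data)


def inspect_page(html: str) -> list[str]:
    collector = PageCollector()
    collector.feed(html)
    visible = " ".join(collector.text).lower()
    findings = []
    present = [phrase for phrase in LURE_PHRASES if phrase in visible]
    if present:
        findings.append("lure text present: " + ", ".join(present))
    for href in collector.links:
        if EXECUTABLE_LINK.search(href.split("#")[0]):
            findings.append(f"link offers a downloadable executable: {href}")
    return findings


def scan_webroot(webroot: str) -> dict[str, list[str]]:
    """{page name: findings} for every default page under webroot that raised a finding."""
    results = {}
    for name in DEFAULT_PAGES:
        path = os.path.join(webroot, name)
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings = inspect_page(fh.read())
            if findings:
                results[name] = findings
    return results


CLEAN_PAGE = "<html><body><h1>Welcome</h1><p>Our catalogue is <a href='/catalogue.html'>here</a>.</p></body></html>"
# Constructed: the quoted lure wording wrapped in a block appended after the genuine content.
INJECTED_PAGE = CLEAN_PAGE.replace("</body>", (
    "<div><b>Security warning!</b><br>"
    "Your browser affected by the DirectAnimation Path ActiveX vulnerability.<br>"
    "Please install the following MS09-092 hotfix in order to be able to watch this website.<br>"
    "<a href='http://hotfix-lure.example.invalid/MS09-092.exe'>Install hotfix</a></div></body>"))


def build_sample_webroot() -> str:
    root = tempfile.mkdtemp(prefix="www_")
    with open(os.path.join(root, "index.html"), "w", encoding="utf-8") as fh:
        fh.write(INJECTED_PAGE)
    with open(os.path.join(root, "about.html"), "w", encoding="utf-8") as fh:
        fh.write(CLEAN_PAGE)
    return root


if __name__ == "__main__":
    print(scan_webroot(build_sample_webroot()))
```

Phrase matching only catches this particular lure; a hash baseline of the served default pages, checked on a schedule, catches any modification regardless of wording and is the more robust control for a server that should not be hosting a worm of any kind.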



3. FUNCTIONALITY
The Ackantta worm is a worm designed to create a profit for the people behind it. All of its actions are geared towards maximizing its share of Internet traffic and prolonging its stay on infected computers, thus increasing possible profits. It does this by using multiple methods to propagate as widely as possible, and it attempts to stay undetected by attacking security software, creating space for itself to operate.


3.1 System modifications
The following side effects may be observed on computers compromised by this worm. It should be noted that the worm may use a rootkit and other advanced stealth techniques to hide itself and its side effects. Upon successful installation and execution, many changes may not be visible on the compromised computer except where specialist tools are used to reveal them.


File creation
The following file(s) may be seen on the compromised computer:
  • %System%\vxworks.exe
  • %System%\qnx.exe
  • %Windir%\drm.ocx
  • %System%\javame1.1.exe
  • %System%\[RANDOM FILE NAME].dll
  • %System%\javawx.exe
  • %System%\javale.exe
  • %System%\sndmic32.exe
  • %System%\javapatch[TWO RANDOM NUMBERS].exe
  • %Windir%\snd.exe
  • %System%\SKYNET[EIGHT RANDOM CHARACTERS].dll
  • %System%\SKYNET[EIGHT RANDOM CHARACTERS].dll
  • %System%\SKYNET[EIGHT RANDOM CHARACTERS].dat
  • %System%\drivers\SKYNET[EIGHT RANDOM CHARACTERS].sys
  • %UserProfile%\Local Settings\Temp\test.htm
  • %UserProfile%\Local Settings\Temp\[RANDOM CHARACTERS].tmp
  • %System%\jvshed.exe
  • %System%\drivers\[RANDOM CHARACTERS].sys
  • %System%\javaload.exe
  • %System%\javavm.exe
  • %Temp%\[RANDOM CHARACTERS].tmp
  • %DriveLetter%\autorun.inf
  • %DriveLetter%\RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe
  • %DriveLetter%\RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\Desktop.ini

File deletion
The following file(s) may be deleted from the compromised computer.
  • mcshield.exe
  • All files and folders specified in the registry entry HKEY_LOCAL_MACHINE\SOFTWARE\Malwarebytes' Anti-Malware\"InstallPath"

File modification
  • The default files served by Apache and IIS web servers may be modified to include an HTML block containing a link.
  • Certain .exe and .msi files may be replaced with a self extracting archive file containing the original file and a copy of the worm.

Registry subkeys and entries created
  • HKEY_CURRENT_USER\Software\HP35
  • HKEY_LOCAL_MACHINE\Software\HP35
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SKYNET[EIGHT RANDOM CHARACTERS]
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\FXS
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\solashit2
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\sunshit2
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\JQS16
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper\XMAS
  • HKEY_CURRENT_USER\Software\Microsoft\Installer
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\cavok
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Settings\"Time"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Wind River Systems" = "%System%\vxworks.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"QnX" = "%System%\qnx.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\"QnX" = "%System%\qnx.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"SunJava Updater v7" = "%System%\javale.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Sun Java Updater v7.4" = "%System%\javawx.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Windows Audio Service" = "%System%\sndmic32.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Windows Audio" = "%Windir%\snd.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\"Windows Audio" = "%Windir%\snd.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}\"StubPath" = "\"%Windir%\snd.exe\""
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"SunJavaUpdateSched16" = "%System%\jvshed.exe"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\"%System%\drivers\[RANDOM CHARACTERS]" = "%System%\drivers\[RANDOM CHARACTERS].sys"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\"die6java" = "[RANDOM NUMBER]"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\"die6sun" = "[RANDOM NUMBER]"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\"hke8" = "[STRING]"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\"hke9" = "[STRING]"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"HP Software Updater v1.4" = "[PATH TO EXECUTABLE]"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"[PATH TO EXECUTABLE]" = "[PATH TO EXECUTABLE]:*:Enabled:Explorer"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"%System%\jvshed.exe" = "%System%\jvshed.exe:*:Enabled:Explorer"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%System%\"vxworks.exe" = "%System%\vxworks.exe:*:Enabled:Explorer"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%System%\"javale.exe" = "%System%\javale.exe:*:Enabled:Explorer"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"%System%\javawx.exe" = "%System%\javawx.exe:*:Enabled:Explorer"

Registry subkeys/entries deleted
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WSCSVC
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ERSVC
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"SBAMTray"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"sbamui"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"cctray"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"CAVRID"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"BDAgent"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"egui"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"avast!"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"AVG8_TRAY"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"ISTray"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"K7SystemTray"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"K7TSStart"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"SpIDerMail"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"DrWebScheduler"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"AVP"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"OfficeScanNT Monitor"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"SpamBlocker"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Spam Blocker for Outlook Express"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"F-PROT Antivirus Tray application"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"RavTask"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"APVXDWIN"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"SCANINICIO"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"McENUI"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"MskAgentexe"
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"Windows Defender"

Registry subkeys/entries modified (final values given)

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{77520Q86-864L-N81R-0R2W-7U2G0P22436U}\"StubPath" = "%System%\qnx.exe"" "
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper\"free" = "12"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper\"bsd" = "03"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download\"CheckExeSignatures" = "0x1"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download\"RunInvalidSignatures" = "no"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\"javastation1.1" = "02"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\"ultrasparc1.1" = "25"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\"LowRiskFileTypes" = ".zip;.rar;.cab;.txt;.exe;.reg;.msi;.htm;.html;.bat;.cmd;.pif;.scr;.mov;.mp3;.wav"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\"(Default)" = "[ENCRYPTED STRING]"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\"1A10" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\"DisableSR" = "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\"datarecovery" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\"UACDisableNotify" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\"EnableLUA"="0"

Processes
explorer.exe (code injection)
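An offline audit of the registry changes listed in this section, as an added example that is not part of the original write-up: it parses a .reg export (the text format produced by the Windows registry editor) and reports Run entries that launch the worm's image names, firewall exceptions for them, and the security downgrades EnableLUA=0, DisableSR=1 and .exe in LowRiskFileTypes. The image names and key paths come from the lists above; the export itself, including its file paths, is constructed for the demonstration.

```python
"""Added example (not Symantec's code): audit a Windows registry export (.reg text) for the
persistence entries and security downgrades listed in section 3.1."""
import ntpath
import re

# Image names from the file creation list in this section.
KNOWN_WORM_IMAGES = {
    "vxworks.exe", "qnx.exe", "javale.exe", "javawx.exe", "sndmic32.exe", "snd.exe",
    "jvshed.exe", "javaload.exe", "javavm.exe", "javame1.1.exe",
}
VALUE_LINE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')


def unescape(text: str) -> str:
    return text.replace('\\\\', '\\').replace('\\"', '"')


def decode_value(raw: str):
    """dword: -> int, quoted string -> str; hex:/binary values are returned undecoded."""
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return unescape(raw[1:-1])
    return raw


def parse_reg_export(text: str) -> dict[str, dict[str, object]]:
    """{key path: {value name: value}} for every key in the export."""
    keys: dict[str, dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        match = VALUE_LINE.match(line)
        if match and current is not None:
            name = "(Default)" if match.group(1) is None else unescape(match.group(1))
            keys[current][name] = decode_value(match.group(2))
    return keys


def audit_registry(keys: dict[str, dict[str, object]]) -> list[str]:
    findings = []
    for key, values in keys.items():
        lowered = key.lower()
        if lowered.endswith(("\\currentversion\\run", "\\policies\\explorer\\run")):
            for name, value in values.items():
                image = ntpath.basename(str(value).strip('"')).lower()
                if image in KNOWN_WORM_IMAGES:
                    findings.append(f"autorun entry '{name}' launches {image}")
        if lowered.endswith("\\policies\\system") and values.get("EnableLUA") == 0:
            findings.append("EnableLUA=0: User Account Control disabled")
        if lowered.endswith("\\systemrestore") and values.get("DisableSR") == 1:
            findings.append("DisableSR=1: System Restore disabled")
        if lowered.endswith("\\policies\\associations"):
            if ".exe" in str(values.get("LowRiskFileTypes", "")).lower().split(";"):
                findings.append("LowRiskFileTypes includes .exe: attachment and download warnings suppressed")
        if lowered.endswith("\\authorizedapplications\\list"):
            for name, value in values.items():
                image = ntpath.basename(name).lower()
                if image in KNOWN_WORM_IMAGES and ":enabled:" in str(value).lower():
                    findings.append(f"firewall exception for {image}")
    return findings


# Constructed export: one benign Run entry alongside the entries described in this section.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Wind River Systems"="C:\\WINDOWS\\system32\\vxworks.exe"
"SunJava Updater v7"="C:\\WINDOWS\\system32\\javale.exe"
"VendorUpdater"="C:\\Program Files\\Vendor\\updater.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"=".zip;.rar;.cab;.txt;.exe;.reg;.msi"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\jvshed.exe"="C:\\WINDOWS\\system32\\jvshed.exe:*:Enabled:Explorer"
"""

if __name__ == "__main__":
    for finding in audit_registry(parse_reg_export(SAMPLE_EXPORT)):
        print(finding)
```

Because the worm may hide its keys with a rootkit on a live system, an export taken from a booted machine can be incomplete; exporting from a hive copied while the system is offline gives the auditor an honest view.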


3.2 Network activity
The worm initially attempts to test Internet connectivity before it tries to contact a predetermined remote computer to download additional files.

Downloading
The worm may contact the following remote locations to download files:
  • web1.servebbs.org
  • childhe.com/pas/apstpldr[REMOVED]
  • 213.133.110.21

We have observed the worm downloading copies of Trojan.Vundo, Trojan.Awax and W32.Mozipowp.

Uploading
N/A

Testing Internet connectivity
The worm tries to make contact with the following URL to test Internet connectivity and retrieve the host IP address:
whatismyip.com/automation/n09230945.asp

Redirecting Web requests
The worm may also redirect Internet access if the requested URL contains any of the following strings:
  • .google.
  • .yahoo.com
  • .bing.com
  • .live.com
  • .ask.com
  • .aol.com
  • .google-analytics.com
  • .yimg.com
  • upload.wikimedia.org
  • img.youtube.com
  • .powerset.com
  • .aolcdn.com
  • .blinkx.com
  • .atdmt.com
  • .othersonline.com
  • .yieldmanager.com
  • .fimserve.com
  • .everesttech.net
  • .doubleclick.net
  • .adrevolver.com
  • .tribalfusion.com
  • .adbureau.net
  • .abmr.net

The worm may prevent access to the following sites:
  • aladdin.com
  • authentium.com
  • avast.com
  • avg.com
  • avp.com
  • bitdefender.com
  • ca.com
  • customer.symantec.com
  • dispatch.mcafee.com
  • download.mcafee.com
  • eset.com
  • ewido.com
  • f-secure.com
  • free-av.com
  • global.ahnlab.com
  • grisoft.com
  • hispasec.com
  • ikarus-software.at
  • kaspersky-labs.com
  • kaspersky.com
  • liveupdate.symantec.com
  • liveupdate.symantecliveupdate.com
  • mast.mcafee.com
  • mcafee.com
  • my-etrust.com
  • nai.com
  • networkassociates.com
  • pandasecurity.com
  • quickheal.com
  • securityresponse.symantec.com
  • sophos.com
  • symantec.com
  • trendmicro.com
  • us.mcafee.com
  • virus-buster.com
  • viruslist.com
  • virustotal.com
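The download locations and the connectivity check listed in this section, turned into a proxy-log correlation as an added example that is not part of the original write-up: each client is tagged when it reaches an indicator, and clients that performed the connectivity check and then reached a download site are reported first. The log format, client addresses and timestamps are constructed; where the write-up marks the download path [REMOVED], the sample uses an obvious placeholder and the check matches on the known prefix only.

```python
"""Added example (not Symantec's code): match proxy log lines against the remote locations listed
above and rank clients by whether they ran the connectivity check before reaching a download site."""
import re
from collections import defaultdict
from typing import Optional
from urllib.parse import urlsplit

DOWNLOAD_HOSTS = {"web1.servebbs.org", "213.133.110.21"}
DOWNLOAD_URL_PREFIXES = ("childhe.com/pas/apstpldr",)  # path is truncated in the write-up, so prefix-match
CONNECTIVITY_CHECK = "whatismyip.com/automation/n09230945.asp"
# Constructed log format: time client method url status
LOG_LINE = re.compile(r"^(?P<time>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$")

SAMPLE_LOG = """\
2008-12-03T09:00:01 10.0.0.15 GET http://www.example.invalid/ 200
2008-12-03T09:00:07 10.0.0.15 GET http://whatismyip.com/automation/n09230945.asp 200
2008-12-03T09:00:09 10.0.0.15 GET http://web1.servebbs.org/PLACEHOLDER-PATH 200
2008-12-03T09:01:12 10.0.0.22 GET http://www.whatismyip.com/ 200
2008-12-03T09:02:40 10.0.0.31 GET http://childhe.com/pas/apstpldrPLACEHOLDER 200
2008-12-03T09:03:00 10.0.0.22 GET http://213.133.110.21/PLACEHOLDER-PATH 200
"""


def classify_url(url: str) -> Optional[str]:
    """'connectivity-check', 'download-site', or None for URLs that match no indicator."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    host_and_path = host + parts.path
    if host_and_path == CONNECTIVITY_CHECK:
        return "connectivity-check"
    if host in DOWNLOAD_HOSTS or host_and_path.startswith(DOWNLOAD_URL_PREFIXES):
        return "download-site"
    return None


def correlate(log_text: str) -> dict[str, dict[str, str]]:
    """{client: {stage: first matching URL}} for every client with at least one indicator hit."""
    hits: dict[str, dict[str, str]] = defaultdict(dict)
    for line in log_text.splitlines():
        match = LOG_LINE.match(line)
        if not match:
            continue
        stage = classify_url(match["url"])
        if stage and stage not in hits[match["client"]]:
            hits[match["client"]][stage] = match["url"]
    return dict(hits)


def likely_infected(log_text: str) -> list[str]:
    """Clients that ran the connectivity check and then reached a download site, sorted."""
    return sorted(client for client, stages in correlate(log_text).items()
                  if "connectivity-check" in stages and "download-site" in stages)


if __name__ == "__main__":
    for client, stages in correlate(SAMPLE_LOG).items():
        print(client, stages)
    print("likely infected:", likely_infected(SAMPLE_LOG))
```

A visit to the whatismyip.com front page is an ordinary user action and is deliberately not matched; only the exact automation URL the worm uses counts, which keeps the connectivity-check stage from swamping the report with browsing noise.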


3.3 Turning off security
To prolong its stay on a compromised computer, the worm attempts to disrupt the operation of security-related software. It tries to do this by performing the following actions:

  • Deleting files
  • Deleting registry subkeys and entries
  • Terminating processes and services
  • Manipulating the registry to allow it to bypass the firewall


Deleting files
The threat attempts to delete files associated with security software. See section 3.1 for details.

Deleting registry subkeys and entries
The threat attempts to delete registry keys used by various security software. Deleting these registry subkeys/entries may disrupt the normal operations of the affected software or prevent them from starting. See section 3.1 for details of what is deleted.

Terminating processes and services
The worm also tries to disrupt the operation of security software by attempting to stop certain services and processes. It searches the services and process lists for recognized names and will attempt to stop or delete them if found.

The worm attempts to delete services with the following names:
  • antivirscheduler
  • AntiVirSchedulerService
  • antivirservice
  • aswupdsv
  • avast! Antivirus
  • avast! Mail Scanner
  • avast! Web Scanner
  • avg8emc
  • AVG8_TRAY
  • AVP
  • BDAgent
  • bdss
  • CaCCProvSP
  • ccEvtMgr
  • ccproxy
  • ccpwdsvc
  • ccsetmgr
  • CAVRID
  • DrWebScheduler
  • Ehttpsrv
  • ekrn
  • Emproxy
  • ERSvc
  • egui
  • FPAVServer
  • F-PROT Antivirus Tray application
  • GWMSRV
  • ISTray
  • K7EmlPxy
  • K7RTScan
  • K7SystemTray
  • K7TSMngr
  • K7TSStart
  • LIVESRV
  • LiveUpdate Notice Service
  • liveupdate
  • MBAMService
  • McAfee HackerWatch Service
  • mcmisupdmgr
  • mcmscsvc
  • MCNASVC
  • mcODS
  • mcpromgr
  • mcproxy
  • mcredirector
  • mcshield
  • mcsysmon
  • MPFSERVICE
  • MPS9
  • msk80service
  • McENUI
  • MskAgentexe
  • navapsvc
  • Norton AntiVirus
  • npfmntor
  • nscservice
  • OfficeScanNT Monitor
  • PANDA SOFTWARE CONTROLLER
  • PAVFNSVR
  • PAVPRSRV
  • PAVSVR
  • PSHOST
  • PSIMSVC
  • PSKSVCRETAIL
  • RavTask
  • RSCCenter
  • RSRavMon
  • Savadminservice
  • SAVScan
  • Savservice
  • sbamsvc
  • scan
  • sdauxservice
  • sdcodeservice
  • sndsrvc
  • Sophos Agent
  • Sophos Autoupdate Service
  • Sophos Certification Manager
  • Sophos Management Service
  • Sophos Message Router
  • spbbcsvc
  • SUM
  • Symantec Core LC
  • SBAMTray
  • SCANINICIO
  • Spam Blocker for Outlook Express
  • SpamBlocker
  • SpIDerMail
  • ThreatFire
  • TPSRV
  • VSSERV
  • WerSvc
  • WinDefend
  • wscsvc
  • XCOMM

The worm attempts to end the following processes:
  • AlMon.exe
  • ALSvc.exe
  • APvxdwin.exe
  • ashdisp.exe
  • ashserv.exe
  • avcenter.exe
  • avciman.exe
  • AVENGINE.exe
  • avgcsrvx.exe
  • avgemc.exe
  • avgnt.exe
  • avgrsx.exe
  • avgtray.exe
  • avguard.exe
  • avgui.exe
  • avgwdsvc.exe
  • avp.exe
  • bdagent.exe
  • bdss.exe
  • CCenter.exe
  • ccsvchst.exe
  • drweb32w.exe
  • drwebupw.exe
  • egui.exe
  • ekrn.exe
  • emproxy.exe
  • FPAVServer.exe
  • FprotTray.exe
  • FPWin.exe
  • guardgui.exe
  • HWAPI.exe
  • iface.exe
  • isafe.exe
  • K7EmlPxy.exe
  • K7RTScan.exe
  • K7SysTry.exe
  • K7TSecurity.exe
  • K7TSMngr.exe
  • livesrv.exe
  • mbam.exe
  • mcagent.exe
  • mcmscsvc.exe
  • McNASvc.exe
  • mcods.exe
  • mcpromgr.exe
  • McProxy.exe
  • Mcshield.exe
  • mcsysmon.exe
  • mcvsshld.exe
  • MpfSrv.exe
  • mps.exe
  • mskagent.exe
  • msksrver.exe
  • NTRtScan.exe
  • Pavbckpt.exe
  • PavFnSvr.exe
  • PavPrSrv.exe
  • PAVSRV51.exe
  • pccnt.exe
  • PSCtrlS.exe
  • PShost.exe
  • PsIMSVC.exe
  • psksvc.exe
  • Rav.exe
  • RavMon.exe
  • RavmonD.exe
  • RavStub.exe
  • RavTask.exe
  • RedirSvc.exe
  • SavAdminService.exe
  • SavMain.exe
  • SavService.exe
  • sbamtray.exe
  • sbamui.exe
  • SbeConsole.exe
  • seccenter.exe
  • spidergui.exe
  • SrvLoad.exe
  • TmListen.exe
  • TPSRV.exe
  • vetmsg.exe
  • vsserv.exe
  • Webproxy.exe
  • xcommsvr.exe

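The service-stopping behaviour described in this section leaves a trace in the Windows System event log (Service Control Manager event 7036, "The X service entered the stopped state"). As an added example that is not part of the Symantec writeup, the Python below scans a constructed export of such events for a burst of targeted services stopping within a short window. The event export format, the window size and the threshold are assumptions; note that 7036 messages carry the service display name, so entries from the list above that are short service names would need their display-name form added.

```python
import re
from datetime import datetime, timedelta

# Subset of the services the writeup says the worm tries to stop or delete (lower-cased for matching).
TARGETED_SERVICES = {s.lower() for s in (
    "avast! Antivirus", "avast! Mail Scanner", "avast! Web Scanner", "AVP",
    "ccEvtMgr", "ekrn", "mcshield", "Norton AntiVirus", "WinDefend", "wscsvc")}

# Constructed System log export, one event per line: "<timestamp>\t<event id>\t<message>" (assumed format).
SAMPLE_EVENTS = """\
2008-12-03 14:02:10\t7036\tThe Print Spooler service entered the running state.
2008-12-03 14:05:31\t7036\tThe avast! Antivirus service entered the stopped state.
2008-12-03 14:05:32\t7036\tThe avast! Mail Scanner service entered the stopped state.
2008-12-03 14:05:32\t7036\tThe avast! Web Scanner service entered the stopped state.
2008-12-03 14:05:33\t7036\tThe Norton AntiVirus service entered the stopped state.
2008-12-03 14:05:40\t7036\tThe Print Spooler service entered the stopped state.
2008-12-03 16:40:00\t7036\tThe AVP service entered the stopped state.
"""

STOP_RE = re.compile(r"^The (.+) service entered the stopped state\.$")

def targeted_stops(events_text):
    """Return [(timestamp, service)] for 7036 stop events naming a targeted service, in log order."""
    out = []
    for line in events_text.splitlines():
        ts, event_id, msg = line.split("\t", 2)
        if event_id != "7036":
            continue
        m = STOP_RE.match(msg)
        if m and m.group(1).lower() in TARGETED_SERVICES:
            out.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), m.group(1)))
    return out

def find_kill_bursts(events_text, window=timedelta(seconds=60), min_count=3):
    """Group targeted stops that fall within `window` of the first stop in the group;
    return the service names of each group that reaches min_count (assumed thresholds)."""
    stops = targeted_stops(events_text)
    bursts, i = [], 0
    while i < len(stops):
        j = i
        while j + 1 < len(stops) and stops[j + 1][0] - stops[i][0] <= window:
            j += 1
        if j - i + 1 >= min_count:
            bursts.append([name for _, name in stops[i:j + 1]])
        i = j + 1  # a lone stop (like a routine restart) never forms a burst
    return bursts
```

A single targeted service stopping is normal during updates; several stopping within seconds, as in the sample, is the pattern worth alerting on.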

3.4 Additional functionality

Rootkit
Some variants of the worm may include rootkit functionality to hide its files and registry subkeys from the operating system.


Back door
Some variants of the worm may also open a back door so that a remote attacker can access and control the compromised computer at a later time.


Key logging
Some variants of the worm may include functionality to capture keystrokes entered by the user and store them at the location below. The collected data is retrieved through the back door functionality.
%Windir%\drm.ocx


Displaying messages and popups
Some variants of Ackantta may display messages or popup windows, such as a Christmas greeting, to trick users into believing that a benign file has just been executed.





4. ADDITIONAL INFORMATION
For more information relating to this threat family, please see the following resources:


Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have fewer avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.
Writeup By: Hon Lau
