
HTTP W32.Mixor Worm Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects W32.Mixor worm activity, which could result in the downloading and installation of worm updates.

Additional Information

Once executed, the worm copies itself as one of the following files:

* %System%\ppl.exe
* %System%\alsys.exe
* %System%\taskdir.exe
* %System%\adir.dll
* %System%\adirss.exe


It then drops the following file, which may be a copy of Trojan.Galapoper.A (MCID 7483) or Trojan.Peacomm (MCID 9802):
%CurrentFolder%\[7 RANDOM CHARACTERS].exe

The worm also copies itself as [RANDOM CHARACTERS].t into folders containing .exe and .scr files. It also infects .exe and .scr files in folders containing [RANDOM CHARACTERS].t.

It creates the following files:

* %System%\svcp.csv
* %System%\winsub.xml


The worm creates the following registry entries so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Agent" = "%System%\ppl.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Agent" = "%System%\ppl.exe"

or

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Agent" = "%System%\alsys.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Agent" = "%System%\alsys.exe"

The worm also adds the following registry entries so that it executes whenever Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"taskdir" = "%System%\taskdir.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"adir" = "%System%\adirss.exe"

The worm modifies the following registry entry to disable the Shared Access service:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\"Start" = "4"

The worm ends security-related processes whose window title contains one of the following strings:

* anti
* avg
* avp
* blackice
* f-pro
* firewall
* hijack
* lockdown
* mcafee
* msconfig
* nav
* nod32
* rav
* reged
* Registry Editor
* spybot
* taskmgr
* troja
* viru
* vsmon
* zonea


The worm then downloads an encrypted configuration file from the following location:
[http://]81.177.3.92/cntr[REMOVED]

The above configuration file further instructs it to download and execute various components from the following locations:

* [http://]81.177.3.169/dir/game[REMOVED]
* [http://]81.177.3.169/dir/game[REMOVED]
* [http://]81.177.3.169/dir/game[REMOVED]
* [http://]81.177.3.169/dir/game[REMOVED]


The worm then gathers email addresses from the Windows Address Book by checking the file linked to the following registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4\Wab File Name

The worm also gathers email addresses from files with the following extensions on all fixed drives:

* .htm
* .txt
* .hta


The worm avoids sending emails to the following domains:

* .mil
* .gov


Next, the worm gathers email addresses from the following file types:

* .adb
* .asp
* .cfg
* .cgi
* .dat
* .dbx
* .dhtm
* .eml
* .htm
* .jsp
* .lst
* .mbx
* .mdx
* .mht
* .mmf
* .msg
* .nch
* .ods
* .oft
* .php
* .pl
* .sht
* .shtm
* .stm
* .tbb
* .txt
* .uin
* .wab
* .wsh
* .xls
* .xml


While gathering email addresses from the above file types, the worm disregards email addresses that contain any of the following strings:

* @avp.
* @foo
* @iana
* @messagelab
* @microsoft
* abuse
* admin
* anyone@
* bsd
* bugs@
* cafee
* certific
* contract@
* f-secur
* feste
* free-av
* gold-certs@
* google
* help@
* icrosoft
* info@
* kasp
* linux
* listserv
* local
* news
* nobody@
* noone@
* noreply
* ntivi
* panda
* pgp
* postmaster@
* rating@
* root@
* samples
* sopho
* spam
* support
* unix
* update
* winrar
* winzip


The worm then posts the above email addresses to the following location:
81.177.26.26\1.jpg

Next, the worm may be instructed to send infected messages to a number of email addresses using its own SMTP engine. The email may have the following characteristics:

From:
The From address is spoofed.

Subject:
One of the following:

* 5 Reasons I Love You
* A Bouquet of Love
* A Day in Bed Coupon
* A Hug & Roses
* A Kiss for You
* A Kiss So Gentle
* A Little (sex) Card
* A Monkey Rose for You
* A Red Hot Kiss
* A Relaxing Coupon
* A Romantic Place
* A Song to You
* A Special Flower for You
* A Special Kiss
* A Sweet Love
* A Token of My Love
* A Weekend Getaway
* Against All Odds
* All For You
* All That Matters
* Angel of Love
* Annual Fun Forecast!
* Awaiting Your Love
* Baby New Year!
* Baby, I'll Be There
* Back Together
* Best Wishes For A Happy New Year!
* Between Us
* Bewitching Moonlight
* Brand New Love
* Breakfast in Bed Coupon
* Bubble Bath Coupon
* Can't Wait to See You!
* Crazy way to say I Luv U
* Cuddle Me Please
* Cuddle Up
* Cyber Love
* Dancing With You
* Dinner Coupon
* Doing It for You
* Dream Date Coupon
* Dream Girl
* Emptiness Inside Me
* Eternity of Your Love
* Evening Romance
* Every Inch of Your Body
* Everyone Needs Someone
* Falling In Love with You
* Feeling Horny?
* Fields Of Love
* For Better of For Worse
* For You
* For You....My Love
* Forever and Ever
* Forever in Love
* From this day forward
* Full Heart
* Fun 2007!
* Hand in Hand
* Happiness And Continued Success!
* Happiness In Everything!
* Happy New Year!
* Happy Times And Happy Memories!
* He Blessed Our Lives
* Heart is Breaking
* Heart of Mine
* Hey Cutie
* Hold Me (distant love)
* Hold On
* How Much I Love You
* Hugging My Pillow
* I Always Knew
* I am Complete
* I Am Lost In You
* I Believe
* I Can't Function
* I Dream of you
* I Give to You
* I Love Thee
* I Love You Mower
* I Love You Soo Much
* I Love You So
* I Love You with All I Am
* I Still Love You
* I Think of You
* I Win with You
* I wish
* I Woof You
* I Would Do Anything
* I Would Give you Anything
* I'll Be Your Man
* If I Could
* If I Knew
* In Love
* In My Heart
* Inside My Heart
* Internet Love
* It's Your Move
* Just You & Me
* Just You
* Kiss Coupon
* Kisses, Hugs & Roses
* Last Night was Hot!
* Let's Get Frisky
* Live With Me
* Longing for You
* Love at First Sight
* Love Birds
* Love for Granted
* Love is in the Air
* Love Remains
* Love You Deeply
* Made for Each Other
* Magic of Flowers
* Massage Coupon
* Memories
* Miracle of Love
* Moonlit Waterfall
* Most Beautiful Girl
* My Eye on You
* My Heart belongs to you
* My Heart is Thinking
* My Invitation
* My Love
* My Perfect Love
* New Year... Happy Year!
* Now and Forever
* Now I Know
* Old Together
* Only You
* Our Love Everyday
* Our Love is Free
* Our Love
* Our Love is Strong
* Our love is torn by miles
* Our Love Nest
* Our Love Will Last
* Our Two Hearts
* Our Wedding Day
* P.M.S
* Passionate Kiss
* Peek-A-Boo
* Pockets of Love
* Promises Of Happy Times!
* Puppy Love
* Raising A Toast To Happy Times!
* Red Rose
* Romantic Picnic Coupon
* Rose for my Love
* Safe and Sound
* Safe With You
* Scale Greater Heights!
* Search for One
* Sending Kiss
* Sending You My Love
* Showers Of Love
* So in Love
* So Unique
* Solitary Beauty
* Someone at Last
* Soul Mates
* Soul Partners
* Sparkling Happiness And Good Times!
* Steamy Dream
* Steamy Sex Coupon
* Summer Love
* Take My Hand
* Teddy Bear & Roses
* Tender Whispers
* Thanks...Love
* That Special Love
* The Candle's Light
* The Dance of Love
* The Kiss
* The Letter
* The Long Haul
* The Love Bugs
* The Miracle of Love
* The Mood for Love
* The Sweet Taste of Love
* The Time for Love
* Thinking about you
* Thinking of You
* This Day Forward
* This Feeling
* Til the End of Time
* Till Morning's Light
* Till Morninig's Light
* Times Are Hard, I Luv U
* To New Spouse
* Together Again
* Together You and I
* Touched by Love
* True Love
* Trunk Full Of Love
* Twice Blest
* Twilight Paradise
* Two of a Kind
* Unique Love
* Unmatchable Beauty
* Until the Day
* Vacation Love
* Waiting for You
* Want to Meet?
* Want You to Know
* Warm New Year Hug!
* Warmest Wishes For New Year!
* We Are Different
* We Have Walked
* We're a Perfect Fit
* When I look at you
* When I'm With You
* When You Fall in Love
* Why I Love You
* Wild Nights--Wild Nights
* Will You?
* Window of Beauty
* Wine and Roses
* Wish I Could Tell You
* Wish Upon a Star
* With All My Love
* With All of My Heart
* With This Ring
* Without Your Love
* Won't you dance with me
* Words I Write
* Worthy of You
* Wrapped in Your Arms
* Wrapped Up
* You + Me
* You and I
* You and I Forever
* You Are My Guiding Star
* You are out of this world
* You Asked Me Why
* You Brighten My Day
* You Lucky Duck!
* You Rock Me!
* You Were Worth the Wait
* You're My Hero
* You're so Far Away
* You're Soo kissable
* You're the One
* Your Love Has Opened
* Your Silly Smile


Message body:
[BLANK]

Attachment:
One of the following:

* Flash Postcard.exe
* flashpostcard.exe
* Greeting Card.exe
* greeting postcard.exe
* greetingcard.exe
* greetingpostcard.exe
* postcard.exe

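As an added defender-side example (not Symantec's signature logic and not part of the original writeup), the function below triages one raw message against the lure traits listed above: a subject from the worm's list (a subset of the subjects is embedded), a blank body, and an attachment carrying one of the listed names. The spoofed From address cannot be verified offline, so it is not checked. The sample message is constructed for the test, not a real capture.

```python
import email
from email import policy

# Subset of the subject lines and the full attachment-name list from the
# writeup above; matching is case-insensitive.
MIXOR_SUBJECTS = {s.lower() for s in (
    "5 Reasons I Love You", "A Kiss for You", "Happy New Year!", "Fun 2007!",
    "I Love You Soo Much", "Till Morninig's Light", "Your Silly Smile",
)}
MIXOR_ATTACHMENTS = {
    "flash postcard.exe", "flashpostcard.exe", "greeting card.exe",
    "greeting postcard.exe", "greetingcard.exe", "greetingpostcard.exe",
    "postcard.exe",
}

def mixor_indicators(raw):
    """Return the W32.Mixor lure traits present in one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = str(msg["Subject"] or "").strip().lower()
    if subject in MIXOR_SUBJECTS:
        hits.append("subject:" + subject)
    # The writeup gives the message body as [BLANK].
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is None or not body.get_content().strip():
        hits.append("body:blank")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in MIXOR_ATTACHMENTS:
            hits.append("attachment:" + name)
    return hits

def is_mixor_lure(raw):
    """True only when subject, blank body and attachment name all match."""
    kinds = {h.split(":", 1)[0] for h in mixor_indicators(raw)}
    return kinds == {"subject", "body", "attachment"}

def build_sample(subject, attachment_name, body=""):
    """Constructed test message (not a real capture); 'TVo=' is a placeholder payload."""
    return (
        "From: spoofed-sender@example.invalid\r\n"
        "To: recipient@example.invalid\r\n"
        f"Subject: {subject}\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
        "--b1\r\nContent-Type: text/plain\r\n\r\n" + body + "\r\n"
        "--b1\r\nContent-Type: application/octet-stream\r\n"
        f'Content-Disposition: attachment; filename="{attachment_name}"\r\n'
        "Content-Transfer-Encoding: base64\r\n\r\nTVo=\r\n--b1--\r\n"
    ).encode()
```

Extend `MIXOR_SUBJECTS` with the remaining subjects from the list above before using this against real mail flow.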
Affected

* Windows

Response

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan.
4. Delete any values added to the registry.
5. Re-enable the SharedAccess service (Windows 2000/XP only).