
HTTP W32 Looksky Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects W32.Looksky activity communicating and requesting information from its controlling server.

Additional Information

When W32.Looksky.E@mm is executed, it performs the following actions:

1. Copies itself as the following files:

* %Windir%\sachostx.exe
* %CurrentFolder%\temp.bak

Note:
* %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).
* %CurrentFolder% is a variable that refers to the folder where the risk was originally executed.

2. Drops the following additional files:

* %System%\attrib.ini (A file to store stolen information.)
* %System%\hard.lck (A zero-byte file that is not malicious.)
* %System%\msvcrl.dll (A keylogger component.)
* %System%\sachostb.exe (A back door component.)
* %System%\sachostc.exe (A proxy server.)
* %System%\sachostp.exe (A component which steals confidential information, such as email user names and passwords, and saves the information in the file %System%\attrib.ini.)
* %System%\sachosts.exe (An HTTP proxy server.)
* %System%\sachostw.exe (The worm's mass-mailer component.)

Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

3. Adds the value:

"HostSrv" = "%Windir%\sachostx.exe..."

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that it runs every time Windows starts.

4. Runs netsh.exe with the following syntax, once for each of the above files, in an attempt to bypass the firewall settings on the compromised computer:

netsh firewall set allowedprogram [WORM FILE NAME] enable

5. Adds the following values:

"%System%\sachostw.exe" = "%System%\sachostw.exe:*:Enabled:enable"
"%System%\sachostc.exe" = "%System%\sachostc.exe:*:Enabled:enable"
"%System%\sachostb.exe" = "%System%\sachostb.exe:*:Enabled:enable"
"%System%\sachosts.exe" = "%System%\sachosts.exe:*:Enabled:enable"
"%System%\sachostp.exe" = "%System%\sachostp.exe:*:Enabled:enable"
"%System%\sachostx.exe" = "%System%\sachostx.exe:*:Enabled:enable"

to the following subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

to modify the firewall settings.

6. May attempt to steal information, log keystrokes, and execute commands from a remote attacker.

7. Updates itself by downloading the following file to the temporary folder using a random file name beginning with tmx:

[http://]proxy4u.ws:8080/[REMOVED]/download.exe

8. Posts local system information to the following location:

[http://]proxy4u.ws/[REMOVED]

9. Gathers email addresses from the Windows Address Book and .htm files. It then sends out a copy of the worm as an email attachment. The email has the following characteristics:

Subject: Your mail Account is Suspended

Message Body:

We regret to inform you that your account has been suspended due to the violation of our site policy, more info is attached.

Attachment: acc_info1.exe

Affected

  • Microsoft Windows

Response

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan and delete all the files detected.
4. Delete any values added to the registry.
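The following PowerShell script is an added example, not Symantec's tool or part of the original advisory. It turns the host artifacts listed under Additional Information (the dropped sachost* files, the "HostSrv" Run value and the Windows Firewall authorized-application entries) into a local audit, and with the -Remediate switch it performs step 4 of the Response section by deleting the matching registry values. The file names, value name and registry paths are taken from the advisory; the script's own variable and switch names are assumptions, and files are reported rather than deleted because the advisory leaves file removal to a full antivirus scan.

```powershell
# Added example (not part of the Symantec advisory): audit a host for the
# W32.Looksky.E@mm artifacts listed above and optionally remove the
# registry entries it adds. Run in an elevated PowerShell session.
param(
    [switch]$Remediate   # assumed switch name: delete matching registry values after reporting
)

$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$fwList = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$system = [Environment]::GetFolderPath('System')   # resolves %System% for this OS
$windir = $env:windir                               # resolves %Windir%

# Files the advisory says the worm copies or drops (%CurrentFolder%\temp.bak is
# omitted because the original execution folder is not known to an auditor).
$droppedFiles = @(
    (Join-Path $windir 'sachostx.exe'),
    (Join-Path $system 'attrib.ini'),
    (Join-Path $system 'hard.lck'),
    (Join-Path $system 'msvcrl.dll'),
    (Join-Path $system 'sachostb.exe'),
    (Join-Path $system 'sachostc.exe'),
    (Join-Path $system 'sachostp.exe'),
    (Join-Path $system 'sachosts.exe'),
    (Join-Path $system 'sachostw.exe')
)

$findings = @()

# 1. Dropped files: report presence and size, leave removal to the AV scan.
foreach ($f in $droppedFiles) {
    if (Test-Path -LiteralPath $f) {
        $findings += [pscustomobject]@{
            Type = 'File'; Location = $f; Detail = (Get-Item -LiteralPath $f).Length
        }
    }
}

# 2. Run-key persistence: the advisory's "HostSrv" value, or any value whose
#    data points at a sachost?.exe binary.
if (Test-Path $runKey) {
    $run = Get-ItemProperty -Path $runKey
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -eq 'HostSrv' -or ($p.Value -is [string] -and $p.Value -match 'sachost[a-z]\.exe')) {
            $findings += [pscustomobject]@{
                Type = 'RunKey'; Location = "$runKey\$($p.Name)"; Detail = $p.Value
            }
            if ($Remediate) { Remove-ItemProperty -Path $runKey -Name $p.Name }
        }
    }
}

# 3. Windows Firewall authorized-application list: each value is named after the
#    program path and holds "path:*:Enabled:name", as shown in the advisory.
if (Test-Path $fwList) {
    $list = Get-ItemProperty -Path $fwList
    foreach ($p in $list.PSObject.Properties) {
        if ($p.Name -match 'sachost[a-z]\.exe$') {
            $findings += [pscustomobject]@{
                Type = 'FirewallAllow'; Location = $p.Name; Detail = $p.Value
            }
            if ($Remediate) { Remove-ItemProperty -Path $fwList -Name $p.Name }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32.Looksky artifacts found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it first without -Remediate to see what is present; the firewall list and Run key are checked by value name and data rather than by file existence, so entries left behind after the files have been cleaned are still reported and can be removed on a second pass with -Remediate.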
