HTTP W32 Relfeer Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects W32.Relfeer communicating with, and requesting information from, its controlling server.

Additional Information

When the worm executes, it drops and opens the following file:
%Temp%\PrgStart\[WORM FILE NAME].ppt

Next, the worm may create copies of itself with several of the following filenames:

* C:\WINDOWS\reloc32.exe
* C:\WINDOWS\system32\updates.exe
* C:\WINDOWS\system32\wandrv.exe
* C:\WINDOWS\system32\WAN_DR.ULD
* C:\WINDOWS\svhst32.exe
* %Temp%\config_.exe
* %Temp%\sysutil.exe
* %Start Menu%\Programs\Startup\[WORM FILE NAME].exe

The worm may also copy itself to file-sharing application folders using some of the following filenames:

* 21st Century Christmas - Cliff Richard_(self_extracting).exe
* A Moment like this - Leona Lewis_(self_extracting).exe
* A Movin' Movin' Train - Aaron Schroeder_(self_extracting).exe
* A Tried And Tested Method - The Longcut_(self_extracting).exe
* A Whole new World - Katie Price & Peter Andre_(self_extracting).exe
* Accident and Emergency - Patrick Wolf_(self_extracting).exe
* Adventure Rocket Ship - Robyn Hitchcock & The Venus 3_(self_extracting).exe
* Ahab - MC Lars_(self_extracting).exe
* Ain't It Strange - Dr. Dog_(self_extracting).exe
* All Fires - Swan Lake_(self_extracting).exe
* All good Things (Come to an End) - Nelly Furtado_(self_extracting).exe
* All the World is Waiting - Elf Power_(self_extracting).exe
* Always For You - The Album Leaf_(self_extracting).exe
* Always mine - The Morning After Girls_(self_extracting).exe
* Bush_LOH.exe
* Condalisa_Rise_porno.exe
* cooldemo.exe
* cool_mobile.exe
* demo_my_porno.exe
* do_not_copy_my.exe
* erotic_demo.exe
* GIRL_on_mobile.exe
* house_porno_demo.exe
* megasex.exe
* mega_porno_demo.exe
* mobile_demo.exe
* motorola_patch.exe
* new_mobile.exe
* new_motorola.exe
* new_nokia.exe
* new_samsung.exe
* new_siemens.exe
* new_SonyEricsson.exe
* nokia_patch.exe
* porno_demo.exe
* samsung_patch.exe
* sexy_girls_demo.exe
* siemens_patch.exe
* SonyEricsson_patch.exe
* white_house_porno_demo.exe

Next, the worm creates the following registry entries so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\"Memory relocation service" = "C:\WINDOWS\reloc32.exe -rs"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\"Install part II" = "C:\WINDOWS\system32\updates.exe -o"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"Microsoft Server Process" = "C:\WINDOWS\svhst32.exe -a"

The worm then checks for an Internet connection by trying to access the following location:
www.google.de

The worm may download and execute files via HTTP from the following locations:

* idalpi.freehostia.com
* iggywal.bravehost.com
* danubia.da.ohost.de
* dennis483.de.funpic.de
* joshua2219.awardspace.com
* benny329.byethost33.com
* gavrinis.ga.ohost.de
* gravito.gr.funpic.de
* leosch10.madpage.com
* ibrahi5834.0catch.com
* ida2219.0catch.com
* igor28.0catch.com

The worm may also download one or more files via FTP from the following hosts:

* ftp.0catch.com
* renaldo241.0catch.com
* ws6.100ws.com
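The registry autostart values and the download hosts above are the indicators a responder can actually hunt for. The following Python script is an added example, not part of the Symantec write-up and not the logic of the signature itself: it checks a web-proxy log for connections to the listed HTTP and FTP hosts and walks a .reg export of the Run keys for the three persistence values. The proxy record format and the sample log and .reg lines are constructed for the example; the host names, key paths and executable paths are the ones given on this page.

```python
"""Hunt for the W32.Relfeer indicators listed above in two artefacts a
responder typically has: a web-proxy log and a .reg export of the Run keys.

Added example: this is not Symantec's signature logic. The host names,
registry keys and executable paths are the ones in the write-up; the log
records and .reg lines below are constructed sample input.
"""
import re
from urllib.parse import urlsplit

# HTTP download hosts from the write-up.
HTTP_C2_HOSTS = frozenset({
    "idalpi.freehostia.com", "iggywal.bravehost.com", "danubia.da.ohost.de",
    "dennis483.de.funpic.de", "joshua2219.awardspace.com",
    "benny329.byethost33.com", "gavrinis.ga.ohost.de", "gravito.gr.funpic.de",
    "leosch10.madpage.com", "ibrahi5834.0catch.com", "ida2219.0catch.com",
    "igor28.0catch.com",
})
# FTP download hosts from the write-up.
FTP_C2_HOSTS = frozenset({"ftp.0catch.com", "renaldo241.0catch.com", "ws6.100ws.com"})
# www.google.de is deliberately not an indicator: the worm uses it only as a
# connectivity check, and matching it would flag every normal user.

# Autostart values from the write-up: (key path, value name) -> executable the
# value data should reference. Everything is lower-cased because the registry
# is case-insensitive and the page itself spells "SOFTWARE"/"Software" both ways.
REG_IOCS = {
    (r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
     "memory relocation service"): r"c:\windows\reloc32.exe",
    (r"hkey_local_machine\software\microsoft\windows\currentversion\runonce",
     "install part ii"): r"c:\windows\system32\updates.exe",
    (r"hkey_local_machine\software\microsoft\windows\currentversion\run",
     "microsoft server process"): r"c:\windows\svhst32.exe",
}


def scan_proxy_log(lines):
    """Return (client_ip, scheme, host) for every record whose destination is
    a listed download host. Constructed record format (an assumption):
    '<timestamp> <client_ip> <method> <url> <status>'."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed record: skip it rather than abort the scan
        client, url = fields[1], fields[3]
        parts = urlsplit(url)
        host = parts.hostname  # lower-cased, port stripped, None if no netloc
        if host is None:
            continue
        if host in HTTP_C2_HOSTS or host in FTP_C2_HOSTS:
            hits.append((client, parts.scheme.lower(), host))
    return hits


_REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def scan_reg_export(lines):
    """Walk a .reg export and return (key, value name, data) for each
    autostart value matching REG_IOCS. .reg files escape backslashes and
    quotes inside string data, so that escaping is undone before comparing."""
    hits = []
    key = None
    for raw in lines:
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()  # start of a new key section
            continue
        match = _REG_VALUE.match(line)
        if match is None or key is None:
            continue
        name = match.group("name").lower()
        data = match.group("data").replace("\\\\", "\\").replace('\\"', '"').lower()
        expected_exe = REG_IOCS.get((key, name))
        if expected_exe is not None and expected_exe in data:
            hits.append((key, name, data))
    return hits


# Constructed sample input: one infected client, one clean client, one junk line.
SAMPLE_PROXY_LOG = [
    "2009-03-02T10:15:01Z 10.0.0.12 GET http://www.google.de/ 200",
    "2009-03-02T10:15:03Z 10.0.0.12 GET http://IDALPI.freehostia.com:80/dl/updates.exe 200",
    "2009-03-02T10:15:09Z 10.0.0.12 GET ftp://ws6.100ws.com/WAN_DR.ULD 226",
    "2009-03-02T10:16:00Z 10.0.0.40 GET http://example.com/index.html 200",
    "not a log record",
]
SAMPLE_REG_EXPORT = [
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]",
    r'"Microsoft Server Process"="C:\\WINDOWS\\svhst32.exe -a"',
    r'"VendorUpdater"="C:\\Program Files\\Vendor\\updater.exe"',
    r"[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]",
    r'"Install part II"="C:\\WINDOWS\\system32\\updates.exe -o"',
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("network IoC:", hit)
    for hit in scan_reg_export(SAMPLE_REG_EXPORT):
        print("registry IoC:", hit)
```

Matching is done on the host name rather than on the full URL because the file names the worm fetches are not stated on the page and may vary, and on the registry value's key path and name together with the executable path rather than on the exact data string, so that a variant launched with a different command-line switch is still caught. Both functions return their findings rather than only printing them, which makes it easy to feed the results into a ticket or a SIEM.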

Affected

  • Windows 2000
  • Windows 95
  • Windows 98
  • Windows Me
  • Windows NT
  • Windows Server 2003
  • Windows XP

Response

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan.
4. Delete any values added to the registry.
