
HTTP Worm W32.PYKSPA.D

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects the traffic generated when W32.Pykspa.D infects a user who clicks a link in an IM message sent by the worm.

Additional Information

When W32.Pykspa.D runs, it displays the %Windir%\Soap Bubbles.bmp graphic file, if it already exists on the compromised computer.

The worm creates the following mutex so that only one instance of the worm runs at a time:
pyksp2.0.0.3gM-2oo8&-825190

It then copies itself to the following files:

* %System%\mshtmldat32.exe
* %System%\sdrivew32.exe
* %System%\winlgcvers.exe
* %System%\wndrivs32.exe
The worm creates the following registry entries so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\"Services Start" = "mshtmldat32.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Windows Sys" = "explorer.exe mshtmldat32.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Logon Settings" = "mshtmldat32.exe"

It then modifies the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"Policies Options" = "6D 00"

The worm also creates the following subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\RMX\cfg

The worm then terminates any processes it finds with the following names:

The worm modifies the hosts file by creating random IP addresses for each of the server entries listed below, effectively disabling access to the following security-related sites:

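An added example, not part of the Symantec write-up, that audits a hosts file for the tampering pattern described above: it flags listed security-vendor names mapped to anything other than a loopback or null address (the worm uses random routable addresses, while legitimate ad-blocking entries use 127.0.0.1 or 0.0.0.0) and returns a cleaned copy. The watched domains are a subset of the sites the advisory lists, and the sample hosts content is constructed with RFC 5737 test addresses.

```python
import ipaddress

# Subset of the domains the advisory says the worm redirects. A hostname matches
# if it equals a listed domain or ends with "." + that domain, which also covers
# numbered hosts such as updates3.kaspersky-labs.com.
WATCHED_DOMAINS = (
    "symantec.com", "kaspersky-labs.com", "kaspersky.com", "mcafee.com",
    "avast.com", "eset.com", "drweb.com", "microsoft.com", "virustotal.com",
)

# Addresses that legitimately appear in hosts files as "block this name" entries;
# the worm instead points names at random routable addresses, so these are not flagged.
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1", "::"}

def _is_watched(hostname):
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in WATCHED_DOMAINS)

def audit_hosts(hosts_text):
    """Return (findings, cleaned_text).

    findings: list of (line_no, ip, hostname) for watched names mapped to a
    non-sinkhole address. cleaned_text: hosts_text with those lines removed.
    """
    findings, kept = [], []
    for line_no, raw in enumerate(hosts_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        tampered = False
        if len(fields) >= 2:
            try:
                addr = ipaddress.ip_address(fields[0])
            except ValueError:
                addr = None                     # malformed line: leave it alone
            if addr is not None and str(addr) not in SINKHOLE_ADDRS:
                for name in fields[1:]:
                    if _is_watched(name):
                        findings.append((line_no, fields[0], name))
                        tampered = True
        if not tampered:
            kept.append(raw)
    return findings, "\n".join(kept) + ("\n" if hosts_text.endswith("\n") else "")

# Constructed sample (not a real capture): two benign lines plus three tampered ones.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
0.0.0.0         ads.example.net          # ad-block style entry: benign
203.0.113.45    liveupdate.symantec.com  www.liveupdate.symantec.com
198.51.100.7    updates3.kaspersky-labs.com
203.0.113.9     windowsupdate.microsoft.com
"""

if __name__ == "__main__":
    for line_no, ip, name in audit_hosts(SAMPLE_HOSTS)[0]:
        print(f"line {line_no}: {name} -> {ip}")
```

On a live Windows host the same function can be run over the contents of %SystemRoot%\System32\drivers\etc\hosts, and the cleaned text written back once the findings have been reviewed.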
The worm then accesses the list of Skype contacts and sends a chat message to each contact. The worm checks the language settings of the Skype client and is capable of sending chat messages in different languages. The messages take one of the following forms:

* :S
* (devil)
* (happy)
* (mm) kaip as taves noriu
* (rofl)
* a ?
* as net nezinau ka tavo vietoj daryciau.
* cia biski su photoshopu pazaidziau bet bet irgi gerai atrodai :D
* cia tu isimetei ?
* esi?
* haha lol
* hey
* how are u ? :)
* I used photoshop and edited it
* kas cia tavim taip isderge ? =]]
* labas
* look
* look what crazy photo Tiffany sent to me,looks cool
* matai :D
* now u populr
* oh sry not for u
* oops sorry please don't look there :S
* ops
* pala biski
* patinka?
* really funny
* sky
* this (happy) sexy one
* u happy ?
* vgeras ane ?
* what ur friend name wich is in photo ?
* where I put ur photo :D
* you checked ?
* your photos looks realy nice
* zek kur tavo foto metos isdergta
* ziurek kur tavo foto imeciau :D


Note: At the time of writing, Latvian, Russian, and English have been observed.

The chat message includes one of the following links, which point to a copy of the worm:
[http://]www.myimagespace.net/erotic-gallerys/usr5d8c/dsc02[REMOVED]
[http://]www.fakme.org/erotic-gallerys/usr5d8c/dsc02[REMOVED]

If a user clicks the link above, the worm downloads a copy of itself to the compromised computer.

The worm then saves the downloaded file as the following file:
%System%\drnnctop.exe - detected as Infostealer

It attempts to copy itself as the following file:
zjbs.exe

The worm then attempts to copy itself to any removable drives it finds under the following name:
game.exe

The worm then creates an autorun.inf file in the same directory so that the copy of the worm is launched when the drive is accessed:
[REMOVABLE DRIVE LETTER]:\game.exe
[REMOVABLE DRIVE LETTER]:\autorun.inf

Affected

  • All Microsoft Windows