
System Infected: W32.Svich Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects network traffic generated by W32.Svich, which could lead to further infection of the affected system.

Additional Information

When the worm executes, it creates the following files:
%System%\autorun.ini
%System%\SSVICHOSST.exe
%Windir%\Tasks\At1.job
%Windir%\SSVICHOSST.exe
[DRIVE LETTER]:\New Folder.exe
[DRIVE LETTER]:\SSVICHOSST.exe


It also creates the following file so that it executes whenever the drive is accessed:
[DRIVE LETTER]:\autorun.inf

Next, the worm creates the following registry entries so that it executes whenever Windows starts:
HKEY_ALL_USERS\Software\Microsoft\Windows\CurrentVersion\Run\"Yahoo Messengger" = "C:\WINDOWS\system32\SSVICHOSST.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "Explorer.exe SSVICHOSST.exe"

It then modifies the following registry entries, which disable Task Manager, Registry Editor and the Folder Options dialog so the user cannot easily find or remove the worm:
HKEY_ALL_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableTaskMgr" = "1"
HKEY_ALL_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableRegistryTools" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoFolderOptions" = "1"

The worm also uses the following command to schedule the threat to run every day at 09:00 (this is what creates the At1.job file listed above):
AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\WINDOWS\system32\SSVICHOSST.exe
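The Run value, the Winlogon Shell hijack and the three policy lockdowns above are what a responder checks first on a suspected host. The following is an added example, not Symantec's code and not the signature itself: it parses the text that `reg export` writes and applies three rules drawn from this write-up, flagging a Winlogon Shell value that launches anything besides explorer.exe, a Run value whose target is SSVICHOSST.exe, and the policy values that disable Task Manager, Registry Editor and Folder Options. The sample export is constructed; the OneDrive and Userinit entries are benign decoys, and HKEY_CURRENT_USER stands in for the per-user hive the write-up abbreviates as HKEY_ALL_USERS.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of a "reg export" text file, populated with the
# values this write-up lists plus two benign entries. Not a real capture.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Yahoo Messengger"="C:\\WINDOWS\\system32\\SSVICHOSST.exe"
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe SSVICHOSST.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000001
'''

# File name the write-up attributes to the worm (compared case-insensitively).
WORM_BINARIES = {"ssvichosst.exe"}

# Policy values the worm sets to 1, keyed by the tail of the registry path.
LOCKDOWN_POLICIES = {
    r"\policies\system": {"disabletaskmgr", "disableregistrytools"},
    r"\policies\explorer": {"nofolderoptions"},
}


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of .reg syntax 'reg export' emits: [key] headers,
    quoted REG_SZ values and dword values. Returns {key: {name: data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if not m or current is None:
            continue
        name = m.group(1).replace('\\"', '"').replace("\\\\", "\\")
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            # .reg files escape backslashes and quotes inside string data.
            data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        elif data.lower().startswith("dword:"):
            data = str(int(data[6:], 16))
        keys[current][name] = data
    return keys


def triage(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Apply the three rules. Returns (rule, key\\name, data) per finding."""
    findings: List[Tuple[str, str, str]] = []
    for key, values in keys.items():
        k = key.lower()
        for name, data in values.items():
            n = name.lower()
            # Crude tokenisation: file names of every whitespace-separated token.
            # Quoted paths containing spaces would need a real command-line parser.
            basenames = {t.strip('"').rsplit("\\", 1)[-1].lower() for t in data.split()}
            if k.endswith(r"\winlogon") and n == "shell":
                # A clean Shell value is exactly explorer.exe; any extra token is a
                # program Winlogon will start alongside the desktop.
                if basenames - {"explorer.exe"}:
                    findings.append(("winlogon-shell-hijack", f"{key}\\{name}", data))
            elif k.endswith(r"\currentversion\run") and basenames & WORM_BINARIES:
                findings.append(("run-key-worm-binary", f"{key}\\{name}", data))
            for suffix, names in LOCKDOWN_POLICIES.items():
                if k.endswith(suffix) and n in names and data == "1":
                    findings.append(("policy-lockdown", f"{key}\\{name}", data))
    return findings


if __name__ == "__main__":
    for rule, where, data in triage(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{rule:24} {where} = {data}")
```

On a live host, feed it the output of `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion" run.reg` and the equivalent exports of the Winlogon and Policies keys; the Shell rule is worth keeping even after the worm is cleaned, since any second token in that value is a persistence mechanism regardless of name.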

Next, the worm attempts to download the following configuration files:
[http://]nhatquanglan3.t35.com/setti[REMOVED]
[http://]nhatquanglan3.t35.com/setti[REMOVED]
[http://]nhatquanglan4.t35.com/setti[REMOVED]
[http://]nhatquanglan4.t35.com/setti[REMOVED]

It stores the downloaded configuration in the following location:
%System%\setting.ini

The above file contains URLs of more files to be downloaded and executed. The worm attempts to download these files every day and stores them in the following locations:
%System%\check01.exe
%System%\check02.exe
%System%\check03.exe

Next, the worm sends one of the following messages to all online Yahoo! Messenger contacts (the messages are in unaccented Vietnamese; an English rendering follows each one):
E may, vao day coi co con nho nay ngon lam [http://]nhatquanglan1.0catch.com
  (English: Hey you, come here and check out this girl, she is really hot)
Vao day nghe bai nay di ban [http://]nhatquanglan1.0catch.com
  (English: Come here and listen to this song, friend)
Biet tin gi chua, vao day coi di [http://]nhatquanglan1.0catch.com
  (English: Heard the news yet? Come here and see)
Trang Web nay coi cung hay, vao coi thu di [http://]nhatquanglan1.0catch.com
  (English: This website is pretty good too, come in and take a look)
Toi di lang thang lan trong bong toi buot gia, ve dau khi da mat em roi? Ve dau khi bao nhieu mo mong gio da vo tan... Ve dau toi biet di ve dau? [http://]nhatquanglan1.0catch.com
  (English: I wander alone in the freezing darkness; where do I go now that I have lost you? Where do I go when so many dreams have shattered... Where do I go, where could I possibly go?)
Khoc cho nho thuong voi trong long, khoc cho noi sau nhe nhu khong. Bao nhieu yeu thuong nhung ngay qua da tan theo khoi may bay that xa... [http://]nhatquanglan1.0catch.com
  (English: Cry so the longing in my heart fades, cry so the sorrow feels light as nothing. All the love of days gone by has dissolved like smoke and clouds drifting far away...)
Tha nguoi dung noi se yeu minh toi mai thoi thi gio day toi se vui hon. Gio nguoi lac loi buoc chan ve noi xa xoi, cay dang chi rieng minh toi... [http://]nhatquanglan1.0catch.com
  (English: If only you had never said you would love me alone forever, I would be happier now. Now you have lost your way, walking off to somewhere far away, and the bitterness is mine alone...)
Loi em noi cho tinh chung ta, nhu doan cuoi trong cuon phim buon. Nguoi da den nhu la giac mo roi ra di cho anh bat ngo... [http://]nhatquanglan1.0catch.com
  (English: What you said about our love was like the final scene of a sad film. You came like a dream and then left, catching me by surprise...)
Tra lai em niem vui khi duoc gan ben em, tra lai em loi yeu thuong em dem, tra lai em niem tin thang nam qua ta dap xay. Gio day chi la nhung ky niem buon... [http://]nhatquanglan1.0catch.com
  (English: I give back to you the joy of being close to you, give back to you the words of love you whispered at night, give back to you the faith we built up over the years. Now they are only sad memories...)

The URL [http://]nhatquanglan1.0catch.com is the default. However, this URL can be changed when the threat downloads the configuration files mentioned above, so the link in the lure messages should not be treated as a fixed indicator.

The worm continuously tries to end the following process:
game_y.exe

The worm then searches every folder on every drive and, in each folder it visits, copies itself as an .exe named after each subfolder it finds there. For example, if the folder C:\temp\ contained the following folders:
C:\temp\myfolder1
C:\temp\myfolder2

The threat will then copy itself to:
C:\temp\myfolder1.exe
C:\temp\myfolder2.exe
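Two of the filesystem artifacts in this write-up are easy to hunt for at scale: an .exe whose name matches a sibling folder (the propagation pattern just described) and a drive-root autorun.inf that points AutoPlay and the drive's double-click action at a dropped binary. The script below is an added example and is not part of Symantec's write-up. It builds a throwaway directory tree that imitates an infected drive, with empty files standing in for the worm binary and a constructed autorun.inf, then runs both checks against it; the folder names, the decoy files and the autorun.inf contents are assumptions for the demo.

```python
import configparser
import os
import shutil
import tempfile
from typing import Dict, List

# Constructed autorun.inf in the shape an autorun worm drops at a drive root:
# "open" drives AutoPlay, "shellexecute" and the shell verb drive double-click.
SAMPLE_AUTORUN_INF = """[autorun]
open=SSVICHOSST.exe
shellexecute=SSVICHOSST.exe
shell\\Open\\command=SSVICHOSST.exe
shell=Open
"""


def build_sample_tree() -> str:
    """Create a temporary tree mimicking an infected drive. Everything here is
    constructed for the example; the .exe files are empty placeholders."""
    root = tempfile.mkdtemp(prefix="svich-demo-")
    layout = {
        "autorun.inf": SAMPLE_AUTORUN_INF,
        "SSVICHOSST.exe": "",
        "New Folder.exe": "",
        "temp/myfolder1/": None,          # directories
        "temp/myfolder2/": None,
        "temp/myfolder1.exe": "",         # clones named after the directories
        "temp/myfolder2.exe": "",
        "temp/notes.txt": "benign",
        "docs/report.docx": "benign",
        "docs/report.exe": "",            # no 'report' folder beside it: not a clone
    }
    for rel, content in layout.items():
        path = os.path.join(root, *rel.strip("/").split("/"))
        if content is None:
            os.makedirs(path, exist_ok=True)
        else:
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(content)
    return root


def find_folder_name_clones(root: str) -> List[str]:
    """Return root-relative paths (forward slashes) of files named <dir>.exe
    that sit next to a directory called <dir>, matched case-insensitively."""
    hits: List[str] = []
    for dirpath, dirnames, filenames in os.walk(root):
        lower_files = {f.lower(): f for f in filenames}
        for d in dirnames:
            clone = lower_files.get(d.lower() + ".exe")
            if clone:
                rel = os.path.relpath(os.path.join(dirpath, clone), root)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def parse_autorun_inf(text: str) -> Dict[str, str]:
    """Parse an autorun.inf; keys are lower-cased, section name is matched
    case-insensitively since real files use both [autorun] and [AutoRun]."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if section is None:
        return {}
    return {k.lower(): v.strip() for k, v in cp.items(section)}


def first_token(cmd: str) -> str:
    """Executable part of a Windows command line: a quoted path or first word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def autorun_launch_targets(root: str) -> List[str]:
    """Executables a drive-root autorun.inf would launch via open=,
    shellexecute= or shell\\<verb>\\command=, in order of first appearance."""
    inf = os.path.join(root, "autorun.inf")
    if not os.path.exists(inf):
        return []
    with open(inf, errors="replace") as fh:
        entries = parse_autorun_inf(fh.read())
    targets: List[str] = []
    for key, value in entries.items():
        launches = key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command"))
        exe = first_token(value) if launches else ""
        if exe and exe not in targets:
            targets.append(exe)
    return targets


if __name__ == "__main__":
    root = build_sample_tree()
    try:
        print("folder-name clones:", find_folder_name_clones(root))
        print("autorun.inf launches:", autorun_launch_targets(root))
    finally:
        shutil.rmtree(root)
```

Run against a real mounted drive by calling find_folder_name_clones and autorun_launch_targets on its root instead of the sample tree. The clone check reports only name collisions, so confirm a hit by hashing the flagged file against SSVICHOSST.exe or checking its hidden and system attributes before deleting anything.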

Affected

  • Windows