Once executed, the worm drops the following files:
- %System%\wuclmi.exe (a hacktool)
- %System%\sevices.exe (a copy of wuclmi.exe)
- %System%\wincfg.exe (WinPCap libraries installer)
- %System%\capinstall.exe (a copy of wincfg.exe)
Next, the worm runs the file %System%\capinstall.exe in the background to install WinPCap libraries on the compromised computer. The installer will create some of the following clean files:
The worm waits until installation is finished and then it deletes the file %System%\capinstall.exe.
The worm then gathers the local subnet address, such as 192.168.1.x, and runs an ARP-poisoning attack on the local network to infect other computers. The attack uses WinPCap libraries to inject the following malicious IFRAME code into HTTP traffic of the local network:
The malicious IFRAME will be injected into Web pages viewed by other computers connected to the same local network. The IFRAME forces those computers to download the following exploits for Internet Explorer:
- [http://]www.if56.cn/ad.[REMOVED] (Microsoft Windows Graphics Rendering Engine GDI Local Privilege Escalation Vulnerability (BID 23273))
- [http://]1234.89111.cn/[REMOVED] (Microsoft MDAC RDS.Dataspace ActiveX Control Remote Code Execution Vulnerability (BID 17462))
The exploits may download a copy of the worm or some additional malware.
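The two network-visible symptoms described above, a second MAC answering for a LAN address and an off-site IFRAME appearing in HTTP responses, can both be checked from captured data. The following is an added defender-side example, not code from the original writeup; the ARP replies and the HTML body are constructed samples, and the host `injected.invalid` is a placeholder, not a URL from this threat.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample of ARP replies seen on a LAN as (sender_ip, sender_mac).
# During poisoning a second MAC starts answering for the gateway's IP.
ARP_REPLIES = [
    ("192.168.1.1", "00:11:22:33:44:01"),   # real gateway
    ("192.168.1.10", "00:11:22:33:44:0a"),
    ("192.168.1.1", "00:11:22:33:44:99"),   # second MAC claiming the gateway IP
    ("192.168.1.20", "00:11:22:33:44:14"),
    ("192.168.1.1", "00:11:22:33:44:99"),
]

def find_arp_conflicts(replies):
    """Map each IP claimed by more than one MAC to its sorted list of MACs."""
    macs_by_ip = defaultdict(set)
    for ip, mac in replies:
        macs_by_ip[ip].add(mac.lower())
    return {ip: sorted(macs) for ip, macs in macs_by_ip.items() if len(macs) > 1}

# Constructed HTTP response body as a poisoned client would receive it: the
# original page plus an IFRAME appended in transit that points off-site.
HTML_SAMPLE = """<html><body><h1>Welcome</h1>
<iframe src="/widgets/news.html" width="300"></iframe>
</body></html>
<iframe src="http://injected.invalid/ad.htm" width="0" height="0"></iframe>"""

IFRAME_SRC = re.compile(r'<iframe\b[^>]*?\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)

def foreign_iframes(html, page_host):
    """Return IFRAME src URLs whose host differs from the host that served the page.

    Relative and same-host frames are ignored; only cross-host frames, the
    shape an in-transit injection takes, are reported for review.
    """
    hits = []
    for src in IFRAME_SRC.findall(html):
        host = urlsplit(src).hostname
        if host and host != page_host.lower():
            hits.append(src)
    return hits

if __name__ == "__main__":
    print(find_arp_conflicts(ARP_REPLIES))
    print(foreign_iframes(HTML_SAMPLE, "shop.example.com"))
```

An IP listed with two MACs by `find_arp_conflicts` is the condition to alert on; which MAC is legitimate has to be confirmed against the switch or DHCP records.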
It has been reported that W32.Arpiframe installs a copy of W32.Drom downloaded from the following URLs:
It has been reported that variants of this threat also inject the following iframe:
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":