When executed, the malware first ensures it will be launched on every system startup by changing several registry keys. It also adds itself to the Windows Firewall's list of authorized applications so that its network activity does not raise a firewall prompt; malware writers do not want their victims to notice their presence.
It will then drop a rootkit driver into %windir%\system32\drivers\oqmihn.sys which tries to kill several security suites. It also changes registry keys belonging to those security products in order to disable their services, and it disables Task Manager and the Registry Editor (the DisableTaskMgr and DisableRegistryTools policy values).
Then it drops and launches a keylogger into %windir%\system32\28463\svchost.exe; this component is detected as Trojan.Keylog.Ardamax.NAL.
It also tries to connect to several URLs, which were unavailable at the time of analysis:
http://89.149.227.194
http://SOSiTE_AVERI_SOSiTEEE.haha
http://kjwre77638dfqwieuoi.info
http://kukutrustnet777.info
http://pacwebco.com
http://www.freewebtown.com
http://www.kjwre9fqwieluoi.info
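The following host-triage script is an added example and is not part of the BitDefender write-up. It checks a live Windows system for the indicators described above: the two dropped files, autostart entries that reference them, a service pointing at the rootkit driver, the Task Manager and Registry Editor policy values, and firewall exceptions. The dropped-file paths come from the text; the write-up does not name the specific Run-key values or the firewall entry, so the script enumerates those locations and flags any entry whose command line or program path refers to the files the text names (the regular expressions and the legacy AuthorizedApplications key are the author's assumptions, not something the write-up states).

```powershell
# Added triage example (not from the BitDefender write-up). Run as Administrator.
$SysRoot = $env:windir
$DroppedFiles = @(
    (Join-Path $SysRoot 'system32\drivers\oqmihn.sys'),   # rootkit driver named in the text
    (Join-Path $SysRoot 'system32\28463\svchost.exe')     # Ardamax keylogger drop named in the text
)
$Findings = @()

# 1. Dropped files, hashed so the result can be matched against other systems
foreach ($f in $DroppedFiles) {
    if (Test-Path -LiteralPath $f) {
        $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        $Findings += [pscustomobject]@{ Type = 'DroppedFile'; Location = $f; Detail = "SHA256 $hash" }
    }
}

# 2. Autostart entries whose command line points at the dropped files
#    (the write-up says "several registry keys" but does not list them; these are the usual Run keys)
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($k in $RunKeys) {
    if (-not (Test-Path $k)) { continue }
    foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }            # skip the provider's own metadata properties
        $cmd = [string]$p.Value
        if ($cmd -match '28463\\svchost\.exe|oqmihn\.sys') {
            $Findings += [pscustomobject]@{ Type = 'Autostart'; Location = "$k\$($p.Name)"; Detail = $cmd }
        }
    }
}

# 3. A kernel driver is loaded through a service entry; look for one whose ImagePath is the rootkit
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
    $img = (Get-ItemProperty -Path $_.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    if ($img -and $img -match 'oqmihn\.sys') {
        $Findings += [pscustomobject]@{ Type = 'DriverService'; Location = $_.PSChildName; Detail = $img }
    }
}

# 4. Policy values that disable Task Manager and the Registry Editor
foreach ($k in 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System') {
    foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
        $v = (Get-ItemProperty -Path $k -Name $name -ErrorAction SilentlyContinue).$name
        if ($v -eq 1) {
            $Findings += [pscustomobject]@{ Type = 'Policy'; Location = "$k\$name"; Detail = "set to $v" }
        }
    }
}

# 5. Firewall exceptions. XP-era malware wrote to the legacy AuthorizedApplications list;
#    on Windows Vista and later the same intent shows up as a firewall rule (NetSecurity module).
$AuthKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
if (Test-Path $AuthKey) {
    (Get-ItemProperty -Path $AuthKey).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and $_.Name -match '28463' } |
        ForEach-Object {
            $Findings += [pscustomobject]@{ Type = 'FirewallException'; Location = $_.Name; Detail = $_.Value }
        }
}
if (Get-Command Get-NetFirewallApplicationFilter -ErrorAction SilentlyContinue) {
    Get-NetFirewallApplicationFilter | Where-Object { $_.Program -match '28463\\svchost\.exe' } |
        ForEach-Object {
            $rule = $_ | Get-NetFirewallRule
            $Findings += [pscustomobject]@{ Type = 'FirewallRule'; Location = $rule.DisplayName; Detail = $_.Program }
        }
}

$Findings | Format-Table -AutoSize
```

A clean system produces an empty table. The rootkit is designed to hide, so a negative result from a script run on the infected host is weaker evidence than the same checks performed against the offline registry hives and file system from a clean boot.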
This worm spreads using removable drives or can be downloaded from several websites.
If executed, it creates a copy of itself as %windir%\system32\explorer.exe. When this copy is run, it launches the real explorer.exe (which lives in %windir%, not %windir%\system32) so the user sees nothing unusual, and then continues with its own malicious routine.
It will search for a file called wscft.exe in the folder from which it was launched. If the file is found, it is copied to %windir%\system32 as well.
The worm also changes several registry keys to ensure it is loaded at system startup.
This worm periodically searches for online-game applications running on the computer and terminates them. The targeted games are: Warcraft III, Counter-Strike, NFS Underground 2, Crazy Arcade, O2-JAM, PopKart Client, YB_OnlineClient, legend of mir2, CTRacer Client, Audition, Fly for Fun, Online, QQGame.
In order to further disguise itself, it uses the version information (company, product and version strings) of the legitimate explorer.exe from the infected system. A consequence for analysts is that the file's version resource cannot be used to tell the copy from the original; the location, the hash and the Authenticode signature can.
Information in this article is available courtesy of BitDefender virus researchers: Dana Stanut and Ovidiu Visoiu
November 14, 2024
September 06, 2024