Tuesday, 10 January 2006
W32.Looksky.G@mm is a mass-mailing worm that lowers security settings, opens a back door, and drops additional malware on the compromised computer.
Also Known As: WORM_LOCKSKY.AB [Trend Micro]
Type: Worm
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003
Damage
Payload Trigger: n/a
Payload: Opens a back door and downloads remote files.
Large scale e-mailing: Sends a copy of itself to email addresses gathered from the compromised computer.
Deletes files: n/a
Modifies files: n/a
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: Modifies the firewall settings.
Distribution
Subject of email: Your mail Account is Suspended
Name of attachment: acc_info9.exe or ebay_info.exe
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: n/a
Shared drives: n/a
Target of infection: n/a
Once executed, W32.Looksky.G@mm performs the following actions:
Copies itself as the following files:
%Windir%\sachostx.exe
%CurrentFolder%\temp.bak
Notes:
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
%CurrentFolder% is a variable that refers to the folder where the risk was originally executed.
Drops the following additional files:
%System%\attrib.ini (a file to store stolen information)
%System%\hard.lck (a zero-byte file that is not malicious)
%System%\msvcrl.dll (a keylogger component that is a copy of W32.Looksky.A@mm)
%System%\sachostc.exe (a proxy server)
%System%\sachostp.exe (a component that steals compromised system information, email usernames, and passwords)
%System%\sachosts.exe (an HTTP proxy server)
%System%\sachostw.exe (a mass-mailer component that is a copy of W32.Looksky.F@mm)
%System%\sachostb.exe (a back door component)
Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Adds the value:
"HostSrv" = "%Windir%\sachostx.exe"
to the registry subkey
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
so that it runs every time Windows starts.
Runs netsh.exe with the following command line for each of the above files, in an attempt to bypass the firewall settings on the compromised computer:
netsh firewall set allowedprogram [WORM FILE NAME] enable
Creates registry entries under the following subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
to modify firewall settings and lower security settings.
Opens a back door and allows a remote attacker to perform unauthorized actions on the compromised computer.
Logs keystrokes and may steal confidential information from the compromised computer.
Operates as a covert proxy.
Updates itself by downloading the following files:
[http://]proxy4u.ws:8080/[REMOVED]/download.exe
[http://]proxy4u.ws:8080/[REMOVED]/update.htm
[http://]usproxy2u.ws:8080/[REMOVED]/download.exe
[http://]usproxy2u.ws:8080/[REMOVED]/update.htm
Saves the above files as:
%Temp%\tmx[RANDOM CHARACTERS].exe
Note: %Temp% is a variable that refers to the Windows temporary folder. By default, this is C:\Windows\TEMP (Windows 95/98/Me/XP) or C:\WINNT\Temp (Windows NT/2000).
Posts local system information to the following location:
[http://]proxy4u.ws/[REMOVED]
Gathers email addresses from the Windows Address Book and .htm files. It then sends out a copy of itself as an email attachment. The email has the following characteristics:
Subject: Your mail Account is Suspended
Message Body:
We regret to inform you that your account has been suspended due to the violation of our site policy, more info is attached.
Attachment:
One of the following:
acc_info9.exe
ebay_info.exe
To delete the value from the registry:
Navigate to the subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
In the right pane, delete the value:
"HostSrv" = "%Windir%\sachostx.exe"
Navigate to the subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Delete or reset the value in the right pane, if applicable.
Exit the Registry Editor.
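The following triage script is an added example (not part of the original write-up) that checks the two registry locations named above, the Run key and the firewall AuthorizedApplications\List, for the HostSrv value and the sachost*.exe file names this worm uses. It assumes the XP SP2 firewall list format "path:scope:Enabled|Disabled:description", which the write-up itself does not state; the scan functions take plain dictionaries so they can also be run against exported registry data on a non-Windows analysis host.

```python
import re
import sys

# Indicators taken from the write-up above: the Run value name and the
# dropped sachost*.exe file names the worm authorizes through the firewall.
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
FW_LIST_KEY = (r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
               r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List")
RUN_VALUE_NAME = "hostsrv"
DROPPED_EXES = re.compile(r"\\sachost[xcpswb]\.exe$", re.IGNORECASE)


def scan_run_values(run_values):
    """run_values maps value name -> data as read from the Run key.
    Returns one finding string per value that matches an indicator."""
    findings = []
    for name, data in run_values.items():
        target = str(data).strip().strip('"')
        if name.lower() == RUN_VALUE_NAME or DROPPED_EXES.search(target):
            findings.append(f"Run\\{name} = {data}")
    return findings


def scan_firewall_list(list_values):
    """list_values maps value name -> data from AuthorizedApplications\\List.
    Assumption (XP SP2 firewall format, not stated in the write-up): the data
    reads 'path:scope:Enabled|Disabled:description' and the name is the path."""
    findings = []
    for name, data in list_values.items():
        parts = str(data).rsplit(":", 3)
        path, state = (parts[0], parts[2]) if len(parts) == 4 else (name, "unknown")
        if DROPPED_EXES.search(name) or DROPPED_EXES.search(path):
            findings.append(f"AuthorizedApplications\\List: {path} ({state})")
    return findings


def read_key_values(hive, subkey):
    """Enumerate all values under a registry subkey (Windows only, uses winreg)."""
    import winreg
    values = {}
    with winreg.OpenKey(hive, subkey) as key:
        for i in range(winreg.QueryInfoKey(key)[1]):
            name, data, _ = winreg.EnumValue(key, i)
            values[name] = data
    return values


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("Live scan needs Windows; elsewhere call the scan_* functions on exported values.")
    import winreg
    hits = scan_run_values(read_key_values(winreg.HKEY_LOCAL_MACHINE, RUN_KEY))
    hits += scan_firewall_list(read_key_values(winreg.HKEY_LOCAL_MACHINE, FW_LIST_KEY))
    print("\n".join(hits) if hits else "No W32.Looksky.G@mm indicators found.")
```

A hit in either location means the cleanup steps above still need to be carried out; an empty result only covers the two keys this write-up names, not the dropped files themselves.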