Monday, April 9, 2007

Email-Worm:W32/Zhelatin.CQ

Name : Email-Worm:W32/Zhelatin.CQ
Alias: Email-Worm.Win32.Zhelatin.cq
Type: E-Mail Worm, Rootkit
Category: Malware
Platform: Microsoft Windows Win32
Date of Discovery: April 08, 2007
Radar Alert Level 2


Summary
The Zhelatin.CQ worm started to spread very late on April 8th, 2007. The worm spreads in e-mails with war-related subjects as an attachment named 'video.exe', 'movie.exe', 'click me.exe' and so on. The worm creates its own peer-to-peer network.

Detailed Description
After the worm's file is started by a user, it drops a randomly named file into the same folder it was started from and runs it. This file installs a rootkit and peer-to-peer (p2p) component into the Windows System folder under the name wincom32.sys. The following startup key is created in the Registry for the dropped file:

[HKLM\System\ControlSet001\Services\wincom32]
@ = "%WinSysDir%\wincom32.sys"

The installed component has rootkit features: it hides its Registry keys and its active process, so an anti-rootkit engine is needed to reveal them. In addition, this component drops a text file named wincom32.ini into the Windows System folder. This file contains a list of clients for the worm's peer-to-peer network; the peer names and access ports are encoded. Here's an example of the file's contents:

[counter]
Counter=0
[peers]
003964D3640550573F800125725481EF=5326859A123900
004982069E5DB75721B54CFF33A26170=5955FC93123900
00A1836AE91D076BC265F9735204714F=451AAE831EBF00

The dropped file also has a blacklist section, but it is empty at the moment. The worm decodes the clients' addresses and access ports and connects itself to the peer-to-peer network. A significant number of UDP connections can be observed while the worm is trying to connect to its p2p network.

At the same time, the worm's copy that stays in memory starts its spreading cycle. It creates a mutex named klllekkdkkd and scans files on local hard disks for victims' e-mail addresses. The worm ignores e-mail addresses that contain any of the following substrings:

microsoft
.gov
.mil

Then the worm starts to spread in e-mails. It sends messages with the following subjects to all found e-mail addresses:

USA Declares War on Iran
USA Missle Strike: Iran War just have started
Missle Strike: The USA kills more then 20000 Iranian citizens
Missle Strike: The USA kills more then 1000 Iranian citizens
Missle Strike: The USA kills more then 10000 Iranian citizens
Israel Just Have Started World War III
USA Just Have Started World War III
Iran Just Have Started World War III

As you can see, the subjects are war-related, which makes them an effective social engineering lure. The worm always attaches itself to the e-mails it sends out. The attachment name can be any of the following:

More.exe
Read More.exe
Click Here.exe
Click Me.exe
Read Me.exe
Movie.exe
News.exe
Video.exe

When a recipient of such an e-mail opens the attachment, his or her computer becomes infected and the worm continues its spreading cycle.
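As an added defensive example (not part of the original description), here is a mail-gateway check that flags messages carrying the subjects and attachment names listed above. The sample messages are constructed, and the block/suspect verdict thresholds are an assumption of the example rather than anything the description specifies.

```python
import re

# Subjects exactly as listed in the description above; attachment names lower-cased.
ZHELATIN_CQ_SUBJECTS = {
    "USA Declares War on Iran",
    "USA Missle Strike: Iran War just have started",
    "Missle Strike: The USA kills more then 20000 Iranian citizens",
    "Missle Strike: The USA kills more then 1000 Iranian citizens",
    "Missle Strike: The USA kills more then 10000 Iranian citizens",
    "Israel Just Have Started World War III",
    "USA Just Have Started World War III",
    "Iran Just Have Started World War III",
}
ZHELATIN_CQ_ATTACHMENTS = {
    "more.exe", "read more.exe", "click here.exe", "click me.exe",
    "read me.exe", "movie.exe", "news.exe", "video.exe",
}

def _norm(text):
    # Collapse whitespace and case so header folding or casing does not hide a match.
    return re.sub(r"\s+", " ", text).strip().lower()

NORM_SUBJECTS = {_norm(s) for s in ZHELATIN_CQ_SUBJECTS}

def classify(subject, attachment_names):
    """Return (verdict, reasons): 'block' = lure subject plus known attachment,
    'suspect' = a single indicator or a bare .exe attachment, 'clean' = nothing."""
    reasons = []
    subject_hit = _norm(subject) in NORM_SUBJECTS
    if subject_hit:
        reasons.append("subject matches a Zhelatin.CQ lure")
    attachment_hit = False
    for name in attachment_names:
        if _norm(name) in ZHELATIN_CQ_ATTACHMENTS:
            attachment_hit = True
            reasons.append(f"attachment {name!r} matches a Zhelatin.CQ name")
        elif _norm(name).endswith(".exe"):
            reasons.append(f"attachment {name!r} is a bare executable")
    if subject_hit and attachment_hit:
        return "block", reasons
    return ("suspect" if reasons else "clean"), reasons

# Constructed sample messages (subject, attachment names), not captured mail.
SAMPLE_MESSAGES = [
    ("USA Declares War on Iran", ["Video.exe"]),
    ("Re: quarterly numbers", ["report.pdf"]),
    ("ISRAEL  just have started world war III", []),
]
```

Running `classify` over `SAMPLE_MESSAGES` yields block, clean and suspect in that order; the reasons list is what a gateway would write to its log for each decision.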

The worm has a payload: it terminates processes whose names contain any of the following substrings:

mcafee
taskmgr
hijack
f-pro
lockdown
msconfig
firewall
blackice
avg
vsmon
zonea
spybot
nod32
reged
rav
nav
avp
troja
viru
anti
