Worm - Win32 - Svich - a
1. Summary:
Svich.a is a 244 kB worm that spreads through Yahoo! Instant Messenger and removable media.
It can download further, potentially malicious programs from the Internet, and it lowers the security settings of the infected PC.
Aliases:
Symantec: W32.Svich
2. Detailed description:
After its first execution, the Svich.a worm creates several files in the system and Windows directories:
%SYSTEM%\autorun.ini
%SYSTEM%\ssichosst.exe
%WINDIR%\ssichosst.exe
%WINDIR%\Tasks\At1.job
The 'ssichosst.exe' file contains the body of the worm.
The 'At1.job' file is a new task in the Windows Task Scheduler. The task runs at 9 AM each day and ensures the worm is executed again.
Worm Svich.a searches the local drives and copies its body into each directory it finds.
The filename is derived from the content of the directory, mainly from the names of its subdirectories.
Example:
The C:\Downloads directory contains a subdirectory named:
C:\Downloads\WhitePages\
Worm Svich.a creates a file in the 'Downloads' directory named:
C:\Downloads\WhitePages.exe
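A defender-side check for the naming scheme just described, added here as an example (not code from the original advisory): it walks a directory tree and reports every .exe whose base name equals a subdirectory of the directory it sits in. The -Root parameter and the 'C:\Downloads' sample value are assumptions; nothing is deleted.

```powershell
# Added example, not from the original advisory: flag executables that follow the
# Svich.a naming scheme, i.e. an .exe whose base name equals a subdirectory of the
# directory it sits in (C:\Downloads\WhitePages\ next to C:\Downloads\WhitePages.exe).
# Assumption: -Root is the tree to scan; the function only reports, it never deletes.
function Find-SvichNamedExe {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string]$Root)
    # Every directory in the tree, the root included, is a candidate drop location.
    $dirs = @(Get-Item -LiteralPath $Root) +
            @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)
    foreach ($dir in $dirs) {
        $subNames = @(Get-ChildItem -LiteralPath $dir.FullName -Directory -ErrorAction SilentlyContinue |
                      Select-Object -ExpandProperty Name)
        if ($subNames.Count -eq 0) { continue }
        # -contains is case-insensitive, matching NTFS name handling.
        Get-ChildItem -LiteralPath $dir.FullName -File -Filter '*.exe' -ErrorAction SilentlyContinue |
            Where-Object { $subNames -contains $_.BaseName } |
            ForEach-Object {
                [pscustomobject]@{
                    Path    = $_.FullName
                    SizeKB  = [math]::Round($_.Length / 1KB)   # advisory gives 244 kB for the worm body
                    Sibling = Join-Path $dir.FullName $_.BaseName
                }
            }
    }
}
# Sample run over a constructed path; compare SizeKB against the advisory's 244 kB.
Find-SvichNamedExe -Root 'C:\Downloads' | Format-Table -AutoSize
```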
It also creates a "standard" registry Run entry:
[HKAU\Software\Microsoft\Windows\CurrentVersion\Run]
"Yahoo Messengger" = "C:\WINDOWS\system32\ssvichosst.exe"
and ensures it is run by adding another entry to the Winlogon key:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "Explorer.exe ssvichosst.exe"
Worm Svich.a modifies the following registry entries:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NofolderOptions" = "1"
[HKAU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr" = "1"
[HKAU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = "1"
This protects the worm by disabling the Folder Options dialog, the Registry Editor and the Task Manager.
Worm Svich.a downloads its configuration file from one of the following URLs:
nhatquanglan3.t35.com/setting.ini
nhatquanglan4.t35.com/setting.ini
This file gets stored in the system directory:
%SYSTEM%\setting.ini
The file can hold a list of URLs (no more than 3) that the worm contacts in order to obtain additional, potentially malicious code. This process is repeated daily. If it succeeds, the worm stores the downloaded files in the system directory:
%SYSTEM%\check01.exe
%SYSTEM%\check02.exe
%SYSTEM%\check03.exe
If Svich.a finds that a process named 'game_y.exe' is running, the worm terminates it immediately.
3. Infection by removable media:
Svich.a copies itself into the root directory of every removable medium connected to the computer under one of the names:
New Folder.exe
ssvichosst.exe
To make sure it will run as soon as the media gets connected, it creates an autorun.inf file.
4. Spreading by Instant Messengers:
As mentioned earlier, the Svich.a worm spreads mainly using the Yahoo! Instant Messenger client.
It does this by taking the client's contact list and sending each contact a message containing a URL. When the URL is opened in the user's browser, it installs the worm.
The text that gets sent along with the url is in Vietnamese and can be one of the following:
Biet tin gi chua, vao day coi di [url removed for security reasons]
E may, vao day coi co con nho nay ngon lam [url removed for security reasons]
Khoc cho nho thuong voi trong long, khoc cho noi sau nhe nhu khong. Bao nhieu yeu thuong nhung ngay qua da tan theo khoi may bay that xa... [url removed for security reasons]
Loi em noi cho tinh chung ta, nhu doan cuoi trong cuon phim buon. Nguoi da den nhu la giac mo roi ra di cho anh bat ngo... [url removed for security reasons]
Tra lai em niem vui khi duoc gan ben em, tra lai em loi yeu thuong em dem, tra lai em niem tin thang nam qua ta dap xay. Gio day chi la nhung ky niem buon... [url removed for security reasons]
Tha nguoi dung noi se yeu minh toi mai thoi thi gio day toi se vui hon. Gio nguoi lac loi buoc chan ve noi xa xoi, cay dang chi rieng minh toi... [url removed for security reasons]
Toi di lang thang lan trong bong toi buot gia, ve dau khi da mat em roi? Ve dau khi bao nhieu mo mong gio da vo tan... Ve dau toi biet di ve dau? [url removed for security reasons]
Trang Web nay coi cung hay, vao coi thu di [url removed for security reasons]
Vao day nghe bai nay di ban [url removed for security reasons]
The URL sent with the message is taken from the stored configuration file described in the previous sections.
5. Cleaning:
- Reboot the PC into Safe Mode.
- Delete the files:
%SYSTEM%\autorun.ini
%SYSTEM%\check01.exe
%SYSTEM%\check02.exe
%SYSTEM%\check03.exe
%SYSTEM%\setting.ini
%SYSTEM%\ssichosst.exe
%SYSTEM%\ssvichosst.exe
%WINDIR%\ssichosst.exe
%WINDIR%\Tasks\At1.job
- Delete these files from the root of all removable media:
autorun.inf
New Folder.exe
ssvichosst.exe
- Delete the 'Yahoo Messengger' entry from the registry:
[HKAU\Software\Microsoft\Windows\CurrentVersion\Run]
"Yahoo Messengger" = "C:\WINDOWS\system32\ssvichosst.exe"
- Delete the 'Shell' entry from the registry key:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "Explorer.exe ssvichosst.exe"
- Modify the entry 'NofolderOptions' from value '1' to '0':
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NofolderOptions" = "1"
- Modify the 'DisableTaskMgr' entry from value '1' to '0':
[HKAU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr" = "1"
- Modify the entry 'DisableRegistryTools' from value '1' to '0':
[HKAU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = "1"
- Reboot the computer back into normal mode.
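The file and registry steps above as a single dry-run-first script, added here as an example (not the advisory's own tool): it reports each artefact it finds and removes it only when run without -WhatIf. It assumes the advisory's 'HKAU' keys mean the current-user hive (HKCU:), that it runs elevated, and it leaves the removable-media step to be done by hand.

```powershell
# Added example, not from the original advisory: report and (without -WhatIf)
# remove the Svich.a persistence artefacts listed in the cleaning steps above.
# Assumptions: the advisory's 'HKAU' keys are read as the current-user hive
# (HKCU:); run elevated; removable media are left to the manual step.
function Invoke-SvichCleanup {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $sys = [Environment]::SystemDirectory      # %SYSTEM%
    $win = $env:SystemRoot                     # %WINDIR%
    $files = @('autorun.ini', 'check01.exe', 'check02.exe', 'check03.exe',
               'setting.ini', 'ssichosst.exe', 'ssvichosst.exe') |
             ForEach-Object { Join-Path $sys $_ }
    $files += (Join-Path $win 'ssichosst.exe'), (Join-Path $win 'Tasks\At1.job')
    foreach ($f in $files) {
        if (-not (Test-Path -LiteralPath $f)) { continue }
        Write-Warning "Dropped file present: $f"
        if ($PSCmdlet.ShouldProcess($f, 'Delete')) { Remove-Item -LiteralPath $f -Force }
    }
    # Run key entry that restarts the worm at logon.
    $run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $v = Get-ItemProperty -Path $run -Name 'Yahoo Messengger' -ErrorAction SilentlyContinue
    if ($v) {
        Write-Warning "Run entry 'Yahoo Messengger' = $($v.'Yahoo Messengger')"
        if ($PSCmdlet.ShouldProcess($run, "Remove 'Yahoo Messengger'")) {
            Remove-ItemProperty -Path $run -Name 'Yahoo Messengger'
        }
    }
    # Winlogon Shell hijack; resetting to the default 'Explorer.exe' is
    # equivalent to the advisory's delete step.
    $wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = (Get-ItemProperty -Path $wl -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($shell -and $shell -ne 'Explorer.exe') {
        Write-Warning "Winlogon Shell = '$shell'"
        if ($PSCmdlet.ShouldProcess($wl, 'Reset Shell to Explorer.exe')) {
            Set-ItemProperty -Path $wl -Name Shell -Value 'Explorer.exe'
        }
    }
    # Policy values the worm sets to 1 to hide itself; reset each to 0.
    $policies = @{
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' = @('NofolderOptions')
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'   = @('DisableTaskMgr', 'DisableRegistryTools')
    }
    foreach ($key in $policies.Keys) { foreach ($name in $policies[$key]) {
        $p = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        if (-not ($p -and $p.$name -eq 1)) { continue }
        Write-Warning "$key\$name = 1"
        if ($PSCmdlet.ShouldProcess("$key\$name", 'Set to 0')) { Set-ItemProperty -Path $key -Name $name -Value 0 }
    } }
}
Invoke-SvichCleanup -WhatIf   # dry run; drop -WhatIf (from Safe Mode) to clean
```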
[10/23/2007 09:27]