mwblog.org

Worm Win32/Ogleon.a



1. Summary:

Ogleon.a is a 282 kB worm that spreads through removable media. It also drops and runs the Infostealer.Gampass trojan horse.

Aliases:
Symantec: W32.Ogleon.A

2. Detailed description:

After the first run, the Ogleon.a worm creates the following files in the current directory (the directory where the worm binary resides):

npptools.dll
Packet.dll
WanPacket.dll

and creates a driver (.sys file) in the Windows system directory:

%SYSTEM%\drivers\npf.sys

Worm Ogleon.a also creates a number of other files in the Windows system directory:

%SYSTEM%\ctfnom.exe
%SYSTEM%\dh2103.dll
%SYSTEM%\dllhost32.exe
%SYSTEM%\ebspi.dll
%SYSTEM%\mh104.dll
%SYSTEM%\mosou.dll
%SYSTEM%\mosou.exe
%SYSTEM%\MsAudio.sys
%SYSTEM%\nwizdh.exe
%SYSTEM%\nwizfy.dll
%SYSTEM%\nwizfy.exe
%SYSTEM%\nwizhx2.dll
%SYSTEM%\nwizhx2.exe
%SYSTEM%\nwizqjsj.exe
%SYSTEM%\nwiztlbb.dll
%SYSTEM%\nwiztlbu.exe
%SYSTEM%\nwizwlwzs.dll
%SYSTEM%\nwizwlwzs.exe
%SYSTEM%\nwizwmgjs.dll
%SYSTEM%\nwizwmgjs.exe
%SYSTEM%\nwizzhuxians.dll
%SYSTEM%\nwizzhuxians.exe
%SYSTEM%\Ravasktao.dll
%SYSTEM%\Ravasktao.exe
%SYSTEM%\ztinetzt.dll
%SYSTEM%\ztinetzt.exe
%SYSTEM%\drivers\usbine.sys

All of these files contain the body of the trojan horse Infostealer.Gampass.

Worm Ogleon.a creates the following values in the Run registry keys (under HKCU as well as HKLM), a standard way to get executed at each system startup:

[HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"twin" = "%SYSTEM%\ctfnom.exe"

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Autorun1" = "%SYSTEM%\nwizdh.exe"
"Microsoft Autorun3" = "%SYSTEM%\nwizhx2.exe"
"Microsoft Autorun4" = "%SYSTEM%\dllhost32.exe"
"Microsoft Autorun5" = "%SYSTEM%\mosou.exe"
"Microsoft Autorun7" = "%SYSTEM%\nwiztlbu.exe"
"Microsoft Autorun9" = "%SYSTEM%\Ravasktao.exe"
"Microsoft Autorun10" = "%SYSTEM%\nwizwmgjs.exe"
"Microsoft Autorun11" = "%SYSTEM%\nwizwlwzs.exe"
"Microsoft Autorun12" = "%SYSTEM%\nwizzhuxians.exe"
"Microsoft Autorun14" = "%SYSTEM%\ztinetzt.exe"
"Microsoft Autorun20" = "%SYSTEM%\nwizfy.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"svc" = "%CURRENTFOLDER%\Googleon.exe"

Afterwards the worm Ogleon.a deletes the registry entry:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs" = ""

Ogleon.a searches the local drives for files with the following extensions:

*.asp
*.aspx
*.htm
*.html
*.jsp
*.php

and writes text into each such file after its opening tag.
The worm may also try to connect to the website yz1.micyosoft.net.

Worm Ogleon.a also creates a memory mutex named:
bat326exe

If it fails to create the mutex (meaning another instance of the worm is already running), it terminates immediately. This ensures that only one instance of the worm is in memory at a time.

3. Infection by removable media:

Worm Ogleon.a copies itself to the root directory of every removable medium attached to the computer under the name:

wsnctfy.exe

It also creates an autorun.inf file in the root directory so that the medium launches the worm when it is mounted.

4. Cleaning:

- Reboot the PC into safe mode.
- Delete the following files:
%SYSTEM%\ctfnom.exe
%SYSTEM%\dh2103.dll
%SYSTEM%\dllhost32.exe
%SYSTEM%\drivers\npf.sys
%SYSTEM%\ebspi.dll
%SYSTEM%\mh104.dll
%SYSTEM%\mosou.dll
%SYSTEM%\mosou.exe
%SYSTEM%\MsAudio.sys
%SYSTEM%\nwizdh.exe
%SYSTEM%\nwizfy.dll
%SYSTEM%\nwizfy.exe
%SYSTEM%\nwizhx2.dll
%SYSTEM%\nwizhx2.exe
%SYSTEM%\nwizqjsj.exe
%SYSTEM%\nwiztlbb.dll
%SYSTEM%\nwiztlbu.exe
%SYSTEM%\nwizwlwzs.dll
%SYSTEM%\nwizwlwzs.exe
%SYSTEM%\nwizwmgjs.dll
%SYSTEM%\nwizwmgjs.exe
%SYSTEM%\nwizzhuxians.dll
%SYSTEM%\nwizzhuxians.exe
%SYSTEM%\Ravasktao.dll
%SYSTEM%\Ravasktao.exe
%SYSTEM%\ztinetzt.dll
%SYSTEM%\ztinetzt.exe
%SYSTEM%\drivers\usbine.sys

- Find and delete these files:

npptools.dll
Packet.dll
WanPacket.dll

- Delete the entry twin from the registry:

[HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"twin" = "%SYSTEM%\ctfnom.exe"

- Delete the svc entry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"svc" = "%CURRENTFOLDER%\Googleon.exe"

- Delete the entries Microsoft Autorun1 to Microsoft Autorun20 residing in this key:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Autorun1" = "%SYSTEM%\nwizdh.exe"
"Microsoft Autorun3" = "%SYSTEM%\nwizhx2.exe"
"Microsoft Autorun4" = "%SYSTEM%\dllhost32.exe"
"Microsoft Autorun5" = "%SYSTEM%\mosou.exe"
"Microsoft Autorun7" = "%SYSTEM%\nwiztlbu.exe"
"Microsoft Autorun9" = "%SYSTEM%\Ravasktao.exe"
"Microsoft Autorun10" = "%SYSTEM%\nwizwmgjs.exe"
"Microsoft Autorun11" = "%SYSTEM%\nwizwlwzs.exe"
"Microsoft Autorun12" = "%SYSTEM%\nwizzhuxians.exe"
"Microsoft Autorun14" = "%SYSTEM%\ztinetzt.exe"
"Microsoft Autorun20" = "%SYSTEM%\nwizfy.exe"

- Reboot the PC back into normal mode.
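The cleaning steps above can be checked and applied from a script. The following PowerShell audit is an added example, not part of the original advisory: it reports every file, registry and mutex indicator listed on this page, and with -Remove it performs the section 4 deletions. It assumes %SYSTEM% is the directory returned by [Environment]::SystemDirectory and matches the whole "Microsoft AutorunN" family rather than only the numbers listed, since the advisory's listing skips some of them.

```powershell
# Added example, not part of the original advisory: audit a Windows host for the
# Ogleon.a indicators listed above and, with -Remove, apply the section 4 cleaning
# steps (run elevated, in safe mode as the advisory recommends).
param([switch]$Remove)
$sys = [Environment]::SystemDirectory   # assumed to be %SYSTEM%
$sysFiles = 'ctfnom.exe','dh2103.dll','dllhost32.exe','drivers\npf.sys','ebspi.dll',
  'mh104.dll','mosou.dll','mosou.exe','MsAudio.sys','nwizdh.exe','nwizfy.dll',
  'nwizfy.exe','nwizhx2.dll','nwizhx2.exe','nwizqjsj.exe','nwiztlbb.dll',
  'nwiztlbu.exe','nwizwlwzs.dll','nwizwlwzs.exe','nwizwmgjs.dll','nwizwmgjs.exe',
  'nwizzhuxians.dll','nwizzhuxians.exe','Ravasktao.dll','Ravasktao.exe',
  'ztinetzt.dll','ztinetzt.exe','drivers\usbine.sys'
$found = @()
# 1. Dropped files in the system directory (drivers\npf.sys is also the WinPcap
#    capture driver, so confirm there is no legitimate install before removing it).
foreach ($f in $sysFiles) {
  $p = Join-Path $sys $f
  if (Test-Path -LiteralPath $p) {
    $found += "file: $p"
    if ($Remove) { Remove-Item -LiteralPath $p -Force }
  }
}
# 2. Persistence values: every "Microsoft AutorunN", plus "twin" and "svc".
$runKeys = @{
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'                  = '^Microsoft Autorun\d+$'
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run' = '^twin$'
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'                  = '^svc$'
}
foreach ($key in $runKeys.Keys) {
  if (-not (Test-Path $key)) { continue }
  $props = Get-ItemProperty -Path $key
  foreach ($name in @($props.PSObject.Properties.Name) -match $runKeys[$key]) {
    $found += "registry: $key\$name = $($props.$name)"
    if ($Remove) { Remove-ItemProperty -Path $key -Name $name }
  }
}
# 3. Removable media (DriveType 2): the worm copy and its autorun.inf in the root.
foreach ($d in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2') {
  foreach ($n in 'wsnctfy.exe','autorun.inf') {
    $p = "$($d.DeviceID)\$n"
    if (Test-Path -LiteralPath $p) { $found += "removable media: $p" }
  }
}
# 4. Mutex: OpenExisting only succeeds while a live worm instance holds it.
foreach ($m in 'bat326exe','Global\bat326exe') {
  try { [System.Threading.Mutex]::OpenExisting($m).Dispose(); $found += "mutex: $m (worm running)" }
  catch [System.Threading.WaitHandleCannotBeOpenedException] { }
  catch [System.UnauthorizedAccessException] { $found += "mutex: $m (exists, access denied)" }
}
if ($found) { $found | ForEach-Object { Write-Warning $_ } } else { 'No Ogleon.a indicators found.' }
```

The three DLLs dropped next to the worm binary (npptools.dll, Packet.dll, WanPacket.dll) are not checked because their location depends on where the worm was first launched; search for them by name as the advisory says.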

Posted: 10/28/2007 02:37


