| Field | Value |
|---|---|
| Malware name | Worm.Zhelatin.zi |
| Type | Worm |
| Affected platform | Win32 |
| Media-Type | application/executable |
| MD5 checksum | 9C70BE59ECBDFB9F71FF5136FBCFE704 |
| Static file | no |
| Filesize | 90,624 Bytes |
| Side effects | Drops files |
| Propagation | |

Alias names (also known as):

| Vendor | Alias |
|---|---|
| Sophos | Mal/Dorf-O |
| McAfee | W32/Nuwar@MM |
| CA ETrust | Win32/Sintun.FK |
Description:
Files
The following files are created:
– %WINDIR%\glok+serv.config This is a non-malicious text file with the following content:
[config]
[local]
[peers]
0000472DD17ECA4C2F0BB96FD7794A73=D9DA078C2AD400
01006023137DA429CD240A468A5CFB77=D3F6E118166700
0200AA5495413422502AAA57FB00CB2C=CA803A63585600
0300EA776E0AA0591202531C3F0D4F53=7647B0A8321700
04001B29A86C3570BF00D7351501460F=5C2E073C265300
0500A71EC719C622B27ADE6BE2416463=C879C5BC09A100
06001709255A3721431D0E69732E9551=3A4049CE049D00
0700F41EF75A8D012D7D1F0C894B2F55=7C6B254D23A300
0800BA60242320060233666E5C135067=3D11CBE4206900
09004D0B336B44757A3D475AB0355C6D=76449C14337400
0A0011554065B727F03B167C971C3136=599789651ABE00
0B0082735501391F296AFA369A3BA822=DEE1913F504B00
0C00387F7570B2105E017737C1283A7A=7B1600401B3300
0D00F67D3654AC6C35099F55A41C6E67=44979EC5589400
– %WINDIR%\glok+22bd-6274.sys This file is executed once it has been fully written to disk. Detected as: Trojan.Rootkit.Gen
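As an added triage helper (not part of the original description), the following Python parser reads the glok+serv.config layout shown above, validates each [peers] line against the 32-hex-character key / 14-hex-character value shape seen in the dump, and answers whether an arbitrary text file matches that layout. The sample is constructed from the first three peer lines above; the reading of the leading key byte as an entry index is an assumption.

```python
import re
# Constructed sample with the layout of the dropped glok+serv.config shown above
# (only the first three [peers] lines from the description are kept).
SAMPLE_CONFIG = """[config]
[local]
[peers]
0000472DD17ECA4C2F0BB96FD7794A73=D9DA078C2AD400
01006023137DA429CD240A468A5CFB77=D3F6E118166700
0200AA5495413422502AAA57FB00CB2C=CA803A63585600
"""

# One peer line as dumped: 32 hex characters, '=', 14 hex characters.
PEER_LINE = re.compile(r"^([0-9A-Fa-f]{32})=([0-9A-Fa-f]{14})$")

def parse_config(text):
    """Split the INI-like file into {section_name: [raw entry lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections

def peer_entries(text):
    """Return (index, key, value) per well-formed [peers] line. The leading key
    byte counts 00, 01, 02, ... in the dump; reading it as an index is an assumption."""
    entries = []
    for line in parse_config(text).get("peers", []):
        m = PEER_LINE.match(line)
        if m is None:
            raise ValueError(f"malformed peer line: {line!r}")
        key, value = m.group(1).upper(), m.group(2).upper()
        entries.append((int(key[:2], 16), key, value))
    return entries

def looks_like_peer_cache(text):
    """Triage check: exactly the [config]/[local]/[peers] layout, every peer
    line well-formed and at least one present; False on any deviation."""
    try:
        return (set(parse_config(text)) == {"config", "local", "peers"}
                and len(peer_entries(text)) > 0)
    except ValueError:
        return False
```

Because the rootkit component hides the file from directory listings on the running system, this check is meant to be run over files collected from a clean boot or an offline image.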
Registry
The following registry key is added in order to run the process after reboot:
– HKLM\System\ControlSet001\Services\glok+b89-6227
• %WINDIR%\glok+b89-6227.sys
Mailing
Avoid addresses: It does not send emails to addresses containing one of the following strings:
• postmaster@; root@; @avp.; panda; abuse; @messagelab; free-av; @foo; ntivi; admin; kasp; noone@; info@; help@; f-secur; @microsoft; rating@
Network Infection
In order to ensure its propagation, the malware attempts to connect to other machines as described below.
IP address generation: It creates random IP addresses and tries to establish a connection with them.
Rootkit Technology
This is a malware-specific technique: the malware hides its presence from system utilities, security applications and, ultimately, from the user.
Hides the following:
– Its own files
– Its own registry keys
– The following files:
• glok+22bd-6274.sys
• glok+serv.config
– The following registry keys:
• HKLM\System\ControlSet001\Services\glok+b89-6227
• HKLM\System\ControlSet001\Enum\Root\legacy_glok+b89-6227
• HKLM\System\ControlSet001\Enum\Root\LEGACY_GLOK+B89-6227\0000
Method used:
• Hidden from Interrupt Descriptor Table (IDT)
Hooks the following API functions:
• ZwEnumerateKey
• ZwEnumerateValueKey
• ZwQueryDirectoryFile
File details
Runtime packer: In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.