| Malware name | Worm.Khanani.A | | Type | Worm | | Affected platform | Win32 | | Media-Type | application/executable | | MD5 checksum | B34FF2FC486000AB63926E4CA1B3AD92 | | Static file | yes | | Filesize | 180,224 Bytes | Alias names
(also known as) | | McAfee | W32/Bindo.worm | | CA ETrust | Win32/Malas.C |
| | Side effects | - Drops files
- Lowers security settings
- Registry modification
| | Propagation | - Mapped network drives
- Peer to Peer
|
|
Description:
Files
It copies itself to the following locations:
• %TEMPDIR%\svchost.exe
• %PROGRAM FILES%\Common Files\Microsoft Shared\MSshare.exe
• %home%\userinit.exe
• %WINDIR%\Web\OfficeUpdate.exe
•
%drive%:\autoply.exe
Sections are added to the following files.
– To: %ALLUSERSPROFILE%\Start Menu\Programs\Accessories\Calculator.lnk With the following contents:
•
%code that runs malware%– To: %home%\Start Menu\Programs\Accessories\Notepad.lnk With the following contents:
•
%code that runs malware%– To: %home%\Start Menu\Programs\Accessories\Command Prompt.lnk With the following contents:
•
%code that runs malware% The following files are created:
– Non malicious files:
• %home%\Desktop\Important.htm
• %home%\My Documents\Important.htm
• %home%\Desktop\Iran_Israel.Jpg
• %home%\My Documents\Iran_Israel.Jpg
• %ALLUSERSPROFILE%\Documents\My Pictures\Sample Pictures\Iran_Israel.Jpg
–
%drive%:\Autorun.inf This is a non malicious text file with the following content:
•
%code that runs malware%– %ALLUSERSPROFILE%\Start Menu\Programs\Startup\Office Update.lnk
– %WINDIR%\tasks\at1.job File is a scheduled task that runs the malware at predefined times.
– %WINDIR%\tasks\at2.job File is a scheduled task that runs the malware at predefined times.
Registry
The following registry key is added in order to run the process after reboot:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• SoundMax = %home%\userinit.exe
The values of the following registry keys are removed:
– [HKCR\lnkfile]
• IsShortCut
– [HKCR\piffile]
• IsShortCut
– [HKCR\InternetShortcut]
• IsShortCut
The following registry keys are changed:
Various Explorer settings:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Old value:
• Hidden =
%user defined settings% • HideFileExt =
%user defined settings% • ShowSuperHidden =
%user defined settings% New value:
• Hidden = 2
• HideFileExt = 2
• ShowSuperHidden = 2
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
New value:
• Nofolderoptions = 1
P2P
In order to infect other systems in the Peer to Peer network community the following action is performed:
– It searches for the following directories:
• %PROGRAM FILES%\Kazaa Lite\My Shared Folder\
• %PROGRAM FILES%\Kazaa\My Shared Folder\
• %PROGRAM FILES%\Edonkey2000\Incoming\
• %PROGRAM FILES%\Icq\Shared Files\
• %PROGRAM FILES%\emule\incoming\
• %PROGRAM FILES%\Gnucleus\Downloads\Incoming\
• %PROGRAM FILES%\KMD\My Shared Folder\
• %PROGRAM FILES%\Limewire\Shared\
• %PROGRAM FILES%\XPCode\
• C:\Inetpub\ftproot\
If successful, the following files are created:
• Sex_ScreenSaver.scr
• Sex_Game.exe
• SexGame.exe
• SexScreenSaver.scr
• SexGameList.pif
• Games.lnk
These files are copies of the malware itself.
The shared directory might look like the following:
File details
Programming language:
The malware program was written in MS Visual C++.
