Installation
This threat copies itself to one of the following locations with read-only, hidden and system attributes:
It also creates one of the following autorun files which we detect as Win32/Tupym.A!inf:
It changes the following registry entries so that it runs each time you start your PC:
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Yahoo Messengger"
With data: "<worm copy>", for example, <system folder>\system3_.exe
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Shell"
With data: "explorer.exe <worm copy>", for example "explorer.exe <system folder>\system3_.exe"
It also tries to create a scheduled Windows task that runs the worm at 09:00 every day of the week, by running the following Windows shell command:
- C:\WINDOWS\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su <worm copy>, for example C:\WINDOWS\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su <system folder>\system3_.exe
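The three persistence points above (the HKCU Run value, the Winlogon Shell value and the AT job) are the first things to check on a suspect host. The following PowerShell triage script is an added example, not code from the original analysis. It assumes an elevated session on the machine being examined; the file name system3_.exe is only the page's example, so every match it reports is a lead to verify against the file's hash, not a verdict.

```powershell
# Added triage example, not code from the original analysis. Run elevated on the suspect host.
# Checks the three persistence mechanisms described above and reports the attributes and hash of
# any executable they point at (the worm sets read-only, hidden and system on its copy).

$findings = New-Object System.Collections.Generic.List[string]
$paths    = New-Object System.Collections.Generic.List[string]

# 1. HKCU Run value named "Yahoo Messengger" (the misspelling is the worm's own).
$runKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and ($run.PSObject.Properties.Name -contains 'Yahoo Messengger')) {
    $findings.Add("Run value 'Yahoo Messengger' = $($run.'Yahoo Messengger')")
    $paths.Add($run.'Yahoo Messengger')
}

# 2. Winlogon Shell must be exactly "explorer.exe"; the worm appends its own path after it.
$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogonKey -ErrorAction SilentlyContinue).Shell
if ($shell -and ($shell.Trim() -ne 'explorer.exe')) {
    $findings.Add("Winlogon Shell = '$shell' (expected 'explorer.exe')")
    # Everything after the first token is what was added.
    $extra = ($shell.Trim() -split '\s+', 2)[1]
    if ($extra) { $paths.Add($extra) }
}

# 3. Scheduled tasks. Jobs created with AT show up as \At1, \At2, ... in schtasks output.
#    schtasks repeats its CSV header once per task folder, so those rows are dropped.
$tasks = schtasks /query /fo CSV /v 2>$null | ConvertFrom-Csv |
    Where-Object { $_.TaskName -and $_.TaskName -ne 'TaskName' }
foreach ($t in $tasks) {
    $cmd = $t.'Task To Run'
    if ($t.TaskName -match '^\\At\d+$' -or $cmd -match 'system3_\.exe') {
        $findings.Add("Task $($t.TaskName) runs '$cmd' ($($t.'Schedule Type') at $($t.'Start Time'))")
        $paths.Add($cmd)
    }
}

# 4. Report the referenced files. A live copy carrying all three attributes is the strongest signal.
$rhs = [System.IO.FileAttributes]'ReadOnly, Hidden, System'
foreach ($p in ($paths | Sort-Object -Unique)) {
    # Strip surrounding quotes and trailing arguments before resolving (paths with spaces
    # would need proper command-line parsing; the worm's own paths have none).
    $exe = ($p.Trim('"') -split '\s+')[0]
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if (Test-Path -LiteralPath $exe) {
        $f = Get-Item -LiteralPath $exe -Force
        $hasRhs = (($f.Attributes -band $rhs) -eq $rhs)
        $hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
        $findings.Add("File $exe attrs=$($f.Attributes) rhs=$hasRhs sha256=$hash")
    } else {
        $findings.Add("File $exe is referenced but not present")
    }
}

if ($findings.Count -eq 0) { 'No Win32/Tupym persistence indicators found.' } else { $findings }
```

The Winlogon Shell check is the most general of the three: any value other than the bare explorer.exe is abnormal on a workstation regardless of which malware family put it there, so it is worth keeping in a baseline script even after this particular worm is gone.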
Spreads through...
Network shares and removable drives
The worm enumerates connected shared drives by checking the value within the following registry subkey:
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares
It copies itself to the root of any discovered shared or removable drive as New Folder.exe, and into every folder as <folder name>.exe, where <folder name> is the name of that folder. It also drops its autorun.ini file there as autorun.inf, with read-only, hidden and system attributes.
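The naming scheme above (New Folder.exe at the root, an executable named after its parent folder, and a read-only/hidden/system autorun.inf) is easy to hunt for on a suspect drive. The following PowerShell function is an added example, not code from the original analysis. It assumes the drive or mapped share is attached to a clean analysis machine with autorun disabled; the drive letter E:\ in the usage line is an assumption.

```powershell
# Added example, not code from the original analysis. Scans a removable drive or a mapped share
# for the copies described above: "New Folder.exe" at the root, "<folder name>.exe" inside each
# folder, and a read-only/hidden/system autorun.inf. Grouping by SHA-256 shows which files are
# the same binary.
function Find-TupymCopies {
    param([Parameter(Mandatory)][string]$Root)

    $rhs  = [System.IO.FileAttributes]'ReadOnly, Hidden, System'
    $hits = New-Object System.Collections.Generic.List[object]

    function Add-Hit([string]$Path, [string]$Reason) {
        # -Force is required to see files with the hidden/system attributes.
        $f = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
        if (-not $f) { return }
        $hits.Add([pscustomobject]@{
            Path   = $f.FullName
            Reason = $Reason
            RHS    = (($f.Attributes -band $rhs) -eq $rhs)
            Size   = $f.Length
            SHA256 = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        })
    }

    # Root-level artifacts.
    Add-Hit (Join-Path $Root 'New Folder.exe') 'root New Folder.exe'
    $inf = Join-Path $Root 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        Add-Hit $inf 'root autorun.inf'
        # The open= / shellexecute= / shell\...\command= lines show what the autorun would launch.
        Get-Content -LiteralPath $inf -Force -ErrorAction SilentlyContinue |
            Where-Object { $_ -match '^\s*(open|shellexecute|shell\\.*\\command)\s*=' } |
            ForEach-Object { Write-Host "autorun.inf: $_" }
    }

    # "<folder name>.exe" inside every folder, including hidden ones.
    Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $candidate = Join-Path $_.FullName ($_.Name + '.exe')
            if (Test-Path -LiteralPath $candidate) { Add-Hit $candidate 'folder-name .exe' }
        }

    $hits
}

# Usage (drive letter is an assumption): list the copies, then count distinct binaries.
$copies = Find-TupymCopies -Root 'E:\'
$copies | Format-Table Path, Reason, RHS, Size -AutoSize
$copies | Group-Object SHA256 | ForEach-Object { '{0} copies of {1}' -f $_.Count, $_.Name }
```

A folder-name .exe that does not share a hash with the root copy is worth a second look: either a different sample or a legitimate program that happens to match the pattern.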
Instant messenger clients
The worm checks if Yahoo Messenger is installed on your PC. If not, it will download and install the application. It adds its own id, for example balu311916, to the Yahoo Messenger contact list and then tries to send out spam messages to existing contacts. The message includes a URL link to a remote server that hosts the malware.
The message content is sourced from the malware configuration file _setting.ini, as outlined in the Payload section below.
If the worm cannot read that file, it randomly selects a message from the following hardcoded list (the " & @CRLF & " fragments are AutoIt string-concatenation syntax carried over from the worm's source; @CRLF is a line break):
- asl please" & @CRLF & "I am 23 Female, Delhi (India)" & @CRLF & "and you?
- golden lovers rose screen saver from advgoogle.<removed>.com/love.scr and see more from <malicious site>
- happy valentine day screen saver and beautiful screen saver from lovers advgoogle.<removed>.com/love.scr and <malicious site>
- happy valentine day screen saver from advgoogle.<removed>.com/love.scr and get new tips and tricks from <malicious site>
- happy valentine day screen saver from advgoogle.<removed>.com/love.scr and get new tips and tricks from <malicious site>
- happy valentine day screen saver from advgoogle.<removed>.com/love.scr and get new tips and tricks from <malicious site>
- happy valentine day screen saver from advgoogle.<removed>.com/love.scr and get new tips and tricks for lovers <malicious site>
- happy valentine day screen saver from advgoogle.<removed>.com/love.scr " & @CRLF & " and view secrets from private cam <malicious site>
- happy valentine day screen saver from advgoogle.<removed>.com/love.scr " & @CRLF & " and view secrets from private cam <malicious site>
- I LOVE YOUUUUUUUUUUUUU from screensaver advgoogle.<removed>.com/love.scr see more in <malicious site>
- rose is always red ,see in advgoogle.<removed>.com/love.scr screen saver from <malicious site>
The malware also checks if Google Talk is installed on your PC. If the application is found the worm will use it to send any of the messages listed above to your contacts.
Payload
Stops processes
This worm can stop the following utilities from running on your PC:
- Windows Task Manager
- Registry Editor
- System Configuration
- Windows Task Manager
- FireLion
It also terminates the following processes:
The malware won't stop any processes if the file C:\god.txt is found on your PC.
Deletes registry entries
The malware deletes the following registry entries:
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run\BkavFw
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IEProtection
Removes restore points
The malware removes your system restore points by deleting the System Volume Information folder.
Connects to a remote host
This worm connects to the following servers to download its configuration file and updates:
- h1.ripway.com/<removed>/setting.ini
- balu[000 - 024].<removed>/setting.ini
The configuration file is saved to one of the following locations:
It saves its update file to the same folders, using a random file name specified in its configuration data.
Modifies web browser settings
The malware can change the Internet Explorer start and search pages to redirect to a malicious site. We have seen the worm redirect to the following locations:
- mydreamworld.<removed>.com
- advgoogle.<removed>.com
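The payload side effects described in this section (the browser redirect, the deleted security-product Run values, the removed System Volume Information folder and the C:\god.txt kill switch) can be checked together. The following PowerShell script is an added example, not code from the original analysis. It assumes it is run as the affected user (the Internet Explorer keys are per-user) from an elevated session; the redacted part of the redirect domains is left as a wildcard, so the host patterns match on the visible prefix only.

```powershell
# Added example, not code from the original analysis. Checks the payload side effects listed
# above. Run as the affected user, elevated.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Internet Explorer start/search page redirection. The domains are the page's examples with
#    the redacted portion treated as a wildcard, so match on the visible prefix only.
$badHosts = 'mydreamworld\.', 'advgoogle\.'
$ieKeys = 'HKCU:\Software\Microsoft\Internet Explorer\Main',
          'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main'
foreach ($k in $ieKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    foreach ($name in 'Start Page', 'Search Page', 'Default_Page_URL', 'Default_Search_URL') {
        $v = $props.$name
        if ($v -and ($badHosts | Where-Object { $v -match $_ })) {
            $findings.Add("$k\$name = $v")
        }
    }
}

# 2. Run values the worm deletes (security software autostarts). An absent value only matters
#    if that product is installed, so the state is reported rather than judged.
$runValues = @(
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'BkavFw' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'IEProtection' }
)
foreach ($entry in $runValues) {
    $p = Get-ItemProperty -Path $entry.Key -ErrorAction SilentlyContinue
    $state = if ($p -and ($p.PSObject.Properties.Name -contains $entry.Name)) { 'present' } else { 'absent' }
    $findings.Add("Run value $($entry.Name) under $($entry.Key): $state")
}

# 3. Restore points. Every fixed NTFS volume normally has a System Volume Information folder;
#    its ACL blocks listing even for Administrators, but Test-Path still reports it. If it is
#    reported missing, confirm with 'vssadmin list shadows' from an elevated prompt.
foreach ($disk in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=3') {
    $svi = Join-Path $disk.DeviceID 'System Volume Information'
    if (-not (Test-Path -LiteralPath $svi)) {
        $findings.Add("$svi is missing (restore points deleted?)")
    }
}

# 4. Kill switch: the worm leaves processes alone when C:\god.txt exists. Its presence on a
#    machine where nobody created it is itself worth noting.
if (Test-Path -LiteralPath 'C:\god.txt') { $findings.Add('C:\god.txt is present') }

if ($findings.Count -eq 0) { 'No Win32/Tupym payload indicators found.' } else { $findings }
```

Note that the IE checks cover both HKCU and HKLM even though the page only says the worm changes the start and search pages: the per-machine key is where a default page is inherited from, so a clean HKCU with a redirected HKLM would still leave the user on the malicious site.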
Additional information
The worm won't run if it detects the following PC names:
It also won't run if it detects the following file, used as an infection marker:
The presence of the following file will stop this threat from spreading:
Analysis by Diana Lopera