Worm:Win32/Enosch.A

Installation

The worm disguises itself by using non-executable file extensions such as .doc, .ppt or .mp3.

Some examples of filenames we have seen include:

• 00[0-9].JPG.exe
• personal a cargo de Yaomara.xls.exe
• 24Horas 3ª T 1º Episódio.avi.exe
• Thumbs.db.exe

When run, Worm:Win32/Enosch.A creates a copy of itself with the file name gupd.exe in the %USERPROFILE% folder. 

It also uses an icon that looks like a Windows folder icon to trick you into opening it. The malware is run when the file is opened.

This threat modifies the following registry entry to make sure it runs at each Windows start:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: gtalkupdate
With data: %USERPROFILE%\gupd.exe

Spreads via...

Local and network-shared folders

Worm:Win32/Enosch.A copies itself with the file name gupd.exe and with the Windows file icon to shared network folders.

It also spreads by searching local and network drives and copying itself to any executable files that it finds.

Removable drives

This threat may create a copy of itself on targeted removable drives when spreading.

It also places an autorun.inf file in the root directory of the targeted drive. Such autorun.inf files contain instructions for the operating system so that when the removable drive is accessed from another computer supporting the autorun feature, the malware is launched automatically.

This is particularly common malware behavior, generally used in order to spread malware from computer to computer.

It should be noted that autorun.inf files on their own are not necessarily a sign of infection, as they are used by legitimate programs and installation media. 

After it is installed, the worm checks that your computer is connected to the Internet by making a HTTP request to www.google.com/index.html.

Payload

Steals your information

The worm searches for .doc and .docx files on your computer. It then sends these documents, including any sensitive information contained within them, via email using smtp.google.com as the gateway. 

The email is sent to one of the following accounts:

• mamammmamamam@<removed>.com
• enoughschool@<removed>.com