Worm:Win32/Esfury is a family of worms that may spread via Windows Live Messenger and removable drives. They modify the Hosts file and a number of security settings, as well as terminating and blocking access to a large number of processes. They may contact a remote server which may instruct them to download and execute arbitrary files.
Installation
When run, Worm:Win32/Esfury copies itself to a location such as
%USERPROFILE%\<username>1\winlogon.exe (for example, C:\Documents and Settings\bob\bob1\winlogon.exe) or %USERPROFILE%\27f6471627473796e696d64614\winlogon.exe, and launches the new copy. This copy injects code into the system process "svchost.exe".
It may create registry entries such as the following, to ensure that it runs at each system start:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: NVIDIA Media Center Library
With data: <location of malware> (for example, %USERPROFILE%\<username>1\winlogon.exe)
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: NVIDIA Media Center Library
With data: <location of malware> (for example, %USERPROFILE%\<username>1\winlogon.exe)
Spreads via…
Instant messaging
The worm may send one of a number of messages to each of the user’s Windows Live Messenger contacts, suggesting that they visit a certain website. Should the recipient do so, the site, which masquerades as a music site, suggests they download and install some audio player software. At the time of publication, the downloaded file was an updated copy of Worm:Win32/Esfury.
Each message contains one string, chosen at random, from the six below (the original Spanish is kept as sent; English glosses follow in brackets):
Escucha Musica Online de Tus Generos Favoritos [Listen to Music Online in Your Favorite Genres]
Hola!! En http://www.nueva*****.fm podrás encontrar: letras de canciones, vídeos de música, wallpapers música, foros de música [Hi!! At http://www.nueva*****.fm you can find: song lyrics, music videos, music wallpapers, music forums]
Nueva*****.FM es el sitio de musica a la carta con mayor cantidad de canciones musicas y lyrics para escuchar en diferentes generos [Nueva*****.FM is the on-demand music site with the largest number of songs and lyrics to listen to in different genres]
Escucha música gratis online, Internet radio y disfruta de los los últimos videos. Entérate de todas las novedades de la música en español [Listen to free music online, Internet radio, and enjoy the latest videos. Find out all the news about music in Spanish]
Lo mejor de la música, tus artistas favoritos, fotos, videos gratis, radio, fotos, ultimas noticias. [The best of music, your favorite artists, photos, free videos, radio, photos, latest news.]
Musica del Recuerdo, portal dedicado exclusivamente a la musica del recuerdo, musica romantica, musica gratis y video clips. [Musica del Recuerdo, a portal dedicated exclusively to oldies, romantic music, free music and video clips.]
The chosen string is followed by:
Ingresa ahora a http://nueva*****.fm [Go now to http://nueva*****.fm]
Los videos mas Calientes de la Red! a un solo Click! [The Hottest videos on the Net! just one Click away!]
Visitame en http://nueva*****.fm [Visit me at http://nueva*****.fm]
Removable drives
The malware periodically checks for the presence of removable drives on the affected systems, and, if found, will place a copy of itself at a location such as the following:
\h3ojKiH9lvFefkO0mG6HlXplgLV3LYYJVfdZRr3dtLhEN80DnzEPQXQY2sziakx2axTnS4SA0447SPkbMnv4Qm\S-4-7-01-4639107501-4494491267-104133574-7046\o3mrVQz9rDByh9hfKJ9v01t5z3m0s5hP01.exe
Worm:Win32/Esfury also places a file named "desktop.ini" in the same directory, which makes that directory appear in Windows Explorer as a recycle bin. It also places an "autorun.inf" file in the root directory of the affected drive, so that when the drive is attached to a system, an AutoPlay dialog appears with a folder icon and the string "Abrir la carpeta para ver los archivos" ["Open the folder to view the files"]. If this option is selected, a copy of the malware is launched.
All of these files and directories have their attributes set to 'read only', 'hidden', and 'system'.
Some variants also place a link file in the root directory of the targeted drive, with a file name such as "subst.lnk". This file links to the malware copy.
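The following Python script is an added example, not part of the original analysis: it reads the files a removable drive would carry in this scheme and links the AutoPlay lure to the command it launches. The autorun.inf and desktop.ini contents are constructed to match the behaviour described above rather than copied from the worm (the payload name and the icon index are assumptions). The CLSID used is the shell's Recycle Bin class identifier, which is how a desktop.ini makes Explorer draw a folder as a recycle bin, and the directory name reuses the SID-looking name from the path above, which imitates the per-user subfolders of a real Recycle Bin.

```python
"""Triage the root of a removable drive for the autorun.inf lure and the
desktop.ini folder disguise described above (added example, constructed data)."""
import sys
from pathlib import Path

# Shell class identifier of the Recycle Bin: a desktop.ini pointing at it makes Explorer
# draw the folder as a recycle bin and hide its real contents.
RECYCLE_BIN_CLSID = "{645FF040-5081-101B-9F08-00AA002F954E}"

# Constructed samples: the directory name is the SID-looking one from the path above;
# the payload name, icon index and the remaining contents are assumptions.
PAYLOAD_DIR = "S-4-7-01-4639107501-4494491267-104133574-7046"
SAMPLE_FILES = {
    "autorun.inf": f"""[autorun]
open={PAYLOAD_DIR}\\payload.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
action=Abrir la carpeta para ver los archivos
shell\\open=Abrir
shell\\open\\command={PAYLOAD_DIR}\\payload.exe
shell\\explore\\command={PAYLOAD_DIR}\\payload.exe
UseAutoPlay=1
""",
    f"{PAYLOAD_DIR}/desktop.ini": """[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
""",
    "subst.lnk": "",   # binary shortcut; only its presence is reported here
}

def parse_inf(text):
    """Minimal INI parser that tolerates the junk lines malware pads these files with."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line[0] == "[" and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def autorun_commands(sections):
    """Every command an [autorun] section can make Explorer run:
    open=, shellexecute=, and shell\\<verb>\\command= (verbs shown in the AutoPlay menu)."""
    autorun = sections.get("autorun", {})
    return {k: v for k, v in autorun.items()
            if k in ("open", "shellexecute")
            or (k.startswith("shell\\") and k.endswith("\\command"))}

def autorun_lure(sections):
    """What AutoPlay will display for the malicious entry: text, icon and drive label."""
    autorun = sections.get("autorun", {})
    return {field: autorun.get(field) for field in ("action", "icon", "label")}

def desktop_ini_masquerade(sections):
    """Name of the shell object a folder is disguised as, if its CLSID is one we know."""
    clsid = sections.get(".shellclassinfo", {}).get("clsid", "").upper()
    return "Recycle Bin" if clsid == RECYCLE_BIN_CLSID else None

def triage_drive(files):
    """files maps relative path -> text content. Returns (kind, detail, context) findings."""
    findings = []
    autorun = parse_inf(files.get("autorun.inf", ""))
    commands = autorun_commands(autorun)
    if commands:
        findings.append(("autorun launches", commands, autorun_lure(autorun)))
    for path, text in files.items():
        if path.lower().endswith("desktop.ini"):
            disguise = desktop_ini_masquerade(parse_inf(text))
            if disguise:
                findings.append(("folder disguised as", disguise, path.rsplit("/", 1)[0]))
        elif path.lower().endswith(".lnk"):
            findings.append(("shortcut in drive root", path, None))
    return findings

def load_drive(root):
    """Read autorun.inf, every desktop.ini and the root .lnk names from a mounted drive."""
    root = Path(root)
    files = {}
    for p in [root / "autorun.inf", *root.rglob("desktop.ini"), *root.glob("*.lnk")]:
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            files[rel] = "" if p.suffix.lower() == ".lnk" else p.read_text(errors="replace")
    return files

if __name__ == "__main__":
    files = load_drive(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_FILES
    for kind, detail, context in triage_drive(files):
        print(f"{kind}: {detail}  [{context}]")
```

Run it with the drive root as the first argument to inspect a real drive; with no argument it runs over the constructed sample. Only the presence of a root .lnk is reported, since resolving its target needs a parser for the shortcut file format.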
Payload
Contacts remote servers
The malware contacts a number of servers in order to retrieve information about the latest version of the malware, or other commands. This allows it to download and execute an update for itself, or other arbitrary files. Servers contacted include the following:
whos.amung.us
www.cheaps1.info
Modifies system settings
The malware changes a number of system settings by making registry modifications such as the ones below:
- Disable User Account Control notifications:
In subkey: HKLM\SOFTWARE\Microsoft\Security Center
Sets value: "UacDisableNotify"
With data: "1"
- Disable certain Security Center settings and notifications:
In subkey: HKLM\SOFTWARE\Microsoft\Security Center\Svc
Sets value: "AntivirusDisableNotify"
With data: "1"
Sets value: "AntivirusOverride"
With data: "1"
Sets value: "FirewallDisableNotify"
With data: "1"
Sets value: "FirewallOverride"
With data: "1"
Sets value: "FirstRunDisabled"
With data: "1"
Sets value: "UpdatesDisableNotify"
With data: "1"
Sets value: "UacDisableNotify"
With data: "1"
- Allow operations that require elevated privileges to be performed without consent or credentials:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "ConsentPromptBehaviorAdmin"
With data: "0"
- Disable the LUA (Least Privileged User Account), also known as the "administrator in Admin Approval Mode" user type:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "EnableLUA"
With data: "0"
Note: Disabling the LUA allows all applications to run by default with all administrative privileges, without the user being prompted for explicit consent.
- Set the secure desktop prompting policy (note that a data value of 1 leaves credential and consent prompts on the secure desktop; with EnableLUA set to 0 as above, no elevation prompt is shown at all):
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "PromptOnSecureDesktop"
With data: "1"
- Remove the Run command from the Start menu and the Folder Options item from the Tools menu of Windows Explorer:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Sets value: "NoRun"
With data: "1"
Sets value: "NoFile"
With data: "1"
Sets value: "NoFolderOptions"
With data: "1"
- Disable System Restore and stop the System Restore service:
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
Sets value: "DisableSR"
With data: "1"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\sr
Sets value: "Start"
With data: "4"
- Prevent Windows Explorer from displaying files that have the 'system' and 'hidden' attributes, and from displaying file name extensions:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "ShowSuperHidden"
With data: "0"
Sets value: "SuperHidden"
With data: "1"
Sets value: "Hidden"
With data: "2"
Sets value: "HideFileExt"
With data: "3"
- Disable the Windows firewall:
In subkey: HKLM\Software\Policies\Microsoft\WindowsFirewall\StandardProfile
Sets value: "EnableFirewall"
With data: "0"
In subkey: HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile
Sets value: "EnableFirewall"
With data: "0"
- Prevent automatic restart after Windows updates are installed while users are logged on:
In subkey: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
Sets value: "NoAutoRebootWithLoggedOnUsers"
With data: "1"
- Disable the Windows Script Host:
In subkey: HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings
In subkey: HKCU\SOFTWARE\Microsoft\Windows Script Host\Settings
Sets value: "Enabled"
With data: "0"
- Attempt to prevent the system from booting into Safe Mode by deleting the following registry key, and any subkeys it contains:
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
Changes Internet Explorer start page
The malware attempts to change Internet Explorer’s start page and other default pages by making registry modifications similar to the following examples:
In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
Sets value: "Start Page"
With data: "http://g-3-a-k-0-x-8-6-e-n-d-p-4-s-d-x-g-6-9-v-9-n-v-2-3-2-8.-6-.j-z-0-3-0-u-u-x-f-1l-3-l-h-w-b-q-z-u-5-n-l-l-m-s-5-v-s-z-g.info"
Sets value: "Local Page"
With data: "http://h.-x-.u-l-c-6-e-p-a-a-0-z-m-s-m-00-v-2-i-7-5-f-l-7-7-l-t-j-h-h-9.info"
Sets value: "Search Page"
With data: "http://9.-.u-l-c-6-e-p-a-a-0-z-m-s-m-00-v-2-i-7-5-f-l-7-7-l-t-j-h-h-9.info"
Sets value: "Default_Search_URL"
With data: "http://4-1-6-f-k-g-d-n-8-9-a-k-f-f-h-y-4-9-n-1.-6-y-r-.a-l-v-d-z-o0-n-x-6-v-0-q-q-m-7-g-d-z-7-7-o-b-m-7-z-4-a-q-0.info"
Sets value: "Default_Page_URL"
With data: "http://4-1-x-.s-4-2-0-x-o-8-.j-z-0-3-0-u-u-x-f-1l-3-l-h-w-b-q-z-u-5-n-l-l-m-s-5-v-s-z-g.info"
In subkey: HKLM\Software\Microsoft\Internet Explorer\Main
Sets value: "Start Page"
With data: "http://b-q-h.-.j-z-0-3-0-u-u-x-f-1l-3-l-h-w-b-q-z-u-5-n-l-l-m-s-5-v-s-z-g.info"
Sets value: "Local Page"
With data: "http://t-1-6-0-0-9-.k-8-.a-l-v-d-z-o0-n-x-6-v-0-q-q-m-7-g-d-z-7-7-o-b-m-7-z-4-a-q-0.info"
Sets value: "Search Page"
With data: "http://o-u-.1-7-g-5-f-z-s-9-.i-k-r-g-1-0-u-5-1-f-3-g-li-9-p-1-x-t-6-g-l-8-m-q-y-s-k-6-l.info"
Sets value: "Default_Search_URL"
With data: "http://d-e-g-4-8-g-8-3-9-c-j-4-8-9-m-i-e-0-3.-a-8-1-i-g-9-1-.u-l-c-6-e-p-a-a-0-z-m-s-m-00-v-2-i-7-5-f-l-7-7-l-t-j-h-h-9.info"
Sets value: "Default_Page_URL"
With data: "http://0-u-5-3-s-b-7-3.-2-t-9-j-j-.5-b-e-n-t-f-p-p-7-1-1-0-7-c-q-0-3-00-6-u-7-t-1-n-y-q-u-f-u.info"
URLs such as these are randomly chosen from a short list contained within the malware.
Closes windows
The malware monitors open windows and attempts to close any whose title contains a string from a built-in list. Because the match is on substrings, short entries such as "reg", "File", "system" or "lock" also match many unrelated window titles. The list may include the following:
- error
- hosts
- AdSense
- AdWords
- seguri [fragment of "seguridad", security]
- gusano [worm]
- actuali [fragment of "actualizar", update]
- Settings
- aware
- boot
- pajina [misspelling of "página", page]
- advanced
- reg
- agnitum
- amon
- anti
- lock
- Caballo [horse, as in "caballo de Troya", Trojan horse]
- Troya [Troy, as in "caballo de Troya"]
- Terminat
- Arovax
- Sweeper
- ants
- Destroy
- eset
- Malware
- blackice
- centinel
- command
- deerfield
- dvpinit
- etrust
- bot
- File
- scan
- gis
- HijackThis
- IniRem
- inoculate
- updat
- intercheck
- security
- odc
- kerio
- kill
- luke
- Memor
- moosoft
- murphy
- nai_vs_stat
- neowatch
- nod
- nvc
- Tray
- outpost
- pcinternet
- pestpatrol
- rav
- rtvr
- schscnt
- secureup
- Winspector
- superdat
- surfsecret
- sygate
- system
- monitor
- sistema [system]
- tcactive
- tds
- running
- clea
- trojan
- troyan [misspelling of "troyano", Trojan]
- TuneUp
- Detective
- WinPatrol
- spy
- firewall
- Trend
- elimina [delete, remove]
- viru
- espia [spy]
- saco [from "sacar", take out]
- cambiar [change]
- homepage
- pagina [page]
- spiware [misspelling of spyware]
- change
- trollano [misspelling of "troyano", Trojan]
- quitar [remove]
- quito [I remove]
- kitar [misspelling of "quitar", remove]
- bloquear [block]
- blokear [misspelling of "bloquear", block]
- deja [leave, stop]
- infec [fragment of "infección" or "infectar", infection]
- borrar [delete]
- restaurar [restore]
- Kaspersky
- Active
- ZoneAlarm
- F-Secure
- Defender
- BullGuard
- Ashampoo
- CyberScrub
- Avast
- AVG
- F-Prot
- McAfee
- Panda
- Norman
- ArcaVir
- Norton
- Rising
- DrWeb
- Dr.Web
- Cillin
- Iolo
- VBA32
- Sophos
- matar [kill]
- Zondex
- Vexira
- V3
- Comodo
- Squared
- Ikarus
- ClamWin
- Quick
- Protector
- Guard
- Hunter
- VirIT
- E-Trust
- User Account
- Remove
- Hack
- jack
- Abacre
- Filterbit
- folder
- carpeta [folder]
(The Spanish entries are glossed in brackets; the strings themselves are matched exactly as written.)
Terminates and blocks access to processes
The malware may create a semaphore named "MSConfigRunning" in an attempt to prevent the MSConfig system configuration tool from starting, since the tool uses that object to detect an instance that is already running.
It also creates a large number of registry entries similar to the following:
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<file name of blocked file>
Sets value: "Debugger"
With data: "%USERPROFILE%\<username>1\winlogon.exe"
For example:
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avp.exe
Sets value: "Debugger"
With data: "c:\documents and settings\bob\bob1\winlogon.exe"
The registry keys may be created for any of the file names listed below. Because Windows launches the image named in a "Debugger" value in place of the original program, any attempt to run one of these files runs a copy of the malware instead.
The malware also attempts to terminate processes with these file names if they are already running.
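As an added example (not code from the original analysis), the Python script below parses a .reg export, for instance from `reg export HKLM hklm.reg` on the affected system, and checks it for the three kinds of registry change this page describes: Image File Execution Options "Debugger" values that point at a suspicious image (the process-blocking technique just described), Run-key entries that start from a user profile directory (the persistence entries under Installation), and the policy values listed under Modifies system settings. The sample export, the list of user-writable locations and the list of system image names are constructed assumptions for the example.

```python
"""Check a .reg export for IFEO Debugger hijacks, Run-key persistence from a user
profile, and the weakened policy values described on this page (added example)."""
import re

IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
            r"\Image File Execution Options").lower()
RUN_KEYS = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run".lower(),
            r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run".lower())
POLICY_SYSTEM = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
FIREWALL = r"HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall"
WEAK_VALUES = {  # (key, value name) -> data the worm writes, from "Modifies system settings"
    (POLICY_SYSTEM.lower(), "enablelua"): 0,
    (FIREWALL.lower() + r"\standardprofile", "enablefirewall"): 0,
    (FIREWALL.lower() + r"\domainprofile", "enablefirewall"): 0,
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore".lower(),
     "disablesr"): 1,
}
# Assumptions for this example: directories an ordinary user can write to, and system
# image names that never belong outside System32 (the worm names its copy winlogon.exe).
USER_WRITABLE = ("\\documents and settings\\", "\\users\\", "%userprofile%", "%appdata%", "%temp%")
SYSTEM_IMAGE_NAMES = {"winlogon.exe", "svchost.exe", "csrss.exe", "lsass.exe", "services.exe"}

# Constructed sample export mirroring the entries described on this page, not a real capture.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA Media Center Library"="C:\\Documents and Settings\\bob\\bob1\\winlogon.exe"
"VMware User Process"="\"C:\\Program Files\\VMware\\VMware Tools\\VMwareUser.exe\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
"ConsentPromptBehaviorAdmin"=dword:00000000
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avp.exe]
"Debugger"="c:\\documents and settings\\bob\\bob1\\winlogon.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Program Files\\Debugging Tools for Windows\\windbg.exe"
"""

def parse_reg_export(text):
    """Return {key (lower-cased): {value name: data}} for REG_SZ and DWORD values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)', line)
            if not m:
                continue
            name, data = m.group(1), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                # .reg files escape backslashes and quotes inside REG_SZ data
                keys[current][name] = re.sub(r'\\(["\\])', r'\1', data[1:-1])
            elif data.startswith("dword:"):
                keys[current][name] = int(data[6:], 16)
    return keys

def _lookup(values, name):
    """Case-insensitive value lookup; registry value names are not case-sensitive."""
    return next((d for n, d in values.items() if n.lower() == name), None)

def suspicious_reasons(command):
    """Why a Debugger or autostart command line looks like a copy of the malware."""
    p = command.lower().strip().strip('"')
    exe = p.rsplit("\\", 1)[-1].split(" ")[0].strip('"')
    reasons = []
    if any(marker in p for marker in USER_WRITABLE):
        reasons.append("runs from a user-writable profile directory")
    if exe in SYSTEM_IMAGE_NAMES and "\\windows\\system32\\" not in p:
        reasons.append(f"system image name {exe} outside System32")
    return reasons

def find_ifeo_hijacks(keys):
    """Windows starts the Debugger image in place of the named program, so a suspicious
    Debugger under IFEO both blocks that program and launches the malware."""
    hits = []
    for key, values in keys.items():
        if not key.startswith(IFEO_KEY + "\\"):
            continue
        debugger = _lookup(values, "debugger")
        reasons = suspicious_reasons(debugger) if isinstance(debugger, str) else []
        if reasons:
            hits.append((key.rsplit("\\", 1)[1], debugger, reasons))
    return hits

def find_run_persistence(keys):
    """Run-key entries whose command line points at a suspicious location."""
    hits = []
    for key in RUN_KEYS:
        for name, data in keys.get(key, {}).items():
            reasons = suspicious_reasons(str(data))
            if reasons:
                hits.append((name, data, reasons))
    return hits

def find_weakened_settings(keys):
    """Policy values present with exactly the data the worm writes."""
    return [(key, name, bad) for (key, name), bad in WEAK_VALUES.items()
            if _lookup(keys.get(key, {}), name) == bad]

if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_REG)
    for label, finder in (("IFEO hijack", find_ifeo_hijacks),
                          ("Run persistence", find_run_persistence),
                          ("Weakened setting", find_weakened_settings)):
        for hit in finder(parsed):
            print(f"{label}: {hit}")
```

Detection keys on where the Debugger value points rather than on the name of the hijacked program, so it also finds entries for programs not in the list above, while a Debugger value for a real debugger under Program Files is left alone. Clean-up means deleting the Debugger value for every hijacked image (not the whole IFEO subkey if it carries other settings) together with the Run entry and the file it points at.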
Processes targeted by the malware may include the following:
Modifies Hosts file
Worm:Win32/Esfury modifies the Windows Hosts file, located at <system folder>\drivers\etc\hosts. Entries in the local Hosts file take precedence over DNS lookups, mapping a host name to a particular IP address. The malware modifies the file in order to redirect specified domains to IP addresses of its choosing.
Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
It redirects domains, such as the following in order to display content of its own choosing, should the user attempt to visit URLs hosted by these domains:
- viabcp.com
- www.viabcp.com
- bcpzonasegura.viabcp.com
- www.produbanco.com
- produbanco.com
- www.pichincha.com
- pichincha.com
- wwwp1.pichincha.com
- wwwp2.pichincha.com
- wwwp3.pichincha.com
- wwwp4.pichincha.com
- wwww01.pichincha.com
- wwww02.pichincha.com
- wwww03.pichincha.com
- wwww04.pichincha.com
- bn.com.pe
- www.bn.com.pe
- zonasegura1.bn.com.pe
- www.zonasegura1.bn.com.pe
- peliculasid.com
- www.peliculasid.com
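The following Python script is an added example, not part of the original analysis: it parses a hosts file in the Windows format and separates the two kinds of entry described here, names redirected to a routable address (the banking domains above) and names blackholed with a loopback or unroutable address. The sample file is constructed: the banking names are the ones listed above, 203.0.113.10 is a documentation address standing in for the attacker's server, and the .invalid names stand in for the security-vendor domains.

```python
"""Triage a Windows hosts file for names redirected to a routable address (pharming)
and names blackholed with an unroutable one (added example, constructed data)."""
import ipaddress
from collections import defaultdict

# Constructed sample: banking names from the list above, a documentation address in
# place of the attacker's server, and .invalid names for the security-vendor domains.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.10    viabcp.com www.viabcp.com bcpzonasegura.viabcp.com
203.0.113.10    www.pichincha.com pichincha.com
203.0.113.10    zonasegura1.bn.com.pe
127.0.0.1       www.av-vendor.invalid
0.0.0.0         update.av-vendor.invalid   # 0.0.0.0 never connects either
this is not a hosts line
"""

BANKS = ("viabcp.com", "produbanco.com", "pichincha.com", "bn.com.pe")

def parse_hosts(text):
    """Return (line_no, ip, hostname) triples, skipping comments and malformed lines."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue   # not "address name ...": the resolver ignores it as well
        entries.extend((no, ip, name.lower()) for name in names)
    return entries

def classify(ip):
    """'blackhole' for addresses that cannot serve content, 'redirect' for routable ones."""
    if ip.is_loopback or ip.is_unspecified or ip.is_link_local or ip.is_reserved:
        return "blackhole"
    return "redirect"

def in_domain(name, domain):
    return name == domain or name.endswith("." + domain)

def triage_hosts(text, watch=BANKS):
    """Group entries by destination; flag redirected watched names and blackholed names."""
    by_ip, redirects, blackholed = defaultdict(list), [], []
    for no, ip, name in parse_hosts(text):
        by_ip[str(ip)].append(name)
        if classify(ip) == "blackhole":
            if name != "localhost":          # the stock localhost lines are legitimate
                blackholed.append(name)
        else:
            redirects.append({"line": no, "name": name, "ip": str(ip),
                              "watched": any(in_domain(name, d) for d in watch)})
    return {"by_ip": dict(by_ip), "redirects": redirects, "blackholed": blackholed}

def load_hosts(path=r"C:\Windows\System32\drivers\etc\hosts"):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()

if __name__ == "__main__":
    report = triage_hosts(SAMPLE_HOSTS)
    for r in report["redirects"]:
        flag = "  (watched)" if r["watched"] else ""
        print(f"line {r['line']}: {r['name']} -> {r['ip']}{flag}")
    print("blackholed:", ", ".join(report["blackholed"]))
```

Pass the output of load_hosts() to triage_hosts() to check a live system. An entry only changes name resolution: a redirected HTTPS login page still fails certificate validation in the browser unless the user clicks through the warning, so a hosts-file redirect of a banking site is most effective against plain-HTTP pages or users accustomed to ignoring that warning.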
It also redirects a number of mostly security-related domains, such as the following, to a non-existent IP address, in an attempt to prevent the user from accessing content hosted on those domains:
Analysis by David Wood