Worm:Win32/Esfury.O is a worm that spreads to all removable and network drives and connects to certain websites. The worm terminates and redirects certain processes and makes changes to the local "Hosts" file and Internet Explorer's start page. The worm changes other system settings that may lower the overall security of the computer.
Installation
When run, Worm:Win32/Esfury.O drops a copy of itself as the following:
For example, "c:\documents and settings\administrator\administrator1\winlogon.exe".
Worm:Win32/Esfury.O modifies the registry to run the worm copy if any of the following applications are executed:
|
_avp.exe
_avp32.exe
_avpcc.exe
_avpm.exe
_findviru.exe
a2servic.exe
ackwin32.exe
acs.exe
advxdwin.exe
agentsvr.exe
agentw.exe
ahnsd.exe
alerter.exe
alertsvc.exe
alogserv.exe
amon.exe
amon9x.exe
antigen.exe
anti-trojan.exe
antivirus.exe
ants.exe
apimonitor.exe
aplica32.exe
apvxdwin.exe
ashWebSv.exe
atcon.exe
atguard.exe
atro55en.exe
atupdater.exe
atwatch.exe
aupdate.exe
autodown.exe
autotrace.exe
autoupdate.exe
avcenter.exe
avconfig.exe
avconsol.exe
ave32.exe
avgcc32.exe
avgctrl.exe
avgemc.exe
avgnt.exe
avgserv.exe
avgserv9.exe
avguard.exe
avgw.exe
avkpop.exe
avkserv.exe
avkservice.exe
avkwcl9.exe
avkwctl9.exe
avnotify.exe
avnt.exe
avp.exe
avp32.exe
avpcc.exe
avpdos32.exe
avpexec.exe
avpinst.exe
avpm.exe
avpmon.exe
avpnt.exe
avptc32.exe
avpupd.exe
avrescue.exe
avscanavshadow.exe
avsched32.exe
avsynmgr.exe
avupgsvc.exe
avwebloader.exe
avwin95.exe
avwinnt.exe
avwsc.exe
avwupd32.exe
avxmonitor9x.exe
avxmonitornt.exe
avxquar.exe
avxw.exe
azonealarm.exe
bd_professional.exe
bidef.exe
bidserver.exe
bipcp.exe
bipcpevalsetup.exe
bisp.exe
blackd.exe
blackice.exe
boot.exe
bootwarn.exe
borg2.exe
bs120.exe
BullGuard.exe
callmsi.exe
ccapp.exe
ccevtmgr.exe
cclaw.exe
ccpxysvc.exe
ccsetmgr.exe
ccshtdwn.exe
cdp.exe
cfgwiz.exe
cfiadmin.exe
cfiaudit.exe
cfind.exe
cfinet.exe
cfinet32.exe
chrome.exe
ChromeSetup.exe
clamauto.exe
claw95.exe
claw95cf.exe
claw95ct.exe
clean.exe
cleaner.exe
cleaner3.exe
cleanpc.exe
cmd.exe
cmgrdian.exe
cmon016.exe
connectionmonitor.exe
consent.exe
cpd.exe
cpdclnt.exe
cpf.exe
cpf9x206.exe
cpfnt206.exe
crashreporter.exe
csinject.exe
csinsm32.exe
css1631.exe
ctrl.exe
cv.exe
cwnb181.exe
cwntdwmo.exe
defalert.exe
defscangui.exe
defwatch.exe
deputy.exe
Diskmon.exe
doors.exe
dpf.exe
drvins32.exe
drwatson.exe
drweb32.exe
dumphive.exe
dv95.exe
dv95_o.exe
dvp95.exe
dvp95_0.exe
earthagent.exe
ecengine.exe
ecls.exe
ecmd.exe
edi.exe
efinet32.exe
efpeadm.exe
egui.exe
EHttpSrv.exe
ekrn.exe
ent.exe
esafe.exe
escanh95.exe
escanhnt.exe
escanv95.exe
espwatch.exe
etrustcipe.exe
evpn.exe
ewido.exe
exantivirus-cnet.exe
exit.exe
expert.exe
explored.exe
fact.exe
f-agnt95.exe
fameh32.exe
fa-setup.exe
fast.exe
fch32.exe
fih32.exe
Filemon.exe
findviru.exe
firefox.exe
firewall.exe
FirewallControlPanel.exe
FirewallSettings.exe
fix-it.exe
flowprotector.exe
fnrb32.exe
FPAVServer.exe
fprot.exe
f-prot.exe
fprot95.exe
f-prot95.exe
fp-win.exe
fp-win_trial.exe
frw.exe
fsaa.exe
fsav.exe
fsav32.exe
fsav530stbyb.exe
fsav530wtbyb.exe
fsav95.exe
fsave32.exe
fsgk32.exe
fslaunch.exe
fsm32.exe |
fsma32.exe
fsmb32.exe
fssm32.exe
f-stopw.exe
fwenc.exe
fwinstall.exe
gbmenu.exe
gbpoll.exe
GenericRenosFix.exe
generics.exe
gibe.exe
GoogleToolbarInstaller_download_signed.exe
gpedit.exe
guard.exe
guarddog.exe
guardgui.exe
guardhlp.exe
hacktracersetup.exe
helper.exe
HJTInstall.exe
HostsChk.exe
htlog.exe
hwpe.exe
iamapp.exe
iamserv.exe
iamstats.exe
ibmasn.exe
ibmavsp.exe
icload95.exe
icloadnt.exe
icmon.exe
icmoon.exe
icssuppnt.exe
icsupp.exe
icsupp95.exe
icsuppnt.exe
IEDFix.exe
iface.exe
ifw2000.exe
iomon98.exe
iparmor.exe
iris.exe
isrv95.exe
jammer.exe
jed.exe
jedi.exe
kav8.0.0.357es.exe
kavlite40eng.exe
kavpers40eng.exe
kavsvc.exe
kerio-pf-213-en-win.exe
kerio-wrl-421-en-win.exe
kerio-wrp-421-en-win.exe
killprocesssetup161.exe
kis8.0.0.506latam.exe
kpf.exe
kpfw32.exe
ldnetmon.exe
ldpro.exe
ldpromenu.exe
ldscan.exe
licmgr.exe
localnet.exe
lockdown.exe
lockdown2000.exe
lookout.exe
lsetup.exe
luall.exe
luau.exe
lucomserver.exe
luinit.exe
luspt.exe
mcagent.exe
mcmnhdlr.exe
mcshield.exe
mctool.exe
mcuimgr.exe
mcupdate.exe
mcvsrte.exe
mcvsshld.exe
mdll.exe
mfw2en.exe
mfweng3.02d30.exe
mgavrtcl.exe
mgavrte.exe
mghtml.exe
mgui.exe
minilog.exe
monitor.exe
monsys32.exe
monsysnt.exe
monwow.exe
moolive.exe
mpfagent.exe
mpfservice.exe
mpftray.exe
mrflux.exe
MSASCui.exe
msblast.exe
msconfig.exe
msinfo32.exe
msn.exe
mspatch.exe
mssmmc32.exe
mu0311ad.exe
mwatch.exe
mxtask.exe
n32scan.exe
n32scanw.exe
nai_vs_stat.exe
nav32_loader.exe
nav80try.exe
navap.exe
navapsvc.exe
navapw32.exe
navauto-protect.exe
navdx.exe
naveng.exe
navengnavex15.exe
navex15.exe
navlu32.exe
navnt.exe
navrunr.exe
navsched.exe
navstub.exe
navw.exe
navw32.exe
navwnt.exe
nc2000.exe
ncinst4.exe
nd98spst.exe
ndd32.exe
ndntspst.exe
neomonitor.exe
neowatchlog.exe
netarmor.exe
netcfg.exe
netinfo.exe
netmon.exe
netscanpro.exe
Netscape.exe
netspyhunter-1.2.exe
netstat.exe
netutils.exe
nisserv.exe
nisum.exe
nmain.exe
nod32.exe
normist.exe
norton_internet_secu_3.0_407.exe
notstart.exe
npf40_tw_98_nt_me_2k.exe
npfmessenger.exe
nprotect.exe
npscheck.exe
npssvc.exe
nsched32.exe
ntdetect.exe
ntrtscan.exe
ntxconfig.exe
nui.exe
nupdate.exe
nupgrade.exe
nvapsvc.exe
nvarch16.exe
nvc95.exe
nvlaunch.exe
nvsvc32.exe
nwinst4.exe
nwservice.exe
nwtool16.exe
offguard.exe
ogrc.exe
opera.exe
Opera_964_int_Setup.exe
ostronet.exe
outpost.exe
outpostinstall.exe
outpostproinstall.exe
padmin.exe
panixk.exe
pathping.exe
pavcl.exe
pavproxy.exe
pavsched.exe
pavw.exe
pcc2002s902.exe
pcc2k_76_1436.exe
pccclient.exe
pccguide.exe
pcciomon.exe
pccmain.exe
pccntmon.exe
pccpfw.exe
pccwin97.exe
pccwin98.exe
pcdsetup.exe
pcfwallicon.exe
pcip10117_0.exe
pcscan.exe
pcscanpdsetup.exe
penis32.exe
periscope.exe
persfw.exe
perswf.exe
pf2.exe |
pfwadmin.exe
ping.exe
pingscan.exe
platin.exe
pop3trap.exe
poproxy.exe
popscan.exe
portdetective.exe
portmon.exe
portmonitor.exe
ppinupdt.exe
pptbc.exe
ppvstop.exe
prckiller.exe
Process.exe
processmonitor.exe
procexp.exe
procexplorerv1.0.exe
Procmon.exe
programauditor.exe
proport.exe
protectx.exe
pspf.exe
purge.exe
pview.exe
pview95.exe
qconsole.exe
qserver.exe
rapapp.exe
rav.exe
rav7.exe
rav7win.exe
rav8win32eng.exe
realmon.exe
regedit.exe
regedt32.exe
Regmon.exe
rescue.exe
rescue32.exe
Restart.exe
route.exe
routemon.exe
rrguard.exe
rshell.exe
rstrui.exe
rtvscn95.exe
rulaunch.exe
Safari.exe
safeweb.exe
sbserv.exe
scan32.exe
scan95.exe
scanpm.exe
sched.exe
schedapp.exe
scrscan.exe
scvhosl.exe
sd.exe
sdclt.exe
serv95.exe
setup_flowprotector_us.exe
setupvameeval.exe
sgssfw32.exe
sh.exe
sharedaccess.exe
shellspyinstall.exe
shn.exe
smc.exe
SmitfraudFix.exe
sofi.exe
spf.exe
sphinx.exe
spider.exe
spysweeper.exe
spyxx.exe
SrchSTS.exe
srwatch.exe
ss3edit.exe
st2.exe
supftrl.exe
supporter5.exe
sweep.exe
sweep95.exe
sweepnet.exe
sweepsrv.sys.exe
swnetsup.exe
swsc.exe
swxcacls.exe
symproxysvc.exe
symtray.exe
sysdoc32.exe
syshelp.exe
taskkill.exe
tasklist.exe
taskmgr.exe
taskmon.exe
taumon.exe
tauscan.exe
tbscan.exe
tc.exe
tca.exe
tcm.exe
tcpsvs32.exe
tds2.exe
tds2-98.exe
tds2-nt.exe
tds-3.exe
tfak.exe
tfak5.exe
tftpd.exe
tgbob.exe
titanin.exe
titaninxp.exe
tmlisten.exe
tmntsrv.exe
tracerpt.exe
tracert.exe
trjscan.exe
trjsetup.exe
trojantrap3.exe
UCCLSID.exe
undoboot.exe
unzip.exe
update.exe
updater.exe
UserAccountControlSettings.exe
VACFix.exe
vbcmserv.exe
vbcons.exe
vbust.exe
vbwin9x.exe
vbwinntw.exe
vccmserv.exe
vcleaner.exe
vcontrol.exe
vcsetup.exe
vet32.exe
vet95.exe
vet98.exe
vettray.exe
vfsetup.exe
vir-help.exe
virusmdpersonalfirewall.exe
vmsrvc.exe
vnlan300.exe
vnpc3000.exe
vpc32.exe
vpc42.exe
vpcmap.exe
vpfw30s.exe
vptray.exe
vscan.exe
vscan40.exe
vscenu6.02d30.exe
vsched.exe
vsecomr.exe
vshwin32.exe
vsisetup.exe
vsmain.exe
vsmon.exe
vsscan40.exe
vsstat.exe
vswin9xe.exe
vswinntse.exe
vswinperse.exe
vvstat.exe
w32dsm89.exe
w9x.exe
watchdog.exe
webscan.exe
webscanx.exe
webtrap.exe
wfindv32.exe
wgfe95.exe
whoswatchingme.exe
wimmun32.exe
wingate.exe
winhlpp32.exe
wink.exe
winmgm32.exe
winppr32.exe
winrecon.exe
winroute.exe
winservices.exe
winsfcm.exe
wmias.exe
wmiav.exe
wnt.exe
wradmin.exe
wrctrl.exe
WS2Fix.exe
wsbgate.exe
wyvernworksfirewall.exe
xpf202en.exe
xscan.exe
zapro.exe
zapsetup3001.exe
zatutor.exe
zatutorzauinst.exe
zauinst.exe
zlh.exe
zonalarm.exe
zonalm2601.exe
zonealarm.exe |
The worm defines itself as a debugger to intercept requests for the above listed applications by modifying the registry.
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<application>
Sets value: "Debugger"
With data: "<path of Worm:Win32/Esfury.O>\winlogon.exe"
Spreads via…
Removable and network drives
Worm:Win32/Esfury.O spreads to removable and network drives by dropping a copy of itself as the following:
as in this example:
-
\h3ojkih9lvfeffo0mg6hlxplglv3lyyjvhdzrr3dtlhen80dniepqxqy2sziakx2axtns4sa044lspkbmnv9qm\i3mrvq39rdbyh9hfkj9v01t5z3m0s5hp0i.exe
-
\h3ojkih9lvfeffo0mg6hlxplglv3lyyjvhdzrr3dtlhen80dniepqxqy2sziakx2axtns4sa044lspkbmnv9qm\s-4-7-01-4639107501-4494491267-104133574-7046\i3mrvq39rdbyh9hfkj9v01t5z3m0s5hp0i.exe
The worm creates additional files in the targeted drives:
The worm then writes an Autorun configuration file named "autorun.inf" pointing to the worm copy. When the drive is accessed from a computer supporting the Autorun feature, the worm is launched automatically.
Payload
Lowers Windows security
The worm modifies the registry to lower overall system security.
- Disables UAC notifications (User Access Controls):
In subkey: HKLM\SOFTWARE\Microsoft\Security Center
Sets value: "UacDisableNotify"
With data: "1"
- Disables UAC "consent" dialog from displaying
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "ConsentPromptBehaviorAdmin"
With data: "0"
- Disables "beep" sound that may occur during certain important Windows events:
In subkey: HKCU\Control Panel\Sound
Sets value: "Beep"
With data: "no"
- Removes the Run command from the Start menu and the New Task (Run) command from Windows Task Manager:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Sets value: "NoRun"
With data: "1"
- Disables System Restore and stops creating restore points
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
Sets value: "DisableSR"
With data: "1"
- Stops the System Restore service
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\sr
Sets value: "Start"
With data: "4"
- Prevents Windows Explorer from displaying files with "system" and "hidden" attributes even if specified in Explorer view options:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "ShowSuperHidden"
With data: "0"
- Stops Windows Security Center service:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Sets value: "Start"
With data: "4"
Terminates processes
Worm:Win32/Esfury.O attempts to terminate the following processes:
_avpm.exe
antivirus.exe
aupdate.exe
avgw.exe
avp.exe
avp32.exe
avpcc.exe
blackice.exe
cmd.exe
drweb32.exe
egui.exe
ekrn.exe
ElementClient.exe
YB_ONLINECLIENT.EXE
fsav.exe
navw32.exe
nod32.exe
persfw.exe
rav.exe
scan32.exe
zonealarm.exe
Modifies Internet Explorer settings
Worm:Win32/Esfury.O changes the start page of Internet Explorer by modifying the following registry entry:
In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
Sets value: "Start Page"
With data: "http://u-9-.0-9-5-2-g-n-3-s-.i-k-r-g-1-0-u-5-1-f-3-g-li-9-p-1-x-t-6-g-l-8-m-q-y-s-k-6-l.info"
In subkey: HKLM\Software\Microsoft\Internet Explorer\Main
Sets value: "Start Page"
With data: "http://3-3.-7-7-y-9-u-4-j-4-0-6-v-5-g-p-8-i-8-7-8-8-h-h-5-.5-b-e-n-t-f-p-p-7-1-1-0-7-c-q-0-3-00-6-u-7-t-1-n-y-q-u-f-u.info"
Modifies the Windows Hosts file
The local Hosts file, commonly stored as "<Windows folder>\system32\drivers\etc\hosts.", overrides the DNS resolution of a website URL to a particular IP address. Malicious software may make modifications to the Hosts file in order to redirect specified URLs to different IP addresses. Malware often modifies an affected computer's Hosts file in order to stop users from accessing websites associated with particular security-related applications (such as antivirus for example).
Connects to certain websites
Worm:Win32/Esfury.O may contact the following remote hosts using port 80:
-
whos.amung.us
-
www.whatismyip.org
-
www.cheaps1.info
Analysis by Dan Kurc
