Spreads via...
Removable drives
Worm:Win32/Metibh.A copies itself as Thumbs.lnk onto the root directory of drives C: through to Z:.
It sets the attributes of the file to "SYSTEM", "READONLY", and "HIDDEN".
It also places an autorun.inf file in the root directory of the targeted drive. Such autorun.inf files contain instructions for the operating system so that when the removable drive is accessed from another computer supporting the Autorun feature, the malware is launched automatically.
This is particularly common malware behavior, generally used in order to spread malware from computer to computer.
It should be noted that autorun.inf files on their own are not necessarily a sign of infection, as they are used by legitimate programs and installation media.
The worm also copies this autorun.inf file to <system folder>\arf.
Installation
When run, the worm checks if it is loaded as part of explorer.exe (a standard Windows operating file), 360tray.exe (a service that may be related to a Chinese security program), metabin2.bin or woool.dat (files that are related to a game client created by SNDA Corporation), or as a part of any other module or process.
Based on the context in which it is running, the worm carries out slightly different routines to install itself on your computer.
If the worm is loaded as part of 360tray.exe, it will close itself and not run. If it is running as metabin2.bin or woool.dat, it performs its payload as described in the Payload section. If it is running as part of any other process, it will close any windows with the following text in their title:
- Monitor
- Sysinternals
- Watcher
- 360
- code1984
- 监视 (English: Monitoring)
- 木马 (English: Trojan)
- 卫士 (English: Defender)
- 巡警 (English: Patrol)
It then drops a copy of itself as %windir%\ReSSDT.sys, creates a service with the name RESSDT and injects itself into explorer.exe.
Once the worm is loaded as part of explorer.exe it copies the following copies of itself and sets their attributes to "SYSTEM", "READONLY", and "HIDDEN":
- %system%\IPv6.dll
- %system%\NvCpl64.dll
- %system%\WinXP.bmp
- %system%\cryptnet21.dll
- %windows%\SoftwareDistribution\Uninstall.bin
It then looks for any windows with the following text, and closes those windows:
- Monitor
- Sysinternals
- Watcher
- 360
- code1984
- 监视 (English: Monitoring)
- 木马 (English: Trojan)
- 卫士 (English: Defender)
- 巡警 (English: Patrol)
It injects the file cryptnet21.dll into the Winlogon.exe process to ensure that the worm is run when you log on to Windows.
The worm drops the file cryptnet21.dll to the <system folder>. The worm modifies the following registry entry to ensure that the file runs at each Windows start:
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet21
Sets value: Impersonate
With data: 0x00000000
Sets value: Asynchronous
With data: 0x00000000
Sets value: Startup
With data: WLSStartEvent
Sets value: DllName
With data: <system folder>\cryptnet21.dll
The worm also modifies the following registry entries to ensure that its copies run at each Windows start:
In subkey: HKLM\SOFTWARE\Microsoft\Microsoft\Windows\CurrentVersion\Run
Sets value: NvCpl
With data: "RunDll32.exe "<system folder>\NvCpl64.dll",NvStartup"
In subkey: HKLM\SOFTWARE\Microsoft\Microsoft\Windows\CurrentVersion\Windows
Sets value: AppInit_DLLs
With data: <system folder>\IPv6.dll
To ensure the threat is loaded whenever explorer.exe is run, it modifies the following registry entries:
In subkey: HKLM\SOFTWARE\Classes\CLSID\{00000231-1000-0010-8000-00AA006D2EA4}\InprocServer32
Sets value: Default
With data: <system folder>\WinXP.bmp
Sets value: ThreadingModel
With data: Apartment
In subkey: HKLM\SOFTWARE\Microsoft\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000231-1000-0010-8000-00AA006D2EA4}
Sets value: Default
With data: Thunder5BHO
To prevent hidden folders from being seen in Windows Explorer, it deletes the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden and then modifies the following registry key:
In subkey: HKLM\SOFTWARE\Microsoft\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: ShowSuperHidden
With data: 0
The worm ensures that it is installed correctly on your computer by checking for the presence of
<system folder>\WinXP.bmp. If that file exists, the worm injects it into
explorer.exe.
If that file doesn’t exist, then the worm searches for and attempts to copy the file <system folder>\SoftwareDistribution\Uninstall.bin as <system folder>\WinXP.bmp and then inject that into explorer.exe.
If the worm can not locate either of those files, it attempts to download a configuration file from one of the following URLs and save it as <system folder>\d_tmp.tp.
- www.1337mb.com/code1984/<removed>
- code1984.100free.com/<removed>.gif
- code1984.brinkster.net/Images/<removed>.gif
The worm uses the configuration file to find out where to download updated copies of itself, which it then saves as:
The worm modifies the following registry entry to record the date for when it last updated its files:
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: LastUpdateYear
With data: <current year>
Sets value: LastUpdateMonth
With data: <current month>
Sets value: LastUpdateDay
With data: <current day>
Payload
Steals game client information
If the worm determines that it is part of metin2.bin or woool.dat (these are files that belong to a certain game client created by SNDA Corporation), it monitors information sent through the game client on ports 7000 and 7100, such as your username and password.
It stores this information in the registry key HKCR\CLSID\SaveInfo\<time since computer was started in milliseconds>, in the following subkeys:
The worm also creates the following registry key which it uses to determine if it has stored information or not:
In subkey: HKCR\CLSID\SaveInfo
Sets value: IsGamePlayer
With data: "1"
The worm sends the information it gathers by inserting the information into a URL that it gathers from the configuration file that it downloads.
Analysis by Karthik Selvaraj
