Worm:Win32/Rootcip.E is installed by a dropper, and may be accompanied by a rootkit identified as VirTool:WinNT/Rootkitdrv.CN. Win32/Rootcip.E spreads by copying itself to the root of all logical disks, including removable drives. VirTool:WinNT/Rootkitdrv.CN hides all malicious processes created by the worm, and disables a security firewall service.
Installation
When the dropper for Worm:Win32/Rootcip.E is run, it writes two files to the local drive, an image file and the worm installer:
<system folder>\tmp0.bmp - graphical image
<system folder>\tmp1.exe - identified as Worm:Win32/Rootcip.E
The dropper opens the dropped image as a distraction, to mask the installation of files onto the computer. The image varies among samples; the example shown below displays a copy of an arrest warrant from the Beijing, China police (the image has been edited).
The dropper then launches the installer 'tmp1.exe', which drops the following folder and files to the local drive:
<system folder>\_tdiserv_\
<system folder>\_tdiserv_\setup.exe - identified as Worm:Win32/Rootcip.E
<system folder>\_tdiserv_\_tdicli_.exe - identified as Worm:Win32/Rootcip.E
<system folder>\_tdiserv_\RecKey.dll - identified as Worm:Win32/Rootcip.E
<system folder>\_tdiserv_\TdiUpdate.sys - identified as VirTool:WinNT/Rootkitdrv.CN
<system folder>\_tdiserv_\autorun.inf - identified as Worm:Win32/Rootcip.E!inf
<system folder>\_tdiserv_\Config.dat - non-malicious by itself, configuration data file
%SystemDrive%\autorun.inf - identified as Worm:Win32/Rootcip.E!inf
The worm then installs the rootkit driver 'TdiUpdate.sys' as a kernel service named "_tdiserv_PACKET" with the description "Tdiserv Packet Driver", and starts it, by creating the following registry subkey and values:
Creates subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_tdiserv_PACKET\
Adds value: ImagePath
With data: <system folder>\_tdiserv_\TdiUpdate.sys
Adds value: Description
With data: Tdiserv Packet Driver
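A practitioner confirming this persistence would look for the service key rather than the file, because the rootkit component hides files whose names contain '_tdiserv_' (see "Uses Advanced Stealth" below). The following Python is an added example, not part of the original description and not the malware's own code: it parses a Registry Editor 5.00 .reg export of the Services key (as produced by `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg`, or by exporting from a SYSTEM hive loaded from a disk image) and flags subkeys whose name, description or ImagePath match the names given in this write-up. The export text is constructed for the example; the Beep entry is benign filler, and the indicator list is limited to the names on this page.

```python
import re

# Constructed sample of a Registry Editor 5.00 export of the Services key. The
# _tdiserv_PACKET entry mirrors the values described in the write-up; "Beep" is a
# benign driver included so the filter has something to leave alone. "reg export"
# writes REG_EXPAND_SZ as hex(2) UTF-16LE bytes continued across lines with a
# trailing backslash, so both value encodings are exercised.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Beep]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"=hex(2):5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,72,00,\
  69,00,76,00,65,00,72,00,73,00,5c,00,62,00,65,00,65,00,70,00,2e,00,73,00,79,00,\
  73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_tdiserv_PACKET]
"ImagePath"="C:\\WINDOWS\\system32\\_tdiserv_\\TdiUpdate.sys"
"Description"="Tdiserv Packet Driver"
'''

# Names taken from this write-up. Matching is case-insensitive. A repacked
# variant can change any of them, so a clean result here proves nothing.
ROOTCIP_IOCS = {
    'service_names': {'_tdiserv_packet', '_tdiserv_hook'},
    'descriptions': {'tdiserv packet driver', 'tditransferclient'},
    'path_fragments': {'\\_tdiserv_\\', 'tdiupdate.sys', 'tdi95dev.vxd'},
}


def decode_reg_value(raw):
    """Decode the right-hand side of a .reg value line into a Python value."""
    if raw.startswith('"') and raw.endswith('"'):
        # REG_SZ: .reg escapes backslash and double quote with a backslash.
        return re.sub(r'\\(["\\])', r'\1', raw[1:-1])
    if raw.startswith('dword:'):
        return int(raw[6:], 16)
    m = re.match(r'hex(?:\(([0-9a-fA-F]+)\))?:(.*)$', raw)
    if m:
        kind = int(m.group(1), 16) if m.group(1) else 3  # bare "hex:" is REG_BINARY
        data = bytes(int(b, 16) for b in m.group(2).split(',') if b.strip())
        if kind == 2:   # REG_EXPAND_SZ: UTF-16LE, NUL-terminated
            return data.decode('utf-16-le').rstrip('\x00')
        if kind == 7:   # REG_MULTI_SZ: NUL-separated, double-NUL-terminated
            return [s for s in data.decode('utf-16-le').split('\x00') if s]
        return data
    return raw


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} for a Registry Editor 5.00 export."""
    # Rejoin physical lines that "reg export" wrapped with a trailing backslash.
    logical = []
    for line in text.splitlines():
        if logical and logical[-1].endswith('\\'):
            logical[-1] = logical[-1][:-1] + line.strip()
        else:
            logical.append(line.rstrip())
    keys, current = {}, None
    for line in logical:
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and '"=' in line:
            name, _, raw = line.partition('"=')
            keys[current][name[1:]] = decode_reg_value(raw)
    return keys


def find_rootcip_services(keys, iocs=ROOTCIP_IOCS):
    """Return [(service_name, reason)] for Services subkeys matching the indicators."""
    hits = []
    for path, values in keys.items():
        if '\\services\\' not in path.lower():
            continue
        name = path.rsplit('\\', 1)[-1]
        desc = str(values.get('Description', '')).lower()
        display = str(values.get('DisplayName', '')).lower()
        image = str(values.get('ImagePath', '')).lower()
        if name.lower() in iocs['service_names']:
            hits.append((name, 'service name is a Rootcip indicator'))
        elif desc in iocs['descriptions'] or display in iocs['descriptions']:
            hits.append((name, 'description/display name is a Rootcip indicator'))
        elif any(frag in image for frag in iocs['path_fragments']):
            hits.append((name, 'ImagePath %r points at a Rootcip driver' % values.get('ImagePath')))
    return hits


if __name__ == '__main__':
    for service, reason in find_rootcip_services(parse_reg_export(SAMPLE_REG)):
        print('%-20s %s' % (service, reason))
```

The ImagePath check is the one worth keeping beyond this family: a kernel driver whose image sits in a freshly created subfolder of the system folder rather than in system32\drivers is unusual on its own, whatever the service is called.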
Spreads via…
Logical & Removable Drives
The worm writes a copy of itself as 'mc.config\setup.exe' in the root of every logical disk, which can include removable drives. To have that copy run automatically, it also writes an 'autorun.inf' file to the drive root; Windows processes this file when the drive is attached or mounted if the AutoPlay feature is enabled for that drive. The autorun.inf instructs Windows to launch 'ms.config\setup.exe'.
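To see how the autorun.inf hands control to the dropped copy, and to check a drive for it, here is an added Python example (not from the original description and not the worm's code): it parses an autorun.inf the way AutoRun does, honouring the [autorun] section's `open`, `shellexecute` and `shell\<verb>\command` keys (the page mentions only the launch of 'ms.config\setup.exe'; the other two keys are the remaining ways an autorun.inf can name a program to run), then scans a drive root and reports whether each target actually exists under it. The drive layout and autorun.inf content are constructed in a temporary directory; the 'setup.exe' placeholder is an empty file.

```python
import os
import re
import tempfile

# Constructed autorun.inf, not copied from an infection. AutoRun reads the
# [autorun] section and runs the named program relative to the drive root; the
# mixed case, padding and comment line are there because real files vary and
# the parser must not be thrown by them.
SAMPLE_AUTORUN = (
    "; constructed sample for the example\r\n"
    "[AutoRun]\r\n"
    "OPEN = ms.config\\setup.exe\r\n"
    "shell\\open\\Command=ms.config\\setup.exe\r\n"
    "shellexecute=ms.config\\setup.exe\r\n"
    "icon=%SystemRoot%\\system32\\shell32.dll,4\r\n"
)

# Keys in [autorun] that name a program to run: open, shellexecute, and the
# command of any shell verb (shell\open\command, shell\explore\command, ...).
LAUNCH_KEY = re.compile(r'^(?:open|shellexecute|shell\\[^\\=]+\\command)$', re.I)


def autorun_targets(text):
    """Return the programs an autorun.inf would launch, in file order, without duplicates."""
    targets = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == ';':
            continue
        if line.startswith('['):
            in_autorun = line.strip('[]').strip().lower() == 'autorun'
            continue
        if not in_autorun or '=' not in line:
            continue
        key, _, value = line.partition('=')
        if not LAUNCH_KEY.match(key.strip()):
            continue
        value = value.strip()
        if value.startswith('"'):            # quoted path, arguments follow the closing quote
            program = value[1:].split('"', 1)[0]
        else:                                # unquoted path, first whitespace ends it
            program = value.split(None, 1)[0] if value else ''
        if program and program.lower() not in [t.lower() for t in targets]:
            targets.append(program)
    return targets


def scan_drive_root(root):
    """Report what an autorun.inf at 'root' would launch and whether each target exists.

    Returns a list of dicts: the target as written, whether it 'exists' under the
    root, and 'in_subfolder' (the worm keeps its copy in a subfolder, not the root).
    """
    inf = os.path.join(root, 'autorun.inf')
    if not os.path.isfile(inf):
        return []
    with open(inf, 'r', errors='replace') as f:
        text = f.read()
    findings = []
    for target in autorun_targets(text):
        rel = target.lstrip('\\/').replace('\\', os.sep)
        full = os.path.normpath(os.path.join(root, rel))
        findings.append({'target': target,
                         'exists': os.path.isfile(full),
                         'in_subfolder': os.sep in rel})
    return findings


def build_constructed_drive():
    """Lay out a throwaway directory like an infected removable drive.

    Constructed for the example: the 'setup.exe' is an empty placeholder, not malware.
    """
    root = tempfile.mkdtemp(prefix='rootcip_autorun_demo_')
    os.makedirs(os.path.join(root, 'ms.config'))
    open(os.path.join(root, 'ms.config', 'setup.exe'), 'wb').close()
    with open(os.path.join(root, 'autorun.inf'), 'w', newline='') as f:
        f.write(SAMPLE_AUTORUN)
    return root


if __name__ == '__main__':
    for finding in scan_drive_root(build_constructed_drive()):
        print(finding)
```

Run against a real drive letter (for example `scan_drive_root('E:\\')`) the same function reports a target that exists in a subfolder, which is exactly the layout this worm leaves; on a clean drive it returns an empty list.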
Payload
Steals Sensitive Data
The dropper component (Worm:Win32/Rootcip.E.dr) launches '_tdicli_.exe', the worm component that gathers files of known data types, registers 'RecKey.dll' (a keyboard and mouse logging monitor) to run at Windows start, and copies the worm to the root of all logical disks.
Win32/Rootcip.E performs its espionage through '_tdicli_.exe'. This component copies the files it gathers into a newly created folder under the worm's installation folder:
<system folder>\_tdiserv_\SendFile\
Files gathered include documents and e-mail storage files with these extensions: .wri, .wps, .doc and .dbx. The collected files are renamed and written as follows, where %06d is a six-digit sequence number:
File.01.%06d.dat
File.02.%06d.dat
File.03.%06d.dat
File.04.%06d.dat
sPass%06.dat
The worm component also creates the following folders, whose use is described below:
<system folder>\_tdiserv_\CacheFile\
<system folder>\_tdiserv_\UnInfect\
<system folder>\_tdiserv_\Kill\
Other actions performed by the worm component '_tdicli_.exe':
Saves screenshots in ..\_tdiserv_\CacheFile as files named 'Screen.%06d.dat'
Creates a service named "_tdiserv_HOOK", used for communication between the worm's components
Drops a driver named 'tdi95dev.vxd' into the Windows system folder, then runs it as a service with the display name "TdiTransferClient"
Drops a file 'Guid.txt' in ..\_tdiserv_\ containing GUIDs that reference library and executable files present on the computer
Locates the files referenced in 'Guid.txt' and copies them to ..\_tdiserv_\SendFile, alongside the personal information and documents already collected there
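For incident response the question is what was staged to leave the machine. The following added Python example (not part of the original description and not the worm's code) walks a recovered _tdiserv_ folder, picks out files matching the names listed above, and identifies each by its leading bytes, since the worm strips the original names and extensions. The signatures used are the standard ones for OLE compound files (.doc and Works .wps share that header), Outlook Express .dbx and Windows Write .wri; the staging tree is constructed in a temporary directory, the BMP check for screenshots is an assumption (the write-up does not state the screenshot format), and the sPass pattern is read as 'sPass' followed by digits because the format string on the page lacks its conversion letter.

```python
import os
import re
import tempfile

# File names the component writes, per the write-up: File.01..04.%06d.dat and
# sPass%06.dat in SendFile, Screen.%06d.dat in CacheFile. The sPass format string
# on the page lacks its conversion letter, so any run of digits is accepted (assumption).
COLLECTED_NAME = re.compile(r'^(?:File\.0[1-4]\.\d{6}|sPass\d+|Screen\.\d{6})\.dat$', re.I)

# Leading-byte signatures for the document types gathered. Works .wps (4.0 and
# later) uses the same OLE compound-file header as .doc, so the two are reported
# together. The screenshot format is not stated on the page; BMP is an assumption.
MAGIC = [
    (b'\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1', 'OLE compound file (.doc or .wps)'),
    (b'\xcf\xad\x12\xfe', 'Outlook Express mailbox (.dbx)'),
    (b'\x31\xbe', 'Windows Write (.wri)'),
    (b'\x32\xbe', 'Windows Write (.wri)'),
    (b'BM', 'BMP image (assumed screenshot)'),
]


def identify(head):
    """Name the file type from its first bytes, or 'unknown'."""
    for sig, label in MAGIC:
        if head.startswith(sig):
            return label
    return 'unknown'


def triage_staging(folder):
    """Walk a recovered _tdiserv_ tree and return [(relative path, size, type)] for
    every file whose name matches the worm's renaming scheme, sorted by path."""
    results = []
    for dirpath, _, names in os.walk(folder):
        for name in names:
            if not COLLECTED_NAME.match(name):
                continue
            path = os.path.join(dirpath, name)
            with open(path, 'rb') as f:
                head = f.read(8)
            results.append((os.path.relpath(path, folder).replace(os.sep, '\\'),
                            os.path.getsize(path), identify(head)))
    return sorted(results)


def types_by_name(folder):
    """Convenience view: {file name: identified type} for the matched files."""
    return {path.rsplit('\\', 1)[-1]: kind for path, _, kind in triage_staging(folder)}


def build_constructed_staging():
    """Create a throwaway _tdiserv_ tree with stand-in content (constructed; the
    'documents' are just headers followed by zero padding, not real stolen files)."""
    root = tempfile.mkdtemp(prefix='tdiserv_demo_')
    samples = {
        ('SendFile', 'File.01.000001.dat'): b'\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1' + b'\x00' * 24,
        ('SendFile', 'File.04.000002.dat'): b'\xcf\xad\x12\xfe' + b'\x00' * 12,
        ('SendFile', 'sPass000003.dat'): b'keystroke log placeholder\r\n',
        ('CacheFile', 'Screen.000001.dat'): b'BM' + b'\x00' * 14,
        ('SendFile', 'readme.txt'): b'not one of the renamed files',   # must be ignored
    }
    for (sub, name), data in samples.items():
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        with open(os.path.join(root, sub, name), 'wb') as f:
            f.write(data)
    return root


if __name__ == '__main__':
    for rel, size, kind in triage_staging(build_constructed_staging()):
        print('%-28s %6d bytes  %s' % (rel, size, kind))
```

Files reported as 'unknown' deserve a look by hand: the sPass and keylogger output has no fixed header, and any file copied because it was referenced from 'Guid.txt' will be a DLL or EXE rather than a document.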
The component 'RecKey.dll' monitors keystrokes and mouse movement and writes a log of these events for use in personal data theft. Captured information can include what is typed during logon sessions and other sensitive data.
Downloads and Executes Arbitrary Files
Worm:Win32/Rootcip.E retrieves files from remote Web sites and executes them when received.
Deletes Files and Terminates Services
Worm:Win32/Rootcip.E may delete files stored in the folder ..\_tdiserv_\UnInfect\. Additionally, this worm may terminate the third-party firewall application ZoneAlarm.
Uses Advanced Stealth
This worm drops a kernel-mode rootkit component as 'TdiUpdate.sys'. Its purpose is to hide all malware files and processes whose names contain the strings '_tdicli_' or '_tdiserv_'. Directory listings and process lists taken on the running, infected system will therefore not show these components; inspect the disk from a clean boot or an offline image.
Additional Information
This threat may have been installed from a file received with .SCR or .CHM file extension.