Worm:Win32/Tupym.A

Installation

When executed, Win32/Tupym copies itself to your computer as the following:

• %windir%\system3_.exe
• <system folder>\system3_.exe

It makes changes to the system registry so that it automatically runs every time you start your computer:

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Yahoo Messengger"
With data: "<system folder>\system3_.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Shell"
With data: "explorer.exe system3_.exe"

It also tries to create a scheduled Windows task that runs the worm at 09:00 every day of the week, by running the following Windows shell command:

cmd.exe /C AT /delete /yes
cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su <system folder>\system3_.exe

It also creates the following file in your computer:

• <system folder>\autorun.ini - detected as Win32/Tupym.A!inf

Payload

Contacts remote hosts

Win32/Tupym may contact the following remote hosts using port 80:

• h1.ripway.com
• www.balu000.0catch.com
• www.balu001.0catch.com
• www.balu002.0catch.com
• www.balu003.0catch.com
• www.balu004.0catch.com
• www.balu005.0catch.com
• www.balu006.0catch.com
• www.balu007.0catch.com

Commonly, malware may contact a remote host for the following purposes:

• To confirm Internet connectivity
• To report a new infection to its author
• To receive configuration or other data
• To download and execute arbitrary files (including updates or additional malware)
• To receive instruction from a remote attacker
• To upload data taken from the affected computer

Analysis by Scott Molenkamp