Installation
It creates copies of itself as the following:
- %ProgramFiles%\Windows Alerter\WinAlert.exe
- %ProgramFiles%\Windows Common Files\Commgr.exe
The folders where its copies are located are hidden.
It also creates a hidden copy of itself as the following:
- C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe
It adds the following registry entries to ensure that its copy runs every time Windows starts:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "WindowMessenger"
With data: "C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows Alerter"
With data: "%ProgramFiles%\Windows Alerter\WinAlert.exe"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows Common Files Manager"
With data: "%ProgramFiles%\Windows Common Files\Commgr.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "WindowMessenger"
With data: "C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe"
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows Alerter"
With data: "%ProgramFiles%\Windows Alerter\WinAlert.exe"
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows Common Files Manager"
With data: "%ProgramFiles%\Windows Common Files\Commgr.exe"
Spreads via...
Removable drives
It periodically checks for removable drives, for example, floppy drives, USB sticks, and flash card readers. If one is found, it copies itself onto that drive, using the same file name as that of the running malware. It uses a folder icon for its copy in an attempt to trick you into thinking that it is merely a folder.
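The following PowerShell script is an added example and is not part of the original write-up. It is a read-only check of a Windows host for the indicators described in the Installation and Removable drives sections above: the three Run-key value names, the dropped file paths (including the hidden RECYCLER copy), and, because the removable-drive copy keeps the running malware's file name, those same file names in the root of any removable drive. The Run-key data match, the removable-drive sweep and the output layout are this example's own choices; every path and name comes from the description.

```powershell
# Added example, not from the original write-up: read-only check of a Windows
# host for the persistence and file indicators listed in the description.
# Reports only; it removes nothing. Paths, Run-key value names and file names
# come from the description; the output layout and the removable-drive sweep
# are this script's own choices.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$valueNames = @('WindowMessenger', 'Windows Alerter', 'Windows Common Files Manager')
$fileNames  = @('WinAlert.exe', 'Commgr.exe', 'WinSysApp.exe')
$filePaths  = @(
    "$env:ProgramFiles\Windows Alerter\WinAlert.exe",
    "$env:ProgramFiles\Windows Common Files\Commgr.exe",
    'C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe'
)

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Type, [string]$Location, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Location = $Location; Detail = $Detail })
}

# 1. Run keys: flag the value names from the description, and any value whose
#    data points at one of the dropped file names regardless of the value name.
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata, not registry values
        $byName = $valueNames -contains $p.Name
        $byData = $false
        foreach ($f in $fileNames) {
            if ("$($p.Value)" -like "*$f*") { $byData = $true }
        }
        if ($byName -or $byData) {
            Add-Finding 'RunKeyValue' "$key\$($p.Name)" "$($p.Value)"
        }
    }
}

# 2. Dropped files: -Force so hidden items (the folders are hidden) are not skipped.
foreach ($path in $filePaths) {
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if ($item) {
        Add-Finding 'File' $item.FullName "Attributes=$($item.Attributes) Size=$($item.Length)"
    }
}

# 3. Removable drives (Win32_LogicalDisk DriveType 2): the copy keeps the running
#    malware's file name, so look for those names in each drive root.
$removable = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' -ErrorAction SilentlyContinue
foreach ($drive in $removable) {
    foreach ($f in $fileNames) {
        $candidate = Join-Path $drive.DeviceID $f
        $item = Get-Item -LiteralPath $candidate -Force -ErrorAction SilentlyContinue
        if ($item) {
            Add-Finding 'RemovableCopy' $item.FullName "Attributes=$($item.Attributes)"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from this description were found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell session so the HKLM Run key and the ProgramFiles folders are readable. A hit on the RECYCLER path or on a Run value pointing at it is a stronger signal than a hit on the ProgramFiles names alone, since the folder name mimics a per-user Recycle Bin directory and is not created by Windows itself.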
Payload
Logs keystrokes
It may log keystrokes and save them in a file named "info", for example:
C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\info
Terminates processes
It may terminate security-related processes on your PC, including:
- acs.exe
- agrs.exe
- anti-trojan.exe
- ants.exe
- aswboot.exe
- atwatch.exe
- avast.exe
- avengine.exe
- avgcc32.exe
- avgemc.exe
- avgfree.exe
- avgnt.exe
- avgsetup.exe
- avguard.exe
- avnt.exe
- avp.exe
- avpcc.exe
- avsched32.exe
- bdagent.exe
- blackice.exe
- btdfbr.exe
- btrl.exe
- btscan.exe
- ccapp.exe
- ccleaner.exe
- ccproxy.exe
- ccsvchost.exe
- cleaner.exe
- cmd.exe
- emlproui.exe
- emlproxy.exe
- fameh32.exe
- fch32.exe
- fih32.exe
- fnrb32.exe
- fsaa.exe
- fsav.exe
- fsav32.exe
- fsgk32.exe
- fsm32.exe
- fsma32.exe
- kavpf.exe
- kpf4ss.exe
- lockdown.exe
- mcnasvc.exe
- mcproxy.exe
- mcregist.exe
- mcshield.exe
- mcsysmon.exe
- mmc.exe
- mpfservice.exe
- msconfig.exe
- msmscsvc.exe
- navapsvc.exe
- navw32.exe
- nisserv.exe
- nisum.exe
- nod32.exe
- nod32krn.exe
- onlinent.exe
- opssvc.exe
- outpost.exe
- payfires.exe
- payproxy.exe
- pccntmon.exe
- persfw.exe
- qhunpack.exe
- quhlpsvc.exe
- realmon.exe
- reg.exe
- regedit.exe
- rstrui.exe
- scanner.exe
- scanwscs.exe
- sensor.exe
- siteadv.exe
- smc.exe
- tasklist.exe
- taskmgr.exe
- taumon.exe
- tds-3.exe
- tsnt2008.exe
- upschd.exe
- usbguard.exe
- vbcons.exe
- vsserv.exe
- vsstat.exe
- watchdog.exe
- ymsgrtray.exe
- zapro.exe
- zonealarm.exe
Changes Windows Explorer settings
This worm changes registry data so that files with the hidden and system attributes are no longer shown in Windows Explorer, reverting the setting if the user had enabled it.
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "Hidden"
To data: "2"
Sets value: "HideFileExt"
To data: "1"
Sets value: "ShowSuperHidden"
To data: "0"
Sets value: "SuperHidden"
To data: "0"
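The following PowerShell script is an added example and is not part of the original write-up. It reads the Explorer\Advanced values listed above, reports whether each currently matches the data the worm writes, and, when run with -Restore, re-applies a baseline that keeps hidden files, file extensions and protected operating-system files visible. The value names and the worm's data come from the description; the baseline values are this example's own choice and not a Windows default.

```powershell
# Added example, not from the original write-up: compare the Explorer\Advanced
# values the worm overwrites against a baseline that keeps hidden files,
# extensions and protected OS files visible, and optionally restore it.
# Value names and the worm's data come from the description; the baseline is
# this script's own choice, not a Windows default.
param([switch]$Restore)

$advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

$settings = @(
    @{ Name = 'Hidden';          WormData = 2; Baseline = 1 },   # 1 = show hidden files
    @{ Name = 'HideFileExt';     WormData = 1; Baseline = 0 },   # 0 = show extensions
    @{ Name = 'ShowSuperHidden'; WormData = 0; Baseline = 1 }    # 1 = show protected OS files
)

$current = Get-ItemProperty -Path $advKey -ErrorAction SilentlyContinue

foreach ($s in $settings) {
    $prop  = if ($current) { $current.PSObject.Properties[$s.Name] } else { $null }
    $value = if ($prop) { [int]$prop.Value } else { $null }

    if ($null -eq $value)           { $state = 'absent' }
    elseif ($value -eq $s.WormData) { $state = 'matches worm setting' }
    elseif ($value -eq $s.Baseline) { $state = 'baseline' }
    else                            { $state = 'other' }

    Write-Output ("{0,-16} current={1,-6} state={2}" -f $s.Name, $value, $state)

    # Re-apply the baseline only when asked; a missing value is created as a DWORD.
    if ($Restore -and $value -ne $s.Baseline) {
        Set-ItemProperty -Path $advKey -Name $s.Name -Value $s.Baseline -Type DWord
        Write-Output ("{0,-16} restored to {1}" -f $s.Name, $s.Baseline)
    }
}

# The description also lists a "SuperHidden" value set to 0; report it if present.
$extra = if ($current) { $current.PSObject.Properties['SuperHidden'] } else { $null }
if ($extra) { Write-Output ("SuperHidden present, data={0}" -f $extra.Value) }
```

Because the worm re-writes these values while it runs, a restored baseline that flips back to the worm's data on its own is itself a sign that the process is still active; stop and remove the worm first, then run the script with -Restore and restart explorer.exe so the new values take effect.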
Stops processes
This worm might stop the following processes, if found running in memory:
- taskmgr.exe - Windows Task Manager
- regedit.exe - Windows Registry Editor
- cmd.exe - Windows command prompt
Analysis by Jireh Sanico