
Virus Information


Prevalence: Medium

Name: Win32.Bagle.{DF,DL}@mm

Type:

How it spreads: E-mail attachment (downloader component); see the description below.

Affected operating systems:

Aliases:

Date of surface: Sep 19 2005 12:00AM
A feature of these worms is that they are split into components which use different attack vectors to infiltrate the user's machine. In particular, there is a downloader component which arrives as an e-mail attachment and in turn downloads other components from a predefined list of sites and tries to execute them. This is very dangerous because the author could put other components (backdoors, password stealers, etc.) online at any time, and if the virus is running on the computer they will be downloaded and executed automatically! Below are the details of the identified components. File sizes are used to identify them in this description rather than file names, because the files usually change or randomly generate their names upon propagation. File sizes are also only approximate, because the author changes them periodically and there are multiple slightly different files with the same role.
1. File size: ~35 kilobytes
This component is a dropper which arrives as an e-mail attachment. It drops the following two files in the Windows system directory: "winshost.exe" (component 1) and "wiwshost.exe" (component 2). "winshost.exe" is an identical copy of itself (component 1), and references are inserted in HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to ensure that this component is executed at every startup. Component 2 is a DLL which is injected into "explorer.exe" to bypass detection by desktop firewalls (the firewall would only report that explorer.exe is trying to access the internet).
2. File size: ~8 kilobytes
This component is dropped by component 1 in the Windows system directory and is injected into explorer.exe. It does the following things:
• It resets the hosts file (found in \system32\drivers\etc) to the standard contents: 127.0.0.1 localhost
• It tries to stop the following services, in the order presented below (the fact that some services appear multiple times means that this component tries multiple times to terminate them): wuauserv, PAVSRV, PAVFNSVR, PSIMSVC, Pavkre, PavProt, PREVSRV, PavPrSrv, SharedAccess, navapsvc, NPFMntor, Outpost Firewall, SAVScan, SBService, Symantec Core LC, ccEvtMgr, SNDSrvc, ccPwdSvc, ccSetMgr.exe, SPBBCSvc, KLBLMain, avg7alrt, avg7updsvc, vsmon, CAISafe, avpcc, fsbwsys, backweb client - 4476822, backweb client-4476822, fsdfwd, F-Secure Gatekeeper, Handler Starter, FSMA, KAVMonitorService, navapsvc, NProtectService, Norton Antivirus Server, VexiraAntivirus, dvpinit, dvpapi, schscnt, BackWeb Client - 7681197, F-Secure Gatekeeper Handler Starter, FSMA, AVPCC, KAVMonitorService, Norman NJeeves, NVCScheduler, nvcoas, Norman ZANDA, PASSRV, SweepNet, SWEEPSRV.SYS, NOD32ControlCenter, NOD32Service, PCCPFW, Tmntsrv, AvxIni, XCOMM, ravmon8, SmcService, BlackICE, PersFW, McAfee Firewall, OutpostFirewall, NWService, alerter, sharedaccess, NISUM, NISSERV, vsmon, nwclnth, nwclntg, nwclnte, nwclntf, nwclntd, nwclntc, wuauserv, navapsvc, Symantec Core LC, SAVScan, kavsvc, DefWatch, Symantec AntiVirus Client, NSCTOP, Symantec Core LC, SAVScan, SAVFMSE, ccEvtMgr, navapsvc, ccSetMgr, VisNetic AntiVirus Plug-in, McShield, AlertManger, McAfeeFramework, AVExch32Service, AVUPDService, McTaskManager, Network Associates Log Service, Outbreak Manager, MCVSRte, mcupdmgr.exe, AvgServ, AvgCore, AvgFsh, awhost32, Ahnlab task Scheduler, MonSvcNT, V3MonNT, V3MonSvc, FSDFWD
• It creates two threads which run in the background and remove the registry keys and values presented below:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run - the values: Symantec NetDriver Monitor, ccApp, NAV CfgWiz, SSC_UserPrompt, McAfee Guardian, McAfee.InstantUpdate.Monitor, APVXDWIN, KAV50, avg7_cc, avg7_emc, Zone Labs Client
  HKEY_LOCAL_MACHINE\SOFTWARE\Symantec
  HKEY_LOCAL_MACHINE\SOFTWARE\McAfee
  HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab
  HKEY_LOCAL_MACHINE\SOFTWARE\Agnitum
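As an added example (not part of this description and not MicroWorld's tooling), the Python script below checks for two of the artefacts described above: Run-key persistence entries pointing at the dropped file names, and worm-targeted security services found in a stopped state. The registry value names, paths and service states in the samples are constructed assumptions.

```python
"""Indicator checks for the Bagle.DF/DL behaviour described on this page.
All sample data below is constructed for illustration, not captured from a host."""
import re

# Files the dropper writes to the Windows system directory (from the page).
DROPPED_FILES = ("winshost.exe", "wiwshost.exe")
# Run keys the dropper uses for persistence (from the page), lower-cased for matching.
RUN_KEYS = {r"hkey_current_user\software\microsoft\windows\currentversion\run",
            r"hkey_local_machine\software\microsoft\windows\currentversion\run"}
# Subset of the security services the DLL component tries to stop (from the page).
TARGETED_SERVICES = {s.lower() for s in (
    "wuauserv", "SharedAccess", "navapsvc", "ccEvtMgr", "ccSetMgr", "vsmon",
    "McShield", "kavsvc", "SAVScan", "NOD32Service", "SmcService", "BlackICE")}

def suspicious_run_values(reg_export: str) -> list:
    """Parse 'reg export' style text and return (key, value_name, data) for
    Run-key entries whose data references one of the dropped file names."""
    hits, key = [], None
    for raw in reg_export.splitlines():
        line = raw.strip()
        m = re.match(r"^\[(.+)\]$", line)
        if m:                       # new key section
            key = m.group(1).lower()
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m and key in RUN_KEYS:
            name, data = m.groups()
            if any(f in data.lower() for f in DROPPED_FILES):
                hits.append((key, name, data))
    return hits

def stopped_security_services(service_states) -> list:
    """Given (service_name, state) pairs, e.g. gathered with 'sc query' or
    Get-Service, return the worm-targeted security services that are not running."""
    return sorted(name for name, state in service_states
                  if name.lower() in TARGETED_SERVICES and state.lower() != "running")

# Constructed sample inputs (value names and paths are illustrative assumptions).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"winshost"="C:\\WINDOWS\\system32\\winshost.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"winshost"="C:\\WINDOWS\\system32\\winshost.exe"
'''
SAMPLE_SERVICES = [("wuauserv", "Stopped"), ("SharedAccess", "Stopped"),
                   ("navapsvc", "Stopped"), ("ccEvtMgr", "Running"), ("Spooler", "Running")]
```

Run `suspicious_run_values(SAMPLE_REG)` to see both persistence entries flagged, and `stopped_security_services(SAMPLE_SERVICES)` to list the targeted services that are no longer running.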
For disinfection, download and run our free eScan Anti-Virus Toolkit. The utility checks your computer, system registry, and running processes for malicious programs, illegal dialers, and sniffer tools. Note: This tool does not protect your PC in real time.

You can download the eScan Anti-Virus Toolkit utility from the MicroWorld Web site.

Alternatively, you can install MicroWorld’s Internet Security Suite which has real time detection capabilities.
You can download and install the product from our eScan download page.
