
Worm:Win32/Esfury.W


First posted on 21 August 2012.
Source: Microsoft

Aliases:

Worm:Win32/Esfury.W is also known as Win32/Injector.TCI (ESET), Trojan.Siggen4.10925 (Dr.Web), Trojan-Ransom.Win32.ZedoPoo.abn (Kaspersky).

Explanation:



Worm:Win32/Esfury.W is a worm that spreads via removable drives. The worm modifies the Hosts file and a number of security settings, and also terminates and blocks access to a large number of processes. It may also contact a remote server which may instruct it to download and execute arbitrary files. Worm:Win32/Esfury.W belongs to the Worm:Win32/Esfury family of worms.



Installation

When run, Worm:Win32/Esfury.W copies itself to the following location:

%USERPROFILE%\27f6471627473796e696d64614\winlogon.exe, for example, "C:\Documents and Settings\administrator\27f6471627473796e696d64614\winlogon.exe"

Note: %USERPROFILE% refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the User folder for Windows 2000, XP, and 2003 is "C:\Documents and Settings\<user>" or "C:\Users\<user>". For Windows Vista and 7, the default location is "C:\Users\<user name>".

Worm:Win32/Esfury.W runs the new copy.

The worm modifies the following entries to ensure that its copy runs at each Windows start:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random>"
With data: "<location of malware>" (for example, "C:\Documents and Settings\Administrator\27f6471627473796e696d64614\winlogon.exe")

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random>"
With data: "<location of malware>" (for example, "C:\Documents and Settings\Administrator\27f6471627473796e696d64614\winlogon.exe")

Worm:Win32/Esfury.W ensures the worm copy is executed when certain Windows applications are run, including - but not limited to - security products, Registry Editor and Task Manager. It does this by making the following registry modification:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<program name>
Sets value: "Debugger"
With data: "%USERPROFILE%\27f6471627473796e696d64614\winlogon.exe"

where <program name> may be any of the following:



_avp.exe
_avp32.exe
_avpcc.exe
_avpm.exe
_findviru.exe
a2servic.exe
ackwin32.exe
acs.exe
advxdwin.exe
agentsvr.exe
agentw.exe
ahnsd.exe
alerter.exe
alertsvc.exe
alogserv.exe
amon.exe
amon9x.exe
antigen.exe
anti-trojan.exe
antivirus.exe
ants.exe
apimonitor.exe
aplica32.exe
apvxdwin.exe
ashWebSv.exe
atcon.exe
atguard.exe
atro55en.exe
atupdater.exe
atwatch.exe
aupdate.exe
autodown.exe
autotrace.exe
autoupdate.exe
avcenter.exe
avconfig.exe
avconsol.exe
ave32.exe
avgcc32.exe
avgctrl.exe
avgemc.exe
avgnt.exe
avgserv.exe
avgserv9.exe
avguard.exe
avgw.exe
avkpop.exe
avkserv.exe
avkservice.exe
avkwcl9.exe
avkwctl9.exe
avnotify.exe
avnt.exe
avp.exe
avp32.exe
avpcc.exe
avpdos32.exe
avpexec.exe
avpinst.exe
avpm.exe
avpmon.exe
avpnt.exe
avptc32.exe
avpupd.exe
avrescue.exe
avscan.exe
avsched32.exe
avshadow.exe
avsynmgr.exe
avupgsvc.exe
avwebloader.exe
avwin95.exe
avwinnt.exe
avwsc.exe
avwupd32.exe
avxmonitor9x.exe
avxmonitornt.exe
avxquar.exe
avxw.exe
azonealarm.exe
bd_professional.exe
bidef.exe
bidserver.exe
bipcp.exe
bipcpevalsetup.exe
bisp.exe
blackd.exe
blackice.exe
boot.exe
bootwarn.exe
borg2.exe
bs120.exe
BullGuard.exe
callmsi.exe
ccapp.exe
ccevtmgr.exe
cclaw.exe
ccpxysvc.exe
ccsetmgr.exe
ccshtdwn.exe
cdp.exe
cfgwiz.exe
cfiadmin.exe
cfiaudit.exe
cfind.exe
cfinet.exe
cfinet32.exe
ChromeSetup.exe
clamauto.exe
claw95.exe
claw95cf.exe
claw95ct.exe
clean.exe
cleaner.exe
cleaner3.exe
cleanpc.exe
cmd.exe
cmgrdian.exe
cmon016.exe
ComboFix.exe
connectionmonitor.exe
cpd.exe
cpdclnt.exe
cpf.exe
cpf9x206.exe
cpfnt206.exe
csinject.exe
csinsm32.exe
css1631.exe
ctfmon.exe
ctrl.exe
cv.exe
cwnb181.exe
cwntdwmo.exe
defalert.exe
defscangui.exe
defwatch.exe
deputy.exe
Diskmon.exe
doors.exe
dpf.exe
drvins32.exe
drwatson.exe
drweb32.exe
dumphive.exe
dv95.exe
dv95_o.exe
dvp95.exe
dvp95_0.exe
earthagent.exe
ecengine.exe
ecls.exe
ecmd.exe
edi.exe
efinet32.exe
efpeadm.exe
egui.exe
EHttpSrv.exe
ekrn.exe
ent.exe
esafe.exe
escanh95.exe
escanhnt.exe
escanv95.exe
espwatch.exe
etrustcipe.exe
evpn.exe
ewido.exe
exantivirus-cnet.exe
exit.exe
expert.exe
explored.exe
fact.exe
f-agnt95.exe
fameh32.exe
fa-setup.exe
fast.exe
fch32.exe
fih32.exe
Filemon.exe
findviru.exe
firewall.exe
FirewallControlPanel.exe
FirewallSettings.exe
fix-it.exe
flowprotector.exe
fnrb32.exe
FPAVServer.exe
fprot.exe
f-prot.exe
fprot95.exe
f-prot95.exe
fp-win.exe
fp-win_trial.exe
frw.exe
fsaa.exe
fsav.exe
fsav32.exe
fsav530stbyb.exe
fsav530wtbyb.exe
fsav95.exe
fsave32.exe
fsgk32.exe
fslaunch.exe
fsm32.exe
fsma32.exe
fsmb32.exe
fssm32.exe
f-stopw.exe
fwenc.exe
fwinstall.exe
gbmenu.exe
gbpoll.exe
GenericRenosFix.exe
generics.exe
gibe.exe
GoogleToolbarInstaller_download_signed.exe
gpedit.exe
guard.exe
guarddog.exe
guardgui.exe
guardhlp.exe
hacktracersetup.exe
HelpPane.exe
hidec.exe
HiJackThis.exe
HJTInstall.exe
HostsChk.exe
htlog.exe
hwpe.exe
iamapp.exe
iamserv.exe
iamstats.exe
ibmasn.exe
ibmavsp.exe
icload95.exe
icloadnt.exe
icmon.exe
icmoon.exe
icssuppnt.exe
icsupp.exe
icsupp95.exe
icsuppnt.exe
IEDFix.exe
iface.exe
ifw2000.exe
iomon98.exe
iparmor.exe
iris.exe
isrv95.exe
jammer.exe
jed.exe
jedi.exe
kav8.0.0.357es.exe
kavlite40eng.exe
kavpers40eng.exe
kavsvc.exe
kerio-pf-213-en-win.exe
kerio-wrl-421-en-win.exe
kerio-wrp-421-en-win.exe
killprocesssetup161.exe
kis8.0.0.506latam.exe
kpf.exe
kpfw32.exe
ldnetmon.exe
ldpro.exe
ldpromenu.exe
ldscan.exe
licmgr.exe
localnet.exe
lockdown.exe
lockdown2000.exe
lookout.exe
lsetup.exe
luall.exe
luau.exe
lucomserver.exe
luinit.exe
luspt.exe
mbam.exe
mbamgui.exe
mbamservice.exe
mcadmin.exe
mcagent.exe
mcconsol.exe
mcmnhdlr.exe
mcshield.exe
mctool.exe
mcuimgr.exe
mcupdate.exe
mcvsrte.exe
mcvsshld.exe
mdll.exe
mfeann.exe
mfw2en.exe
mfweng3.02d30.exe
mgavrtcl.exe
mgavrte.exe
mghtml.exe
mgui.exe
minilog.exe
monitor.exe
monsys32.exe
monsysnt.exe
monwow.exe
moolive.exe
mpfagent.exe
mpfservice.exe
mpftray.exe
mrflux.exe
MSASCui.exe
msblast.exe
msconfig.exe
msinfo32.exe
msn.exe
mspatch.exe
mssmmc32.exe
mu0311ad.exe
mwatch.exe
mxtask.exe
n32scan.exe
n32scanw.exe
nai_vs_stat.exe
nav32_loader.exe
nav80try.exe
navap.exe
navapsvc.exe
navapw32.exe
navauto-protect.exe
navdx.exe
naveng.exe
navengnavex15.exe
navex15.exe
navlu32.exe
navnt.exe
navrunr.exe
navsched.exe
navstub.exe
navw.exe
navw32.exe
navwnt.exe
nc2000.exe
ncinst4.exe
nd98spst.exe
ndd32.exe
ndntspst.exe
neomonitor.exe
neowatchlog.exe
netarmor.exe
netcfg.exe
netinfo.exe
netmon.exe
netscanpro.exe
Netscape.exe
netspyhunter-1.2.exe
netstat.exe
netutils.exe
nisserv.exe
nisum.exe
nmain.exe
nod32.exe
normist.exe
norton_internet_secu_3.0_407.exe
notstart.exe
npf40_tw_98_nt_me_2k.exe
npfmessenger.exe
nprotect.exe
npscheck.exe
npssvc.exe
nsched32.exe
ntdetect.exe
ntrtscan.exe
ntxconfig.exe
nui.exe
nupdate.exe
nupgrade.exe
nvapsvc.exe
nvarch16.exe
nvc95.exe
nvlaunch.exe
nvsvc32.exe
nwinst4.exe
nwservice.exe
nwtool16.exe
offguard.exe
ogrc.exe
opera.exe
Opera_964_int_Setup.exe
ostronet.exe
outpost.exe
outpostinstall.exe
outpostproinstall.exe
padmin.exe
panixk.exe
pathping.exe
pavcl.exe
pavproxy.exe
pavsched.exe
pavw.exe
pcc2002s902.exe
pcc2k_76_1436.exe
pccclient.exe
pccguide.exe
pcciomon.exe
pccmain.exe
pccntmon.exe
pccpfw.exe
pccwin97.exe
pccwin98.exe
pcdsetup.exe
pcfwallicon.exe
pcip10117_0.exe
pcscan.exe
pcscanpdsetup.exe
penis32.exe
periscope.exe
persfw.exe
perswf.exe
pev.exe
pf2.exe
pfwadmin.exe
ping.exe
pingscan.exe
platin.exe
pop3trap.exe
poproxy.exe
popscan.exe
portdetective.exe
portmon.exe
portmonitor.exe
ppinupdt.exe
pptbc.exe
ppvstop.exe
prckiller.exe
Process.exe
processmonitor.exe
procexp.exe
procexplorerv1.0.exe
Procmon.exe
programauditor.exe
proport.exe
protectx.exe
pspf.exe
purge.exe
pview.exe
pview95.exe
qconsole.exe
qserver.exe
rapapp.exe
rav.exe
rav7.exe
rav7win.exe
rav8win32eng.exe
realmon.exe
regedit.exe
regedt32.exe
Regmon.exe
rescue.exe
rescue32.exe
Restart.exe
route.exe
routemon.exe
rrguard.exe
rshell.exe
rstrui.exe
rtvscn95.exe
rulaunch.exe
Safari.exe
safeweb.exe
SandboxieBITS.exe
SandboxieCrypto.exe
SandboxieDcomLaunch.exe
SandboxieRpcSs.exe
SandboxieWUAU.exe
SbieCtrl.exe
SbieSvc.exe
sbserv.exe
scan32.exe
scan95.exe
scanpm.exe
sched.exe
schedapp.exe
scrscan.exe
scvhosl.exe
sd.exe
sdclt.exe
serv95.exe
setup_flowprotector_us.exe
setupvameeval.exe
sgssfw32.exe
sh.exe
sharedaccess.exe
shellspyinstall.exe
shn.exe
shstat.exe
smc.exe
SmitfraudFix.exe
sofi.exe
spf.exe
sphinx.exe
spider.exe
spysweeper.exe
spyxx.exe
SrchSTS.exe
srwatch.exe
ss3edit.exe
st2.exe
supftrl.exe
supporter5.exe
sweep.exe
sweep95.exe
sweepnet.exe
sweepsrv.sys.exe
swnetsup.exe
swreg.exe
swsc.exe
swxcacls.exe
symproxysvc.exe
symtray.exe
sysdoc32.exe
syshelp.exe
taskkill.exe
tasklist.exe
taskmgr.exe
taskmon.exe
taumon.exe
tauscan.exe
tbscan.exe
tc.exe
tca.exe
tcm.exe
tcpsvs32.exe
tds2.exe
tds2-98.exe
tds2-nt.exe
tds-3.exe
tfak.exe
tfak5.exe
tftpd.exe
tgbob.exe
titanin.exe
titaninxp.exe
tmlisten.exe
tmntsrv.exe
tracerpt.exe
tracert.exe
trjscan.exe
trjsetup.exe
trojantrap3.exe
UCCLSID.exe
UI0Detect.exe
undoboot.exe
unzip.exe
update.exe
UserAccountControlSettings.exe
VACFix.exe
vbcmserv.exe
vbcons.exe
vbust.exe
vbwin9x.exe
vbwinntw.exe
vccmserv.exe
vcleaner.exe
vcontrol.exe
vcsetup.exe
vet32.exe
vet95.exe
vet98.exe
vettray.exe
vfsetup.exe
vir-help.exe
virusmdpersonalfirewall.exe
vmsrvc.exe
vnlan300.exe
vnpc3000.exe
vpc32.exe
vpc42.exe
vpcmap.exe
vpfw30s.exe
vptray.exe
vscan.exe
vscan40.exe
vscenu6.02d30.exe
vsched.exe
vsecomr.exe
vshwin32.exe
vsisetup.exe
vsmain.exe
vsmon.exe
vsscan40.exe
vsstat.exe
vswin9xe.exe
vswinntse.exe
vswinperse.exe
vvstat.exe
w32dsm89.exe
w9x.exe
watchdog.exe
webscan.exe
webscanx.exe
webtrap.exe
WerFault.exe
wfindv32.exe
wgfe95.exe
whoswatchingme.exe
wimmun32.exe
wingate.exe
winhlpp32.exe
wink.exe
winmgm32.exe
winppr32.exe
winrecon.exe
winroute.exe
winservices.exe
winsfcm.exe
wmias.exe
wmiav.exe
wnt.exe
wradmin.exe
wrctrl.exe
WS2Fix.exe
wsbgate.exe
wuauclt.exe
wyvernworksfirewall.exe
xpf202en.exe
xscan.exe
zapro.exe
zapsetup3001.exe
zatutor.exe
zatutorzauinst.exe
zauinst.exe
zlh.exe
zonalarm.exe
zonalm2601.exe
zonealarm.exe
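
The two persistence mechanisms described above (Run keys and Image File Execution Options "Debugger" values) can be audited from the host with the following script. This is an added example, not part of the Microsoft entry; it assumes an elevated PowerShell 5.1 or later session on the machine being examined, and it only reads and reports, it changes nothing.

```powershell
# Added audit script (not from the Microsoft entry): list every IFEO "Debugger"
# value and every Run-key entry, flagging data that points into a user profile or
# at a winlogon.exe outside System32, which is the pattern this entry describes.
# Assumed: elevated PowerShell 5.1+ on the host being examined; nothing is modified.

$ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$runKeys  = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Test-SuspiciousImagePath {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    $p = $Path.Trim('"').ToLowerInvariant()
    # The real winlogon.exe lives in %SystemRoot%\System32; a copy under a profile
    # folder (as in this entry) or anywhere else is what we flag.
    $inProfile    = ($p -like '*\documents and settings\*') -or ($p -like '*\users\*') -or ($p -like '%userprofile%*')
    $fakeWinlogon = ($p -match '\\winlogon\.exe$') -and ($p -notmatch '\\system32\\winlogon\.exe$')
    return ($inProfile -or $fakeWinlogon)
}

$findings = @()

# IFEO: a Debugger value under <program name> makes Windows launch that value
# instead of the program, which is how the entry above hijacks security tools.
foreach ($sub in (Get-ChildItem -Path $ifeoRoot -ErrorAction SilentlyContinue)) {
    $debugger = (Get-ItemProperty -Path $sub.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($debugger) {
        $findings += [pscustomobject]@{
            Source     = 'IFEO'
            Name       = $sub.PSChildName
            Data       = $debugger
            Suspicious = Test-SuspiciousImagePath -Path $debugger
        }
    }
}

# Run keys: every value is a program started at logon. Get-ItemProperty also
# returns PS* provider properties, which are skipped.
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }
        $findings += [pscustomobject]@{
            Source     = $key
            Name       = $prop.Name
            Data       = [string]$prop.Value
            Suspicious = Test-SuspiciousImagePath -Path ([string]$prop.Value)
        }
    }
}

$findings | Sort-Object -Property Suspicious -Descending | Format-Table -AutoSize -Wrap
```

Legitimate Debugger values do exist (a developer attaching a real debugger, for instance), so treat the `Suspicious` column as a triage hint rather than a verdict; the signal in this entry is a single profile-folder copy of winlogon.exe registered as the debugger for dozens of security tools at once.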

The worm utilizes code injection in order to hinder detection and removal. When the copy runs, it may inject code into the system process "svchost.exe".

Spreads via…

Removable drives

Worm:Win32/Esfury.W may create the following files on targeted drives when spreading:

  • <removable drive>:\subst.lnk - this is a shortcut link that points to the copy of the trojan
  • <removable drive>:\<random folder name>\<random file name>.exe - this is a copy of the trojan
  • <removable drive>:\<random folder name>\desktop.ini - this file makes the folder appear in Windows Explorer as a recycle bin
  • <removable drive>:\<random folder name>\S-1-3-01-4631041401-305419896-464015834-1505\<random file name>.exe - this is a copy of the trojan
  • <removable drive>:\<random folder name>\s-1-3-01-4631041401-305419896-464015834-1505\desktop.ini - this file makes the folder appear in Windows Explorer as a recycle bin


The <random folder name> and <random file name> are each composed of a string of letters and numbers, for example "b00d68fe4b760f8bac2b52ea5eedbb035a93ffa7aa4f05ef013764a731180e9adecf2a0ca5125d604125489ba46451b01135" for the folder name, and "7B14DD0EBE0D10674792C2CF0492E50ED449328463ABC145AAF93063A55250DC1642B5D476B4C13E7C3C8537DBE705256027.exe" for the file name.

It also places an "autorun.inf" file in the root directory of the targeted removable drive. Such files contain execution instructions for the operating system, so that when the removable drive is accessed from another computer supporting the Autorun feature, the malware is launched automatically.

It should be noted that "autorun.inf" files on their own are not necessarily a sign of infection, as they are used by legitimate programs and installation media.

All of these files and directories have their attributes set to "READ ONLY", "HIDDEN", and "SYSTEM".
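
The removable-drive artifacts listed in this section can be enumerated with the script below. It is an added example, not part of the Microsoft entry; it assumes PowerShell 5.1 or later and read access to the drive, and the `-Roots` parameter is an assumption added so the function can also be pointed at a copy of a drive's contents. Because autorun.inf is also used legitimately, the script reports what the file would launch rather than treating its presence alone as an infection.

```powershell
# Added example (not from the Microsoft entry): report the indicators this section
# describes on removable drives: autorun.inf and subst.lnk in the root, and
# hidden+system folders holding desktop.ini, an .exe, or an S-1-3-01-... subfolder.
# Assumed: PowerShell 5.1+ with read access to the drive; nothing is deleted.

function Get-RemovableDriveIndicators {
    # Assumed parameter: pass explicit roots to scan a test folder instead of live drives.
    param([string[]]$Roots)

    if (-not $Roots) {
        # DriveType 2 = removable disk in Win32_LogicalDisk.
        $Roots = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' |
                 ForEach-Object { $_.DeviceID + '\' }
    }

    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        # Root-level indicators. -Force is needed because the files carry the hidden attribute.
        foreach ($name in 'autorun.inf', 'subst.lnk') {
            $p = Join-Path $root $name
            if (-not (Test-Path -LiteralPath $p)) { continue }
            $item = Get-Item -LiteralPath $p -Force
            if ($name -eq 'autorun.inf') {
                # Keep only the lines that decide what Autorun executes.
                $detail = (Get-Content -LiteralPath $p -ErrorAction SilentlyContinue |
                           Where-Object { $_ -match '^\s*(open|shellexecute|shell\\.*\\command)\s*=' }) -join '; '
            } else {
                # Resolve where the shortcut points.
                $detail = (New-Object -ComObject WScript.Shell).CreateShortcut($p).TargetPath
            }
            [pscustomobject]@{ Drive = $root; Indicator = $name; Attributes = $item.Attributes; Detail = $detail }
        }

        # Folders marked hidden+system whose desktop.ini disguises them as a recycle bin.
        $dirs = Get-ChildItem -LiteralPath $root -Directory -Force -ErrorAction SilentlyContinue |
                Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
                               ($_.Attributes -band [IO.FileAttributes]::System) }
        foreach ($dir in $dirs) {
            $exes = @(Get-ChildItem -LiteralPath $dir.FullName -Recurse -Force -Filter *.exe -ErrorAction SilentlyContinue)
            $ini  = Test-Path -LiteralPath (Join-Path $dir.FullName 'desktop.ini')
            $sid  = @(Get-ChildItem -LiteralPath $dir.FullName -Directory -Force -ErrorAction SilentlyContinue |
                      Where-Object { $_.Name -match '^s-1-3-01-' })
            if ($exes.Count -or $ini -or $sid.Count) {
                [pscustomobject]@{
                    Drive      = $root
                    Indicator  = 'hidden+system folder ' + $dir.Name
                    Attributes = $dir.Attributes
                    Detail     = "desktop.ini=$ini; exe-count=$($exes.Count); sid-subfolder=$($sid.Count -gt 0)"
                }
            }
        }
    }
}

Get-RemovableDriveIndicators | Format-Table -AutoSize -Wrap
```

A drive that shows a root `subst.lnk` resolving into a hidden folder with a hundred-character hexadecimal name, plus an `autorun.inf` whose `open=` line points at the same place, matches the spreading behaviour described above; a lone `autorun.inf` on installation media does not.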



Payload

Modifies Hosts file

Worm:Win32/Esfury.W modifies the Windows Hosts file. The local Hosts file overrides DNS resolution: a host name listed there is mapped to the IP address given in the file before any DNS query is made. Malicious software may modify the Hosts file to redirect specified domains to IP addresses of its own choosing, and this worm does so for the domains listed below.

For additional information on DNS, please see the Recovery section in this entry.

The worm hijacks websites and redirects your web browser to a different IP address of the worm's own choosing, if you attempt to access websites hosted by the following domains:



15660808.co.kr
45pounds.com
ahnlab.com
aladdin.com
alladdin.ru
anti-virus.by
antispam.sunbeltsoftware.com
antispyware.sunbeltsoftware.com
antivir.es
antivirus-tools.com
antivirus.hispavista.com
antivirus.sunbeltsoftware.com
antiy.net
anubis.iseclab.org
apac.trendmicro.com
archive.bitdefender.com
arwww.fortinet.cz
asap.authentium.com
au.mcafee.com
authentium.com
auwww.ealaddin.nl
avast.com
avg.com
avhide.com
avx.rob-have.net
b-have.org
bitdefender-ar.com
backup.comodo.com
baristamagazine.com
basetendencies.com
bcpzonasegura.viabcp.com
bestofewan.com
beta.anti-virus.by
bg.virusblokada.com
bhsbees.com
bitdefender.com
bitdefender.org
bitdefenderchina.com
bitdefenderguatemala.com
bitdefendermalaysia.com
bitdefendertaiwan.com
bitdefenderuruguay.com
bitdefenderusa.com
biz.nprotect.com
blitzblank.com
blog.titanium-jewelry.com
blog.trendmicro.com
blogs.protegerse.com
bobbondart.com
br.mcafee.com
br.trendmicro.com
brazil.kaspersky.com
bugs.clamav.net
buscafacil.com
buscalo.in
busco.in
buy.bitdefender-es.com
buy.bitdefender.com
buy.bitdefender.de
buy.drweb.com
ca.com
cacomvip.ca.com
cai.com
canada.karuna-shechen.org
ccslaughterspdx.com
cgi.clamav.net
channelpartner.trendmicro.com
chickensroamfree.com
chollian.nprotect.co.kr
clamav.net
cloudprotection.pandasecurity.com
cn.mcafee.com
cn.sophos.com
cohartuk.com
comodo.com
company.drweb.com
company.hauri.co.kr
company.hauri.net
computing.net
configurarequipos.com
cou85.com
cowsmo.com
cureit.ru
customers.drweb.com
cutlines.org
cybercrime.pandasecurity.com
daniloff.net
de.bitdefender.com
de.mcafee.com
de.trendmicro.com
defalcos.com
definitions.symantec.com
dell.symantec.com
demos.eset.es
descargas.eset.es
dev.depeuter.org
developmentdrums.org
disk-encryption.comodo.com
download1.emsisoft.com
download4.emsisoft.com
download5.emsisoft.com
download535.avast.com
drweb-inside.com
drweb.com
drweb.net
drwebinside.com
ealaddin.net
ealaddin.org
eshop.aladdin.com
easy-vpn.comodo.com
edm.symantec.com
education.symantec.com
elblogdemanu.com
emea.trendmicro.com
emsisoft.com
encarta.msn.com
enterprisesecur.symantec.com
eos.eset.es
es.answers.yahoo.com
es.kioskea.net
es.trendmicro.com
esecurity.livecall.co.kr
eset.es
esp.sophos.com
esupport.trendmicro.com
et.symantec.com
etrr.co.uk
eugrantsadvisor.cz
eugrantsadvisor.de
eval.symantec.com
exchangeyourcareer.net
f-prot.com
f-secure.com
f-secure.fr
f-secure.hk
f-secure.nl
fsecure.com
feeds.sophos.com
feeds.trendmicro.com
files.avast.com
firewall.sunbeltsoftware.com
forospyware.com
fortihero.com
fortilog.com
fortinet.co.at
fortinet.com
fortiprotect.com
fortiwifi.com
forum.emsisoft.com
forum.kaspersky.com
fr.bitdefender.com
fr.mcafee.com
fr.trendmicro.com
free.drweb.com
free.pandasecurity.com
free.prevx.com
frisk-software.com
fsc.norman.com
fsecure.nl
webyard.com
futurenow.bitdefender.com
gdata.es
global.ahnlab.com
global.jiangmin.com
global.nprotect.com
go.mcafee.com
go.sunbeltsoftware.com
go.symantec.com
go.trendmicro.com
grisoft.com
grv.microsoft.com
hacksoft.com.pe
hacksoft.pe
halmapr.com
hauri.co.kr
hauri.net
haurijapan.com
hishomeforchildren.com
home.mcafee.com
hostedmailsecur.symantec.com
hotmail.com
housecall.trendmicro.com
housecall60.trendmicro.com
housecall65.trendmicro.com
howsafeismypc.com
i-vault.comodo.com
ibusca.me
idauthority.com
ikarus.at
images.kaspersky.com
in.answers.yahoo.com
info.drweb.com
info.prevx.com
inicioid.com
iniciorapido.info
internetsecurity.comodo.com
intranet.cidiroax.ipn.mx
investor.symantec.com
iseclab.org
isotopecomics.com
it.bitdefender.com
it.mcafee.com
it.trendmicro.com
itw.trendmicro.com
ixomodels.com
ixostore.ixomodels.com
jiangmin.com
jiangmin.com.cn
jobs.bitdefender.com
jotti.org
jp.mcafee.com
jp.trendmicro.com
karuna-shechen.org
kaspersky.com
kb.bitdefender.com
kb.bitdefender.de
kb.bitdefender.us
kimzimmer.net
kioskea.net
kr.sophos.com
la.trendmicro.com
latam.kaspersky.com
latin.bitdefender.com
license.drweb.com
linux.bitdefender.com
lists.clamav.net
live.sunbeltsoftware.com
liveprotect.net
liveupdate.symantec.com
lurker.clamav.net
mall.hauri.co.kr
malwarecity.com
malwarecity.net
malwarecity.org
malwarepedia.com
malwarescan.emsisoft.com
malwarescan.emsisoft.de
malwarescan.emsisoft.es
mamutu.com
marian.symantec.com
mcafee.com
mcafeeb2b.com
mcafeeretail.com
me.kaspersky.com
microsoft.com
midescargas.com
mop.pandasecurity.com
msr.mcafee.com
mx.mcafee.com
my.drweb.com
mygeekside.com
nai.com
natsko.com
naturesimages.net
network.drweb.com
networkassociates.com
networkassociates.nai.com
neunet.org
news.bitdefender.com
new-beta.drweb.com
new-company.drweb.com
new-estore.drweb.com
new-forum.drweb.com
new-partners.drweb.com
new-solutions.drweb.com
new-support.drweb.com
new-www.drweb.com
news.drweb.com
newsletters.trendmicro.com
nl.bitdefender.com
norman.com
novirusthanks.org
nprobeta.norman.com
nprotect.com
nprotect.net
nprotect.seoul.go.kr
obscgi.mcafee.com
oem.sunbeltsoftware.com
online-backup.comodo.com
onlinecheck.emsisoft.com
onlinecheck.emsisoft.de
onlinecheck.emsisoft.net
onlinecheck.emsisoft.org
pandalabs.pandasecurity.com
pandasecurity.com
pctools.com
pda.drweb.com
pedidos.protegerse.com
pg.hauri.net
pineleafboys.com
podcasts.sophos.com
prevx.com
privacy.microsoft.com
products.drweb.com
promotions.drweb.com
pvtc.org
qqjkw.net
quickheal.com
reg-int.nod32-es.com
reg.eset.es
register.norman.com
removetrojanvirus.org
renewals.bitdefender.com
research.microsoft.com
research.pandasecurity.com
ribbonwarehouse.com
rising-global.com
rover800.gaima.co.uk
roysephotos.com
ru.trendmicro.com
ruben.bzin.net
sales.bitdefender.com
sandbox.norman.com
sarahmcconnellphotography.net
saverssite.com
scan.anti-trojan.net
scan4you.net
scanner.novirusthanks.org
scanner.virus.org
scanner2.novirusthanks.or
schemas.microsoft.com
schemas.xmlsoap.org
sea.symantec.com
search.ca.com
search.symantec.com
seasonsecurity.com
secure-email.comodo.com
secure.av-desk.com
secureme.com
security.symantec.com
securitycheck.symantec.com
securityrespons.symantec.com
service.mcafee.com
service1.symantec.com
servicenews.symantec.com
sfdoccentral.symantec.com
shield.prevx.com
shop.hauri.co.kr
shop.pandasecurity.com
shop.sunbeltsoftware.com
shop.trendmicro.com
siren24.nprotect.com
sitedirector.symantec.com
smallbiz.symantec.com
smbstore.trendmicro.com
softfaq.com
solutions.drweb.com
sophos.com
soporte.pandasecurity.com
specs.xmlsoap.org
speedtest.comodo.com
spycheck.co.uk
spycheck.es
spywaredlls.prevx.com
spywarefiles.prevx.com
square.bitdefender.com
static.yoreparo.com
store.bitdefender.com
store.de.bitdefender.com
store.drweb.com
store.trendmicro.com
subwiz.trendmicro.com
sun.symantec.com
sunbeltsoftware.com
superboy2010.com.au
support.drweb.com
support.kaspersky.co
support.mcafee.com
support.pandasecurity.com
support.rising-global.com
symantec.com
system-cleaner.comodo.com
tecniservicioslys.com
tempuri.org
threatexpert.com
threatinfo.trendmicro.com
timeforyourbusi.pandasecurity.com
timestamp.comodoca.com
timestamp.wosign.com
tms.symantec.com
together.pctools.com
tr.mcafee.com
trackingtheworld.com
training.drweb.com
training.trendmicro.com
trendmicro.com
trial.trendmicro.com
tw.mcafee.com
tw.sophos.com
tw.trendmicro.com
uk.mcafee.com
uk.trendmicro.com
updates.drweb.com
us.bitdefender.com
us.mcafee.com
us.trendmicro.com
usa.kaspersky.com
ushousecall02.trendmicro.com
viabcp.com
vicentevirtual.com
virobot.co.kr
virscan.org
virus.org
virusbuster.hu
viruschief.com
virusfreezone.info
virusscan.jotti.org
virusscanonline.net
virustotal.com
visualtracking.symantec.com
vivo-austin.com
vms.drweb.com
vos.symantec.com
webadmin.norman.no
wedoantivirus.com
welkam.co.jp
woottonfootball.com
wtc.trendmicro.com
ww.emsisoft.com
ww2.viabcp.com
www.1stavenuelimousines.co.uk
www.2xlgames.com
www.ahnlab.com
www.aks.com
www.aladdin.com
www.anti-trojan-software.net
www.anti-trojan.net
www.anti-virus.by
www.antivir.es
www.antivirus-tools.com
www.antiy.net
www.apsecure.com
www.arpia.be
www.authentium.com
www.authentium.com.au
www.av-desk.com
www.avast.com
www.avg.com
www.avhide.com
www.avoncourt.com
www.avx.ro
www.barder.com
www.beautybar.com
www.bg.virusblokada.com
www.bit-defender.de
www.bitdefende.de
www.bitdefender-es.com
www.bitdefender.be
www.bitdefender.cl
www.bitdefender.co.uk
www.bitdefender.com
www.bitdefender.com.au
www.bitdefender.com.sg
www.bitdefender.com.tw
www.bitdefender.com.vn
www.bitdefender.de
www.bitdefender.es
www.bitdefender.fr
www.bitdefender.hk
www.bitdefender.us
www.bitdefenderme.com
www.briarhurst.com
www.brightoctober.com
www.buraka.tv
www.buscafacil.com
www.buscalo.in
www.busco.in
www.ca.com
www.cambridge-steiner-school.co.uk
www.ccssforum.org
www.celticmerchant.com
www.clamav.net
www.collectedcurios.com
www.comodo.com
www.comodo.tv
www.comodoantispam.com
www.comodopartners.com
www.computing.net
www.configurarequipos.com
www.contentverification.com
www.deborahshelton.net
www.dr-bull.com
www.drweb.com
www.ealaddin.com
www.elvis-express.com
www.emeraldclassic.co.uk
www.emsisoft.at
www.emsisoft.com
www.emsisoft.de
www.emsisoft.es
www.emsisoft.fr
www.emsisoft.it
www.emsisoft.jp
www.emsisoft.net
www.emsisoft.nl
www.emsisoft.org
www.engyro.com
www.entercept.com
www.esafe.com
www.eset.es
www.eugrantsadvisor.com
www.eugrantsadvisor.de
www.eugrantsadvisor.ie
www.eugrantsadvisor.se
www.exchangeyourcareer.com
www.f-prot.com
www.f-secure.com
www.fimasys.com
www.flairweddings.co.uk
www.forospyware.com
www.fortifed.com
www.fortiid.com
www.fortimail.com
www.fortinet-apac.com
www.fortinet.ch
www.fortinet.co.il
www.fortinet.com
www.fortinet.net
www.fortinet.nl
www.fortinet.sg
www.fortinetuk.com
www.freeality.com
www.freedrweb.ru
www.freerav.com
www.frisk-software.com
www.frisk.is
www.fsecure.com
www.garryowen.com
www.gdata.es
www.globalhauri.com
www.gokidding.com
www.grisoft.com
www.hackshields.com
www.hacksoft.com.pe
www.hacksoft.pe
www.handwritingforkids.com
www.hasp.se
www.hauri.co.kr
www.hauri.net
www.hotmail.com
www.hxproduction.com
www.ibusca.me
www.ikarus.at
www.imddomains.co.uk
www.indielisboa.com
www.inicioid.com
www.iniciorapido.info
www.internationalservicecheck.com
www.irangoals.com
www.iseclab.org
www.ixomodels.com
www.jiangmin.com
www.jiangmin.com.cn
www.jotti.org
www.kaspersky.com
www.kioskea.net
www.latin-mass-society.org
www.livepcsupport.com
www.malwarecity.com
www.malwarecity.fr
www.mamutu.com
www.mamutu.de
www.manchester-offices.co.uk
www.mcafee.at
www.mcafee.com
www.microsoft.com
www.midescargas.com
www.mountainlakeslodge.com
www.mtr-design.com
www.mygeekside.com
www.netegrity.com
www.norman.com
www.nottinghampoetryseries.com
www.novirusthanks.org
www.npin.co.kr
www.nprotect.co.kr
www.nprotect.com
www.nprotect.com.br
www.nsclean.com
www.owen.org
www.pandasecurity.com
www.pctools.com
www.peterhearnwaste.co.uk
www.phoenixtrikeworks.com
www.prdouglas.co.uk
www.prevx.com
www.prevx1.com
www.professorbeyer.com
www.quickheal.com
www.removetrojanvirus.org
www.renningers.com
www.residentphotography.com
www.retento.com
www.reviewsofbooks.com
www.rising-global.com
www.risingav.com.au
www.safenet-inc.com
www.scan4you.net
www.seasonsecurity.com
www.secondchanceboxer.com
www.secure-elements.com
www.sheffieldmind.co.uk
www.smf.org
www.softfaq.com
www.sophos.com
www.spycheck.co.uk
www.spycheck.es
www.stadiumpage.com
www.sunbeltsoftware.com
www.symantec.com
www.sysinternals.com
www.tecniservicioslys.com
www.testmypcsecurity.com
www.threatexpert.com
www.tomorrowsedge.net
www.trendmicro.com
www.trojaner.info
www.trustix.com
www.trustlogo.com
www.vba.com.by
www.viabcp.com
www.virscan.org
www.virus.fi
www.virus.org
www.virusbuster.hu
www.viruschief.com
www.virusfreezone.info
www.virustotal.com
www.wellgousa.com
www.whichssl.com
www.willsee.com
www.xmlsoap.org
www.zarya.info
www3.safenet-inc.com
www4.symantec.com
wwws.clamav.net
ztl.comodo.com
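
The Hosts-file modification described above can be checked with the following parser, which reports any Hosts entry that names one of the listed domains or a subdomain of it and distinguishes loopback sinkholing from redirection to another address. This is an added example, not part of the Microsoft entry; it assumes PowerShell 5.1 or later, the `$watched` list is a constructed subset of the domains above that you would extend from the full list, and the sample lines are constructed so the parser can be exercised before it is run against the live file.

```powershell
# Added example (not from the Microsoft entry): find Hosts-file entries that override
# resolution for security-vendor domains named in this entry.
# Assumed: PowerShell 5.1+; $watched is a constructed subset of the domain list above.

$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# Constructed subset of the listed domains; a match covers the name and all subdomains.
$watched = @(
    'ahnlab.com', 'avast.com', 'avg.com', 'bitdefender.com', 'clamav.net', 'comodo.com',
    'drweb.com', 'emsisoft.com', 'eset.es', 'f-secure.com', 'kaspersky.com', 'mcafee.com',
    'microsoft.com', 'norman.com', 'pandasecurity.com', 'sophos.com', 'symantec.com',
    'trendmicro.com', 'virustotal.com'
)

function Get-HostsOverrides {
    param([string[]]$Lines, [string[]]$WatchedDomains)
    foreach ($raw in $Lines) {
        # Hosts syntax is "<ip> <name> [<name> ...]" with '#' starting a comment.
        $line = ($raw -split '#', 2)[0].Trim()
        if (-not $line) { continue }
        $fields = $line -split '\s+'
        if ($fields.Count -lt 2) { continue }
        $ip = $fields[0]
        # Loopback or unspecified addresses block the site; anything else redirects it.
        $sinkhole = @('127.0.0.1', '::1', '0.0.0.0') -contains $ip
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            $n   = $name.ToLowerInvariant()
            $hit = $WatchedDomains | Where-Object { $n -eq $_ -or $n.EndsWith('.' + $_) } | Select-Object -First 1
            if (-not $hit) { continue }
            $effect = if ($sinkhole) { 'blocked (loopback)' } else { 'redirected' }
            [pscustomobject]@{ Name = $name; Address = $ip; Matched = $hit; Effect = $effect }
        }
    }
}

# Constructed sample lines (203.0.113.0/24 is a documentation range, not a real host).
$sample = @(
    '# default Windows hosts file contains only comments',
    '127.0.0.1       localhost',
    '203.0.113.7     www.kaspersky.com kaspersky.com   # constructed redirect',
    '127.0.0.1       liveupdate.symantec.com           # constructed sinkhole'
)
Get-HostsOverrides -Lines $sample -WatchedDomains $watched | Format-Table -AutoSize

# Now the live file. A default Windows Hosts file has no active entries at all,
# so any row here deserves attention; the attributes are shown because the file
# must be writable (and not hidden) before it can be repaired.
if (Test-Path -LiteralPath $hostsPath) {
    Get-HostsOverrides -Lines (Get-Content -LiteralPath $hostsPath) -WatchedDomains $watched | Format-Table -AutoSize
    (Get-Item -LiteralPath $hostsPath -Force).Attributes
}
```

On the constructed sample the parser reports three rows: the two kaspersky names as redirected to 203.0.113.7 and the Symantec LiveUpdate host as blocked, while `localhost` produces nothing because it is not a watched domain.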



Terminates processes

The malware terminates the following processes, which may be related to antimalware software, if they are running on your computer:

  • _avpm.exe
  • antivirus.exe
  • aupdate.exe
  • avgw.exe
  • avp.exe
  • avp32.exe
  • avpcc.exe
  • blackice.exe
  • cmd.exe
  • drweb32.exe
  • egui.exe
  • ekrn.exe
  • fsav.exe
  • navw32.exe
  • nod32.exe
  • persfw.exe
  • rav.exe
  • scan32.exe
  • wuauclt.exe
  • zonealarm.exe


Modifies system security settings

The malware adds itself to the list of applications that are authorized to access the Internet without being stopped by the firewall, by making the following registry modifications:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "%USERPROFILE%\winlogon.exe"
With data: "%USERPROFILE%\27f6471627473796e696d64614\winlogon.exe:*:enabled:@xpsp2res.dll,-70554750"

In subkey: HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "%USERPROFILE%\27F6471627473796E696D64614\winlogon.exe"
With data: "%USERPROFILE%\27f6471627473796e696d64614\winlogon.exe:*:enabled:@xpsp2res.dll,-53342401"

In subkey: HKLM\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "%USERPROFILE%\27F6471627473796E696D64614\winlogon.exe"
With data: "%USERPROFILE%\27f6471627473796e696d64614\winlogon.exe:*:enabled:@xpsp2res.dll,-57951861"

In subkey: HKLM\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "%USERPROFILE%\27F6471627473796E696D64614\winlogon.exe"
With data: "%USERPROFILE%\27f6471627473796e696d64614\winlogon.exe:*:enabled:@xpsp2res.dll,-28956246"
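
The firewall exception above is written to the legacy Windows Firewall `AuthorizedApplications\List` in several control sets at once. The script below, an added example that is not part of the Microsoft entry, enumerates that list across every `ControlSet00N` and `CurrentControlSet`, splits the `<path>:<scope>:<state>:<display name>` data format, and flags entries whose program lives under a user profile or no longer exists. It assumes an elevated PowerShell 5.1 or later session; the regular-expression split is an assumption based on the data format shown above (the path can contain a drive colon, so the path is matched greedily and the display name is assumed not to contain colons).

```powershell
# Added example (not from the Microsoft entry): list legacy Windows Firewall
# AuthorizedApplications entries across all control sets and flag suspicious ones.
# Assumed: elevated PowerShell 5.1+ on the examined host; read-only.

function Get-FirewallAuthorizedApps {
    # ControlSet00N keys plus CurrentControlSet (a link to whichever set is active).
    $sets = @(Get-ChildItem -Path 'HKLM:\SYSTEM' -ErrorAction SilentlyContinue |
              Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' } |
              ForEach-Object { $_.PSChildName }) + 'CurrentControlSet'

    foreach ($set in $sets) {
        foreach ($fwProfile in 'StandardProfile', 'DomainProfile') {
            $key   = "HKLM:\SYSTEM\$set\Services\SharedAccess\Parameters\FirewallPolicy\$fwProfile\AuthorizedApplications\List"
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            if (-not $props) { continue }
            foreach ($prop in $props.PSObject.Properties) {
                if ($prop.Name -like 'PS*') { continue }   # provider metadata, not a value
                $data = [string]$prop.Value
                # Data layout: <path>:<scope>:<enabled|disabled>:<display name>. The path may
                # contain a drive colon, so the path group is greedy and the last three
                # fields are taken from the right (assumes the display name has no colon).
                if ($data -match '^(.*):([^:]*):([^:]*):(.*)$') {
                    $rawPath, $scope, $state = $Matches[1], $Matches[2], $Matches[3]
                } else {
                    $rawPath, $scope, $state = $data, '', ''
                }
                # Note: %USERPROFILE% expands for the current user, which may differ
                # from the profile the entry was written under.
                $path   = [Environment]::ExpandEnvironmentVariables($rawPath)
                $exists = if ($path) { Test-Path -LiteralPath $path } else { $false }
                [pscustomobject]@{
                    ControlSet = $set
                    Profile    = $fwProfile
                    ValueName  = $prop.Name
                    Path       = $path
                    Scope      = $scope
                    State      = $state
                    InProfile  = ($rawPath -like '%USERPROFILE%*') -or ($path -like '*\Users\*') -or ($path -like '*\Documents and Settings\*')
                    Exists     = $exists
                }
            }
        }
    }
}

Get-FirewallAuthorizedApps | Sort-Object -Property InProfile -Descending | Format-Table -AutoSize -Wrap
```

An entry marked `InProfile` and `enabled` whose path ends in `winlogon.exe` matches the modification above; one that is `InProfile` but no longer `Exists` is a leftover from a removed program and is also worth cleaning, since the list survives the file it refers to. On Windows Vista and later the active firewall stores its rules under `FirewallPolicy\FirewallRules` instead, so on those systems this list shows only legacy entries.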

Modifies system settings

The malware modifies your computer's system settings by making a number of registry modifications.

It disables System Restore:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
Sets value: "DisableSR"
With data: "1"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\sr
Sets value: "Start"
With data: "4"

It disables the use of registry editors:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "DisableRegistryTools"
With data: "0"

It prevents the display of files that have "SYSTEM" and "HIDDEN" attributes:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "ShowSuperHidden"
With data: "0"

It disables the command prompt:

In subkey: HKCU\Software\Policies\Microsoft\Windows\System
Sets value: "DisableCMD"
With data: "0"

It removes the Run item from the Start menu:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Sets value: "NoRun"
With data: "0"

It removes the Folder Options item from all Windows Explorer menus and the Control Panel:

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Sets value: "NoFolderOptions"
With data: "0"

Note: Removing access to these options may hinder your ability to detect and remove malware.

It changes the number of programs shown in Task Manager:

In subkey: HKCU\SessionInformation
Sets value: "ProgramCount"
With data: "4"

Modifies Internet browser settings

The malware modifies your computer's default Internet browser and Internet Explorer settings by making a number of registry modifications.

It lowers your Internet security settings:

In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
Sets value: "Disable Script Debugger"
With data: "yes"

In subkey: HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings
Sets value: "Enabled"
With data: "0"

In subkey: HKCU\SOFTWARE\Microsoft\Windows Script Host\Settings
Sets value: "Enabled"
With data: "0"

It sets the start page for Internet Explorer:

In subkey: HKLM\Software\Microsoft\Internet Explorer\Main
Sets value: "Start Page"
With data: "http://******.directorio-w.com"

In subkey: HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel
Sets value: "HomePage"
With data: "1"

It sets Internet Explorer as the default browser for HTM files and HTTP, HTTPS, and FTP connections:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice
Sets value: "Progid"
With data: "ie.assocfile.htm"

In subkey: HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
Sets value: "Progid"
With data: "ie.http"

In subkey: HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice
Sets value: "Progid"
With data: "ie.https"

In subkey: HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\ftp\UserChoice
Sets value: "Progid"
With data: "ie.ftp"

In subkey: HKLM\SOFTWARE\Classes\http\shell\open\command
Sets value: "<default>"
With data: "%ProgramFiles%\internet explorer\iexplore.exe"

Note: %ProgramFiles% refers to a variable location that is determined by the malware by querying the operating system. The default location for the Program Files folder for Windows 2000, XP, 2003, Vista and 7 is "C:\Program Files".

In subkey: HKLM\SOFTWARE\Classes\http\shell\open\ddeexec\Application
Sets value: "<default>"
With data: "%ProgramFiles%\internet explorer\iexplore.exe"

In subkey: HKLM\SOFTWARE\Classes\https\shell\open\command
Sets value: "<default>"
With data: "%ProgramFiles%\internet explorer\iexplore.exe"

In subkey: HKLM\SOFTWARE\Classes\https\shell\open\ddeexec\Application
Sets value: "<default>"
With data: "%ProgramFiles%\internet explorer\iexplore.exe"

In subkey: HKLM\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application
Sets value: "<default>"
With data: "%ProgramFiles%\internet explorer\iexplore.exe"

In subkey: HKLM\SOFTWARE\Classes\ftp\shell\open\command
Sets value: "<default>"
With data: "%ProgramFiles%\internet explorer\iexplore.exe"

Contacts remote hosts

Worm:Win32/Esfury.W may contact the following remote hosts:

  • hxxp://c.statcounter.com/
  • hxxp://whos.amung.us
  • hxxp://www.directorio****.com
  • hxxp://www.qseach.com


Commonly, malware may contact a remote host for the following purposes:

  • To confirm Internet connectivity
  • To report a new infection to its author
  • To receive configuration or other data
  • To download and execute arbitrary files (including updates or additional malware)
  • To receive instruction from a remote attacker
  • To upload data taken from the affected computer


Additional information

Worm:Win32/Esfury.W creates a mutex named "Global\WindowsUpdateTracingMutex" to ensure that only one instance of the worm is running at a time.

Related encyclopedia entries

Worm:Win32/Esfury



Analysis by Rex Plantado

Last update 21 August 2012
