
Win32.Worm.Winko.I


First posted on 21 November 2011.
Source: BitDefender

Aliases:

There are no other names known for Win32.Worm.Winko.I.

Explanation:

The filename of the malware will be referred to as <PseudoRandomName>.

The malware consists of two parts, each with its own purpose depending on where the malware runs. The first part, the one that runs when the malware is injected into winlogon.exe, is the protection part. Every three seconds it re-adds the DLL to the registry so that it starts on every Windows startup. It creates the keys


HKLM\SYSTEM\CurrentControlSet\Services\<PseudoRandomName>
HKCU\SYSTEM\CurrentControlSet\Services\<PseudoRandomName>

and, under each of them, the values

Type = 0x00000010
Start = 0x00000002
ErrorControl = 0x00000001
ImagePath = "%System%\<PseudoRandomName>.EXE -k"
DisplayName = "<PseudoRandomName2>"
ObjectName = "LocalSystem"
Description = "<PseudoRandomName>"


It also disables Error Reporting by deleting all registry keys and values under HKLM\System\CurrentControlSet\Services\Ersvc.

It copies itself to c:\auto.exe and creates a file autorun.inf in which it writes

[AutoRun]
open = auto.exe
ShellExecute = auto.exe
shell\Auto\command = auto.exe

This will start the malware every time the c: drive is opened in explorer.exe.

Another role of the winlogon part is to download and install updates. The malware tries to download a file named update.txt from http://33.xinga[hidden].cn/soft//update.txt. This is an INI file containing the information needed to update the malware, such as the new version of the malware, the URL where the new version is located, the URL for the start page, a URL used to count how many times the update has been accessed by the infected computer, a value that tells the program after how many minutes installation of the update should begin,
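A defensive check for the autorun.inf technique described above, as an added example that is not part of the original description or BitDefender's own tooling: it parses an autorun.inf and lists the programs Explorer would launch when the drive is opened, which is how this worm gets auto.exe started. The sample content is constructed from the three directives quoted above; the set of launch keys and executable extensions are assumptions.

```python
import configparser
import ntpath

# Constructed sample reproducing the autorun.inf described in the text
# (not copied from a real sample); "auto.exe" is the dropped file name.
SAMPLE_AUTORUN_INF = """[AutoRun]
open = auto.exe
ShellExecute = auto.exe
shell\\Auto\\command = auto.exe
"""

# Directives Explorer honours when a drive is opened or double-clicked
# (assumed list; the shell\<verb>\command form is matched separately).
LAUNCH_KEYS = {"open", "shellexecute"}
EXEC_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif"}


def parse_autorun(text):
    """Return the [AutoRun] section as a dict of lower-cased key -> value."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text)
    except configparser.Error:          # malformed file: nothing to launch
        return {}
    for section in parser.sections():   # section names are case-sensitive in
        if section.lower() == "autorun":  # configparser, so match by hand
            return dict(parser.items(section))
    return {}


def launch_directives(autorun):
    """(key, command line) pairs that make Explorer run a program."""
    hits = []
    for key, value in autorun.items():
        parts = key.split("\\")          # shell\<verb>\command = <program>
        verb_command = len(parts) == 3 and parts[0] == "shell" and parts[2] == "command"
        if key in LAUNCH_KEYS or verb_command:
            hits.append((key, value.strip()))
    return hits


def program_name(command_line):
    """First token of a command line, honouring a quoted program path."""
    if command_line.startswith('"') and command_line.count('"') >= 2:
        return command_line[1:command_line.index('"', 1)]
    return command_line.split()[0] if command_line else ""


def launched_executables(text):
    """Sorted programs an autorun.inf would start; Winko's yields auto.exe."""
    targets = set()
    for _key, command_line in launch_directives(parse_autorun(text)):
        program = ntpath.basename(program_name(command_line))
        if ntpath.splitext(program)[1].lower() in EXEC_EXTENSIONS:
            targets.add(program.lower())
    return sorted(targets)
```

Run over the root of each mounted drive, a non-empty result from launched_executables is the signal to quarantine the referenced file and the autorun.inf that points to it.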



The last thing this part of the malware does is inject itself into all running processes.



The second part runs from explorer.exe.

The first thread of this part is used to access the Alexa website. The results are sent as if they had been sent by Alexa Toolbar v7.2.

The second thread is used to open an Internet Explorer window to a link the malware reads from the downloaded file.

The third thread downloads and executes files from http://211.100.[hidden].4/

Last update 21 November 2011
