Virus:Win32/Drowor.B
First posted on 14 February 2013.
Source: Microsoft
Aliases:
Virus:Win32/Drowor.B is also known as Win32/Trafrox (AhnLab), W32/Seriv.A (Command), Worm.Win32.Trafaret.a (Kaspersky), W32/Troxa.A (Norman), W32/Troxa.A (Avira), Win32.Kunkka.A (BitDefender), Win32.Fortax (Dr.Web), Win32/Troxa.B virus (ESET), IM-Worm.Win32.Sohanad (Ikarus), W32/Cekar (McAfee), Win32.Drowor.A (Rising AV), W32/Drowor-A (Sophos), W32.Drowor.B!inf (Symantec), PE_DROWOR.A (Trend Micro).
Explanation:
Installation
Virus:Win32/Drowor.B creates a folder with a random hex number as a name in the Windows system folder. It drops a copy of itself as "services.exe" in this folder.
To make sure it automatically runs every time Windows starts, it creates the following registry entry:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "services"
With data: "<system folder>\<random hex number>\services.exe"
Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is "C:\WinNT\System32"; and for XP, Vista, 7, and W8 it is "C:\Windows\System32".
Spreads via...
Infecting files
Virus:Win32/Drowor.B infects all EXE and SCR files on your computer, including those on removable drives, unless:
The file has any of these extensions:
- .doc
- .eml
- .htm
- .html
- .shtml
- .txt
- .wab
Or the file contains any of these strings:
- _un
- dele
- inst
- master
- pas
- setup
- sfx
- unin
- vise
- wise
Virus:Win32/Drowor.B infects one file every 666 seconds.
Payload
Stops security processes from running
Virus:Win32/Drowor.B terminates any running process whose name starts with one of the following strings; these names are usually associated with security software:
- anti
- apvxdwin
- avengine
- avg
- avlite
- AVSYNMGR
- avup
- AVWUPD32
- AVXQUAR
- ccapp
- cclaw
- center
- debug
- firewa
- fix
- griso
- guard
- hacker
- hex
- hijack
- iknow
- kick
- LordPE
- navw32
- pavprsrv
- pavsrv51
- procexp
- scan
- secure
- security
- sysinter
Virus:Win32/Drowor.B then overwrites part of each terminated process's file with the following string:
".This file was hacked by: tr4f0x.A - IVS - Indonesian Virus Society."
As a result, the security software needs to be reinstalled.
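The persistence entry from the Installation section and the overwrite string above are both usable as host-based detection artifacts. The following Python is an added example, not Microsoft's code: it flags Run-key values shaped like "<system folder>\<random hex number>\services.exe" (the legitimate services.exe sits directly in the system folder, never in a hex-named subfolder) and checks file contents for the overwrite marker. The Run-key entries and file bytes it scans are constructed samples; the system folder paths assumed are the defaults given in the Note above.

```python
import re

# Drowor.B sets value "services" under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
# to "<system folder>\<random hex number>\services.exe". Default system folders from the
# page's Note; the drive letter is not assumed, only the trailing folder names.
SYSTEM_FOLDER_SUFFIXES = (r"\windows\system32", r"\winnt\system32")
DROWOR_RUN_RE = re.compile(
    r"^(?P<sys>.+?\\system32)\\(?P<hex>[0-9a-f]+)\\services\.exe$", re.IGNORECASE
)

# String Drowor.B writes over part of the security-software binaries it terminates.
OVERWRITE_MARKER = b"This file was hacked by: tr4f0x.A - IVS - Indonesian Virus Society."

# Mutex used by Drowor.B to ensure a single running instance (from the page).
MUTEX_NAME = "[w32.trafox.A]"


def is_drowor_run_entry(value_name: str, data: str) -> bool:
    """True if a Run-key (name, data) pair matches the Drowor.B persistence entry."""
    if value_name.lower() != "services":
        return False
    m = DROWOR_RUN_RE.match(data.strip().strip('"'))
    if not m:
        return False
    return m.group("sys").lower().endswith(SYSTEM_FOLDER_SUFFIXES)


def has_overwrite_marker(file_bytes: bytes) -> bool:
    """True if a file carries the marker Drowor.B writes over security binaries."""
    return OVERWRITE_MARKER in file_bytes


def scan_run_entries(entries):
    """Return the (name, data) pairs from an iterable of Run-key values that match."""
    return [(name, data) for name, data in entries if is_drowor_run_entry(name, data)]


# Constructed sample Run-key values: a legitimate entry, a Drowor-style entry,
# and the real services.exe path (no hex subfolder, so it must not be flagged).
SAMPLE_RUN_ENTRIES = [
    ("SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    ("services", r"C:\Windows\System32\3fa9c1\services.exe"),
    ("services", r"C:\Windows\System32\services.exe"),
]

if __name__ == "__main__":
    for name, data in scan_run_entries(SAMPLE_RUN_ENTRIES):
        print(f"suspicious Run entry: {name} = {data}")
```

On a live system the same functions can be fed the values read from the Run key and the bytes of the security-software binaries named in the list above.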
Downloads arbitrary files
Virus:Win32/Drowor.B may download files from these servers:
- indonesianvxzone.cjb.net
- vaksin.cjb.net
- 34refds.cjb.net
- 43ti45s.cjb.net
These files may be other malware, or updated versions of itself.
Additional information
Virus:Win32/Drowor.B checks that only one instance of itself is running by looking for the mutex "[w32.trafox.A]".
Analysis by Sergey Chernyshev
Last update 14 February 2013