
Virus:Win32/Drowor.B


First posted on 14 February 2013.
Source: Microsoft

Aliases:

Virus:Win32/Drowor.B is also known as Win32/Trafrox (AhnLab), W32/Seriv.A (Command), Worm.Win32.Trafaret.a (Kaspersky), W32/Troxa.A (Norman), W32/Troxa.A (Avira), Win32.Kunkka.A (BitDefender), Win32.Fortax (Dr.Web), Win32/Troxa.B virus (ESET), IM-Worm.Win32.Sohanad (Ikarus), W32/Cekar (McAfee), Win32.Drowor.A (Rising AV), W32/Drowor-A (Sophos), W32.Drowor.B!inf (Symantec), PE_DROWOR.A (Trend Micro).

Explanation:



Installation

Virus:Win32/Drowor.B creates a folder with a random hexadecimal name in the Windows system folder and drops a copy of itself into it as "services.exe". The name is chosen to blend in: the legitimate services.exe (the Service Control Manager) lives directly in the system folder, not in a subfolder.

To run automatically every time Windows starts, it creates the following registry entry:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "services"
With data: "<system folder>\<random hex number>\services.exe"

Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default System folder for Windows NT and 2000 is "C:\WinNT\System32"; for Windows XP, Vista, 7 and 8 it is "C:\Windows\System32".

Spreads via...

Infecting files

Virus:Win32/Drowor.B infects all EXE and SCR files on the computer, including those on removable drives, unless one of the following applies:

The file name has any of these extensions:

  • .doc
  • .eml
  • .htm
  • .html
  • .shtml
  • .txt
  • .wab


Or the file name contains any of these strings (typical of installers, uninstallers and self-extracting archives, which the virus skips):

  • _un
  • dele
  • inst
  • master
  • pas
  • setup
  • sfx
  • unin
  • vise
  • wise


Virus:Win32/Drowor.B infects one file every 666 seconds.



Payload

Stops security processes from running

Virus:Win32/Drowor.B terminates any running process whose name begins with any of the following strings; these names are usually associated with security software and with analysis tools (debuggers, hex editors, Process Explorer, LordPE):

  • anti
  • apvxdwin
  • avengine
  • avg
  • avlite
  • AVSYNMGR
  • avup
  • AVWUPD32
  • AVXQUAR
  • ccapp
  • cclaw
  • center
  • debug
  • firewa
  • fix
  • griso
  • guard
  • hacker
  • hex
  • hijack
  • iknow
  • kick
  • LordPE
  • navw32
  • pavprsrv
  • pavsrv51
  • procexp
  • scan
  • secure
  • security
  • sysinter


Virus:Win32/Drowor.B then overwrites part of the terminated process's executable file with the following string:

".This file was hacked by: tr4f0x.A - IVS - Indonesian Virus Society."

As a result, the affected security software is damaged rather than merely disabled and needs to be reinstalled.

Downloads arbitrary files

Virus:Win32/Drowor.B may download files from these servers:

  • indonesianvxzone.cjb.net
  • vaksin.cjb.net
  • 34refds.cjb.net
  • 43ti45s.cjb.net


These files may be other malware or updated versions of itself.

Additional information

Virus:Win32/Drowor.B ensures that only one instance of itself is running by checking for the mutex "[w32.trafox.A]".
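As an added example (not part of Microsoft's description and not the malware author's code), the following Python script turns the installation, payload and mutex indicators above into host-triage checks: it flags a Run value pointing at a services.exe in a hex-named System32 subfolder, lists such subfolders, scans executables for the IVS overwrite marker, and probes for the mutex. It runs offline on constructed sample data; the regex for the dropper path, the sample file contents, the sample Run-key values and the demo folder names are assumptions made for the demonstration, and the mutex probe only does anything on Windows.

```python
"""Host triage for the Virus:Win32/Drowor.B indicators described on this page.

Added example, not Microsoft's or the analyst's code. The regex, sample paths
and file contents below are assumptions for the demonstration.
Python 3.8+, standard library only.
"""
import re
import sys
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Optional

# Installation: Run value pointing at <system folder>\<hex>\services.exe (assumed shape).
DROPPER_PATH_RE = re.compile(
    r"^[a-z]:\\win(?:dows|nt)\\system32\\(?P<hex>[0-9a-f]+)\\services\.exe$", re.IGNORECASE)
HEX_NAME_RE = re.compile(r"^[0-9a-f]+$", re.IGNORECASE)

# Payload: the string written over part of a killed security tool's executable.
OVERWRITE_MARKER = b"This file was hacked by: tr4f0x.A - IVS - Indonesian Virus Society."

# Additional information: mutex used to keep a single instance running.
MUTEX_NAME = "[w32.trafox.A]"


def check_run_entries(run_values: Dict[str, str]) -> List[str]:
    """Flag HKLM\\...\\Run values shaped like Drowor's persistence entry.
    The genuine services.exe is started by the session manager, never from the
    Run key, so any services.exe under Run is suspicious and one in a hex-named
    subfolder is a hit."""
    findings = []
    for name, data in run_values.items():
        path = data.strip().strip('"')
        m = DROPPER_PATH_RE.match(path)
        if m:
            findings.append(f"Run\\{name} = {path}: services.exe in hex folder {m['hex']}")
        elif path.lower().endswith("\\services.exe"):
            findings.append(f"Run\\{name} = {path}: services.exe started from Run key")
    return findings


def find_dropper_folders(system32: Path) -> List[Path]:
    """Hex-named subfolders of the system folder that contain services.exe.
    Requiring the dropped file avoids flagging benign hex-looking folders
    such as locale directories (e.g. 0409)."""
    return sorted(p for p in system32.iterdir()
                  if p.is_dir() and HEX_NAME_RE.match(p.name) and (p / "services.exe").is_file())


def scan_for_overwrite_marker(paths: Iterable[Path], chunk: int = 1 << 20) -> List[Path]:
    """Files carrying the IVS marker were overwritten after their process was
    killed: they are damaged, not merely infected, and must be reinstalled.
    Reads in chunks with a carry-over window so a marker straddling a chunk
    boundary is still found."""
    tail = len(OVERWRITE_MARKER) - 1
    hits = []
    for p in paths:
        try:
            with open(p, "rb") as fh:
                window = b""
                while True:
                    buf = fh.read(chunk)
                    if not buf:
                        break
                    window = window[-tail:] + buf
                    if OVERWRITE_MARKER in window:
                        hits.append(p)
                        break
        except OSError:
            continue  # unreadable file: report separately in a real triage
    return hits


def mutex_present(name: str = MUTEX_NAME) -> Optional[bool]:
    """Windows only: True if a mutex with Drowor's name exists in the caller's
    session namespace (an instance is running). Returns None on other OSes."""
    if sys.platform != "win32":
        return None
    import ctypes
    from ctypes import wintypes
    SYNCHRONIZE, ERROR_FILE_NOT_FOUND = 0x00100000, 2
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenMutexW.argtypes = (wintypes.DWORD, wintypes.BOOL, wintypes.LPCWSTR)
    k32.OpenMutexW.restype = wintypes.HANDLE
    handle = k32.OpenMutexW(SYNCHRONIZE, False, name)
    if handle:
        k32.CloseHandle(handle)
        return True
    # Access denied still means the object exists (created under another account).
    return ctypes.get_last_error() != ERROR_FILE_NOT_FOUND


def run_demo() -> Dict[str, object]:
    """Build constructed samples in a temporary directory and run every check."""
    root = Path(tempfile.mkdtemp(prefix="drowor_demo_"))
    sys32 = root / "System32"
    (sys32 / "7f3a9c").mkdir(parents=True)            # constructed dropper folder
    (sys32 / "7f3a9c" / "services.exe").write_bytes(b"MZ" + b"\x00" * 64)
    (sys32 / "0409").mkdir()                            # hex-looking but benign
    # A killed security tool whose image was overwritten; the marker is placed
    # so that it crosses the 16-byte read chunk used below.
    (sys32 / "navw32.exe").write_bytes(b"MZ" + b"\x00" * 98 + OVERWRITE_MARKER + b"\x00" * 32)
    (sys32 / "notepad.exe").write_bytes(b"MZ" + b"\x00" * 300)  # untouched
    run_values = {                                      # constructed Run key dump
        "services": r"C:\Windows\System32\7f3a9c\services.exe",
        "ctfmon": r"C:\Windows\System32\ctfmon.exe",
    }
    return {
        "dropper_folders": [p.name for p in find_dropper_folders(sys32)],
        "overwritten": [p.name for p in
                        scan_for_overwrite_marker(sorted(sys32.glob("*.exe")), chunk=16)],
        "run_findings": check_run_entries(run_values),
        "mutex": mutex_present(),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

On a real host, point find_dropper_folders at the actual system folder, feed check_run_entries the exported HKLM Run values, and scan the install directories of the security products listed above: a marker hit means the binary must be reinstalled, not cleaned. The mutex probe is a live-instance indicator only; its absence says nothing about dormant infected files.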



Analysis by Sergey Chernyshev

Last update 14 February 2013

 
