
Worm:ALisp/Kenilfe.D


First posted on 08 June 2019.
Source: Microsoft

Aliases:

There are no other names known for Worm:ALisp/Kenilfe.D.

Explanation:

Worm:ALisp/Kenilfe.D is a detection for a worm written in Autocad Lisp, which is distributed as an Autocad FAS file, 21,513 bytes in size.

Installation

When run, the worm makes a copy of itself in the following location:

acad.fas

where is the installation location for Autocad.

xtautoz.shx

where is the fonts location for Autocad.

The worm also stores configuration information in the following registry location:

HKCU\Software\FileKen\settings

Spreads via...

Remote shares

The worm searches for Autocad installations and copies itself to the install locations which may be local or remote.

Removable drives

The worm enumerates all drives, checking for removable drives. If one is found, the worm checks it for Autocad-related files. If any are found, it copies itself to the same location as the Autocad file, as acad.fas, and creates an infection marker file in the root of the drive, named pagefile, to prevent duplicate copies of the worm file being created.

Payload

Downloads and executes arbitrary files

The worm runs the ping command on the following host:

rmytwsjxx.2288.org

Then, depending on the IP address returned, it can download and execute a different file from the following domain:

cadgs.com

The worm can also download and execute other Autocad FAS files from the following domain:

fwwdym.2288.org

Steals sensitive information

The worm copies files to the following directory:

C:\Bak directory

The worm then uploads those files to the following remote host using the File Transfer Protocol (FTP):

fwwdym.2288.org

Deletes files

The worm checks for the following files, and if found, deletes them:

acad.fas
isomianyi.shx
acad.fas1
lcm.fas
isohztxt.shx
arxfucker.dll
acad.sys
acadsmu.fas
acadapq.lsp
acadappp.lsp
acadapp.lsp
dwgrun.bat
winfas.ini
acadiso.lsp

Modifies files

The worm modifies the following file:

acad.mnl

It does this by appending a script to the above file; the appended script replaces the file "acad.fas" with a copy of "txtautoz.shx".

Modifies system settings

The worm may change the following registry entries to enable execution of scripts:

HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings\Enabled
HKCU\SOFTWARE\Microsoft\Windows Script Host\Settings\Enabled
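The following triage helper is an added example, not Microsoft's code, that matches the indicators described above (dropped files, the pagefile marker, the C:\Bak staging directory, the registry keys and the three domains) against constructed snapshot data. It runs offline; the backslashes in the FileKen registry path are an assumption reconstructed from the flattened page text.

```python
from pathlib import PureWindowsPath

# Indicators taken from the description above.
C2_DOMAINS = {"rmytwsjxx.2288.org", "cadgs.com", "fwwdym.2288.org"}
DROPPED_NAMES = {"acad.fas", "xtautoz.shx"}
CONFIG_KEY = r"HKCU\Software\FileKen\settings"  # backslashes assumed
WSH_ENABLED_KEYS = {
    r"hklm\software\microsoft\windows script host\settings\enabled",
    r"hkcu\software\microsoft\windows script host\settings\enabled",
}

def check_files(paths):
    """Flag dropped copies, a 'pagefile' marker in a drive root, and C:\\Bak staging."""
    hits = []
    for raw in paths:
        p = PureWindowsPath(raw)
        name = p.name.lower()
        if name in DROPPED_NAMES:
            hits.append(("dropped_copy", raw))
        elif name == "pagefile" and str(p.parent) == p.anchor:  # not pagefile.sys
            hits.append(("infection_marker", raw))
        parts = [s.lower() for s in p.parts]
        if len(parts) > 1 and parts[0] == "c:\\" and parts[1] == "bak":
            hits.append(("staged_for_exfil", raw))
    return hits

def check_registry(values):
    """values: {key_path: data}. The worm's own key is a strong indicator; an explicit
    WSH Enabled=1 only merits review, since scripting is enabled by default anyway."""
    hits = []
    for key, data in values.items():
        k = key.lower()
        if k == CONFIG_KEY.lower():
            hits.append(("worm_config_key", key))
        elif k in WSH_ENABLED_KEYS and str(data) == "1":
            hits.append(("wsh_explicitly_enabled", key))
    return hits

def check_dns(log_lines):
    """Match queried names (trailing dot stripped) against the worm's domains."""
    hits = []
    for line in log_lines:
        for tok in line.lower().split():
            if tok.rstrip(".") in C2_DOMAINS:
                hits.append(("c2_lookup", tok.rstrip(".")))
    return hits

# Constructed sample data standing in for a real host snapshot and DNS log.
SAMPLE_FILES = [r"C:\Program Files\Autodesk\AutoCAD 2010\acad.fas",
                r"C:\Program Files\Autodesk\AutoCAD 2010\Fonts\xtautoz.shx",
                r"E:\pagefile", r"C:\pagefile.sys", r"C:\Bak\project1.dwg"]
SAMPLE_REG = {CONFIG_KEY: "", r"HKCU\SOFTWARE\Microsoft\Windows Script Host\Settings\Enabled": 1}
SAMPLE_DNS = ["2019-06-08T10:00:01 ws12 query A rmytwsjxx.2288.org.",
              "2019-06-08T10:00:05 ws12 query A www.example.com."]

def triage(files=SAMPLE_FILES, reg=SAMPLE_REG, dns=SAMPLE_DNS):
    return check_files(files) + check_registry(reg) + check_dns(dns)
```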

 

Analysis by Ray Roberts

Last update 08 June 2019
