
Worm:Win32/Dogkild.C


First posted on 16 February 2010.
Source: SecurityHome

Aliases :

Worm:Win32/Dogkild.C is also known as TR/Crypt.XPACK.Gen (Avira), Trojan.Downloader.Agent.AAWS (BitDefender), Trojan.KillProc.1565 (Dr.Web), Win32/AutoRun.KillAV.E (ESET), Worm.Win32.AutoRun.bbjs (Kaspersky), W32/Autorun.worm.c (McAfee), W32/Autorun.JSB (Panda), Worm.Win32.AutoRun.tqi (Rising AV), Troj/KillB-Gen (Sophos), Trojan.Killav (Symantec), WORM_AUTORUN.JSE (Trend Micro), Worm.AutoRun.AHNZ (VirusBuster).

Explanation :

Worm:Win32/Dogkild.C is a worm that spreads via removable drives. It downloads and executes arbitrary files from a remote host, terminates and disables security software, and overwrites a system file in a way that undermines System Restore.

Installation :

Worm:Win32/Dogkild.C may consist of several components. When executed, it may drop the following files:

  • c:\dianlw.dll (detected as TrojanDownloader:Win32/Kilfno.C)
  • %temp%\dll<random>.tmp (detected as Worm:Win32/Dogkild.C)
  • %windir%\fonts\cauin.sys (detected as TrojanDownloader:Win32/Perkesh.gen!A)

Spreads via removable drives :

Worm:Win32/Dogkild.C copies itself as "zxo.pif" to the root of every accessible removable drive, then writes an "autorun.inf" in the same root that points to that copy. When the drive is connected to a computer on which the Autorun feature is enabled, the worm copy is launched automatically. On computers that ignore autorun.inf on non-optical removable drives (Windows 7 and later do so by default), the copy only runs if a user opens "zxo.pif" by hand, but the files are still present and still infect older hosts.

Payload :

Downloads and executes arbitrary files
Worm:Win32/Dogkild.C contacts remote hosts in order to download and execute files of the attacker's choice on the affected computer.

Compromises System Restore
Win32/Dogkild may overwrite a particular system file, which undermines the protection offered by System Restore because the integrity of the restore data can no longer be relied on. The overwritten file may be "<system folder>\drivers\linkinfo.dll".

Terminates processes
Worm:Win32/Dogkild.C attempts to terminate the following processes, which belong to security software:

  • ekrn.exe
  • egui.exe
  • nod32krn.exe
  • nod32kui.exe
  • RavMonD.exe

Lowers system security
Worm:Win32/Dogkild.C attempts to disable the following antivirus-related services:

  • ekrn
  • nod32krn
  • avp

Hinders antivirus software
Win32/Dogkild may hide the alert windows of the following antivirus-related processes:

  • avp.exe
  • egui.exe
  • 360sd.exe
  • 360rp.exe
  • Rstray.exe
  • RavMond.exe
  • Kavstart.exe
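The indicators above (the "zxo.pif" copy plus an autorun.inf pointing at it on a removable drive, and the dropped or overwritten files on the host) turned into a small offline triage helper. This is an added example and not code from the original page or from Microsoft. It assumes nothing beyond the description: the autorun.inf contents and the directory listings are constructed, since the page only says the file "points to the worm copy", the system folder is assumed to be %windir%\system32, and %temp% and %windir% are passed in by the caller because they vary per host.

```python
# Added example; not from the original page. Sample inputs are constructed.
import re
from pathlib import PureWindowsPath

WORM_COPY = "zxo.pif"                    # name the worm uses on each drive root
LAUNCH_KEYS = ("open", "shellexecute")   # autorun.inf keys that name a program
_PROGRAM_RE = re.compile(r'\s*(?:"([^"]*)"|(\S+))')  # quoted or first token


def parse_autorun_inf(text):
    """[autorun] section as {lowercased key: value}; tolerant of junk lines,
    odd casing and NUL padding, which autorun worms commonly add."""
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip().strip("\x00")
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def autorun_launch_targets(text):
    """File names the autorun.inf would launch: open=, shellexecute= and every
    shell\\<verb>\\command= (Explorer context-menu verbs worms also redirect)."""
    targets = set()
    for key, value in parse_autorun_inf(text).items():
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            m = _PROGRAM_RE.match(value)
            program = (m.group(1) or m.group(2)) if m else ""
            if program:
                targets.add(PureWindowsPath(program).name.lower())
    return targets


def autorun_points_to_worm(text, worm_copy=WORM_COPY):
    return worm_copy.lower() in autorun_launch_targets(text)


def triage_drive_root(root_entries, autorun_text):
    """Combine the two on-drive indicators the description gives."""
    names = {n.lower() for n in root_entries}
    launches_worm = bool(autorun_text) and autorun_points_to_worm(autorun_text)
    return {"worm_copy_present": WORM_COPY in names,
            "autorun_points_to_worm": launches_worm,
            "infected": WORM_COPY in names and launches_worm}


def dropped_file_patterns(windir, temp):
    """Regexes over lowercased paths for the files listed above.
    Assumption: the system folder is %windir%\\system32."""
    w, t = re.escape(windir.lower()), re.escape(temp.lower())
    return [
        (re.compile(r"^c:\\dianlw\.dll$"), "TrojanDownloader:Win32/Kilfno.C"),
        (re.compile(rf"^{t}\\dll[^\\]+\.tmp$"), "Worm:Win32/Dogkild.C"),
        (re.compile(rf"^{w}\\fonts\\cauin\.sys$"), "TrojanDownloader:Win32/Perkesh.gen!A"),
        (re.compile(rf"^{w}\\system32\\drivers\\linkinfo\.dll$"),
         "linkinfo.dll may be overwritten: verify its signature and hash"),
    ]


def match_dropped_files(paths, windir, temp):
    """(path, label) for every path that matches a host indicator."""
    patterns = dropped_file_patterns(windir, temp)
    hits = []
    for p in paths:
        norm = str(PureWindowsPath(p)).lower()
        hits.extend((p, label) for rx, label in patterns if rx.search(norm))
    return hits


# Constructed samples: the page does not give the real autorun.inf contents.
SAMPLE_AUTORUN_INF = """[AutoRun]
open=zxo.pif
shellexecute=zxo.pif
shell\\open\\Command=zxo.pif
shell\\explore\\command="zxo.pif" -explore
"""
BENIGN_AUTORUN_INF = """[autorun]
icon=setup.exe,0
label=Vendor Installer
open=setup.exe
"""
SAMPLE_DRIVE_ROOT = ["autorun.inf", "ZXO.PIF", "photos"]
SAMPLE_HOST_FILES = [
    r"C:\dianlw.dll",
    r"C:\DOCUME~1\user\LOCALS~1\Temp\dll4F2A.tmp",
    r"C:\WINDOWS\Fonts\cauin.sys",
    r"C:\WINDOWS\Fonts\arial.ttf",
    r"C:\WINDOWS\system32\drivers\linkinfo.dll",
]

if __name__ == "__main__":
    print(triage_drive_root(SAMPLE_DRIVE_ROOT, SAMPLE_AUTORUN_INF))
    print(triage_drive_root(["setup.exe", "autorun.inf"], BENIGN_AUTORUN_INF))
    for path, label in match_dropped_files(SAMPLE_HOST_FILES, r"C:\WINDOWS",
                                           r"C:\DOCUME~1\user\LOCALS~1\Temp"):
        print(path, "->", label)
```

The parser looks at every launch key rather than just open=, because a drive whose open= is clean but whose shell\explore\command= names the worm is still infected; matching is on the file name alone so a ".\zxo.pif" or quoted path is caught too. A hit on linkinfo.dll is not proof by itself (the name is legitimate elsewhere on Windows), so it is labelled for verification rather than counted as a dropped file.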


Analysis by Chun Feng

Last update 16 February 2010
