January 19, 2011


This worm propagates via network shares, instant messaging applications and removable drives, and copies itself to all available physical drives. It may be downloaded from remote sites by other malware, or unknowingly by a user visiting malicious websites. It drops copies of itself and sets the attributes of its dropped files to hidden and read-only.

It has many effects:

  • It creates registry entries to enable its automatic execution at every system start-up:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
      Yahoo Messengger = "{install path}\gphone.exe"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
      Shell = "Explorer.exe gphone.exe"
  • It uses the Windows Task Scheduler to create a scheduled task that executes the dropped copy every day at 9:00 AM:
    %Windows%\Tasks\At{job number}.job
  • It modifies registry entries to hide files with both System and Read-only attributes:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
      NofolderOptions = "1" (default value being blank)
      DisableRegistryTools = "1"
  • It creates the following registry key and entries as part of its installation routine:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares
      shared = "\New Folder.exe"
      AtTaskMaxHours = "0"
  • It deletes the following registry entries:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
      IEProtection = ""
      BkavFw = ""

  • It sends messages that contain a link pointing to a remote copy of itself, using certain instant messaging applications.
  • It drops an AUTORUN.INF file to automatically execute dropped copies when the drives are accessed. The said .INF file contains certain strings.
  • It drops files named gphone.exe in C:\windows\system32 on Windows XP, and in C:\users\desktop and the temp folder on Windows Vista and Windows 7.
  • It terminates certain processes if found running in memory (listed below).
  • It modifies the Internet Explorer home page and search page to point to a certain Web site.
When spreading through instant messaging applications, it first checks whether the user's PC has Yahoo Messenger installed; if not, it downloads it from the legitimate Yahoo site. The messages it sends contain the following text:

  • Now search your google in a HYBRID\DYNAMIC way
  • Hey what are you doing Please test my new webcam using private application
  • The wisest mind has something yet to learn
  • Hey Please help me to test my new cam application
  • ok thats fine
  • Waiting for you, view my private cam via secured connection

This worm terminates the following process(es), if found running in memory:
  • Bkav2006
  • cmd.exe
  • game_y.exe
  • Registry
  • System Configuration
  • Windows Task
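As an added example (not code from the original post), the following read-only PowerShell triage script checks a Windows host for the persistence indicators described in this report: the Run and Winlogon values, the Policies\System restrictions, the WorkgroupCrawler\Shares key, At*.job task files, dropped gphone.exe copies and autorun.inf files at drive roots. It assumes the Vista/7 drop locations are %TEMP% and the current user's Desktop; it reports findings and changes nothing.

```powershell
# Added example: read-only check for the indicators listed in the report above.
# Run in an elevated PowerShell on the suspect host; nothing is modified.
$findings = @()

# 1. Run key value the worm creates (value name spelled as the worm writes it).
$run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$v = (Get-ItemProperty -Path $run -ErrorAction SilentlyContinue).'Yahoo Messengger'
if ($v) { $findings += "Run value 'Yahoo Messengger' = $v" }

# 2. Winlogon Shell hijack: anything other than plain explorer.exe is suspicious.
$wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $wl -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -ne 'explorer.exe') { $findings += "Winlogon Shell = $shell" }

# 3. Policy values the worm sets (both are blank/absent on a clean system).
$pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$p = Get-ItemProperty -Path $pol -ErrorAction SilentlyContinue
foreach ($name in 'NofolderOptions', 'DisableRegistryTools') {
    if ($p.$name -eq 1) { $findings += "Policy $name = 1" }
}

# 4. Installation marker key.
$wc = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares'
if (Test-Path $wc) { $findings += "Key present: $wc" }

# 5. Scheduled At*.job files and dropped gphone.exe copies.
#    Assumption: Vista/7 drop locations are %TEMP% and the user's Desktop.
Get-ChildItem "$env:windir\Tasks\At*.job" -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Task job: $($_.FullName)" }
$dropDirs = @("$env:windir\System32", $env:TEMP, "$env:USERPROFILE\Desktop")
foreach ($d in $dropDirs) {
    $f = Join-Path $d 'gphone.exe'
    if (Test-Path $f) { $findings += "Dropped file: $f" }
}

# 6. autorun.inf at the root of any file-system drive (review its contents manually).
Get-PSDrive -PSProvider FileSystem | ForEach-Object {
    $inf = Join-Path $_.Root 'autorun.inf'
    if (Test-Path $inf) { $findings += "autorun.inf present at $inf" }
}

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'No indicators from this report were found.' }
```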

