Ardurk.A@mm is a mass-mailing worm with additional spreading methods. Apparently written in assembly language, it has
a size of 13.312 bytes. The first thing the worm does is decrypt its body, which is encrypted with a simple XOR
scheme. It then scans memory for the API functions it needs and maps the relevant DLL files into memory.
The worm retrieves the NetBIOS name of the infected computer and obtains the address of the SMTP server used by
the infected computer, applying a common technique that looks up a subkey contained within the following
registry key:
"Software\Microsoft\Internet Account Manager\Accounts".
The worm retrieves the system directory of the infected computer and copies the original worm file there under the same
name. This copy is registered as a service on the infected system and later executed, leaving it running in memory.
Creating the service affects several registry keys, some of which are shown below:
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_(original_name_of_virus.extension)]
"NextInstance"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_(original_name_of_virus.extension)\0000]
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"ConfigFlags"=dword:00000000
"DeviceDesc"="(original_name_of_virus.extension)"
"Legacy"=dword:00000001
"Service"="(original_name_of_virus.extension)"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\(original_name_of_virus.extension)]
"DisplayName"="(original_name_of_virus.extension)"
"ErrorControl"=dword:00000000
"ImagePath"=(Path to virus in hex format)
"ObjectName"="LocalSystem"
"Start"=dword:00000002
"Type"=dword:00000110
After comparing its command line parameters to a string contained within the worm's body, the worm displays a fake error
message with the following format:
Caption: "Error System Seting"
Text: "The object can't accept the call because its initialize function or equivalent has not be called."
The original copy then terminates, leaving the service copy running in memory. Once the worm has been successfully
installed and is running as a service, it begins its main routines. The first is to register an EXE class object with
OLE, which is later referenced when the worm infects .HTM files. A new class object is registered for each .HTM file the
worm infects. The worm searches every drive and all subfolders for files with an .HTM extension. When such a file is
located, the worm creates another copy of itself under a random name and registers a class object for that copy by creating a registry entry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{Worm_generated_class_ID}]
Value="path_to_file\random_file_name.exe"
The .HTM file is infected by adding the following tag, at the top of the file:
<OBJECT type="application/x-oleobject"CLASSID="CLSID:Worm_generated_class_ID"></OBJECT>
As well as infecting .HTM files, the worm harvests e-mail addresses from those files in order to send out infected e-mails later on.
The worm also creates a Run key in the registry to further ensure that it is executed each time the machine is rebooted:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Namesd"="path_to_virus\virus_name.extension"
The worm shares every drive it finds on the infected machine with default "null session access", which means that all the
drives on an infected machine are open to anonymous access. The worm accomplishes this by adding entries under the following key:
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmanserver\Shares]
"drive_name"="(string in hex = CSCFlags=0, MaxUses=4294967295, Path="drive_name":\, Permissions=0, Remark="drive_name",
Type=0)
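As an added example (not part of the original write-up), the Python below checks for the two host-side artefacts described above: the OBJECT tag prepended to infected .HTM files and lanmanserver share definitions that expose an entire drive root with Permissions=0. The CLSID and share entries are constructed samples; the tag layout and the "Key=Value" REG_MULTI_SZ format follow what this page quotes.

```python
import re

# Injected marker described in the write-up: an <OBJECT> tag of MIME type
# application/x-oleobject whose CLSID resolves to a dropped worm copy.
# The quoted tag has no space before CLASSID, so whitespace is optional here.
OBJECT_TAG_RE = re.compile(
    r'<OBJECT\s+type="application/x-oleobject"\s*'
    r'CLASSID="CLSID:([^"]+)"\s*>\s*</OBJECT>',
    re.IGNORECASE,
)


def injected_clsids(html: str) -> list[str]:
    """Return every CLSID referenced by a worm-style OBJECT tag in an .HTM file."""
    return OBJECT_TAG_RE.findall(html)


def is_marked_htm(html: str) -> bool:
    """True when the file *starts* with the injected tag, as the worm writes it."""
    return OBJECT_TAG_RE.match(html.lstrip()) is not None


def parse_share(values: list[str]) -> dict[str, str]:
    """Split one lanmanserver\\Shares REG_MULTI_SZ entry ('Key=Value' strings)."""
    return dict(v.split("=", 1) for v in values if "=" in v)


def drive_root_shares_without_permissions(shares: dict[str, list[str]]) -> list[str]:
    """Names of shares that expose a whole drive root (X:\\) with Permissions=0,
    the pattern the write-up attributes to the worm."""
    hits = []
    for name, values in shares.items():
        fields = parse_share(values)
        if re.fullmatch(r"[A-Za-z]:\\", fields.get("Path", "")) and fields.get("Permissions") == "0":
            hits.append(name)
    return hits


# Constructed sample data (not taken from a real infection).
SAMPLE_HTM = ('<OBJECT type="application/x-oleobject"CLASSID="CLSID:{01234567-89AB-CDEF-0123-456789ABCDEF}"></OBJECT>\n'
              "<html><body>hello</body></html>\n")
SAMPLE_SHARES = {
    "C": ["CSCFlags=0", "MaxUses=4294967295", "Path=C:\\", "Permissions=0", "Remark=C", "Type=0"],
    "Public": ["CSCFlags=0", "MaxUses=10", "Path=C:\\Users\\Public", "Permissions=0", "Remark=", "Type=0"],
}

if __name__ == "__main__":
    print(injected_clsids(SAMPLE_HTM))                        # ['{01234567-89AB-CDEF-0123-456789ABCDEF}']
    print(drive_root_shares_without_permissions(SAMPLE_SHARES))  # ['C']
```

On a live system the share entries would be read from the Shares key shown above and the .HTM files walked from each drive root, mirroring the worm's own search.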
The worm verifies the presence of a network connection by making a hidden request to a remote website. If a network connection is detected, the worm attempts to execute its e-mail spreading routine. The worm has its own SMTP routine, enabling it to connect to a remote mail server and send out e-mails containing infected
attachments. E-mails sent by W32/Ardurk.A@mm usually have the following format:
From: The From: address is sometimes faked; it can be either a non-existent e-mail address or an e-mail address the worm has harvested from the infected computer.
Subject: CARTOON (random number)
Attachment: CARTOON_(random number).exe
Body: The body is an HTML file, with the following text strings:
CARTOON (random number)
The #1 Site for: Cartoons, Hentai & Anime HORNY LITTLE TOONS
EXCLUSIVE HENTAI CONTENT
EROTIC ANIME MOVIES
NEVER SEEN BEFORE CARTOON SLUTS
JAPANESE MANGA TOONS
ENTER CARTOON (random number) HERE!!
To unsubscribe click here (where here is a link to an external website)