
Net-Worm.Win32.Stavron.a

Detection added Mar 31 2006 09:06 GMT
Update released Mar 31 2006 10:39 GMT
Description added Nov 28 2006
Behavior Net-Worm

Technical details

This network worm infects computers running under Windows. The worm itself is a PE EXE file 352 768 bytes in size.

The worm spreads via local network resources and encrypts user data on the victim machine.

Payload

The worm spreads via local network resources. It infects machines with fixed IP addresses.

The worm attempts to connect to specific computers on the network in order to get the user and administrator name and password, and to gain access to a range of services on the infected machine.

If the current date on the victim machine is no later than 9th March 2006, the worm will:

  • read [HKCU\Volatile Environment\LOGONSERVER]
  • attempt to connect to a victim machine
  • use NetUserEnum on the victim machine
  • use NetUserGetInfo in order to get account information (e.g. the administrator account name)
  • start the RemoteRegistry and Seclogon services on the victim machine
  • use RegConnectRegistry to remotely open the system registry, read [HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRoot], and use NetShareEnum to create a list of shared resources
  • read [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit] and write its own path to this key
  • check for %System%\progrnam.exe and delete this file if found
  • check that it is located in the system directory and give itself the same file attributes as %System32%\at.exe

The worm then uses the Randomize and RandInt functions to create a random 20-byte key.

The worm also creates the following file on the victim machine:

%System%\atmsvc.dll (3026 bytes)

This file contains randomly generated characters.

If the current date on the victim machine is earlier than 9th March 2006, the worm then terminates.

Otherwise, the worm will:

  • clear the Event Log
  • read [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit]
  • call NetWkstaGetInfo on the current computer
  • use NetUserEnum to list all users of this computer
  • use NetUserGetInfo and NetUserSetInfo to change the password of the first user on the list to "@Iyun'243$!jav9" ('Iyun' is in Cyrillic characters)

The worm then creates a list of all logical disks and of all files on the disks.

It removes files located in the following directories from the list:

  • Moi dokumenty (Cyrillic)
  • My Documents@_
  • Documents and Settings
  • Program Files
  • Windows
  • WinNT
  • System Volume Information

It also removes the following files from the list:

  • pagefile.sys
  • arcldr.exe
  • arcsetup.exe
  • Bootfont.bin
  • Ntldr
  • MSDOS.SYS
  • IO.SYS
  • CONFIG.SYS
  • boot.ini
  • NTDETECT.COM
  • AUTOEXEC.BAT

The worm then:

  • creates a new name for each file on the list, FILEISENCODED <:encrypted name of original file>, and renames the file
  • checks that the file size is no larger than 100000000 bytes
  • creates a file called lkjhoiuy_$$00 and writes the encrypted file to it. The original unencrypted file is then deleted, and the encrypted file is renamed with its original name.

Regardless of which actions it performs, the worm terminates 400 seconds after it has started.
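As an added example (not Kaspersky's code and not part of this description), the following Python triage routine checks a host's Winlogon\Userinit value and a file listing for the artefacts named above: the extra program written to Userinit, the dropped %System%\atmsvc.dll, the lkjhoiuy_$$00 scratch file and the FILEISENCODED renaming. All inputs are constructed strings; the Userinit entry svcupd.exe and the mass-renaming threshold are assumptions, since the description does not give the worm's own file name.

```python
from typing import Dict, List

# File and registry artefacts taken from the description above.
DROPPED_DLL = "atmsvc.dll"        # %System%\atmsvc.dll, 3026 bytes of random characters
TEMP_NAME = "lkjhoiuy_$$00"       # scratch file used while a file is being encrypted
RENAME_PREFIX = "FILEISENCODED"   # new name given to every file on the worm's list
MASS_RENAME_THRESHOLD = 5         # our own choice: this many renamed files = mass encryption

# Constructed sample data (not taken from a real machine). The second Userinit
# entry, svcupd.exe, is a hypothetical stand-in for the worm's own path.
SAMPLE_USERINIT = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\svcupd.exe"
SAMPLE_LISTING = [
    r"C:\WINDOWS\system32\atmsvc.dll",
    r"C:\WINDOWS\system32\userinit.exe",
    r"C:\WINDOWS\system32\at.exe",
    r"D:\data\lkjhoiuy_$$00",
    r"D:\data\FILEISENCODED 3f9a",
    r"D:\data\FILEISENCODED 7c02",
    r"D:\data\FILEISENCODED b41e",
]


def _basename(path: str) -> str:
    """Last path component, accepting either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def check_userinit(value: str) -> List[str]:
    """Return one finding per Winlogon\\Userinit entry other than userinit.exe.

    The worm writes its own path into this value so that it is started at every
    logon; on a clean host the value names only userinit.exe.
    """
    findings = []
    for raw in value.split(","):
        entry = raw.strip().strip('"')
        if not entry:
            continue
        if _basename(entry).lower() != "userinit.exe":
            findings.append(f"Userinit runs an extra program: {entry}")
    return findings


def check_listing(paths: List[str]) -> List[str]:
    """Look for the dropped DLL, the scratch file and FILEISENCODED renames."""
    findings = []
    renamed = 0
    for path in paths:
        name = _basename(path)
        if name.lower() == DROPPED_DLL:
            findings.append(f"dropped file present: {path}")
        elif name.lower() == TEMP_NAME:
            findings.append(f"encryption scratch file present: {path}")
        elif name.startswith(RENAME_PREFIX):
            renamed += 1
    if renamed:
        scale = "mass" if renamed >= MASS_RENAME_THRESHOLD else "partial"
        findings.append(
            f"{renamed} file(s) carry the {RENAME_PREFIX} name ({scale} encryption)"
        )
    return findings


def triage(userinit_value: str, paths: List[str]) -> Dict[str, object]:
    """Combine both checks; 'infected' is True when any indicator is present."""
    findings = check_userinit(userinit_value) + check_listing(paths)
    return {"infected": bool(findings), "findings": findings}


if __name__ == "__main__":
    for line in triage(SAMPLE_USERINIT, SAMPLE_LISTING)["findings"]:
        print(line)
```

The Userinit check is the most durable of the three: the dropped DLL name and scratch file name are specific to this sample, whereas an unexpected program chained after userinit.exe is a generic logon-persistence indicator worth alerting on regardless of which malware wrote it.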

Copyright © 1996 - 2010 Kaspersky Lab
All rights reserved