Detection added: Nov 04 2006 00:10 GMT
Update released: Nov 04 2006 02:06 GMT
Description added: Aug 15 2007
Behavior: Internet Worm
This malicious program is a worm. It is a Windows PE EXE file, 53,326 bytes in size, packed using UPX; the unpacked file is approximately 130 KB in size. It is written in Delphi.
Installation
Once launched, the worm copies itself to the Cursors subfolder of %WinDir% as "services.exe":
%WinDir%\Cursors\services.exe
In order to hide file extensions and hidden files, and to remove the Folder Options menu so that the user cannot change these settings, it creates the following entries in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "dword:0x00000000"
"HideFileExt" = "dword:0x00000001"
"Hidden" = "dword:0x00000000"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions" = "dword:0x00000001"
The worm also blocks the use of the command prompt and the Registry Editor by creating the following registry entries:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableCMD" = "dword:0x00000001"
"DisableRegistryTools" = "dword:0x00000001"
The worm also adds the following parameter to the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Service" = "%WinDir%\Cursors\services.exe"
This ensures that the worm will be launched each time Windows is booted on
the victim machine.
The worm also copies its executable file into all folders on all hard disks; the name of each copy coincides with the name of the folder. Each copy of the worm has a 'folder' icon, so with file extensions hidden by the registry change above it is indistinguishable from a genuine folder in Explorer.
If the worm has been launched from:
%WinDir%\Cursors\services.exe
it checks the current date. If the date is 13 December or any Friday the 13th, the worm copies itself to the root directory of all fixed disks as "Temp.exe". It also copies itself as follows (the file name shown below is the English transcription of a file name written in Cyrillic):
%User%\Local Settings\Application Data\Microsoft\CD Burning\Novaya Papka.exe
The worm will then delete the contents of all fixed disks.
The worm also attempts to shut down Windows if it detects an active window with one of the following strings in the window title (English transcription of Cyrillic text):
Redaktor reestra
Rezultati poiska
Nastroika systemi
Porno
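The indicators above (dropped file, Run entry, Explorer and policy values, folder-named copies, and the date-triggered "Temp.exe" and CD Burning copies) can be checked in one pass. The following read-only audit script is an added example, not part of the Kaspersky description; it assumes a modern PowerShell (4 or later), that the folder-named copies carry an .exe extension and sit either beside or inside the folder they imitate (the description does not say which), and that every copy keeps the original's size of 53,326 bytes.

```powershell
# Added example, not part of the Kaspersky description: read-only audit of a
# Windows host for the indicators listed in the description above.
# Run in an elevated PowerShell; nothing is modified.
# Assumptions: copies are named "<Folder>.exe" and placed beside or inside the
# folder, and have the same size as the dropped file (53 326 bytes).

$WormSize = 53326
$hits     = New-Object System.Collections.Generic.List[string]

# 1. Dropped file and Run-key persistence
$wormPath = Join-Path $env:WinDir 'Cursors\services.exe'
if (Test-Path -LiteralPath $wormPath -PathType Leaf) { $hits.Add("File present: $wormPath") }

$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run    = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['Service'] -and $run.Service -like '*\Cursors\services.exe*') {
    $hits.Add("Autorun: $runKey\Service = $($run.Service)")
}

# 2. Explorer and policy values as the worm sets them
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
$checks = @(
    @{ Key = $adv;            Name = 'ShowSuperHidden';      Bad = 0 },
    @{ Key = $adv;            Name = 'HideFileExt';          Bad = 1 },
    @{ Key = $adv;            Name = 'Hidden';               Bad = 0 },
    @{ Key = "$pol\Explorer"; Name = 'NoFolderOptions';      Bad = 1 },
    @{ Key = "$pol\System";   Name = 'DisableCMD';           Bad = 1 },
    @{ Key = "$pol\System";   Name = 'DisableRegistryTools'; Bad = 1 }
)
foreach ($c in $checks) {
    $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
    if ($item -and $item.($c.Name) -eq $c.Bad) {
        $hits.Add("Registry: $($c.Key)\$($c.Name) = $($c.Bad)")
    }
}

# 3. Copies on fixed disks: <Folder>.exe beside or inside each folder, plus the
#    date-triggered "Temp.exe" in every root. Folder\Folder.exe is also a common
#    layout for legitimate software, so the size check separates strong matches
#    from files that merely deserve a look.
$fixed = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 3' |
    Select-Object -ExpandProperty DeviceID
foreach ($d in $fixed) {
    $root = "$d\"
    $temp = Join-Path $root 'Temp.exe'
    if (Test-Path -LiteralPath $temp -PathType Leaf) { $hits.Add("Payload copy: $temp") }

    Get-ChildItem -Path $root -Recurse -Directory -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $beside = Join-Path $_.Parent.FullName ($_.Name + '.exe')
        $inside = Join-Path $_.FullName        ($_.Name + '.exe')
        foreach ($p in @($beside, $inside)) {
            if (Test-Path -LiteralPath $p -PathType Leaf) {
                $len = (Get-Item -LiteralPath $p -Force).Length
                $tag = if ($len -eq $WormSize) { 'Folder-mimic copy (size matches)' }
                       else { 'Review: folder-named exe' }
                $hits.Add("${tag}: $p")
            }
        }
    }
}

# 4. Staging folder used by the date-triggered copy (the real file name is
#    Cyrillic, so any executable here is listed for review rather than matched)
$cdBurn = Join-Path $env:LOCALAPPDATA 'Microsoft\CD Burning'
Get-ChildItem -Path $cdBurn -Filter '*.exe' -Force -ErrorAction SilentlyContinue |
    ForEach-Object { $hits.Add("Review: executable in CD Burning folder: $($_.FullName)") }

if ($hits.Count) { $hits | Sort-Object -Unique } else { 'No indicators found.' }
```

The size filter matters: a file named after its folder is the normal layout for many installed programs, so only a size match (and, in remediation, a hash match against the dropped file) should be treated as a confirmed copy; the rest is a review list.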
Removal instructions
- Use Task Manager to terminate the "services.exe" process running from %WinDir%\Cursors (not the legitimate Windows process of the same name, which runs from %WinDir%\System32).
- Delete the original worm file and all copies of the worm:
%WinDir%\Cursors\services.exe
- Delete the following parameters from the system registry (see "What is a system registry and how do I use it" for details on how to edit the registry).
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Service" = "%WinDir%\Cursors\services.exe"
- Revert the following registry key values:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "dword:0x00000000"
"HideFileExt" = "dword:0x00000001"
"Hidden" = "dword:0x00000000"
to
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = ""
"HideFileExt" = ""
"Hidden" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions" = "dword:0x00000001"
to
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableCMD" = "dword:0x00000001"
"DisableRegistryTools" = "dword:0x00000001"
to
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableCMD" = "dword:0x00000000"
"DisableRegistryTools" = "dword:0x00000000"
- Update your antivirus databases and perform a full scan of the
computer (download a trial version of Kaspersky Anti-Virus).
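The removal steps above can be scripted for the current user's hive. The script below is an added example, not Kaspersky's own tool; it assumes a modern PowerShell (4 or later), that copies of the worm are byte-identical to the dropped file (so a SHA-256 match identifies them), and that the values the description reverts to "" are best removed so that Explorer falls back to its defaults. Run it elevated, preferably from Safe Mode so the Run entry has not relaunched the worm, and use -WhatIf to preview every change first.

```powershell
# Added example, not Kaspersky's own tool: scripted form of the removal steps
# above for the current user's hive. Run elevated; -WhatIf previews changes.
# Assumptions: copies are byte-identical to the dropped file (SHA-256 match),
# and values the description clears ("") are removed rather than set.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

$wormPath = Join-Path $env:WinDir 'Cursors\services.exe'
$runKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$adv      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$pol      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'

# Fingerprint the dropped file before it is deleted, so copies can be matched.
$wormHash = $null
if (Test-Path -LiteralPath $wormPath -PathType Leaf) {
    $wormHash = (Get-FileHash -LiteralPath $wormPath -Algorithm SHA256).Hash
}

# Step 1: stop only the process whose image is the worm's path. The genuine
# services.exe runs from %WinDir%\System32 and must not be killed.
Get-Process -Name 'services' -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ($_.Path -ieq $wormPath) } |
    ForEach-Object {
        if ($PSCmdlet.ShouldProcess("PID $($_.Id) $($_.Path)", 'Stop-Process')) {
            Stop-Process -Id $_.Id -Force
        }
    }

# Step 2: delete the dropped file, the root "Temp.exe" copies and every
# folder-named .exe whose hash matches. Folder\Folder.exe is a common layout
# for legitimate software, so files with a different hash are only reported.
$targets = New-Object System.Collections.Generic.List[string]
if ($wormHash) {
    $targets.Add($wormPath)
    $fixed = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 3' |
        Select-Object -ExpandProperty DeviceID
    foreach ($d in $fixed) {
        $temp = Join-Path "$d\" 'Temp.exe'
        if (Test-Path -LiteralPath $temp -PathType Leaf) { $targets.Add($temp) }
        Get-ChildItem -Path "$d\" -Recurse -Directory -Force -ErrorAction SilentlyContinue | ForEach-Object {
            $beside = Join-Path $_.Parent.FullName ($_.Name + '.exe')
            $inside = Join-Path $_.FullName        ($_.Name + '.exe')
            foreach ($p in @($beside, $inside)) {
                if (-not (Test-Path -LiteralPath $p -PathType Leaf)) { continue }
                if ((Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash -eq $wormHash) {
                    $targets.Add($p)
                } else {
                    Write-Warning "Folder-named executable with a different hash; review manually: $p"
                }
            }
        }
    }
} else {
    Write-Warning "Dropped file not found at $wormPath; copies cannot be matched by hash."
}
foreach ($f in ($targets | Sort-Object -Unique)) {
    if ($PSCmdlet.ShouldProcess($f, 'Remove-Item')) { Remove-Item -LiteralPath $f -Force }
}

# Step 3: remove the autorun value.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['Service'] -and $run.Service -like '*\Cursors\services.exe*') {
    if ($PSCmdlet.ShouldProcess("$runKey\Service", 'Remove-ItemProperty')) {
        Remove-ItemProperty -Path $runKey -Name 'Service'
    }
}

# Step 4: revert the Explorer and policy values. Values the description shows
# as "" are removed; DisableCMD and DisableRegistryTools are set to 0.
foreach ($n in 'ShowSuperHidden', 'HideFileExt', 'Hidden') {
    if ((Get-ItemProperty -Path $adv -Name $n -ErrorAction SilentlyContinue) -and
        $PSCmdlet.ShouldProcess("$adv\$n", 'Remove-ItemProperty')) {
        Remove-ItemProperty -Path $adv -Name $n
    }
}
if ((Get-ItemProperty -Path "$pol\Explorer" -Name 'NoFolderOptions' -ErrorAction SilentlyContinue) -and
    $PSCmdlet.ShouldProcess("$pol\Explorer\NoFolderOptions", 'Remove-ItemProperty')) {
    Remove-ItemProperty -Path "$pol\Explorer" -Name 'NoFolderOptions'
}
foreach ($n in 'DisableCMD', 'DisableRegistryTools') {
    if ((Test-Path -Path "$pol\System") -and $PSCmdlet.ShouldProcess("$pol\System\$n", 'Set to 0')) {
        Set-ItemProperty -Path "$pol\System" -Name $n -Value 0 -Type DWord
    }
}

# Step 5 (not scripted here): update antivirus databases and run a full scan.
```

Two design points: the hash is taken before anything is deleted, because once the dropped file is gone there is no reference sample left to match the folder-named copies against; and the process is matched by image path rather than name alone, since "services.exe" is also a critical Windows process. After cleanup, setting HideFileExt to 0 (show extensions) rather than clearing it makes any future folder-mimicking copy visible in Explorer.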