Symptoms
The worm copies itself to the WINDOWS SYSTEM directory (such as c:\windows\system32) using a random file name, and creates a registry run key to load automatically at system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Windows Update" = C:\WINDOWS\System32\[random name].exe
An additional marker key is created:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wireless
The worm is stealthy by nature and hides itself as a thread in the legitimate Windows EXPLORER.EXE process. Because of this, its process cannot be viewed in the process list using Task Manager.
The worm attempts to make a connection to a list of URLs on port 80. The connections are random and intermittent. Some of the targeted URLs are as follows:
1cvv.ru
www.redline.ru
filesearch.ru
roboxchange.com
fethard.biz
asechka.ru
master-x.com
color-bank.ru
kavkaz.tv
crutop.nu
kidos-bank.ru
parex-bank.ru
adult-empire.com
konfiskat.org
citi-bank.ru
xware.cjb.ne
mazafaka.ru
The worm opens up ports on the infected machine, listening on ports 113 and 5111 plus one additional random port.
Finally, the worm will remove certain Registry values from the following key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
The following values are deleted:
Windows Update
MS Config v13
avserve2.exe
Update Service
avserve.exe
Windows Update Service
WinUpdate
SysTray
Bot Loader
System Restore
Service
Disk Defragmenter
Windows Security Manager
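The host-side indicators above (the "Windows Update" run value pointing at a random System32 executable, the Wireless marker key, the listeners on 113 and 5111, and port-80 connections to the listed hosts) can be checked together. The following triage routine is an added example and is not part of the original description; it runs over a constructed host snapshot (a dict of Run values, the set of registry keys present, listening TCP ports and recent outbound connections), so on a real host you would first gather that data with the usual tooling (reg query, netstat). The HostSnapshot type, the SYSTEM32_EXE pattern and the sample data are assumptions made for this example.

```python
"""Host-based triage for the indicators listed in the Symptoms section.

Added example, not from the original advisory. It works offline on a
constructed snapshot so the logic can be read and tested in isolation.
"""
import re
from dataclasses import dataclass, field

# Indicators taken from the advisory text.
MARKER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wireless"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
LISTEN_PORTS = {113, 5111}
CONTACTED_HOSTS = {
    "1cvv.ru", "www.redline.ru", "filesearch.ru", "roboxchange.com",
    "fethard.biz", "asechka.ru", "master-x.com", "color-bank.ru", "kavkaz.tv",
    "crutop.nu", "kidos-bank.ru", "parex-bank.ru", "adult-empire.com",
    "konfiskat.org", "citi-bank.ru", "mazafaka.ru",
}
# Run value data of the form <drive>:\WINDOWS\System32\<random name>.exe
# (pattern is an assumption derived from the advisory's example path).
SYSTEM32_EXE = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+\.exe$", re.IGNORECASE)


@dataclass
class HostSnapshot:
    """Hypothetical container for data gathered from a host under review."""
    run_values: dict          # value name -> data found under RUN_KEY
    registry_keys: set        # HKLM keys present on the host
    listening_tcp: set        # TCP ports in LISTEN state
    outbound: list = field(default_factory=list)  # (destination host, port) pairs


def triage(snapshot: HostSnapshot) -> list:
    """Return a list of human-readable findings; an empty list means no indicator matched."""
    findings = []

    # 1. Persistence: a "Windows Update" value whose data is a random System32 executable.
    data = snapshot.run_values.get("Windows Update", "")
    if SYSTEM32_EXE.match(data):
        findings.append(f"run value 'Windows Update' under {RUN_KEY} launches {data}")

    # 2. Marker key created by the worm.
    if MARKER_KEY in snapshot.registry_keys:
        findings.append(f"marker key present: {MARKER_KEY}")

    # 3. Listeners on the two fixed ports (the random third port cannot be matched by number).
    hit_ports = LISTEN_PORTS & snapshot.listening_tcp
    if hit_ports:
        findings.append(f"listening on TCP {sorted(hit_ports)}")

    # 4. Port-80 connection attempts to hosts from the advisory's list.
    contacted = sorted({h for h, p in snapshot.outbound
                        if p == 80 and h.lower() in CONTACTED_HOSTS})
    if contacted:
        findings.append(f"port-80 connections to listed hosts: {contacted}")

    return findings


# Constructed sample snapshots (not real host data).
INFECTED = HostSnapshot(
    run_values={"Windows Update": r"C:\WINDOWS\System32\xkqzpd.exe"},
    registry_keys={MARKER_KEY},
    listening_tcp={113, 5111, 2913},
    outbound=[("crutop.nu", 80), ("www.example.com", 443)],
)
CLEAN = HostSnapshot(
    run_values={"VendorTray": r"C:\Program Files\Vendor\tray.exe"},
    registry_keys=set(),
    listening_tcp={135, 445},
    outbound=[("www.example.com", 80)],
)

if __name__ == "__main__":
    for name, snap in (("infected", INFECTED), ("clean", CLEAN)):
        print(name, triage(snap))
```

The run-value check requires both the value name and the System32 path pattern to match, since a value named "Windows Update" alone is weak evidence; the random listening port is deliberately not matched by number, so an unexplained third listener must be reviewed by hand.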
Method of Infection
This worm exploits vulnerable Microsoft Windows systems. The worm scans IP addresses in the class A or class B subnets as well as random IP addresses, sending SYN packets on TCP port 445 to identify potential victims. Exploit code is then sent to the host to overflow a buffer in LSASS.EXE and execute the virus on the victim system.
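The scanning phase described above is visible on the network as one source sending bare SYNs to TCP/445 at many distinct destinations, most of them inside its own class A or class B range. The detector below is an added example, not part of the advisory; it reads a constructed flow log in an assumed "timestamp src dst dport flags" format (adapt the parser to the real sensor's output) and reports sources that exceed a distinct-target threshold within a time window, together with how many of those targets fall in the source's own /16.

```python
"""Network-side detection of a TCP/445 SYN sweep.

Added example, not part of the advisory. The log format, window and
threshold are assumptions for the example.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log (timestamp, source, destination, dest port, TCP flags).
# 10.0.1.50 sweeps its own /16 plus one random address; 10.0.1.7 is a normal
# SMB client completing a handshake with a single file server.
SAMPLE_LOG = """\
1000 10.0.1.50 10.0.1.1 445 S
1000 10.0.1.50 10.0.1.2 445 S
1000 10.0.1.50 10.0.1.3 445 S
1001 10.0.1.50 10.0.1.4 445 S
1001 10.0.1.50 10.0.1.5 445 S
1001 10.0.1.50 10.0.1.6 445 S
1002 10.0.1.50 10.0.1.8 445 S
1002 10.0.1.50 10.0.1.9 445 S
1002 10.0.1.50 10.0.1.10 445 S
1003 10.0.1.50 10.0.1.11 445 S
1003 10.0.1.50 10.0.1.12 445 S
1004 10.0.1.50 203.0.113.9 445 S
1000 10.0.1.7 10.0.1.200 445 S
1005 10.0.1.7 10.0.1.200 445 SA
1006 10.0.1.7 10.0.1.200 445 PA
"""


def parse(log):
    """Yield (ts, src, dst, dport, flags) tuples from the assumed log format."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, flags = line.split()
        yield int(ts), src, dst, int(dport), flags


def detect_445_sweeps(log, window=60, threshold=10):
    """Return {src: (distinct_targets, targets_in_own_slash16)} for every source
    that sent pure SYNs (flags == "S") to TCP/445 at >= threshold distinct
    destinations within one tumbling window of `window` seconds.

    Only bare SYNs count: an established SMB session carries SA/PA flags and
    must not be mistaken for scanning.
    """
    buckets = defaultdict(set)  # (src, window index) -> set of destinations
    for ts, src, dst, dport, flags in parse(log):
        if dport != 445 or flags != "S":
            continue
        buckets[(src, ts // window)].add(dst)

    alerts = {}
    for (src, _), dsts in buckets.items():
        if len(dsts) < threshold:
            continue
        own_b = ip_network(f"{src}/16", strict=False)  # source's class-B sized range
        in_own_b = sum(1 for d in dsts if ip_address(d) in own_b)
        # Keep the busiest window per source.
        if src not in alerts or len(dsts) > alerts[src][0]:
            alerts[src] = (len(dsts), in_own_b)
    return alerts


if __name__ == "__main__":
    for src, (n, local) in detect_445_sweeps(SAMPLE_LOG).items():
        print(f"{src}: {n} distinct TCP/445 targets, {local} inside its own /16")
```

A tumbling window keyed on ts // window is enough to illustrate the idea; a production sensor would use a sliding window and also correlate the successful SYN/ACK that precedes the LSASS exploit delivery, which is the point at which blocking inbound 445 at the segment boundary stops the infection.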