Worm:Win32/Pykspa.C is a worm that spreads via Skype messaging, Twitter, mapped drives and network shares. It contains a backdoor that allows it to execute arbitrary commands from a remote attacker.
Installation
When run, it creates a hidden system folder at %temp%\ (for example %temp%\symchskoblw).
It makes a number of copies of itself (which may have random data appended) in the temp folder with pseudo-random file names (for example lmvggm.exe). It may also change its icon to one copied from a random executable selected from the %ProgramFiles% folder.
If the system is currently in safe mode, it forces a reboot.
Depending on how it was launched, it may show a Windows Explorer window, displaying the contents of the folder that it was opened from.
It creates a number of registry entries intended to ensure that its various copies are launched upon system startup. These also use pseudo-random values. For example:
Under key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adds value: "owmelysynzmxt" (14 chars)
With data: "ymigtmmytlevxpucuoq.exe" (16-22 chars)
Adds value: "ymigtmmytlevxpucuoq"
With data: "%temp%\navsewvgarjzarvctm.exe"
Under key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Adds value: "pypiqezgwjxjgt"
With data: "ymigtmmytlevxpucuoq.exe ."
Adds value: "navsewvgarjzarvctm"
With data: "xibwgwtcujznmbdi.exe ."
Under key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Adds value: "scuoxmiqhvkxvjk"
With data: "xibwgwtcujznmbdi.exe"
Adds value: "pwlciunsgrdn"
With data: "%temp%\aqoodyaolfatxryicycve.exe"
Under key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: "xibwgwtcujznmbdi"
With data: "laxwkefsohbtwpvexsvn.exe"
Adds value: "owmelysynzmxt"
With data: "%temp%\ navsewvgarjzarvctm.exe"
Under key: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Adds value: "eqkgrigqjzqffvyeu"
With data: "xibwgwtcujznmbdi.exe ."
Adds value: "pypiqezgwjxjgt"
With data: "%temp%\ xibwgwtcujznmbdi.exe ."
It writes files with encrypted configuration information to the following folders:
-
%system%
-
%ProgramFiles%
-
%appdata%
-
%Temp%
These files also have pseudo-random file names, including their extension (e.g. nzszlzrfrylzvnnzszlzrfrylzvnnzszlzr.ryl or efnjknuxyuwzkrghplmpwzaw.bmt)
Spreads via…
Mapped drives
If commanded to do so, the malware enumerates all mapped drives attached to the system and attempts to copy itself to the root folder of the drive with a pseudo-random file name with a .bat extension (e.g. owmelysynzmxt.bat). It also places an autorun.inf file in the root folder pointing to the worm copy. When the drive is accessed from a computer supporting the Autorun feature, the worm is launched automatically.
Network shares
If the WinRAR compression utility is installed on the system, the malware searches the user’s My Documents folder for files with the following extensions:
.doc
.jpg
.jpeg
.rtf
.gif
.ppt
.xls
.bmp
.3gp
.txt
Once it has found four of these files, it uses rar.exe to create a compressed archive containing the four files, as well as a copy of itself with one of the following file names with an .exe extension:
Sample Music
My Music
Sample Pictures
My Pictures
Intel 32
Blank Bkgrd
Citrus Punch Bkgrd
Clear Day Bkgrd
Fiesta Bkgrd
Glacier Bkgrd
Leaves Bkgrd
Maize Bkgrd
Nature Bkgrd
Network Blitx Bkgrd
Pie Charts Bkgrd
If commanded to do so, the malware attempts to connect via port 445 to other systems on the network and enumerate their available network shares. If any are found, it copies the archive to these shares.
Skype messaging
If commanded to do so and Skype is installed, the malware attempts to send one of the following messages to the user’s contacts, as well as a URL for a copy of itself being served from the local machine (see Payload section below for additional detail). Note that %s may indicate another of the messages below, or other data retrieved from the user’s Skype configuration.
Hello
hi
how are you
hello again
you skype version is old
what are you?
from where are you?
what are you doing in my contacts?
as I said %s
so %s
%s :D
look %s
here %s
so what do you think?
what is in that link on your skype?
do you have camera on skype?
is it really your web site?
what do you think about that?
what is there?
pudge women ;)
piece of shit now everyone know ;)
idiot what are you doing
crazy bitch
why dont you speak
I saw you photo. I would like to speak with you
I saw you last week. I would like to speak with you
I watching you long time. I would like to speak with you
%s I know what you did
%s :D :D :D idiot name
i lost my job.. i am idiot.. i want to die..
(beer) ?
nice ass :* muhahahaaahaha
little boy :]]]] I know about your little problem :D
gay :D
what new?
what the f**k is that ?
bad news
dude
bitch
niger
impotent
It checks the user interface language defined in the user’s Skype configuration, and if this language is one from the list below, it instead uses a translated equivalent of the above messages.
English
German
Russian
Romanian
Danish
Polish
Italian
Latvian
French
Gaelic
Slovakian
Lithuanian
Spanish
Norwegian
Estonian
Swedish
Czech
Twitter
If commanded to do so, the malware searches for windows with “Twitter” in their title. If a window is found, the malware pastes messages into the window’s input box, and sends these messages.
Payload
Allows backdoor access and control
The malware connects to a remote server which may respond with a command for it to execute. Possible commands may include:
-
Spread via mapped drives
-
Spread via network shares
-
Spread via Skype messaging
-
Spread via Twitter
-
Download and execute arbitrary files
-
Execute an existing file
-
Steal information
-
Change port of local webserver
-
Sleep
-
Terminate processes
-
Delete files
-
Stop running
-
Shut down Windows
-
Modify the registry
-
Place data in clipboard
-
Modify the hosts file
Runs Web server
The malware runs a Web server on the affected system, which allows it to serve copies of the malware or other files to users that follow the links in messages that the malware sends to them. The port used by the server is randomly chosen between 13000 and 63000, and may also be configured to a particular value by the backdoor’s controller.
Steals information
The malware may query the user’s Skype configuration in order to obtain their personal information, or the personal information of their contacts. This information might include:
-
Full names
-
Gender and date of birth
-
Addresses and phone number
-
Online status
-
Skype account balance
-
Skype capabilities (for example, voicemail, video)
-
Skype mood text
-
Chat history
Deletes System Restore points
The malware attempts to prevent the user from being able to restore their system to an earlier state by attempting to delete the entire contents of the “\System Volume Information” folder on the C:\ drive, and any other drives where it might be present.
Modifies security settings
The malware makes a number of registry modifications in order to lower security settings:
Disable User Account Control:
Under key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
Sets value: "EnableLUA"
With data: 0
Disables registry tools:
Under keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "DisableRegistryTools"
With data: 1
Changes various system policies:
Under key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
Sets value: "ConsentPromptBehaviorAdmin"
With data: 0
Sets value: "ConsentPromptBehaviorUser"
With data: 0
Sets value: "EnableInstallerDetection"
With data: 0
Sets value: "EnableSecureUIAPaths"
With data: 0
Sets value: "EnableVirtualization"
With data: 0
Sets value: "PromptOnSecureDesktop"
With data: 0
Sets value: "ValidateAdminCodeSignatures"
With data: 0
Sets value: "FilterAdministratorToken"
With data: 0
Disables Autorun for drive A:
Under keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Sets value: "NoDriveTypeAutoRun"
With data: 1
Under key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
Sets value: "CheckedValue"
With data: 145
Disables certain Security Center settings:
Under key: HKLM\SOFTWARE\Microsoft\Windows\Security Center
Sets value: "AntiVirusOverride"
With data: 1
Sets value: "FirewallOverride"
With data: 1
S
ets value: "UacDisableNotify"
With data: 1
Sets value: "AntiVirusDisableNotify"
With data: 1
Sets value: "FirewallDisableNotify"
With data: 1
Sets value: "UpdatesDisableNotify"
With data: 1
Prevents Windows Defender from running upon system startup:
Under key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Deletes value: "Windows Defender"
Prevents Windows Security Center from displaying alerts if the firewall or other security programs are disabled:
Under key: HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects
Deletes subkey: {FD6905CE-952F-41F1-9A6F-135D9C6622CC}
Removes the list of services to be started if the computer is started in safe mode:
Under key: HKLM\SYSTEM\CurrentControlSet\Control
Deletes subkey: SafeBoot
Stops and disables services
The malware attempts to stop and disable the following services:
TrustedInstaller
MpsSvc
wscsvc
SharedAccess
WinDefend
Wuauserv
BITS
ERSvc
WerSvc
Closes windows
The malware may attempt to close any windows which have any of the following strings in their title text:
Regedit
Spyware
Rstrui
Procmon
Regmon
Eset
Procexp
IceSword
Sysclean
dr. web
dr.web
esetsmart
soft security e
internet security
Restauration du sy
trend micro
Sistemos atk
Antivir
Sysinternals
Registry
NetTools
Zonealarm
Firewall
avg
computer management
virus
worm
system configuration
Hiajck
Hijack
security center
system restore
antivirus
antianti
Process Ex
Process Ha
Blocks access to Web sites
The malware may attempt to block access to Web sites whose addresses contain the following strings:
ahnlab
arcabit
avast
avg.
avira
avp.
bit9.
castlecops
centralcommand
cert.
clamav
tcpview
comodo
computerassociates
cpsecure
defender
drweb
emsisoft
esafe
eset –
etrust
ewido
f-prot
f-secure
fortinet
gdata
grisoft
hacksoft
hauri
ikarus
jotti
k7computing
Kaspersky
Malware
mcafee
networkassociates
nod32
norman
norton
panda
pctools
prevx
quickheal
rising
rootkit
sans.
securecomputing
sophos
spamhaus
spyware
sunbelt
symantec
threatexpert
trendmicro
vet.
Virus
Wilderssecurity
windowsupdate
Additional information
The malware has been observed to be installed by a dropper such as TrojanDropper:Win32/Pykspa.A. This dropper also installs a component which attempts to uninstall assorted security software from the system. This component may be detected as Trojan:Win32/Killav.DR.
The malware may connect to one of the following servers in an attempt to determine the IP address of the system it is installed in:
-
www.showmyipaddress.com
-
whatismyipaddress.com
-
whatismyip.ca
-
whatismyip.everdot.org
The malware contacts a commonly used Web server, randomly chosen from the list below, and uses information from the returned HTTP header to determine the current date and time. These sites include:
ebay.com
baidu.com
imdb.com
bbc.co.uk
adobe.com
blogger.com
wikipedia.org
yahoo.com
youtube.com
myspace.com
facebook.com
google.com
Analysis by David Wood
