MSIL/Zamog [Threat Name]

MSIL/Zamog.A [Threat Variant Name]

Category worm
Size 122034 B
Detection created Apr 20, 2010
Detection database version 5044
Aliases P2P-Worm.MSIL.Lolmehot.a (Kaspersky)
  W32.SillyFDC.BDL (Symantec)
  Generic.dx!rxe.trojan (McAfee)
Short description

MSIL/Zamog.A is a worm that spreads via shared folders and removable media.

Installation

When executed, the worm copies itself to the following locations:

  • %temp%\svchost.exe
  • %systemdrive%\ntldr.exe
  • %system%\drivers\tmpp.exe

To be executed at system start, the worm sets the following Registry entry (appending its own copy to the comma-separated list of programs that Winlogon runs at logon):

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "Userinit" = "%system%\Userinit.exe,%temp%\svchost.exe"

The following Registry entries are set:

  • [HKEY_CURRENT_USER\Identities\Software\Microsoft\Outlook Express\5.0\signatures]
    • "Default Signature" = "C:\WINDOWS\system32.htm/f"
  • [HKEY_CURRENT_USER\Software\Patchou\Messenger Plus! Live\GlobalSettings\Scripts\MSN PLUS]
    • "background" = "C:\WINDOWS\system32.htm"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    • "Hidden" = 1
    • "HideFileExt" = 1
    • "SuperHidden" = 0
    • "ShowSuperHidden" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    • "NoFind" = 1
    • "NoFolderOptions" = 1
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
    • "EnableLUA" = "0"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
    • "DisableConfig" = 1
    • "DisableSR" = 1
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Firewall]
    • "ImagePath" = "%malwarefilepath%"
    • "DisplayName" = "Default Windows Firewall"
    • "ObjectName" = "LocalSystem"
    • "Start" = 2
    • "ErrorControl" = 0
    • "Type" = 110

The Explorer\Advanced values change how hidden files and file extensions are displayed, the Policies\Explorer values remove Search (NoFind) and Folder Options (NoFolderOptions) from the Explorer UI, EnableLUA = "0" turns off User Account Control, the SystemRestore values disable System Restore, and the Services\Firewall key registers the worm as an auto-start (Start = 2) service running as LocalSystem under the misleading display name "Default Windows Firewall".

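The persistence and policy changes above can be checked offline from a `reg export` dump of the suspect host. The following Python script is an added example, not part of the original page or the vendor's tooling: it parses the .reg text format (string, dword and hex values), then flags the extra Userinit entry, the UAC and System Restore policies and the bogus "Firewall" service. The embedded dump is constructed for testing; the expanded paths in it are assumptions, and it treats the page's `"Type" = 110` as the hex dword 0x110 (own-process, interactive), which is also an assumption.

```python
"""Scan a `reg export` dump for the MSIL/Zamog.A persistence and policy changes.
Run on a real export with: python zamog_regcheck.py out.reg (reg export writes UTF-16)."""
import re
import sys
from typing import Dict, List, Union

RegValue = Union[str, int, bytes]
RegDump = Dict[str, Dict[str, RegValue]]

# Constructed .reg export carrying the worm's values (paths are assumptions).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\Userinit.exe,C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableConfig"=dword:00000001
"DisableSR"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Firewall]
"ImagePath"="C:\\WINDOWS\\system32\\drivers\\tmpp.exe"
"DisplayName"="Default Windows Firewall"
"ObjectName"="LocalSystem"
"Start"=dword:00000002
"Type"=dword:00000110
'''

_KEY_RE = re.compile(r'^\[(.+)\]$')
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s: str) -> str:
    # Undo the .reg string escapes (doubled backslash, backslash-quote).
    return re.sub(r'\\(["\\])', r'\1', s)


def _parse_value(raw: str) -> RegValue:
    raw = raw.strip()
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    if raw.startswith('dword:'):
        return int(raw[6:], 16)
    if raw.startswith('hex'):                 # hex:, hex(2):, hex(7): ... (single line only)
        body = raw.split(':', 1)[1]
        return bytes(int(b, 16) for b in body.split(',') if b.strip())
    return raw                                # unknown forms are kept verbatim


def parse_reg(text: str) -> RegDump:
    """Parse `reg export` text into {key path (lower-case): {value name (lower-case): value}}."""
    dump: RegDump = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            dump.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            dump[current][_unescape(m.group(1)).lower()] = _parse_value(m.group(2))
    return dump


WINLOGON = r'hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon'
UAC_POLICY = r'hkey_local_machine\software\microsoft\windows\currentversion\policies\system'
SR_POLICY = r'hkey_local_machine\software\policies\microsoft\windows nt\systemrestore'
FW_SERVICE = r'hkey_local_machine\system\currentcontrolset\services\firewall'


def find_indicators(dump: RegDump) -> List[str]:
    """Human-readable findings for the values the worm sets."""
    findings: List[str] = []
    userinit = dump.get(WINLOGON, {}).get('userinit')
    if isinstance(userinit, str):
        # A clean value is a single entry ending in \userinit.exe; Winlogon runs every
        # comma-separated entry, so anything appended is a logon persistence hook.
        entries = [e.strip() for e in userinit.split(',') if e.strip()]
        if not entries or not entries[0].lower().endswith(r'\userinit.exe'):
            findings.append(f'Userinit does not start with userinit.exe: {userinit!r}')
        findings += [f'Userinit chains an extra program: {extra}' for extra in entries[1:]]
    if dump.get(UAC_POLICY, {}).get('enablelua') in (0, '0'):
        findings.append('UAC disabled (EnableLUA = 0)')
    for name in ('disablesr', 'disableconfig'):
        if dump.get(SR_POLICY, {}).get(name) in (1, '1'):
            findings.append(f'System Restore policy {name} = 1')
    svc = dump.get(FW_SERVICE)
    if svc:
        # Windows' own firewall service is SharedAccess (XP) or MpsSvc (Vista and later),
        # never a service literally named "Firewall".
        findings.append(f"service 'Firewall' ({svc.get('displayname')}) runs "
                        f"{svc.get('imagepath')} as {svc.get('objectname')}")
        if isinstance(svc.get('type'), int) and svc['type'] & 0x100:
            findings.append("service 'Firewall' is interactive (Type has SERVICE_INTERACTIVE_PROCESS)")
    return findings


if __name__ == '__main__':
    text = open(sys.argv[1], encoding='utf-16').read() if len(sys.argv) > 1 else SAMPLE_REG
    for finding in find_indicators(parse_reg(text)):
        print(finding)
```

Export the four keys with `reg export` on the suspect machine (or mount its hive offline) and point the script at the file; multi-line `hex:` continuations are not joined, which does not affect the values checked here.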
Spreading on removable media

The worm copies itself into the root folders of removable drives using the following name:

  • ntldr.exe

The worm creates the following file:

  • %drive%\autorun.inf

The autorun.inf entry causes the worm to be launched when the infected media is inserted, on Windows versions and configurations that still honor AutoRun for removable drives.

The %drive%\ntldr.exe and %drive%\autorun.inf files may have the System (S) and Hidden (H) attributes set in an attempt to hide them in Windows Explorer.
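When triaging a suspect USB stick, the two things to look at are the launch keys in autorun.inf and which root-level files carry the Hidden+System combination. The Python script below is an added example, not code from the original page or from the worm: it parses autorun.inf with a junk-tolerant INI reader, reports every key that makes Windows run something, and lists Hidden+System files on a mounted drive (the attribute check only yields results on Windows). The embedded autorun.inf is constructed; the page does not give the worm's exact keys, so its contents are assumptions.

```python
"""Triage autorun.inf launch keys and Hidden+System files on a removable drive."""
import os
import re
import stat
from typing import Dict, List

# Constructed autorun.inf modelled on the behaviour described above (assumed keys).
SAMPLE_AUTORUN = r'''[autorun]
open=ntldr.exe
shell\open\command=ntldr.exe
shell\explore\command=ntldr.exe
shellexecute=ntldr.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
label=Removable Disk
useautoplay=1
'''

_SHELL_CMD_RE = re.compile(r'^shell\\[^\\]+\\command$')
EXEC_EXT = ('.exe', '.scr', '.pif', '.com', '.bat', '.cmd', '.vbs', '.js')


def parse_inf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI parser that ignores the junk lines worms pad autorun.inf with."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if '=' in line and current is not None:
            key, value = line.split('=', 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def _autorun_entries(text: str) -> Dict[str, str]:
    # [autorun] plus architecture-specific variants such as [autorun.amd64]
    merged: Dict[str, str] = {}
    for name, entries in parse_inf(text).items():
        if name == 'autorun' or name.startswith('autorun.'):
            merged.update(entries)
    return merged


def launch_targets(text: str) -> Dict[str, str]:
    # Keys that make Windows run something: open, shellexecute, shell\<verb>\command
    return {k: v for k, v in _autorun_entries(text).items()
            if k in ('open', 'shellexecute') or _SHELL_CMD_RE.match(k)}


def assess_autorun(text: str) -> List[str]:
    findings: List[str] = []
    for key, target in launch_targets(text).items():
        first = target.split()[0].strip('"').lower() if target.split() else ''
        kind = 'executable' if first.endswith(EXEC_EXT) else 'non-executable'
        findings.append(f'{key}={target} ({kind} launch target)')
    entries = _autorun_entries(text)
    if 'shell32.dll' in entries.get('icon', '').lower():
        # Borrowing a stock shell icon makes the drive look like a plain disk in Explorer.
        findings.append(f"icon spoofs a stock Windows icon: {entries['icon']}")
    if entries.get('useautoplay') == '1':
        findings.append('useautoplay=1 is set')
    return findings


def hidden_system_files(root: str) -> List[str]:
    """Names directly under `root` with both Hidden and System set (Windows only; empty elsewhere)."""
    found = []
    for entry in os.scandir(root):
        attrs = getattr(entry.stat(), 'st_file_attributes', 0)
        if attrs & stat.FILE_ATTRIBUTE_HIDDEN and attrs & stat.FILE_ATTRIBUTE_SYSTEM:
            found.append(entry.name)
    return found


def scan_drive_root(root: str) -> List[str]:
    """Assess autorun.inf (if present) and list Hidden+System files for a mounted drive."""
    findings: List[str] = []
    inf = os.path.join(root, 'autorun.inf')
    if os.path.isfile(inf):
        with open(inf, encoding='latin-1', errors='replace') as fh:
            findings += assess_autorun(fh.read())
    findings += [f'{name}: Hidden+System attributes' for name in hidden_system_files(root)]
    return findings


if __name__ == '__main__':
    for line in assess_autorun(SAMPLE_AUTORUN):
        print(line)
```

Run `scan_drive_root('E:\\')` against a mounted drive; any launch target that is an executable at the drive root, especially one named after a system file such as ntldr, should be treated as hostile until proven otherwise.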

Spreading via P2P networks

The worm creates copies of itself in folders accessed by the following applications:

  • BearShare
  • eDonkey2000
  • eMule
  • Gnucleus
  • Grokster
  • ICQ
  • KaZaa Lite
  • KaZaa
  • Morpheus
  • Direct Connect
  • Kazaa Media Desktop
  • LimeWire

The following filenames are used:

  • %username%_naked.exe
  • %variable%.exe
  • %variable%.rar
  • %variable%ea-keygen.exe
  • %variable%ea-keygen.rar
  • 1000_worm_sources.exe
  • allexploits.exe
  • battlefield2-3.exe
  • battlefield2-3.rar
  • become_hacker.exe
  • best_porn.rar
  • best_porn.scr
  • bitdefender+crack.exe
  • britney_spears_naked.rar
  • britney_spears_naked.scr
  • C&C_%variable%.exe
  • C&C_%variable%.rar
  • callofduty.exe
  • callofduty3.exe
  • callofduty4.exe
  • callofduty5.exe
  • callofduty6.exe
  • cod6.exe
  • Conficker_removal.exe
  • Conficker_source.exe
  • ea_games-cdkey.exe
  • Emule_speedup.exe
  • every_youpornvid.pif
  • exploit_pack.exe
  • Flyff_PS.exe
  • game_collection.exe
  • Hacking.exe
  • how_to_be_an_hacker.pif
  • How_to_hack.exe
  • Cheatgenerator.exe
  • Icq_hack.exe
  • ICQ_hacker.exe
  • icq_unlimited.%variable%.exe
  • icq_unlimited.%variable%.rar
  • irc_bot_source.exe
  • Jessica_alba_screensaver.scr
  • Limewire_pro.exe
  • msn_plus.exe
  • nzm_bot.exe
  • PhotoshopCS3.exe
  • Porn_Jessica_Alba.exe
  • Rapidshare_account.exe
  • virtual_girls_all.rar
  • virtual_girls_all.scr
  • virusgen.exe
  • virusgen.rar
  • windows_vista.exe
  • windows_vista.rar
  • wormgenerator.exe
  • wormgenerator.rar

The %variable% represents a random number.

Spreading via shared folders

The worm searches for computers in the local network. It tries to copy itself to the following administrative shares on each remote machine:

  • C$
  • IPC$
  • Admin$
  • D$
  • Print$

The worm also tries to copy itself to any other accessible shared network folders.

The following filenames are used:

  • funny.scr
  • LOOL.pif
  • STUPID.scr
  • INSTALL.scr
  • README.scr
  • %variable%.scr

The following usernames are used:

  • administrator
  • admin
  • %username%

The following passwords are used:

  • %username%
  • admin
  • administrator
  • ass
  • bla
  • bla123
  • bruns
  • dont
  • fuck
  • homepc
  • jew
  • john
  • kevin
  • lol
  • lol123
  • love
  • me
  • myhomecomputer
  • myhomepc
  • omfg
  • omg
  • piss
  • root
  • shit
  • tom
  • user
  • xD

A string with variable content is used instead of %variable%.
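Spreading this way leaves a distinctive trail on the targets: a burst of failed network logons (Security event 4625, logon type 3) against the administrator and admin accounts from a single source, followed by a write of a .scr or .pif file to ADMIN$ or C$ (event 5145, which requires Detailed File Share auditing). The Python detection below is an added example, not from the original page: it runs over a constructed list of event records whose field names follow the Security log's EventData names, and pairs the credential spray with the drop. The IPs, timestamps, window and threshold are assumptions.

```python
"""Pair admin-share password spraying (4625) with executable drops on admin shares (5145)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List


def _ev(event_id: int, second: int, ip: str, **data) -> dict:
    # Constructed record; keys mirror the Security log's EventData element names.
    return {'EventID': event_id, 'Time': f'2010-04-20T10:00:{second:02d}', 'IpAddress': ip, **data}


SAMPLE_EVENTS: List[dict] = [
    _ev(4625, 1, '10.0.0.23', TargetUserName='administrator', LogonType=3),
    _ev(4625, 2, '10.0.0.23', TargetUserName='administrator', LogonType=3),
    _ev(4625, 3, '10.0.0.23', TargetUserName='admin', LogonType=3),
    _ev(4625, 4, '10.0.0.23', TargetUserName='admin', LogonType=3),
    _ev(4625, 5, '10.0.0.23', TargetUserName='administrator', LogonType=3),
    _ev(4625, 6, '10.0.0.23', TargetUserName='administrator', LogonType=3),
    _ev(4624, 7, '10.0.0.23', TargetUserName='administrator', LogonType=3),
    _ev(5145, 8, '10.0.0.23', ShareName=r'\\*\ADMIN$', RelativeTargetName='funny.scr', AccessMask='0x2'),
    _ev(5145, 9, '10.0.0.99', ShareName=r'\\*\C$', RelativeTargetName=r'reports\q1.xlsx', AccessMask='0x2'),
    _ev(4625, 30, '10.0.0.99', TargetUserName='jsmith', LogonType=3),
]

DROP_EXT = ('.scr', '.pif', '.exe', '.bat', '.vbs')
_ADMIN_SHARE_RE = re.compile(r'\\(ADMIN\$|[A-Z]\$|IPC\$|PRINT\$)$', re.IGNORECASE)
FILE_WRITE_DATA = 0x2        # AccessMask bit for WriteData / AddFile


def spray_sources(events: List[dict], window=timedelta(minutes=5), threshold=5) -> Dict[str, dict]:
    """Sources with at least `threshold` failed network logons inside any `window`."""
    attempts = defaultdict(list)
    for ev in events:
        if ev['EventID'] == 4625 and ev.get('LogonType') == 3:
            attempts[ev['IpAddress']].append((datetime.fromisoformat(ev['Time']),
                                              ev['TargetUserName'].lower()))
    flagged: Dict[str, dict] = {}
    for ip, tries in attempts.items():
        tries.sort()
        times = [t for t, _ in tries]
        start, burst = 0, 0
        for end in range(len(times)):          # sliding window over the sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            burst = max(burst, end - start + 1)
        if burst >= threshold:
            flagged[ip] = {'failures': len(tries), 'burst': burst,
                           'accounts': sorted({u for _, u in tries}), 'dropped': []}
    return flagged


def detect_share_spray(events: List[dict], window=timedelta(minutes=5), threshold=5) -> Dict[str, dict]:
    """Attach executable writes to administrative shares (5145) to each spraying source."""
    flagged = spray_sources(events, window, threshold)
    for ev in events:
        if ev['EventID'] != 5145 or ev['IpAddress'] not in flagged:
            continue
        share = ev.get('ShareName', '')
        name = ev.get('RelativeTargetName', '')
        wants_write = int(ev.get('AccessMask', '0'), 16) & FILE_WRITE_DATA
        if _ADMIN_SHARE_RE.search(share) and wants_write and name.lower().endswith(DROP_EXT):
            flagged[ev['IpAddress']]['dropped'].append(f'{share}\\{name}')
    return flagged


if __name__ == '__main__':
    for ip, info in detect_share_spray(SAMPLE_EVENTS).items():
        print(ip, info)
```

The source IP is the pivot: one host failing against administrator and admin on many peers and then writing a screensaver into ADMIN$ is the worm's spreading loop seen from the victim side, and the password list above is short enough that a lockout policy or a non-trivial local administrator password stops it outright.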

Other information

The worm creates the following files:

  • %system%\launch.bat
  • %system%\launch.vbs
  • %system%\launchh.bat
  • %system%\launchh.vbs
  • %system%\net.vbs
  • %windir%\tmpp.log
  • %windir%\system32.htm
  • %windir%\tam.dll
  • %windir%\input%variable%.blp
  • %windir%\teest.txt
  • %windir%\input123.blp
  • %windir%\%variable%.blp
  • %system%\wan.vbs
  • %windir%\system32\13l.dll
  • %windir%\system32\sys.rar
  • %windir%\system32\tomp.txt
  • %windir%\krnsys.dll
  • %windir%\temp.dtx
  • C:\Windows\System32\logg.txt

The %variable% represents a random number.

The worm tries to download several files from the Internet.

The worm connects to the following addresses:

  • netmegasite.net
  • mh-2.gnet.ba

The files are saved to the following locations:

  • %system%\extract.exe
  • %system%\svchost001.exe
  • %system%\logstm.txt
  • %system%\logstm123.txt

The worm modifies the following file:

  • %windir%\system32\drivers\etc\hosts

The worm writes the following entries to the file, mapping each name to the loopback address, which blocks access to the listed security-vendor and update sites (several entries are written more than once):

  • 127.0.0.1 avp.com
  • 127.0.0.1 customer.symantec.com
  • 127.0.0.1 dispatch.mcafee.com
  • 127.0.0.1 download.mcafee.com
  • 127.0.0.1 f-secure.com
  • 127.0.0.1 kaspersky.com
  • 127.0.0.1 liveupdate.symantec.com
  • 127.0.0.1 liveupdate.symantecliveupdate.com
  • 127.0.0.1 mast.mcafee.com
  • 127.0.0.1 mcafee.com
  • 127.0.0.1 metalhead2005.info
  • 127.0.0.1 my-etrust.com
  • 127.0.0.1 nai.com
  • 127.0.0.1 networkassociates.com
  • 127.0.0.1 rads.mcafee.com
  • 127.0.0.1 secure.nai.com
  • 127.0.0.1 securityresponse.symantec.com
  • 127.0.0.1 sophos.com
  • 127.0.0.1 symantec.com
  • 127.0.0.1 trendmicro.com
  • 127.0.0.1 update.symantec.com
  • 127.0.0.1 updates.symantec.com
  • 127.0.0.1 us.mcafee.com
  • 127.0.0.1 viruslist.com
  • 127.0.0.1 www.avast.com
  • 127.0.0.1 www.avp.com
  • 127.0.0.1 www.avp.com
  • 127.0.0.1 www.bitdefender.com
  • 127.0.0.1 www.ca.com ca.com
  • 127.0.0.1 www.eset.com
  • 127.0.0.1 www.f-prot.com
  • 127.0.0.1 www.f-secure.com
  • 127.0.0.1 www.f-secure.com
  • 127.0.0.1 www.grisoft.com
  • 127.0.0.1 www.kaspersky.com
  • 127.0.0.1 www.kaspersky.com
  • 127.0.0.1 www.mcafee.com
  • 127.0.0.1 www.mcafee.com
  • 127.0.0.1 www.microsoft.com
  • 127.0.0.1 www.my-etrust.com
  • 127.0.0.1 www.my-etrust.com
  • 127.0.0.1 www.nai.com
  • 127.0.0.1 www.networkassociates.com
  • 127.0.0.1 www.norman.com
  • 127.0.0.1 www.sophos.com
  • 127.0.0.1 www.sophos.com
  • 127.0.0.1 www.symantec.com
  • 127.0.0.1 www.symantec.com
  • 127.0.0.1 www.trendmicro.com
  • 127.0.0.1 www.viruslist.com
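Because the hosts file is consulted before DNS, these entries silently break antivirus updates and Windows Update until the file is cleaned. The Python script below is an added example, not part of the original page: it parses a hosts file, reports names sunk to a loopback or null address that are not the local host, narrows them to security-vendor and update domains, and rewrites the file with the hijack lines removed while keeping comments and genuine static entries. The embedded hosts file is constructed for testing; the vendor substring list is an assumption to be extended per environment.

```python
"""Find and undo hosts-file black-holing of security-vendor and update sites."""
import sys
from typing import Dict, List, Tuple

# Constructed hosts file: a normal localhost line, a legitimate static entry,
# and a handful of the entries the worm writes (one of them duplicated).
SAMPLE_HOSTS = """# constructed sample
127.0.0.1       localhost
127.0.0.1 avp.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.ca.com ca.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.kaspersky.com
0.0.0.0 metalhead2005.info
192.168.1.10 fileserver.corp.example   # legitimate static entry
"""

LOOPBACK = {'127.0.0.1', '0.0.0.0', '::1'}
LOCAL_NAMES = {'localhost', 'localhost.localdomain', 'broadcasthost', 'ip6-localhost', 'ip6-loopback'}
# Substrings of the vendor/update domains the worm targets (assumed list; extend as needed).
VENDOR_HINTS = ('symantec', 'mcafee', 'kaspersky', 'avp.com', 'f-secure', 'sophos', 'trendmicro',
                'eset.com', 'bitdefender', 'avast', 'grisoft', 'nai.com', 'networkassociates',
                'my-etrust', 'ca.com', 'f-prot', 'norman.com', 'viruslist', 'microsoft.com')


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """(line number, address, [names]) for every line that carries an entry."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split('#', 1)[0].split()       # strip trailing comments
        if len(fields) >= 2:
            entries.append((lineno, fields[0], fields[1:]))
    return entries


def _is_local_name(name: str) -> bool:
    n = name.lower()
    return n in LOCAL_NAMES or n.endswith('.localhost')


def blackholed(text: str) -> Dict[str, List[int]]:
    """Names sunk to a loopback/null address that are not the local host -> line numbers."""
    hits: Dict[str, List[int]] = {}
    for lineno, addr, names in parse_hosts(text):
        if addr in LOOPBACK:
            for name in names:
                if not _is_local_name(name):
                    hits.setdefault(name.lower(), []).append(lineno)
    return hits


def vendor_blackholes(text: str) -> Dict[str, List[int]]:
    """Subset of black-holed names that look like security-vendor or update sites."""
    return {n: lines for n, lines in blackholed(text).items() if any(h in n for h in VENDOR_HINTS)}


def clean_hosts(text: str) -> str:
    """Rewrite the file without the black-holed names; comments and real entries survive."""
    out = []
    for raw in text.splitlines():
        code, sep, comment = raw.partition('#')
        fields = code.split()
        if len(fields) >= 2 and fields[0] in LOOPBACK:
            kept = [n for n in fields[1:] if _is_local_name(n)]
            if not kept:
                continue                              # the whole line was a hijack
            raw = f'{fields[0]}\t{" ".join(kept)}' + (f'  {sep}{comment}' if sep else '')
        out.append(raw)
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding='utf-8', errors='replace').read() if path else SAMPLE_HOSTS
    for name, lines in sorted(vendor_blackholes(text).items()):
        print(f'{name}: line(s) {lines}')
```

Point it at `%windir%\system32\drivers\etc\hosts` copied off the host; write the cleaned output back only after the worm's processes and the Userinit and service persistence have been removed, otherwise the entries are simply re-created.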

The worm connects to the following addresses:

  • http://www.whatismyip.com/automation/n09230945.asp

The worm executes the following commands, which try to set static DNS servers (216.146.35.35 and 216.146.36.36) on the network interfaces and turn off the Windows Firewall:

  • netsh interface ip set dns * static 216.146.35.35,216.146.36.36
  • netsh firewall set opmode mode=disable

The worm copies itself to the following locations:

  • C:\Documents and Settings\user\Application Data*
  • C:\My Downloads
  • %programfiles%\XPCode
  • C:\Inetpub\ftproot
  • C:\appserv\www\%variable%
  • C:\%programfiles%\appserv\www
  • C:\Documents and Settings\user\Application DataMicrosoft\Messenger
  • %systemdrive%\*shar*
  • %systemdrive%\*www*

The following filenames are used:

  • %username%_naked.exe
  • 1000_worm_sources.exe
  • allexploits.exe
  • become_hacker.exe
  • bitdefender+crack.exe
  • callofduty.exe
  • callofduty3.exe
  • callofduty4.exe
  • callofduty5.exe
  • callofduty6.exe
  • cod6.exe
  • Conficker_removal.exe
  • Conficker_source.exe
  • ea_games-cdkey.exe
  • Emule_speedup.exe
  • every_youpornvid.pif
  • exploit_pack.exe
  • Flyff_PS.exe
  • game_collection.exe
  • Hacking.exe
  • how_to_be_an_hacker.pif
  • How_to_hack.exe
  • Cheatgenerator.exe
  • Icq_hack.exe
  • ICQ_hacker.exe
  • irc_bot_source.exe
  • Jessica_alba_screensaver.scr
  • Limewire_pro.exe
  • msn_plus.exe
  • nzm_bot.exe
  • PhotoshopCS3.exe
  • porn_%variable%.scr
  • Porn_Jessica_Alba.exe
  • Rapidshare_account.exe
  • skype_unlimited.exe
  • starcraft.exe
  • starcraft_ghost.exe
  • user.pif
  • user_sucks.exe
  • vb.net_ultra_worm.exe
  • VB6_install.exe
  • Vista_ultimate.exe
  • Warcraft3+expansion.exe
  • win_mediaplayer_11.exe
  • Windows_faster_tutorial.exe
  • Windows_NT.exe
  • windows_7_full.exe
  • Windows_Vista+Windows_7.exe
  • Windows7_withSerial.exe
  • WindowsVistaultimate.exe
  • WinXp.exe
  • WinXPpro.exe
  • Worldofwarcraft_crack.exe
  • worm_generator.exe
  • WOW_account.exe
  • yourmother.exe
  • Youtube_video_converter.exe
  • yugioh.exe

A string with variable content is used instead of %variable%.
