Win32/Chainsaw [Threat Name]

Win32/Chainsaw.C [Threat Variant Name]

Category worm
Size 35328 B
Detection created Oct 06, 2010
Detection database version 5509
Aliases Worm.Win32.Chainsaw.a (Kaspersky)
  W32/Chainsaw.worm (McAfee)
  W32.Chainsaw.Worm (Symantec)
Short description

Win32/Chainsaw.C is a worm that spreads over the network by exploiting vulnerabilities in the operating system.

Installation

When executed, the worm copies itself into the following location:

  • %system%\WINMINE.EXE

In order to be executed on every system start, the worm sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Mines" = "%system%\WINMINE.EXE"

The worm modifies the following file:

  • %windir%\win.ini

The worm may create the following file:

  • %malwarefolder%\BBQ666.COM

Payload information

The worm overwrites the Boot Record of all drives with its own data.

The written data contains the following string:

THE FILM WHICH YOU ARE ABOUT TO SEE IS AN ACCOUNT OF THE TRAGEDY WHICH BEFELL A GROUP OF FIVE YOUTHS. IN PARTICULAR SALLY HARDESTY AND HER INVALID BROTHER FRANKLIN. IT IS ALL THE MORE TRAGIC IN THAT THEY WERE YOUNG. BUT, HAD THEY LIVED VERY, VERY LONG LIVES, THEY COULD NOT HAVE EXPECTED NOR WOULD THEY HAVE WISHED TO SEE AS MUCH OF THE MAD AND MACABRE AS THEY WERE TO SEE THAT DAY. FOR THEM AN IDYLLIC SUMMER AFTERNOON DRIVE BECAME A NIGHTMARE. THE EVENTS OF THAT DAY WERE TO LEAD TO THE DISCOVERY OF ONE OF THE MOST BIZARRE CRIMES IN THE ANNALS OF AMERICAN HISTORY, THE TEXAS CHAIN SAW MASSACRE...
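A sector-level triage for the boot-record overwrite described above, added here as an example; it is not ESET's code and not taken from the worm. It reads the first 512 bytes of a drive or disk image, checks the 0x55AA boot signature and the plausibility of the MBR partition table at offset 0x1BE, and searches for a fragment of the quoted text. The two sample sectors are constructed: the page does not document what the worm writes beyond the string, so the layout of the "overwritten" sample (text filling the whole sector) is an assumption.

```python
"""Triage a 512-byte boot record for the overwrite described on this page.

Added example, not code from the page or from the worm. The sample sectors
built below are constructed for illustration.
"""
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"            # last two bytes of a valid MBR/VBR
PARTITION_TABLE_OFFSET = 0x1BE          # four 16-byte entries in an MBR
# Fragment of the text the page says the worm writes; matched case-insensitively.
MARKER = b"THE TEXAS CHAIN SAW MASSACRE"


def read_boot_record(path):
    """Read sector 0 of a raw device or disk image."""
    # e.g. \\.\PhysicalDrive0 on Windows, /dev/sda on Linux, or a dd image anywhere
    with open(path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def partition_table_plausible(sector):
    """Cheap sanity check of the four MBR partition entries.

    Status must be 0x00 (inactive) or 0x80 (bootable), at most one entry may be
    bootable, and a non-empty entry must have a non-zero sector count. Some boot
    managers use other status bytes, so treat False as a lead, not as proof.
    """
    bootable = 0
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, ptype = sector[off], sector[off + 4]
        _start_lba, size = struct.unpack_from("<II", sector, off + 8)
        if status not in (0x00, 0x80):
            return False
        if status == 0x80:
            bootable += 1
        if ptype != 0 and size == 0:
            return False
    return bootable <= 1


def triage_boot_record(sector):
    """Return the three indicators a responder would look at first."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    return {
        "signature_ok": sector[-2:] == BOOT_SIGNATURE,
        "marker_present": MARKER in sector.upper(),
        "partition_table_plausible": partition_table_plausible(sector),
    }


def looks_overwritten(sector):
    """True if any indicator suggests the boot record is not what Windows wrote."""
    t = triage_boot_record(sector)
    return t["marker_present"] or not t["signature_ok"] or not t["partition_table_plausible"]


# --- constructed samples ---------------------------------------------------

def build_clean_mbr():
    """An MBR with one bootable partition and a valid signature (constructed)."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xeb\x3c\x90"      # jmp short into boot code, as real loaders start
    # status 0x80, CHS start, type 0x07, CHS end, LBA start 63, 1,000,000 sectors
    sector[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 16] = struct.pack(
        "<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 1_000_000)
    sector[-2:] = BOOT_SIGNATURE
    return bytes(sector)


def build_overwritten_mbr():
    """A sector filled with the quoted text, clobbering table and signature (constructed)."""
    text = (b"THE FILM WHICH YOU ARE ABOUT TO SEE IS AN ACCOUNT OF THE TRAGEDY ... "
            b"THE TEXAS CHAIN SAW MASSACRE... ")
    return (text * (SECTOR_SIZE // len(text) + 1))[:SECTOR_SIZE]


if __name__ == "__main__":
    for name, sector in (("clean", build_clean_mbr()), ("overwritten", build_overwritten_mbr())):
        verdict = "SUSPECT" if looks_overwritten(sector) else "ok"
        print(name, triage_boot_record(sector), "->", verdict)
```

Because the page says every drive is hit, run `read_boot_record` against each physical drive rather than only the system disk; an image taken before cleaning also lets you compare the recovered partition table against what the filesystems on the disk actually occupy.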

Spreading

Win32/Chainsaw.C is a worm that spreads over the network by exploiting vulnerabilities in the operating system.

The worm generates random IP addresses.

It tries to connect to the remote machines on the following ports:

  • 139
  • 12345
  • 12346
  • 27374

If the connection succeeds, the remote computer attempts to connect to the infected computer and download a copy of the worm.


The following filename is used:

  • Chainsaw.exe
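The probing described above, turned into a detection over connection logs. This is an added example, not ESET's code: the log format and every line in SAMPLE_LOG are constructed, and the threshold of five distinct targets is an assumption to tune per network. Port 139 is the NetBIOS session service; 12345/12346 and 27374 are the default listening ports of the NetBus and SubSeven backdoors, so a host that answers on one of them was compromised before the worm arrived and needs its own investigation.

```python
"""Flag hosts probing the ports listed on this page across many distinct peers.

Added example, not from the page. The log format and the lines in SAMPLE_LOG
are constructed: "<timestamp> <src> <dst> <dport> <action>", one attempt per line.
"""
import re
from collections import defaultdict

# Ports the page says the worm probes. 139 is the NetBIOS session service;
# 12345/12346 and 27374 are the default ports of the NetBus and SubSeven
# backdoors, so a peer that answers on them is itself a finding.
CHAINSAW_PORTS = {139, 12345, 12346, 27374}

SAMPLE_LOG = """\
2010-10-06T10:00:01Z 10.0.0.5 17.44.201.9 139 SYN
2010-10-06T10:00:01Z 10.0.0.5 17.44.201.9 12345 SYN
2010-10-06T10:00:02Z 10.0.0.5 92.3.118.240 139 SYN
2010-10-06T10:00:02Z 10.0.0.5 92.3.118.240 27374 SYN
2010-10-06T10:00:03Z 10.0.0.5 131.77.0.14 12346 SYN
2010-10-06T10:00:03Z 10.0.0.5 203.0.113.7 139 SYN
2010-10-06T10:00:04Z 10.0.0.5 45.190.2.200 139 SYN
2010-10-06T10:00:04Z 10.0.0.5 178.21.99.1 12345 SYN
2010-10-06T10:00:05Z 10.0.0.5 66.249.10.10 27374 SYN
2010-10-06T10:00:05Z 10.0.0.5 198.51.100.23 139 SYN
2010-10-06T10:00:06Z 10.0.0.9 10.0.0.20 139 SYN
2010-10-06T10:00:07Z 10.0.0.9 10.0.0.20 139 SYN
2010-10-06T10:00:08Z 10.0.0.9 10.0.0.21 445 SYN
2010-10-06T10:00:09Z 10.0.0.12 93.184.216.34 80 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<dport>\d+)\s+(?P<action>\S+)$")


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def find_scanners(lines, min_distinct_targets=5, ports=CHAINSAW_PORTS):
    """Sources that touched >= min_distinct_targets distinct peers on the given ports.

    A worm that picks random addresses also scatters its targets across many /8
    networks, so the count of distinct first octets is reported as a second
    signal: legitimate file-sharing traffic clusters in a few local ranges.
    """
    per_src = defaultdict(lambda: {"dsts": set(), "ports": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] not in ports:
            continue
        per_src[rec["src"]]["dsts"].add(rec["dst"])
        per_src[rec["src"]]["ports"].add(rec["dport"])
    report = {}
    for src, seen in per_src.items():
        if len(seen["dsts"]) < min_distinct_targets:
            continue
        report[src] = {
            "distinct_targets": len(seen["dsts"]),
            "distinct_first_octets": len({d.split(".")[0] for d in seen["dsts"]}),
            "ports": sorted(seen["ports"]),
        }
    return report


if __name__ == "__main__":
    for src, info in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {info}")
```

On the constructed log only 10.0.0.5 is reported: ten attempts against eight different hosts in eight different /8 networks, on all four ports. The workstation 10.0.0.9 talking repeatedly to one file server on 139 stays below the threshold, which is the distinction the first-octet count is there to make explicit.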

The worm modifies the following file on the remote machine:

  • \\%remotemachine%\%windir%\win.ini

It writes the following entry to the run= key of the file's [windows] section:

  • run=%malwarepath%

This causes the worm to be executed on every start of the remote system.
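The two autostart mechanisms this page describes, the win.ini run= line written here and under Installation, and the "Mines" value in the HKCU Run key, checked from a single script. This is an added example, not ESET's code: SAMPLE_WIN_INI and the Run-key dictionaries used with it are constructed. The same parser works on a win.ini copied from a remote host, which is where the worm writes it. One caveat a responder needs: winmine.exe is also the name of the Minesweeper game that ships with Windows, so the filename on disk proves nothing; Minesweeper is never autostarted, and an autostart entry pointing at it is the indicator.

```python
"""Find the autostart entries this page describes in win.ini text and in an
exported Run key. Added example, not from the page; SAMPLE_WIN_INI and the
Run-key dictionaries passed to run_key_indicators are constructed.
"""
import ntpath
import re

# Filenames the page associates with Win32/Chainsaw.C. winmine.exe is also the
# Minesweeper game that ships with Windows, so the name alone proves nothing;
# only an autostart entry pointing at it is suspicious.
CHAINSAW_NAMES = {"winmine.exe", "chainsaw.exe", "bbq666.com"}
CHAINSAW_RUN_VALUE = "mines"            # value name the page gives for the Run key

# A program list in win.ini (run= accepts several, separated by spaces or
# commas) or a Run-key command line; double quotes protect paths with spaces.
_TOKEN_RE = re.compile(r'"[^"]*"|[^\s,]+')

SAMPLE_WIN_INI = """\
; constructed win.ini: the run= line is the kind of entry the page describes
[windows]
load=
run=C:\\WINDOWS\\SYSTEM32\\WINMINE.EXE
NullPort=None
[Desktop]
Wallpaper=(None)
"""


def _programs(value):
    """Split a program list / command line into paths, dropping the quotes."""
    return [tok.strip('"') for tok in _TOKEN_RE.findall(value)]


def autostart_entries(text):
    """Programs named by run= and load= in the [windows] section of win.ini text."""
    section, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "windows" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() in ("run", "load"):
            entries.extend(_programs(value))
    return entries


def suspicious_autostarts(text):
    """win.ini autostart programs whose filename matches the page's indicators."""
    return [p for p in autostart_entries(text)
            if ntpath.basename(p).lower() in CHAINSAW_NAMES]


def run_key_indicators(run_values):
    """Value names under HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
    that match the page's indicators.

    run_values maps value name -> command string, as exported from the key.
    """
    hits = []
    for name, command in run_values.items():
        programs = _programs(command)
        exe = ntpath.basename(programs[0]).lower() if programs else ""
        if name.lower() == CHAINSAW_RUN_VALUE or exe in CHAINSAW_NAMES:
            hits.append(name)
    return hits


if __name__ == "__main__":
    print("win.ini autostarts:", autostart_entries(SAMPLE_WIN_INI))
    print("suspicious:", suspicious_autostarts(SAMPLE_WIN_INI))
```

Any non-empty run= or load= value in win.ini is worth a look on its own; modern Windows still honours these keys for compatibility and legitimate software almost never uses them, so `autostart_entries` is the function to sweep with and `suspicious_autostarts` only narrows the result to this family.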

Other information

The worm affects the behavior of the following applications:

  • ZoneAlarm

The worm can be used for sending spam.
