MSIL/Zamog [Threat Name]
MSIL/Zamog.A [Threat Variant Name]
Category: worm
Size: 122034 B
Aliases:
- P2P-Worm.MSIL.Lolmehot.a (Kaspersky)
- W32.SillyFDC.BDL (Symantec)
- Generic.dx!rxe.trojan (McAfee)
Short description
MSIL/Zamog.A is a worm that spreads via shared folders and removable media.
Installation
When executed, the worm copies itself to the following locations:
- %temp%\svchost.exe
- %systemdrive%\ntldr.exe
- %system%\drivers\tmpp.exe
In order to be executed on system start, the worm sets the following Registry entry:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
- "Userinit" = "%system%\Userinit.exe,%temp%\svchost.exe"
The following Registry entries are set:
- [HKEY_CURRENT_USER\Identities\Software\Microsoft\Outlook Express\5.0\signatures]
- "Default Signature" = "C:\WINDOWS\system32.htm/f"
- [HKEY_CURRENT_USER\Software\Patchou\Messenger Plus! Live\GlobalSettings\Scripts\MSN PLUS]
- "background" = "C:\WINDOWS\system32.htm"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
- "Hidden" = 1
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
- "HideFileExt" = 1
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
- "SuperHidden" = 0
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
- "ShowSuperHidden" = 1
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
- "NoFind" = 1
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
- "NoFolderOptions" = 1
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
- "EnableLUA" = "0"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
- "DisableConfig" = 1
- [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
- "DisableSR" = 1
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Firewall]
- "ImagePath" = "%malwarefilepath%"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Firewall]
- "DisplayName" = "Default Windows Firewall"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Firewall]
- "ObjectName" = "LocalSystem"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Firewall]
- "Start" = 2
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Firewall]
- "ErrorControl" = 0
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Firewall]
- "Type" = 110
Spreading on removable media
The worm copies itself into the root folders of removable drives using the following name:
- ntldr.exe
The worm creates the following file:
- %drive%\autorun.inf
Thus, the worm ensures it is started each time infected media is inserted into the computer.
The %drive%\ntldr.exe and %drive%\autorun.inf files may have the System (S) and Hidden (H) attributes set in an attempt to hide them in Windows Explorer.
Spreading via P2P networks
The worm creates copies of itself in folders accessed by the following applications:
- BearShare
- eDonkey2000
- eMule
- Gnucleus
- Grokster
- ICQ
- KaZaa Lite
- KaZaa
- Morpheus
- Direct Connect
- Kazaa Media Desktop
- LimeWire
The following filenames are used:
- %username%_naked.exe
- %variable%.exe
- %variable%.rar
- %variable%ea-keygen.exe
- %variable%ea-keygen.rar
- 1000_worm_sources.exe
- allexploits.exe
- battlefield2-3.exe
- battlefield2-3.rar
- become_hacker.exe
- best_porn.rar
- best_porn.scr
- bitdefender+crack.exe
- britney_spears_naked.rar
- britney_spears_naked.scr
- C&C_%variable%.exe
- C&C_%variable%.rar
- callofduty.exe
- callofduty3.exe
- callofduty4.exe
- callofduty5.exe
- callofduty6.exe
- cod6.exe
- Conficker_removal.exe
- Conficker_source.exe
- ea_games-cdkey.exe
- Emule_speedup.exe
- every_youpornvid.pif
- exploit_pack.exe
- Flyff_PS.exe
- game_collection.exe
- Hacking.exe
- how_to_be_an_hacker.pif
- How_to_hack.exe
- Cheatgenerator.exe
- Icq_hack.exe
- ICQ_hacker.exe
- icq_unlimited.%variable%.exe
- icq_unlimited.%variable%.rar
- irc_bot_source.exe
- Jessica_alba_screensaver.scr
- Limewire_pro.exe
- msn_plus.exe
- nzm_bot.exe
- PhotoshopCS3.exe
- Porn_Jessica_Alba.exe
- Rapidshare_account.exe
- virtual_girls_all.rar
- virtual_girls_all.scr
- virusgen.exe
- virusgen.rar
- windows_vista.exe
- windows_vista.rar
- wormgenerator.exe
- wormgenerator.rar
The %variable% represents a random number.
Spreading via shared folders
The worm searches for computers on the local network. It tries to copy itself into the following shares on a remote machine:
- C$
- IPC$
- Admin$
- D$
- Print$
The worm tries to copy itself to the available shared network folders.
The following filenames are used:
- funny.scr
- LOOL.pif
- STUPID.scr
- INSTALL.scr
- README.scr
- %variable%.scr
The following usernames are used:
- administrator
- admin
- %username%
The following passwords are used:
- %username%
- admin
- administrator
- ass
- bla
- bla123
- bruns
- dont
- fuck
- homepc
- jew
- john
- kevin
- lol
- lol123
- love
- me
- myhomecomputer
- myhomepc
- omfg
- omg
- piss
- root
- shit
- tom
- user
- xD
A string with variable content is used instead of %variable%.
Other information
The worm creates the following files:
- %system%\launch.bat
- %system%\launch.vbs
- %system%\launchh.bat
- %system%\launchh.vbs
- %system%\net.vbs
- %windir%\tmpp.log
- %windir%\system32.htm
- %windir%\tam.dll
- %windir%\input%variable%.blp
- %windir%\teest.txt
- %windir%\input123.blp
- %windir%\%variable%.blp
- %system%\wan.vbs
- %windir%\system32\13l.dll
- %windir%\system32\sys.rar
- %windir%\system32\tomp.txt
- %windir%\krnsys.dll
- %windir%\temp.dtx
- C:\Windows\System32\logg.txt
The %variable% represents a random number.
The worm tries to download several files from the Internet.
The worm connects to the following addresses:
- netmegasite.net
- mh-2.gnet.ba
The files are saved to the following locations:
- %system%\extract.exe
- %system%\svchost001.exe
- %system%\logstm.txt
- %system%\logstm123.txt
The worm modifies the following file:
- %windir%\system32\drivers\etc\hosts
The worm writes the following entries to the file, effectively disabling access to the listed Internet sites:
- 127.0.0.1 avp.com
- 127.0.0.1 customer.symantec.com
- 127.0.0.1 dispatch.mcafee.com
- 127.0.0.1 download.mcafee.com
- 127.0.0.1 f-secure.com
- 127.0.0.1 kaspersky.com
- 127.0.0.1 liveupdate.symantec.com
- 127.0.0.1 liveupdate.symantecliveupdate.com
- 127.0.0.1 mast.mcafee.com
- 127.0.0.1 mcafee.com
- 127.0.0.1 metalhead2005.info
- 127.0.0.1 my-etrust.com
- 127.0.0.1 nai.com
- 127.0.0.1 networkassociates.com
- 127.0.0.1 rads.mcafee.com
- 127.0.0.1 secure.nai.com
- 127.0.0.1 securityresponse.symantec.com
- 127.0.0.1 sophos.com
- 127.0.0.1 symantec.com
- 127.0.0.1 trendmicro.com
- 127.0.0.1 update.symantec.com
- 127.0.0.1 updates.symantec.com
- 127.0.0.1 us.mcafee.com
- 127.0.0.1 viruslist.com
- 127.0.0.1 www.avast.com
- 127.0.0.1 www.avp.com
- 127.0.0.1 www.bitdefender.com
- 127.0.0.1 www.ca.com ca.com
- 127.0.0.1 www.eset.com
- 127.0.0.1 www.f-prot.com
- 127.0.0.1 www.f-secure.com
- 127.0.0.1 www.grisoft.com
- 127.0.0.1 www.kaspersky.com
- 127.0.0.1 www.mcafee.com
- 127.0.0.1 www.microsoft.com
- 127.0.0.1 www.my-etrust.com
- 127.0.0.1 www.nai.com
- 127.0.0.1 www.networkassociates.com
- 127.0.0.1 www.norman.com
- 127.0.0.1 www.sophos.com
- 127.0.0.1 www.symantec.com
- 127.0.0.1 www.trendmicro.com
- 127.0.0.1 www.viruslist.com
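Two of the behaviours described on this page, the extra entry appended to the Winlogon Userinit value (see Installation) and the loopback pinning of security-vendor domains in the hosts file, can be checked offline with the following script. It is an added example, not ESET's code; the hosts lines and the Userinit value it inspects are constructed samples, and the vendor-domain list is taken from the entries listed above.

```python
import re

# Domains the page lists as pinned to 127.0.0.1 (suffix match also covers www./update. hosts).
VENDOR_DOMAINS = (
    "avp.com", "symantec.com", "mcafee.com", "f-secure.com", "kaspersky.com",
    "nai.com", "sophos.com", "trendmicro.com", "avast.com", "bitdefender.com",
    "eset.com", "grisoft.com", "viruslist.com", "ca.com", "microsoft.com",
)
LOOPBACK = ("127.", "::1")

def _is_vendor_host(host):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS)

def find_sinkholed_vendor_hosts(hosts_text):
    """Return (ip, hostname) pairs where a security-vendor host is mapped to loopback.
    A hosts line is '<ip> <host> [<host>...] [# comment]'; comments and blanks are skipped."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        if not ip.startswith(LOOPBACK):
            continue
        hits.extend((ip, n) for n in names if _is_vendor_host(n))
    return hits

def extra_userinit_entries(userinit_value):
    """Winlogon\\Userinit normally holds one entry, '<system>\\userinit.exe,' (trailing comma).
    Any additional comma-separated path, like the %temp%\\svchost.exe added here, is returned."""
    entries = [e.strip() for e in userinit_value.split(",") if e.strip()]
    return [e for e in entries if not e.lower().endswith("\\userinit.exe")]

# Constructed sample data: a hosts file after the described modification plus benign lines.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 liveupdate.symantec.com
127.0.0.1 www.ca.com ca.com
10.0.0.5  intranet.example  # constructed internal host
"""
SAMPLE_USERINIT = r"C:\WINDOWS\system32\userinit.exe,C:\Users\alice\AppData\Local\Temp\svchost.exe"

if __name__ == "__main__":
    for ip, host in find_sinkholed_vendor_hosts(SAMPLE_HOSTS):
        print(f"hosts file pins {host} to {ip}")
    for entry in extra_userinit_entries(SAMPLE_USERINIT):
        print(f"unexpected Userinit entry: {entry}")
```

On a live Windows host the same two functions can be fed the contents of %windir%\system32\drivers\etc\hosts and the Userinit value read from the Winlogon key.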
The worm also connects to the following address:
- http://www.whatismyip.com/automation/n09230945.asp
The worm executes the following commands:
- netsh interface ip set dns * static 216.146.35.35,216.146.36.36
- netsh firewall set opmode mode=disable
The worm copies itself to the following locations:
- C:\Documents and Settings\user\Application Data*
- C:\My Downloads
- %programfiles%\XPCode
- C:\Inetpub\ftproot
- C:\appserv\www\%variable%
- C:\%programfiles%\appserv\www
- C:\Documents and Settings\user\Application Data\Microsoft\Messenger
- %systemdrive%\*shar*
- %systemdrive%\*www*
The following filenames are used:
- %username%_naked.exe
- 1000_worm_sources.exe
- allexploits.exe
- become_hacker.exe
- bitdefender+crack.exe
- callofduty.exe
- callofduty3.exe
- callofduty4.exe
- callofduty5.exe
- callofduty6.exe
- cod6.exe
- Conficker_removal.exe
- Conficker_source.exe
- ea_games-cdkey.exe
- Emule_speedup.exe
- every_youpornvid.pif
- exploit_pack.exe
- Flyff_PS.exe
- game_collection.exe
- Hacking.exe
- how_to_be_an_hacker.pif
- How_to_hack.exe
- Cheatgenerator.exe
- Icq_hack.exe
- ICQ_hacker.exe
- irc_bot_source.exe
- Jessica_alba_screensaver.scr
- Limewire_pro.exe
- msn_plus.exe
- nzm_bot.exe
- PhotoshopCS3.exe
- porn_%variable%.scr
- Porn_Jessica_Alba.exe
- Rapidshare_account.exe
- skype_unlimited.exe
- starcraft.exe
- starcraft_ghost.exe
- user.pif
- user_sucks.exe
- vb.net_ultra_worm.exe
- VB6_install.exe
- Vista_ultimate.exe
- Warcraft3+expansion.exe
- win_mediaplayer_11.exe
- Windows_faster_tutorial.exe
- Windows_NT.exe
- windows_7_full.exe
- Windows_Vista+Windows_7.exe
- Windows7_withSerial.exe
- WindowsVistaultimate.exe
- WinXp.exe
- WinXPpro.exe
- Worldofwarcraft_crack.exe
- worm_generator.exe
- WOW_account.exe
- yourmother.exe
- Youtube_video_converter.exe
- yugioh.exe
A string with variable content is used instead of %variable%.