Thursday, December 06, 2007

SXS.EXE WORM

This memory-resident worm propagates by dropping a copy of itself as SXS.EXE in drive A and on other mounted drives of affected systems. To ensure that the dropped file executes automatically, it also drops an AUTORUN.INF in those drives.

When executed, it drops a copy of itself and its component .DLL file. It then injects the DLL into several running processes, enabling it to execute at every system startup.

This .DLL is also used to hook or steal information from the affected system.

This worm is capable of terminating running processes related to antivirus and security applications if it finds them running in memory. It does this by deleting specific entry data values in a certain registry key.

A script has been created to remove this worm automatically from your memory stick (flash drive) when you plug the memory stick into the machines on campus.

If you think you have the virus at home, please follow the link below, which describes how to remove it yourself: http://www.trendmicro.com.au/consumer/vinfo/encyclopedia.php?LYstr=VMAINDATA&vNav=1&VName=WORM_QQPASS.XL&highlight=WORM_QQPASS.XL


W32/QQPass.worm


Overview -

W32/QQPass.worm is a generic detection for worms that steal password information from QQ, a popular instant messaging application in China. These worms may spread through spam, instant messaging, removable media and other means.

Characteristics -

-- Update 12 March 2007 --

A new variant of this threat was recently found. Like most other variants, it can spread over network shares and removable media, creating the following file(s):

  • X:\AutoRun.inf
  • X:\setup.exe (W32/QQPass.worm)

(Where X: is the drive letter of the removable media or network share)

This variant also copies itself to %windir%\system\internat.exe and executes the binary with parameter /SleepDown.

-- Update 13 February 2007 --

Other than stealing IM passwords, a recent variant of this threat was found to routinely start the web browser and display pornographic website(s) hosted on one or more of the following domain(s):

  • {blocked}.021mm8.com

It also hooks application startup by modifying the following Windows Registry key(s):

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe wuaucl1.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\exefile\shell\open = "wuaucl1.exe "%1" %*"

Several copies of itself are installed at:

  • %Windir%\cmd.com
  • %Windir%\svchost.com
  • %Windir%\wuauclt1.exe
  • %Windir%\System32\driver.exe

(Where %Windir% is the Windows folder, e.g. C:\Windows)

Like most other variants, it can spread over network shares and removable media, creating the following file(s):

  • X:\AutoRun.inf
  • X:\update.exe (W32/QQPass.worm)

(Where X: is the drive letter of the removable media or network share)

-- Update 17 October 2006 --

W32/QQPass.worm has been deemed Low-Profiled due to media attention at http://www.macworld.co.uk/news/index.cfm?NewsID=16172&Page=1&pagePos=7

-- Update 16 October 2006 --

McDonald's in Japan announced that the MP3 players it gave away to its customers were infected with a variant of the W32/QQPass.worm virus. Connecting this MP3 player to a compatible Windows PC may result in its infection and subsequent theft of password information. An autorun.inf file present on the USB media may trigger the installation of a Windows PE file on the host machine (md5: 7E0534D3F797C15B3A532217765AA2EE / 166520 bytes).

This threat was detected as PWS-QQRob.dll trojan since DAT 4859 (September 25th, 2006).

Upon execution, the worm drops the following files:

  • %SYSTEMDIR%\svohost.exe (166520 bytes)
  • %SYSTEMDIR%\winscok.dll (33280 bytes) (detected as PWS-QQRob.dll)

It also copies itself to removable drives as:

  • sxs.exe (166520 bytes)
  • autorun.inf

The machine connecting to the removable drives will end up executing the worm.
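As an added illustration (this is not McAfee's description, nor the campus removal script the blog post above mentions), the following Python snippet triages a removable drive the way a defender would after reading the indicators in this write-up: it parses the drive's autorun.inf, reports which program each launch key points at, and flags the names this write-up gives for the worm's copy at the drive root (sxs.exe, setup.exe, update.exe). The autorun.inf text and the directory listing are constructed samples, and the function names are this example's own.

```python
import re
from typing import Dict, List

# Names this write-up lists for the worm's copy at the root of removable media
# and network shares (the blog post above reports the sxs.exe form).
QQPASS_DROP_NAMES = {"sxs.exe", "setup.exe", "update.exe"}


def parse_autorun(text: str) -> Dict[str, str]:
    """Parse the [autorun] section of an autorun.inf into {key: value}.

    Keys are case-insensitive in autorun.inf, so they are lower-cased here;
    values keep their original case. Lines outside [autorun] are ignored.
    """
    values: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip().lower()] = value.strip()
    return values


def launched_program(value: str) -> str:
    """Base name of the program an autorun value starts, e.g.
    '.\\SXS.EXE /SleepDown' -> 'sxs.exe'. Quoted paths are handled."""
    m = re.match(r'\s*(?:"([^"]*)"|(\S+))', value)
    token = (m.group(1) or m.group(2) or "") if m else ""
    return token.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_exec_key(key: str) -> bool:
    """autorun.inf keys that run a program on insert or when the drive is opened."""
    return key in ("open", "shellexecute") or (
        key.startswith("shell\\") and key.endswith("\\command"))


def triage_drive(autorun_text: str, root_listing: List[str]) -> List[str]:
    """Findings for one drive: what its autorun.inf launches, and whether any
    of the worm's drop names sit at the drive root."""
    findings: List[str] = []
    present = {name.lower() for name in root_listing}
    for key, value in parse_autorun(autorun_text).items():
        if not is_exec_key(key):
            continue
        exe = launched_program(value)
        if exe in QQPASS_DROP_NAMES:
            findings.append(f"{key}= launches {exe} (W32/QQPass.worm drop name)")
        elif exe in present:
            findings.append(f"{key}= launches {exe} from the drive root (review)")
    for name in sorted(QQPASS_DROP_NAMES & present):
        findings.append(f"{name} present at drive root")
    return findings


# Constructed sample: an autorun.inf of the kind the write-up describes, plus a
# directory listing of the same drive. Not captured from a real infection.
SAMPLE_AUTORUN = """[AutoRun]
open=sxs.exe
shellexecute=sxs.exe
shell\\Auto\\command=sxs.exe
shell=Auto
"""
SAMPLE_ROOT = ["AutoRun.inf", "SXS.EXE", "holiday photos"]

if __name__ == "__main__":
    for finding in triage_drive(SAMPLE_AUTORUN, SAMPLE_ROOT):
        print(finding)
```

The parser deliberately treats every `shell\<verb>\command` key as a launch key, not only `open` and `shellexecute`, because a drop name reachable through any of those verbs is executed when the drive is double-clicked or its context menu entry is chosen.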

The following registry keys are added:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\soundmam = "%SYSTEMDIR%\SVOHOST.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrivetypeautorun = "189"
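The registry changes listed in the 13 February 2007 update and the ones just above are the entries a responder would check first. The following Python check is an added example, not McAfee's tool or the Stinger utility named later on this page: it takes a snapshot of exported registry values and reports a Winlogon Shell that starts anything besides Explorer.exe, an exefile open command that no longer begins with "%1", Run entries pointing at the file names this write-up lists, and the NoDriveTypeAutoRun policy value decoded into the drive types it disables AutoRun for. The snapshot is constructed; the key paths are copied as the write-up gives them, and the helper names are this example's own.

```python
import re
from typing import Dict, List

# Registry locations named in this write-up (paths copied as given there).
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXEFILE_OPEN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\exefile\shell\open"
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
EXPLORER_POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

# Base names of the files the write-up says the worm installs. Both spellings
# of the wuaucl(t)1.exe name appear in the write-up, so both are listed.
QQPASS_FILE_NAMES = {"svohost.exe", "cmd.com", "svchost.com", "wuauclt1.exe",
                     "wuaucl1.exe", "driver.exe", "internat.exe"}

# NoDriveTypeAutoRun is a bitmask; a set bit disables AutoRun for that drive type.
NO_DRIVE_TYPE_BITS = [(0x01, "unknown"), (0x04, "removable"), (0x08, "fixed"),
                      (0x10, "remote"), (0x20, "CD-ROM"), (0x40, "RAM disk"),
                      (0x80, "reserved")]

Snapshot = Dict[str, Dict[str, str]]  # {key path: {value name: data}}


def base_name(command: str) -> str:
    """Executable base name from value data such as
    '%SYSTEMDIR%\\SVOHOST.exe' or 'wuaucl1.exe "%1" %*'."""
    m = re.match(r'\s*(?:"([^"]*)"|(\S+))', command)
    token = (m.group(1) or m.group(2) or "") if m else ""
    return token.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def get_value(snapshot: Snapshot, key: str, name: str):
    """Case-insensitive lookup of one value; None if the key or value is absent."""
    for k, values in snapshot.items():
        if k.lower() == key.lower():
            for n, data in values.items():
                if n.lower() == name.lower():
                    return data
    return None


def decode_no_drive_type_autorun(value) -> List[str]:
    """Drive types for which AutoRun is disabled by a NoDriveTypeAutoRun value
    (accepts an int, or a decimal/hex string as exported from the registry)."""
    mask = int(str(value), 0)
    return [label for bit, label in NO_DRIVE_TYPE_BITS if mask & bit]


def check_registry(snapshot: Snapshot) -> List[str]:
    findings: List[str] = []

    # 1. Winlogon\Shell should be exactly Explorer.exe; extra tokens are
    #    programs started with every interactive logon.
    shell = get_value(snapshot, WINLOGON_KEY, "Shell")
    if shell is not None:
        extra = [t for t in shell.split() if t.lower() != "explorer.exe"]
        if extra:
            findings.append(f"Winlogon\\Shell also starts: {' '.join(extra)}")

    # 2. The .exe open command is normally just "%1" %*; a program in front of
    #    it runs every time any .exe is launched (write-up: wuaucl1.exe).
    open_cmd = get_value(snapshot, EXEFILE_OPEN_KEY, "(Default)")
    if open_cmd is not None and not open_cmd.lstrip().startswith('"%1"'):
        findings.append(f"exefile open command hijacked by {base_name(open_cmd)}")

    # 3. Run entries whose target is one of the worm's drop names.
    for k, values in snapshot.items():
        if k.lower() == RUN_KEY.lower():
            for name, data in values.items():
                if base_name(data) in QQPASS_FILE_NAMES:
                    findings.append(f"Run\\{name} starts {data}")

    # 4. Report the AutoRun policy value the write-up says the worm adds, decoded.
    policy = get_value(snapshot, EXPLORER_POLICY_KEY, "NoDriveTypeAutoRun")
    if policy is not None:
        disabled = ", ".join(decode_no_drive_type_autorun(policy))
        findings.append(f"NoDriveTypeAutoRun={policy}: AutoRun disabled for {disabled}")
    return findings


# Constructed snapshot modelled on the values the write-up lists; the ctfmon
# entry is a normal Windows XP Run value included to show it is not flagged.
SAMPLE_SNAPSHOT: Snapshot = {
    WINLOGON_KEY: {"Shell": "Explorer.exe wuaucl1.exe"},
    EXEFILE_OPEN_KEY: {"(Default)": 'wuaucl1.exe "%1" %*'},
    RUN_KEY: {"soundmam": r"%SYSTEMDIR%\SVOHOST.exe",
              "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
    EXPLORER_POLICY_KEY: {"NoDrivetypeautorun": "189"},
}

if __name__ == "__main__":
    for finding in check_registry(SAMPLE_SNAPSHOT):
        print(finding)
```

Matching on the base name rather than the full path is deliberate: the write-up gives the targets with environment variables (%SYSTEMDIR%, %Windir%) that expand differently per host, and a value such as svchost.com must not be confused with the legitimate svchost.exe, which is why the comparison is on the exact base name including extension.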

The accompanying DLL component monitors the window of the Chinese instant messenger QQ.exe and logs keystrokes. The captured information is sent to the author via both SMTP and HTTP.

The worm terminates the following services:

  • KVWSC
  • KVSrvXP
  • kavsvc
  • RsRavMon
  • RsCCenter

The worm terminates the following processes:

  • PFW.exe
  • Kav.exe
  • KVOL.exe
  • KVFW.exe
  • TBMon.exe
  • kav32.exe
  • kvwsc.exe
  • CCAPP.exe
  • EGHOST.exe
  • KRegEx.exe
  • kavsvc.exe
  • VPTray.exe
  • RAVMON.exe
  • KavPFW.exe
  • SHSTAT.exe
  • RavTask.exe
  • TrojDie.kxp
  • Iparmor.exe
  • MAILMON.exe
  • MCAGENT.exe
  • KAVPLUS.exe
  • RavMonD.exe
  • Rtvscan.exe
  • Nvsvc32.exe
  • KVMonXP.exe
  • Kvsrvxp.exe
  • CCenter.exe
  • KpopMon.exe
  • RfwMain.exe
  • KWATCHUI.exe
  • MCVSESCN.exe
  • MSKAGENT.exe
  • kvolself.exe
  • KVCenter.kxp
  • kavstart.exe
  • RAVTIMER.exe
  • RRfwMain.exe
  • FireTray.exe
  • UpdaterUI.exe
  • KVSrvXp_1.exe
  • RavService.exe

Symptoms -

  • Existence of files and registry keys mentioned.

Method of Infection -

  • The worm spreads via removable drives.

Removal -

All Users :

  • Restart Windows in Safe Mode
  • Use current engine and DAT files for detection and removal.
  • Restart the computer

Additional Windows ME/XP removal considerations

Stinger:

A Stinger Standalone removal tool has been released to assist in repairing this threat.

Variants -

    N/A
