Weekly Review - The worm that goes against “manele” returns
Trojan.Iframe.FO
Another piece of JavaScript injected into otherwise clean websites. It creates two invisible iframes (height 0) in the main page and detects which browser the victim is using. It then loads different malware-spreading pages inside the iframes, chosen for that browser, in an attempt to infect the user.
Infected computers are marked with a cookie.
Win32.Worm.Delf.NFW
This is a worm written in Delphi that appears to originate in Romania. It spreads through common peer-to-peer file-sharing software (StrongDC, ApexDC, DCPlusPlus and oDC).
Once executed, the worm creates a file named System32.F2.sys, which it fills with a huge list of movie, software, crack and keygen names. It then checks for the presence of the DC clients mentioned above and attempts to open the DCPlusPlus.xml file, usually found in the same folder as the application. This file holds the client's configuration directives and the list of shared folders the worm can spread from.
The worm adds the entry C:\Program Files\Common Files\System Internals 32bits\ to that share list and creates the folder on disk.
Inside it, the worm creates a directory for every entry found in System32.F2.sys. In each of those directories it places copies of itself with double extensions, for example some_new_movie.avi.exe or some_new_movie.sub.exe. In this way the worm creates over 1000 folders, each holding at least one copy of itself. The next time the infected user starts the DC client, it hashes and shares the whole folder, allowing the worm to spread.
It also creates the registry entry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\TuneUp, which points to the file C:\Program Files\Common Files\System Internals 32bits\TuneUp.exe, ensuring the worm is executed on every system start.
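The three persistence and spreading artefacts described above (the share entry in DCPlusPlus.xml, the tree of double-extension executables, and the TuneUp Run value) can be checked with a small triage script. This is an added example, not BitDefender's code; it assumes DCPlusPlus.xml lists shares as <Share><Directory>path</Directory></Share>, takes the Run values as a plain dict so it runs offline, and builds a constructed sample tree to scan.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Indicators quoted from the write-up above (share folder, Run value and its target).
WORM_SHARE_DIR = r"C:\Program Files\Common Files\System Internals 32bits"
WORM_RUN_VALUE = "TuneUp"
WORM_RUN_TARGET = WORM_SHARE_DIR + r"\TuneUp.exe"
# "movie.avi.exe", "movie.sub.exe": a media/archive extension followed by an executable one.
DOUBLE_EXT = re.compile(r"\.(avi|mpg|mp3|sub|srt|zip|rar|txt)\.(exe|scr|com|pif|bat)$", re.I)

def shared_dirs(xml_text):
    """Share paths from a DCPlusPlus.xml; assumes the <Share><Directory>path</Directory> layout."""
    root = ET.fromstring(xml_text)
    return [d.text.strip() for d in root.iter("Directory") if d.text]

def has_worm_share(xml_text):
    """True if the worm's folder has been added to the client's share list."""
    return any(p.rstrip("\\").lower() == WORM_SHARE_DIR.lower() for p in shared_dirs(xml_text))

def has_worm_run_key(run_values):
    """run_values: {value name: command} as exported from HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run."""
    cmd = run_values.get(WORM_RUN_VALUE, "").strip().strip('"')
    return cmd.lower() == WORM_RUN_TARGET.lower()

def scan_share(root_dir):
    """Walk a share tree; return (number of subfolders, paths of double-extension executables)."""
    folders, hits = 0, []
    for dirpath, dirnames, filenames in os.walk(root_dir):
        folders += len(dirnames)
        hits += [os.path.join(dirpath, f) for f in filenames if DOUBLE_EXT.search(f)]
    return folders, hits

def looks_like_delf_nfw(root_dir, min_folders=1000):
    """Flag a share where at least min_folders subfolders each carry a double-extension executable."""
    folders, hits = scan_share(root_dir)
    return folders >= min_folders and len(hits) >= folders

def build_sample_share(n_folders=3):
    """Constructed sample tree mimicking the worm's layout (inert files, not malware); returns its path."""
    root = tempfile.mkdtemp()
    for i in range(n_folders):
        d = os.path.join(root, f"some_new_movie_{i}")
        os.mkdir(d)
        with open(os.path.join(d, f"some_new_movie_{i}.avi.exe"), "wb") as fh:
            fh.write(b"MZ placeholder")  # inert bytes; only the file name matters here
    return root
```

The folder threshold defaults to the "over 1000 folders" figure from the analysis; lower it when scanning a partially cleaned share.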
It searches the disk and deletes every file that contains one of the following character sequences: Adrian Minune, Adi De La Valcea, Adi De Vito, Alex de la Orastie, Ali Zaidi, Ady Pustiu, Babi Minune, Corina, Bocsa Copilul de Aur, Costel Biju, Ciofu, Cristi Dules, Cristian Rizescu, Dan Bursuc, danezu, Denisa, De Marco, Dj. Bengos, DJ Sebi, Don Genove, Elvis de la Bistrita, Florin Cristea, Florin Minune, Florin Mitroi, Florin Peste, Florin Salam, Fratii de Aur, Laura Vass, Liviu Pustiu, Liviu Guta, Jean de la Craiova, K-meleon, Kristiyana, Ionut Cercel, Marius de la Focsani, Mihaela Minune, Mihai Priescu, Mihaita Piticu, Minodora, Mr.Juve, Nea Kalu, Nek, Nicolae Guta, Nicoleta Guta, Octavian Francezul, Pedro Petrica, Cercel, Printesa de Aur, Roxana Printesa Ardealului, Rudy de la Valcea, Sandu Ciorba, Sorinel Pustiul, Sorinel Pustiu, Susanu, Suzana, Vali Vijelie, Violeta Constantin, Zaku.
It connects to several websites hosting media files (usually .mp3) and attempts to download some of them into the folder C:\Program Files\Common Files\System Internals 32bits\res. Here are a couple of example domains:
graiulneamului.ro
proconsul.com.ro
earhiva.info/arhiva/cantari%20ortodoxe
downtown.evonet.ro/parazitii
The worm may also overwrite the hosts file with one of its own, which redirects any access to various music, warez or pornographic websites to localhost (making them inaccessible).
Information in this article is available courtesy of BitDefender virus researchers: Lutas Andrei Vlad
Copyright 2011. Site powered by Bitdefender