CERT-MU Virus Alert VA-2010-4
Worm: Win32/Pykspa.E
Original issue date: April 9, 2010
Win32/Pykspa.E is a family of worms that spreads through Skype messaging, Twitter and removable devices, or is installed by other malware (TrojanDropper:Win32/Pykspa.A).
It sends messages containing a link to a remote server that hosts a copy of the worm. It also disables access to security-related Web sites by modifying the hosts file, and terminates processes which may be security-related. The malware runs a web server on the victim machine to serve copies of itself, listening on a random port chosen between 13000 and 63000.
The worm lowers the infected system's security settings by:
- Disabling User Account Control, registry tools, Autorun on A:\ and certain Security Center settings
- Preventing Windows Defender from running at system startup
- Preventing Windows Security Center from displaying alerts if the firewall or other security programs are disabled
- Removing the list of services to be started when the computer is booted in safe mode
The worm opens a backdoor: it connects to a remote server and accepts commands to perform malicious activities such as stealing personal information and downloading and executing arbitrary files.
Aliases:
Backdoor.Win32.Zepfod.a (Kaspersky), Win32/AutoRun.Agent.TG (ESET), WORM_VILSEL.SM (Trend Micro)
Upon execution, the worm:
- Creates a hidden system folder in the %Temp% directory and drops copies of itself with random file names
- Drops an encrypted configuration file in the following directories:
  - %System%
  - %ProgramFiles%
  - %AppData%
  - %Temp%
- Connects to the following sites to learn the victim's IP address:
  - www.showmyipaddress.com
  - whatismyipaddress.com
  - whatismyip.ca
  - whatismyip.everdot.org
- Requests any of the following domains to obtain the current date and time from the HTTP response header: ebay.com, baidu.com, imdb.com, bbc.co.uk, adobe.com, blogger.com, wikipedia.org, yahoo.com, youtube.com, myspace.com, facebook.com, google.com
- Creates the following registry entries to ensure it runs at every system start-up:
  - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<random (14 chars)>="malware path (16-22 chars)"
  - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\<random>="malware path"
  - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\<random>="malware path"
  - HKCU\Software\Microsoft\Windows\CurrentVersion\Run\<random>="malware path"
  - HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\<random>="malware path"
- Modifies the following registry entries:
  - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA=0
  - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
  - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools=1
  - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ConsentPromptBehaviorAdmin=0
  - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ConsentPromptBehaviorUser=0
  - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableInstallerDetection=0
  - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableSecureUIAPaths=0
  - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableVirtualization=0
  - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\PromptOnSecureDesktop=0
  - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ValidateAdminCodeSignatures=0
  - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\FilterAdministratorToken=0
  - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun=1
  - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun=1
  - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue=145
- Attempts to connect to any of the following IRC servers
- Sends Skype messages to the addresses in the contact list with a link to the worm copy, using subjects such as: Hello, hi, how are you, hello again, you skype version is old, what are you?, from where are you?, what are you doing in my contacts?, so what do you think? etc.
- Searches for windows with "Twitter" in the title. If such a window is found, the malware pastes messages into the window's input box and sends them.
- Connects to a remote server and accepts commands to perform the following:
  - Spread via mapped drives
  - Spread via network shares
  - Spread via Skype messaging
  - Spread via Twitter
  - Download and execute arbitrary files
  - Execute an existing file
  - Steal information
  - Change the port of the local web server
  - Sleep
  - Terminate processes
  - Delete files
  - Stop running
  - Shut down Windows
  - Modify the registry
  - Place data in the clipboard
  - Modify the hosts file
Users are advised to implement the following countermeasures:
- Search for the malicious files and registry entries created by the worm and delete them
- Install and maintain updated anti-virus software at gateway and desktop level
- Use caution when opening attachments and accepting file transfers
- Keep up to date with patches and fixes for the operating system and the above-mentioned vulnerabilities
- Disable Autorun
- Install and maintain a firewall at desktop level
- Block the IRC service and related ports, if not required
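The following script is an added example and not part of the CERT-MU alert: it audits a single Windows host for the registry policy changes and autostart locations listed above, and for the hosts-file tampering and random-port web server described in the summary, so that the first countermeasure (find the worm's files and registry entries) can be checked quickly. It assumes an elevated session; the security-vendor name pattern in step 3 is an assumption, since the alert does not name the blocked sites, and step 4 needs Get-NetTCPConnection (Windows 8 / Server 2012 or later).

```powershell
# Added example (not part of the CERT-MU alert): audit one Windows host for the
# registry changes, autostart entries, hosts-file tampering and listening port
# described in VA-2010-4. Run from an elevated PowerShell session.
$findings = New-Object System.Collections.Generic.List[string]
# 1. Policy values as the alert says the worm writes them (key -> name -> value)
$wormValues = @{
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' = @{
        EnableLUA = 0; ConsentPromptBehaviorAdmin = 0; ConsentPromptBehaviorUser = 0
        EnableInstallerDetection = 0; EnableSecureUIAPaths = 0
        EnableVirtualization = 0; PromptOnSecureDesktop = 0 }
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'   = @{ DisableRegistryTools = 1 }
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' = @{ NoDriveTypeAutoRun = 1 }
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' = @{ NoDriveTypeAutoRun = 1 }
}
foreach ($key in $wormValues.Keys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $wormValues[$key].Keys) {
        if ($null -ne $props.$name -and $props.$name -eq $wormValues[$key][$name]) {
            $findings.Add("Policy value matches worm setting: $key\$name = $($props.$name)")
        }
    }
}
# 2. Autostart values that launch from a temp or profile-data folder (the alert's drop locations)
$runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
             'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce')
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match '\\(Temp|AppData)\\' } |
        ForEach-Object { $findings.Add("Autostart from temp/profile path: $key\$($_.Name) = $($_.Value)") }
}
# 3. hosts-file lines that sink security sites to localhost. The alert does not name the
#    sites it blocks, so the vendor-name pattern here is an assumption; extend it as needed.
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hostsFile | Where-Object {
    $_ -match '^\s*(127\.0\.0\.1|0\.0\.0\.0)\s+\S*(symantec|mcafee|kaspersky|trendmicro|eset|avast|avg|microsoft)'
} | ForEach-Object { $findings.Add("hosts redirect: $_") }
# 4. Listeners in the port range the alert gives for the worm's web server
#    (Get-NetTCPConnection needs Windows 8 / Server 2012 or later)
Get-NetTCPConnection -State Listen | Where-Object { $_.LocalPort -ge 13000 -and $_.LocalPort -le 63000 } |
    ForEach-Object { $findings.Add("Listener on TCP $($_.LocalPort) owned by PID $($_.OwningProcess)") }
if ($findings.Count) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'No VA-2010-4 indicators found; review manually if infection is still suspected.' }
```

A match in step 1 or a listener in step 4 is a lead, not proof: confirm against your own policy baseline and the owning process's image path before cleaning.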
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
E-mail:

Postal address
Mauritian Computer Emergency Response Team (CERT-MU)
National Computer Board
9th Floor, Stratton Court
La Poudriere Street
Port Louis