| Field | Value |
| --- | --- |
| Malware name | Worm.Recycled.A |
| Type | Worm |
| Affected platform | Win32 |
| Media-Type | application/executable |
| MD5 checksum | 3CE7DC84B0D27EEE6DA0024D1ECAE4E6 |
| Static file | yes |
| Filesize | 13,824 Bytes |

Alias names (also known as):

| Vendor | Alias |
| --- | --- |
| Webwasher Proactive | Win32.Malware.gen!86 |
| Sophos | W32/Autoham-Fam |
| McAfee | DDoS-Leba |
| CA ETrust | Win32/Hamweq!generic |

Protection:

| Product | Version |
| --- | --- |
| Webwasher Anti Malware | 7000.4201.x |
| Webwasher Proactive | Database Version: 101 |

Side effects:
- Drops a file
- Registry modification
- Third party control

Propagation: No own spreading routine
Description:

Files

It copies itself to the following location:
• c:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\winse32.exe

It creates the following directory:
• c:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013

The following file is created:
• c:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini

This is a non-malicious text file with the following content; the CLSID is the Recycle Bin shell folder class, so Explorer displays the dropped directory as a Recycle Bin and hides its real contents from casual inspection:
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
Registry

The following registry key is added (Active Setup StubPath entries are executed at user logon, which gives the worm persistence):
• [HKLM\Software\Microsoft\Active Setup\Installed Components\{28ABC5C0-4FCB-11CF-AAX5-81CX1C635612}]
  StubPath="c:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\winse32.exe"
Injection

It injects itself into all of the following processes:
• firefox.exe
• explorer.exe
IRC

To deliver system information and to provide remote control it connects to the following IRC servers:

Server: hail.dns2go.**********
Port: 7000
Server password: 01470147
Nickname: mtnelf

Server: scorti1.dns2go.**********
Port: 7000
Server password: 01470147
Nickname: mtnelf

Furthermore it has the ability to perform actions such as:
• Launch DDoS SYN flood
• Launch DDoS UDP flood
• Join IRC channel
File details

Runtime packer: To hamper detection and reduce the size of the file, it is packed with a runtime packer.