W32.Drowor.B is a worm which spreads by infecting executable files on mapped drives. It ends security-related processes and attempts to download and execute malicious content on the compromised computer.
Symantec has a writeup on their website. Once executed, the worm copies itself as the following files:
C:\Windows\Services.exe
C:\Windows\System32\[RANDOM FOLDER]\Services.exe
It creates a mutex so that only one instance of the worm is running: [w32.trafox.A]
The worm creates one of the following registry entries, so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"services" = "C:\Windows\System32\[RANDOM FOLDER]\Services.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"services" = "C:\Windows\System32\Services.exe"
The worm attempts to end the processes with names including the following strings: anti, apvxdwin, avengine, avg, avlite, AVSYNMGR, avup, AVWUPD32, AVXQUAR, ccapp, cclaw, center, debug, firewa, fix, griso, guard, hacker, hex, hijack, iknow, kick, LordPE, navw32, pavprsrv, pavsrv51, procexp, scan, secure, security, sysinter
It then attempts to update itself by downloading files from different locations. The worm searches for and deletes the old versions of the following files if newer versions are available for download. The downloaded files are then saved as the following files:
C:\Windows\System32\updater.exe
C:\Windows\System32\x0f4rt.de
C:\Windows\System32\x0f4rt.xe
The worm enumerates through any mapped drives it finds and infects any .exe or .scr files it finds. It avoids infecting files with these extensions: doc, eml, htm, html, shtml, txt, wab
The worm also avoids infecting protected system files and files containing the following strings: _un, dele, inst, master, pas, setup, sfx, unin, vise, wise
It attempts to run an ICMP Denial of Service (DoS) attack using the ping command against the following remote hosts: www.lc.net.id, lc.net.id, 202.133.81.1 - 202.133.81.60

Manually editing the registry to remove malware entries
You can edit the registry by using the Windows built-in registry editor. Click on Start > Run to open the Run command box in XP, whereas in Vista the box is already open. Type regedit and press Enter or OK; that will open the registry editor. Now click on Edit > Find. You can use this box to find a particular registry key or value. To do that, copy the last part of the registry key (if it is inside curly braces {}, the part after the last / (forward slash)) and paste it into this box, or type the name of the malware in the box and press "Find Next". When the search stops, you should either see a message saying "Finished searching through the registry" or it will stop at the key it found. The found item will be displayed in blue selection. You can delete the entire key, that is the entry in the left side of the panel, once you have confirmed that this key belongs to the malware by looking at the entire key, comparing it with the ones listed here, and looking at the values it has created in the right side of the panel. In case you are not sure whether you want to remove the key, you can remove the values in the right side panel instead; that will also cripple the functioning of the malware. To delete a key or value, use the mouse pointer to select it first, then right-click on it to open a menu, select Delete from it, and say Yes to the confirmation alert. Alternately you can press the Delete key on the keyboard to delete the selected entry. You can also use the names of the files and folders created by the malware to search for their associated keys in the registry. Once you have deleted an entry, press the F3 key on the keyboard to search for the next occurrence of the entry; do this till you reach the end of the registry. Now copy the second registry key or filename and repeat the above procedure. This is a tedious process and takes time and effort, but there is no better way to make sure the malware is out of your computer.
The information below comes from the latest infection of this worm; it will be useful if you are trying to remove it from your computer. The following folder and file were found on an infected computer:
C:\Windows\System32\0617152D
C:\Windows\System32\0617152D\Services.exe
This process "services.exe" may be found in the Task Manager. End the process if found. (This is the tricky part, because services.exe is a legitimate Windows process, but the virus creates a process of the same name in another location. You might have to use a free tool called Zenturi Program Checker to determine whether the services.exe is legitimate or not. The authentic services.exe will be located at C:\Windows\system32\services.exe; if you have a file with a similar name but located elsewhere, then there is reason to doubt it.) You may find the following entry in Windows startup; remove it if found:
C:\Windows\System32\0617152D\Services.exe
The following registry key runs the worm's services.exe with every computer start:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] services = "%System%\0617152D\Services.exe"
(If you delete the folder C:\Windows\System32\0617152D and then run CCleaner, using both the Cleaner and the Registry menus, this entry will be removed automatically.)
(Reprinted with permission from ThreatExpert)
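The manual checks above (a Run-key value or a running process named services.exe whose path is anywhere other than C:\Windows\System32, plus the dropped updater.exe / x0f4rt.* files in System32) can be scripted for triage. The helper below is an added example, not code from the original writeup, Symantec or ThreatExpert. It assumes you have already collected the Run-key values, the process list with image paths, and a directory listing of System32 (for instance from reg query, tasklist or a forensic image); the sample data in the block is constructed to mirror the indicators listed on this page, and the %System% expansion table is an assumption for a default C:\Windows install.

```python
"""Triage helper for the W32.Drowor.B indicators described above (added example)."""
import ntpath
import re

# The only legitimate location of services.exe (the Service Control Manager).
LEGIT_SERVICES = r"c:\windows\system32\services.exe"

# File names the writeup says the worm saves its downloaded updates under.
DROPPED_NAMES = {"updater.exe", "x0f4rt.de", "x0f4rt.xe"}

# Assumed expansions for the %VAR% shorthand seen in Run-key data (default install).
ENV = {
    "%system%": r"C:\Windows\System32",
    "%systemroot%": r"C:\Windows",
    "%windir%": r"C:\Windows",
}


def expand_env(path: str) -> str:
    """Expand the %VAR% placeholders from ENV; unknown ones are left untouched."""
    return re.sub(r"%[A-Za-z]+%", lambda m: ENV.get(m.group(0).lower(), m.group(0)), path)


def normalize(path: str) -> str:
    """Strip surrounding quotes, expand variables, normalise separators, lower-case."""
    path = expand_env(path.strip().strip('"'))
    return ntpath.normpath(path).lower()


def is_rogue_services_exe(path: str) -> bool:
    """True when the path names a services.exe outside the legitimate location."""
    p = normalize(path)
    return ntpath.basename(p) == "services.exe" and p != LEGIT_SERVICES


def check_run_entries(entries):
    """entries: (value_name, value_data) pairs from HKLM\\...\\CurrentVersion\\Run.
    Returns the pairs whose data launches a rogue services.exe."""
    return [(name, data) for name, data in entries if is_rogue_services_exe(data)]


def check_processes(procs):
    """procs: (image_name, full_path) pairs. Returns rogue services.exe processes."""
    return [(name, path) for name, path in procs if is_rogue_services_exe(path)]


def check_dropped_files(paths):
    """Return the paths that are one of the dropped file names inside System32."""
    hits = []
    for raw in paths:
        p = normalize(raw)
        if ntpath.basename(p) in DROPPED_NAMES and ntpath.dirname(p) == r"c:\windows\system32":
            hits.append(raw)
    return hits


# Constructed sample data modelled on the indicators in the writeup.
SAMPLE_RUN = [
    ("services", r'"%System%\0617152D\Services.exe"'),          # worm persistence
    ("SecurityHealth", r"C:\Windows\system32\SecurityHealthSystray.exe"),
]
SAMPLE_PROCS = [
    ("services.exe", r"C:\Windows\system32\services.exe"),       # legitimate SCM
    ("services.exe", r"C:\Windows\System32\0617152D\Services.exe"),
    ("explorer.exe", r"C:\Windows\explorer.exe"),
]
SAMPLE_FILES = [
    r"C:\Windows\System32\updater.exe",
    r"C:\Windows\System32\x0f4rt.de",
    r"C:\Windows\System32\kernel32.dll",
]


def triage(run_entries, procs, files):
    """Aggregate the three checks into one report dict."""
    return {
        "run_keys": check_run_entries(run_entries),
        "processes": check_processes(procs),
        "dropped_files": check_dropped_files(files),
    }


if __name__ == "__main__":
    for category, hits in triage(SAMPLE_RUN, SAMPLE_PROCS, SAMPLE_FILES).items():
        for hit in hits:
            print(f"[{category}] {hit}")
```

The path comparison is what separates the worm's copy from the real Service Control Manager: both are named services.exe, so name alone is never enough, and the script therefore normalises and expands the full path before deciding. Feeding it the mapped-drive copies listed earlier (C:\Windows\Services.exe) flags them for the same reason.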