In less than two months the size of the malicious code has increased to three times the original size and the functionality grew from spammer to infostealer to worm.

Protection
Initial Rapid Release version: April 21, 2008 revision 001
Latest Rapid Release version: April 21, 2008 revision 001
Initial Daily Certified version: April 21, 2008 revision 003
Latest Daily Certified version: April 21, 2008 revision 003
Initial Weekly Certified release date: April 23, 2008

Threat Assessment
Wild
Wild Level: Low
Number of Infections: 0 - 49
Number of Sites: 0 - 2
Geographical Distribution: Low
Threat Containment: Easy
Removal: Easy
Damage
Damage Level: Medium
Payload: May download potentially malicious files.

By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.

Security Response will continue keeping a close eye on this threat as we’ll undoubtedly see new versions again.

Risk Level 1: Very Low
Discovered: April 20, 2008
Updated: April 21, 2008
Type: Virus
Infection Length: 57,344 bytes
Systems Affected: Windows 2000, Windows NT, Windows XP

SUMMARY
Note: Virus definitions dated April 20, 2008 or earlier detect this threat as W32.
Distribution
Distribution Level: Low
Target of Infection: Infects executable files

TECHNICAL DETAILS
When the virus is executed, it copies itself as the following file:
%System%\drivers\[RANDOM FILE NAME]

The virus creates the following mutex so that only one instance of the virus is running:
Op1mutx9

It then creates the following registry subkeys:
HKEY_CURRENT_USER\Software\[USER NAME]914
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WMI_MFC_TPSHOKER_80
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IPFILTERDRIVER

It then creates the following registry entry so that it bypasses the Windows Firewall:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"[INFECTED FILE]" = "[INFECTED FILE]:*:Enabled:ipsec"

It modifies the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"GlobalUserOffline" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"EnableLUA" = "0"

The virus also deletes entries in the following registry subkeys:
HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

It then registers itself as a new service with the following characteristics:
Service Name: WMI_MFC_TPSHOKER_80
Display Name: WMI_MFC_TPSHOKER_80
Startup Type: Automatic

It then deletes itself.
If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
Train employees not to open attachments unless they are expecting them.
Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses.

In early December the downloaded code only contained the components described above: the dropper, the sys file, and the spamming component. Near the end of last year we found that a new payload was added and the downloaded code increased to 103k in size. The payload is not saved as a file on disk but only exists in memory, so how can it run after the system is restarted? It contains the downloading code like the original Trojan.

Ransom note text: "To recover your files you need to buy our decryptor."

Scan log entries (detection name; action; file; path), as extracted; where a family prefix was split from the rest of a detection name, the detached fragments are listed at the end:
Confessa.2; Deleted.; ctgt86.exe; C:\WINDOWS
Win32.Limar.2196; Deleted.; netdex.exe; C:\WINDOWS\system32
Trojan.DownLoader.55117; Deleted.; cdbg32.exe; C:\WINDOWS\system32
Limar; Deleted.; a.exe; C:\WINDOWS\system32
Trojan.MulDrop.12184; Deleted.; 3.tmp; C:\WINDOWS\system32
Trojan.Proxy.1930; Deleted.; 5.tmp; C:\WINDOWS\system32
Trojan.Proxy.1930; Deleted.; ipxrir32.dll; C:\WINDOWS\system32
DownLoader.59084; Deleted.; delextra.exe; C:\
Limar.2228; Deleted.; kbdgmqqm.dll; C:\WINDOWS\system32
Detached name fragments: Probably DLOADER.; Win32.; Trojan.; Win32.

HijackThis-style log entry:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main, Search Page = LinkId=54896