W32.Magflag.A@mm is a mass-mailing worm that also spreads through file-sharing networks. It also downloads and executes remote files.
When W32.Magflag.A@mm is executed, it performs the following actions:
1. Runs a legitimate process, svchost.exe, and injects itself into the process so that all subsequent actions will appear to be taken by svchost.exe.
2. Copies itself as %System%\winldr.exe.
Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
3. Adds the value:
"Shell" = "Explorer.exe winldr.exe"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
so that it runs every time Windows starts.
4. Modifies the value:
"%System%\svchost.exe" = "%System%\svchost.exe:*:Enabled:svchost"
in the registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
in an attempt to bypass the Windows firewall.
5. Attempts to download and run the following files:
* [http://]topdresser.ca/[REMOVED]/flg.exe
* [http://]muirventures.ca/[REMOVED]/flg.exe
* [http://]uh.gameage.co.uk/[REMOVED]/flg.exe
* [http://]fire-clan.org.uk/[REMOVED]/flg.exe
* [http://]signtrainer.com/[REMOVED]/flg.exe
* [http://]theemmauscommunity.org/[REMOVED]/flg.exe
* [http://]frontdoorproductions.net/[REMOVED]/flg.exe
* [http://]actionwebdevelopment.com/[REMOVED]/flg.exe
* [http://]parablenewmedia.com/[REMOVED]/flg.exe
* [http://]traxxinc.com/[REMOVED]/flg.exe
* [http://]realestatesolutionsplus.com/[REMOVED]/flg.exe
* [http://]cosmoflash.com/[REMOVED]/flg.exe
* [http://]fooyagi.com/[REMOVED]/flg.exe
* [http://]pnimaging.com/[REMOVED]/flg.exe
* [http://]cosmed-hair.com/[REMOVED]/flg.exe
Note: At the time of analysis, the files were not available.
6. Downloads the file winldr.ini from the same domains as above. This file tells the worm where to download further files from.
7. Downloads the following files from a domain taken from the file winldr.ini:
* /[REMOVED]/lett.htm
* /[REMOVED]/s.txt
* /[REMOVED]/f.txt
Note: These files contain the subject, sender and body of the emails that the worm will send.
8. Collects email addresses from files with the following extensions, on all fixed drives:
* .wab
* .txt
* .msg
* .htm
* .shtm
* .stm
* .xml
* .dbx
* .mbx
* .mdx
* .eml
* .nch
* .mmf
* .ods
* .cfg
* .asp
* .php
* .pl
* .wsh
* .adb
* .tbb
* .sht
* .xls
* .oft
* .uin
* .cgi
* .mht
* .dhtm
* .jsp
9. Avoids sending emails to email addresses containing the following strings:
* @hotmail
* @msn
* @microsoft
* rating@
* f-secur
* news
* update
* anyone@
* bugs@
* contract@
* feste
* gold-certs@
* help@
* info@
* nobody@
* noone@
* kasp
* admin
* crosoft
* @messagelab
* root@
* abuse
* panda
* linux
* unix
* spam
* antispam
* gov
10. Sends a copy of itself to all of the email addresses gathered. The sender, subject and body of the email are taken from the following files downloaded earlier:
* lett.htm
* s.txt
* f.txt
Attachment: Rechnung.pdf.exe
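The attachment name Rechnung.pdf.exe is a double-extension lure: the executable suffix sits behind a document-like one. The following is an added example, not Symantec's code or part of the original writeup, of a mail-gateway style check that parses a message with Python's standard email module and flags attachments whose names follow that pattern. The sample message, its sender and body are constructed here; the extension lists are this example's own choices, not indicators from the page.

```python
"""Flag attachments that hide an executable extension behind a document-like one.

Added example (not from the original advisory). The message built below is
constructed for the demonstration; only the attachment name Rechnung.pdf.exe
comes from the writeup.
"""
import os
from email import message_from_string, policy
from email.message import EmailMessage

# Extension sets chosen for this example; extend them to match local policy.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
DECOY_EXTS = {".pdf", ".doc", ".txt", ".jpg", ".htm", ".html"}


def is_masquerading_executable(filename):
    """True for names like Rechnung.pdf.exe: an executable suffix directly
    behind a document-like suffix. Plain setup.exe is not flagged here; that
    is a separate policy decision."""
    base, ext = os.path.splitext(filename)
    if ext.lower() not in EXECUTABLE_EXTS:
        return False
    _, inner = os.path.splitext(base)
    return inner.lower() in DECOY_EXTS


def flag_attachments(raw_message):
    """Return the filenames of all attachments in raw_message that match the
    double-extension pattern."""
    msg = message_from_string(raw_message, policy=policy.default)
    flagged = []
    for part in msg.walk():
        name = part.get_filename()  # None for the multipart container and body
        if name and is_masquerading_executable(name):
            flagged.append(name)
    return flagged


def build_sample_message():
    """Constructed message with the structure the writeup describes
    (hypothetical sender, subject and body; the attachment bytes are a stub,
    not the worm)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Rechnung"
    msg.set_content("Constructed body text for the example.")
    msg.add_attachment(b"MZ constructed stub, not a real binary",
                       maintype="application", subtype="octet-stream",
                       filename="Rechnung.pdf.exe")
    return msg.as_string()


if __name__ == "__main__":
    print(flag_attachments(build_sample_message()))
```

The check looks only at the declared filename, so it belongs beside, not instead of, content inspection of the attachment itself.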
11. Searches for files with the .exe extension in the shared folders of the following file-sharing programs:
* KAZAA
* Morpheus
* iMesh
* eDonkey2000
* LimeWire
12. Attempts to replace any files found with a file that it creates by joining the target file with a copy of the worm. This routine of the worm appears to contain bugs, and may not run properly.
13. Creates the harmless file %System%\dllsys.dll.
REMOVAL INSTRUCTIONS
See:
http://securityresponse.symantec.com/avcenter/venc/data/w32.magflag.a@mm.html
To delete the value from the registry
1. Click Start > Run.
2. Type regedit
3. Click OK.
4. Navigate to the subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
5. In the right pane, delete the value:
"Shell" = "Explorer.exe winldr.exe"
6. Navigate to the subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
7. In the right pane, reset the following value to its original setting, if applicable:
"%System%\svchost.exe" = "%System%\svchost.exe:*:Enabled:svchost"
8. Exit the Registry Editor.
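The two registry artifacts above (the Winlogon Shell modification in step 3 and the firewall exception in step 4, the same values the removal steps 4 to 7 address) can be checked offline in a registry export rather than by hand in regedit. The following is an added example, not Symantec's tooling or part of the original writeup: a small parser for the text format that regedit and reg export produce, and a check for both artifacts. The two export texts are constructed for the demonstration; the benign entry under the firewall list is hypothetical.

```python
"""Offline check of a .reg export for the W32.Magflag.A@mm registry artifacts.

Added example (not from the original advisory). Handles REG_SZ values fully;
dword/hex data is kept as raw text.
"""
import re

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
FIREWALL_LIST_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
                     r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List")

# Constructed export of an infected machine (paths are hypothetical).
INFECTED_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe winldr.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\ExampleApp\\app.exe"="C:\\Program Files\\ExampleApp\\app.exe:*:Enabled:Example App"
"C:\\WINDOWS\\system32\\svchost.exe"="C:\\WINDOWS\\system32\\svchost.exe:*:Enabled:svchost"
'''

# Constructed export of a clean machine for contrast.
CLEAN_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
'''

# "name"=data ; the name may contain \" and \\ escapes.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(text):
    """Undo .reg escaping: \\ -> \ and \" -> " ."""
    return re.sub(r'\\(.)', r'\1', text)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for a .reg export."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        match = _VALUE_RE.match(line)
        if not match:
            continue  # header, blank line or hex continuation line
        name, data = match.groups()
        if data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])  # REG_SZ
        keys[current][_unescape(name)] = data
    return keys


def find_magflag_indicators(reg):
    """Return (indicator, detail) pairs for the two artifacts the writeup describes."""
    findings = []
    shell = reg.get(WINLOGON_KEY, {}).get("Shell")
    if shell is not None:
        # A clean Shell value is just Explorer.exe; every extra token is a
        # persistence entry to review, winldr.exe being this worm's.
        extra = [t for t in shell.lower().split() if t != "explorer.exe"]
        if extra:
            findings.append(("winlogon_shell_extra", extra))
    for name in reg.get(FIREWALL_LIST_KEY, {}):
        # The writeup describes this entry as the worm's firewall bypass;
        # compare against a known-good baseline before acting on it.
        if name.lower().endswith("\\svchost.exe"):
            findings.append(("firewall_exception_svchost", name))
    return findings


if __name__ == "__main__":
    for label, text in (("infected", INFECTED_REG_EXPORT), ("clean", CLEAN_REG_EXPORT)):
        print(label, find_magflag_indicators(parse_reg_export(text)))
```

Run it against a real export (reg export of the two keys from a suspect machine) by passing the file contents to parse_reg_export; a finding for the Shell value maps to removal step 5 and one for the firewall list to step 7.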