F-Secure
Tools
Worm:W32/Agent.IPZ
Summary
A standalone malicious program which uses computer or network resources to make complete copies of itself. May include code or other malware to damage both the system and the network.
Details
Registry Modifications
Sets these values:
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer
sun = 01 - HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer
java = 03 - HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
C:\WINDOWS\system32\jushed.exe = C:\WINDOWS\system32\jushed.exe:*:Enabled:Explorer
[Windows Firewall Disabled] - HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SunJavaUpdater = C:\WINDOWS\system32\jushed.exe
[Launchpoint: Run] - HKU\S-1-5-21-299502267-823518204-839522115-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings
MigrateProxy = 6619252 - HKU\S-1-5-21-299502267-823518204-839522115-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings
ProxyEnable = 4522105 - HKLM\SYSTEM\CURRENTCONTROLSET\HARDWARE PROFILES\CURRENT\Software\Microsoft\windows\CurrentVersion\Internet Settings
ProxyEnable = 4522105 - HKU\S-1-5-21-299502267-823518204-839522115-1003
SavedLegacySettings = - HKCU\Software\Microsoft\Windows NT\CurrentVersion
øøø[...]=16253176 - HKCU\Software\Microsoft\Windows NT\CurrentVersion
(default) = H1UYEEMA[QRspr{gm8;Rfzz iqn - HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore
DisableSR = 6357107
[System Restore Disabled] - HKCU\Software\Microsoft\Windows\CurrentVersion\Run
QnX = C:\WINDOWS\system32\jqs.exe
[Launchpoint: Run] - HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{77520Q86-864L-N81R-0R2W-7U2G0P22436U}
StubPath = "C:\WINDOWS\system32\jqs.exe"
[Launchpoint: Active Setup] - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
QnX = C:\WINDOWS\system32\jqs.exe
[Launchpoint: Explorer]
Additional Details
There are two ways that this worm may arrive on a user's system: it may be delivered directly to the user in an infected e-mail attachment, or the user may unknowingly download it from an infected website host.
In the first method, the e-mails are sent out from other, infected machines. The worm's code is stored in a ZIP file attachment to the e-mail. Each e-mail will use one of these two sets of characteristics:
The worm may also be downloaded from an infected website host. If an infected machine is an IIS web server, the worm replaces the default index page at C:\Inetpub\wwwroot\index.htm with a page containing:
In both cases, running the extracted attachment or downloaded copy will launch the malware.
Execution
On execution, the worm will create a copy of itself.
It will also drop another malware file, detected as Trojan.Win32.Pakes.mmp.
It will then create registry entries so that the copy of the worm will run on system startup, as well as disabling the Windows Firewall.
Next, the worm contacts this site to determine the infected system's IP address.
Propagation
To propagate itself via infected e-mails, the worm harvests all e-mail addresses stored on the infected system and sends out messages to all the harvested addresses. Each e-mail contains the worm's code in an attachment, and the e-mail itself will use one of the same two sets characteristics (subject line, attachment name, etc) as the e-mail the worm arrived in.
For the worm to propagate via downloads from a Web server, the infected system must first have Microsoft IIS installed. If so, the worm will create a copy of itself in the following location:
It will also create or replace the following file:
This new index page relies on social engineering to persuade visitors to download the malware.
In the first method, the e-mails are sent out from other, infected machines. The worm's code is stored in a ZIP file attachment to the e-mail. Each e-mail will use one of these two sets of characteristics:
- Subject: "IKEA's New Planning Software"
Attachment: Ikea.zip - Subject: "You've received a Hallmark e-card!"
Attachment: Postcard.zip
The worm may also be downloaded from an infected website host. If an infected machine is an IIS web server, the worm replaces the default index page at C:\Inetpub\wwwroot\index.htm with a page containing:
- "Security warning"
- A link, misleadingly named "MS09-067.exe", which downloads a copy of the malware from the Web server onto the system.
In both cases, running the extracted attachment or downloaded copy will launch the malware.
Execution
On execution, the worm will create a copy of itself.
- %windir%\system32\jushed.exe
It will also drop another malware file, detected as Trojan.Win32.Pakes.mmp.
- %windir%\system32\jqs.exe
It will then create registry entries so that the copy of the worm will run on system startup, as well as disabling the Windows Firewall.
Next, the worm contacts this site to determine the infected system's IP address.
- http://whatismyip.com/
Propagation
To propagate itself via infected e-mails, the worm harvests all e-mail addresses stored on the infected system and sends out messages to all the harvested addresses. Each e-mail contains the worm's code in an attachment, and the e-mail itself will use one of the same two sets characteristics (subject line, attachment name, etc) as the e-mail the worm arrived in.
For the worm to propagate via downloads from a Web server, the infected system must first have Microsoft IIS installed. If so, the worm will create a copy of itself in the following location:
- C:\Inetpub\wwwroot\MS-09-067.exe
It will also create or replace the following file:
- C:\Inetpub\wwwroot\index.htm
This new index page relies on social engineering to persuade visitors to download the malware.