Worm:W32/Tater.C

Name: Worm:W32/Tater.C
Category: Malware
Type: Worm
Platform: W32

Summary

A standalone malicious program which uses computer or network resources to make complete copies of itself. May include code or other malware to damage both the system and the network.

Additional Details

Worm:W32/Tater.C typically arrives on the system via a drive-by download, or as part of the payload of another malware program.

Once on a networked computer, it can propagate to other nodes on the network via network shares and mapped drives. It also steals the user's credentials for online games.


Execution

On execution, the malware creates a copy of itself. It also drops a randomly-named DLL component in the %TEMP% directory. Both files normally carry the Read-Only, Hidden and System attributes.

Next, the malware modifies the following registry value so that Explorer no longer displays files with the Hidden/System attributes, which keeps its own dropped files out of sight:

  • HKLM\Software\Microsoft\Windows\Currentversion\Explorer\Advanced\Folder\Hidden\SHOWALL Checkedvalue = dword:00000000

It also adds the following registry entry so that it is run again at every startup, which allows it to survive system reboots:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run [random] = [randomfilename]
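The three indicators described above (the SHOWALL value, the Run entry and the Read-Only/Hidden/System files in %TEMP%) can be checked from an administrator PowerShell prompt. The script below is an added example, not part of the original description: the registry key and value names are the ones given above, while the function names, the file-extension pattern and the decision to treat a Run target under %TEMP% as suspicious are assumptions of this example. It only reads; it does not delete or restore anything.

```powershell
# Added example (not from the original description): read-only check of the
# persistence and file-hiding indicators described above.

$ShowAllKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$RunKey     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

function Test-HasAttributes {
    # True when the file carries every attribute listed in $Flags.
    param([IO.FileSystemInfo]$Item, [IO.FileAttributes[]]$Flags)
    foreach ($f in $Flags) { if (-not $Item.Attributes.HasFlag($f)) { return $false } }
    return $true
}

function Test-ShowAllTampered {
    # A clean install has CheckedValue = 1; the worm writes 0 so that Explorer
    # keeps Hidden/System files (its own dropped copies included) invisible.
    $v = (Get-ItemProperty -Path $ShowAllKey -Name CheckedValue -ErrorAction SilentlyContinue).CheckedValue
    [pscustomobject]@{ Indicator = 'SHOWALL\CheckedValue'; Value = $v; Suspicious = ($v -eq 0) }
}

function Get-SuspiciousRunEntries {
    # Flags Run values whose target lives under %TEMP% or is marked Hidden+System,
    # the combination the description gives for the worm's dropped files.
    $props = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
    if (-not $props) { return }
    foreach ($p in $props.PSObject.Properties) {
        # Provider metadata added by Get-ItemProperty, not real Run values.
        if ($p.Name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }
        $cmd = [Environment]::ExpandEnvironmentVariables([string]$p.Value).Trim('"')
        # Keep only the program path, dropping any arguments (assumed extension list).
        $exe = if ($cmd -match '^(.+?\.(exe|dll|scr|com))') { $Matches[1] } else { $cmd }
        $item = Get-Item -LiteralPath $exe -Force -ErrorAction SilentlyContinue   # -Force also returns hidden files
        $inTemp = $exe -like "$env:TEMP\*"
        $hiddenSys = $item -and (Test-HasAttributes $item @([IO.FileAttributes]::Hidden, [IO.FileAttributes]::System))
        [pscustomobject]@{
            ValueName  = $p.Name
            Target     = $exe
            Exists     = [bool]$item
            InTemp     = $inTemp
            HiddenSys  = [bool]$hiddenSys
            Suspicious = ($inTemp -or $hiddenSys)
        }
    }
}

function Get-HiddenTempFiles {
    # Files in %TEMP% carrying all of Read-Only, Hidden and System at once.
    $flags = @([IO.FileAttributes]::ReadOnly, [IO.FileAttributes]::Hidden, [IO.FileAttributes]::System)
    Get-ChildItem -LiteralPath $env:TEMP -Force -File -ErrorAction SilentlyContinue |
        Where-Object { Test-HasAttributes $_ $flags } |
        Select-Object FullName, Length, LastWriteTime, Attributes
}

Test-ShowAllTampered
Get-SuspiciousRunEntries | Where-Object Suspicious
Get-HiddenTempFiles
```

Run it in the profile of the affected user, because the Run entry lives under HKCU and %TEMP% is per user. Note that $env:TEMP may be in 8.3 short form on some systems, in which case the InTemp comparison can miss a long-form path; the HiddenSys column does not depend on that.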

Propagation

To propagate, Tater.C copies itself to every accessible drive and writes a matching AUTORUN.INF file alongside the copy, so that the copy is launched automatically when the drive is opened on a system with AutoRun enabled.


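The AUTORUN.INF side of the propagation above can be inventoried across all local, removable and mapped drives with the script below. It is an added example, not part of the original description: it assumes the INF uses the standard open= or shellexecute= lines to name the program, resolves that path relative to the drive root, and reports whether the INF and its target carry the Hidden+System attributes described for the worm's files. The function names and the extension pattern are this example's own choices.

```powershell
# Added example (not from the original description): read-only inventory of
# AUTORUN.INF files on every filesystem drive and the program each one would launch.

function Test-HiddenSystem {
    # True when a file object exists and carries both the Hidden and System attributes.
    param($Item)
    if (-not $Item) { return $false }
    return $Item.Attributes.HasFlag([IO.FileAttributes]::Hidden) -and
           $Item.Attributes.HasFlag([IO.FileAttributes]::System)
}

function Get-AutorunTarget {
    # Extracts the path an open= or shellexecute= line would run, dropping quotes
    # and arguments and resolving relative names against the drive root.
    param([string]$Line, [string]$Root)
    if ($Line -notmatch '^\s*(open|shellexecute)\s*=\s*(.+?)\s*$') { return $null }
    $cmd = $Matches[2].Trim('"')
    $exe = if ($cmd -match '^(.+?\.(exe|com|bat|cmd|scr|pif))') { $Matches[1] } else { ($cmd -split '\s+')[0] }
    if ([IO.Path]::IsPathRooted($exe)) { return $exe }
    return (Join-Path $Root $exe)
}

function Get-AutorunIndicators {
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        if (-not $drive.Root) { continue }
        $infPath = Join-Path $drive.Root 'autorun.inf'
        $inf = Get-Item -LiteralPath $infPath -Force -ErrorAction SilentlyContinue   # -Force: hidden files too
        if (-not $inf) { continue }

        $targets = @()
        foreach ($line in (Get-Content -LiteralPath $infPath -Force -ErrorAction SilentlyContinue)) {
            $t = Get-AutorunTarget -Line $line -Root $drive.Root
            if ($t) { $targets += $t }
        }
        if ($targets.Count -eq 0) { $targets = @($null) }   # still report an INF with no launch line

        foreach ($t in $targets) {
            $item = if ($t) { Get-Item -LiteralPath $t -Force -ErrorAction SilentlyContinue } else { $null }
            $infHidden = Test-HiddenSystem $inf
            $tgtHidden = Test-HiddenSystem $item
            [pscustomobject]@{
                Drive           = $drive.Name
                NetworkRoot     = $drive.DisplayRoot   # UNC path for mapped drives, empty otherwise
                InfPath         = $infPath
                InfHiddenSys    = $infHidden
                Target          = $t
                TargetExists    = [bool]$item
                TargetHiddenSys = $tgtHidden
                Suspicious      = ($infHidden -or $tgtHidden)
            }
        }
    }
}

Get-AutorunIndicators | Format-Table -AutoSize
```

Current Windows versions do not honour AutoRun on removable or network drives, so the INF itself will usually not execute there; its presence next to a Hidden+System executable is still a useful indicator of where the worm has copied itself, and the Target column gives the file to submit for analysis.
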
Activity

The worm steals the online credentials of users of online games. To do so, it monitors the following known game processes:

  • coc.exe
  • ragexe.exe
  • pol.exe
  • polcore.dll