F-Secure
Tools
Worm:W32/Todon.I
Summary
Worm:W32/Todon.I is a worm that spreads to new victim machines via infected removable and network drives. The worm also has trojan-downloader capabilities, as it attempts to download additional files from remote servers.
Disinfection
Allow F-Secure Anti-Virus to disinfect the relevant files.
For more general information on disinfection, please see Removal Instructions.
For more general information on disinfection, please see Removal Instructions.
Additional Details
Worm:W32/Todon.I distributes itself by dropping a copy of its own malicious file (using the filename vgjeuyj.exe)onto specified drives and creates an autorun.inf file that points to it. These drives (D to Z) may include both removable drives and network drives.
While active on the computer, the worm terminates a number of processes and also attempts to download additional files from remote sites.
Installation
The malware creates the following copies of itself:
The malware creates the following autorun.inf files:
Activity
The malware terminates a large number of processes if they have windows that contain the following text strings:
Registry Changes
The malware creates the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
vgjeuyj = %Program Files%\Common Files\Microsoft Shared\juyplqk.exe"
brgknyg = %Program Files%\Common Files\System\civoabs.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%executable%
Debugger = %Program Files%\Common Files\Microsoft Shared\juyplqk.exe
Where %executable% is any of the following:
Downloads
The malware attempts to download files from the following locations:
While active on the computer, the worm terminates a number of processes and also attempts to download additional files from remote sites.
Installation
The malware creates the following copies of itself:
- %Program Files%\meex.exe
- %Program Files%\Common Files\Microsoft Shared\juyplqk.exe
- %Program Files%\Common Files\System\civoabs.exe
- %Program Files%\Common Files\Microsoft Shared\brgknyg.inf
- %Program Files%\Common Files\System\brgknyg.inf
Activity
The malware terminates a large number of processes if they have windows that contain the following text strings:
- ??
- ??
- ??
- ??
- ??
- ??
- ??
- ??
- ??
- ??
- ??
- ??
- ??
- ????
- ????
- ??
- QQ??
- ??
- ??
- ??
- ??
- ??
- ??
- ? ?
- 360??
- :\ - WinRAR
- QQ??
- ??
- System
- Microsoft Shared
- ??
- ??
- ??
- ????
- <26 spaces>2007
- ??
- Process
- Virus
- Trojan
- Sysinternals
Registry Changes
The malware creates the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
vgjeuyj = %Program Files%\Common Files\Microsoft Shared\juyplqk.exe"
brgknyg = %Program Files%\Common Files\System\civoabs.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%executable%
Debugger = %Program Files%\Common Files\Microsoft Shared\juyplqk.exe
Where %executable% is any of the following:
- Ras.exe
- avp.com
- avp.exe
- runiep.exe
- PFW.exe
- FYFireWall.exe
- rfwmain.exe
- rfwsrv.exe
- KAVPF.exe
- KPFW32.exe
- nod32kui.exe
- nod32.exe
- Navapsvc.exe
- Navapw32.exe
- avconsol.exe
- webscanx.exe
- NPFMntor.exe
- vsstat.exe
- KPfwSvc.exe
- RavTask.exe
- Rav.exe
- RavMon.exe
- mmsk.exe
- WoptiClean.exe
- QQKav.exe
- QQDoctor.exe
- EGHOST.exe
- 360Safe.exe
- iparmo.exe
- adam.exe
- IceSword.exe
- 360rpt.exe
- 360tray.exe
- AgentSvr.exe
- AppSvc32.exe
- autoruns.exe
- avgrssvc.exe
- AvMonitor.exe
- CCenter.exe
- ccSvcHst.exe
- FileDsty.exe
- FTCleanerShell.exe
- HijackThis.exe
- Iparmor.exe
- isPwdSvc.exe
- kabaload.exe
- KaScrScn.SCR
- KASMain.exe
- KASTask.exe
- KAV32.exe
- KAVDX.exe
- KAVPFW.exe
- KAVSetup.exe
- KAVStart.exe
- KISLnchr.exe
- KMailMon.exe
- KMFilter.exe
- KPFW32X.exe
- KPFWSvc.exe
- KRegEx.exe
- KRepair.com
- KsLoader.exe
- KVCenter.kxp
- KvDetect.exe
- KvfwMcl.exe
- KVMonXP.kxp
- KVMonXP_1.kxp
- kvol.exe
- kvolself.exe
- KvReport.kxp
- KVScan.kxp
- KVSrvXP.exe
- KVStub.kxp
- kvupload.exe
- kvwsc.exe
- KvXP.kxp
- KvXP_1.kxp
- KWatch.exe
- KWatch9x.exe
- KWatchX.exe
- loaddll.exe
- MagicSet.exe
- mcconsol.exe
- mmqczj.exe
- nod32krn.exe
- PFWLiveUpdate.exe
- QHSET.exe
- RavMonD.exe
- RavStub.exe
- RegClean.exe
- rfwcfg.exe
- RfwMain.exe
- RsAgent.exe
- Rsaupd.exe
- safelive.exe
- scan32.exe
- shcfg32.exe
- SmartUp.exe
- SREng.EXE
- symlcsvc.exe
- SysSafe.exe
- TrojanDetector.exe
- Trojanwall.exe
- TrojDie.kxp
- UIHost.exe
- UmxAgent.exe
- UmxAttachment.exe
- UmxCfg.exe
- UmxFwHlp.exe
- UmxPol.exe
- UpLive.exe
- upiea.exe
- AST.exe
- ArSwp.exe
- USBCleaner.exe
- rstrui.exe
- QQLiveUpdate.exe
- QQUpdateCenter.exe
- Timwp.exe
Downloads
The malware attempts to download files from the following locations:
- http://www.[removed]/TDown1.exe
- http://www.[removed]/ReadDown.txt