Worm:W32/Todon.I

Worm:W32/Todon.I distributes itself by dropping a copy of its own malicious file (using the filename vgjeuyj.exe)onto specified drives and creates an autorun.inf file that points to it. These drives (D to Z) may include both removable drives and network drives.

While active on the computer, the worm terminates a number of processes and also attempts to download additional files from remote sites.

Installation

The malware creates the following copies of itself:

• %Program Files%\meex.exe
• %Program Files%\Common Files\Microsoft Shared\juyplqk.exe
• %Program Files%\Common Files\System\civoabs.exe

The malware creates the following autorun.inf files:

• %Program Files%\Common Files\Microsoft Shared\brgknyg.inf
• %Program Files%\Common Files\System\brgknyg.inf

Activity

The malware terminates a large number of processes if they have windows that contain the following text strings:

• ??
• ??
• ??
• ??
• ??
• ??
• ??
• ??
• ??
• ??
• ??
• ??
• ??
• ????
• ????
• ??
• QQ??
• ??
• ??
• ??
• ??
• ??
• ??
• ? ?
• 360??
• :\ - WinRAR
• QQ??
• ??
• System
• Microsoft Shared
• ??
• ??
• ??
• ????
• [26 spaces]2007
• ??
• Process
• Virus
• Trojan
• Sysinternals

Registry Changes

The malware creates the following registry entries:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runvgjeuyj = %Program Files%\Common Files\Microsoft Shared\juyplqk.exe"brgknyg = %Program Files%\Common Files\System\civoabs.exe
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%executable%Debugger = %Program Files%\Common Files\Microsoft Shared\juyplqk.exe

Where %executable% is any of the following:

• Ras.exe
• avp.com
• avp.exe
• runiep.exe
• PFW.exe
• FYFireWall.exe
• rfwmain.exe
• rfwsrv.exe
• KAVPF.exe
• KPFW32.exe
• nod32kui.exe
• nod32.exe
• Navapsvc.exe
• Navapw32.exe
• avconsol.exe
• webscanx.exe
• NPFMntor.exe
• vsstat.exe
• KPfwSvc.exe
• RavTask.exe
• Rav.exe
• RavMon.exe
• mmsk.exe
• WoptiClean.exe
• QQKav.exe
• QQDoctor.exe
• EGHOST.exe
• 360Safe.exe
• iparmo.exe
• adam.exe
• IceSword.exe
• 360rpt.exe
• 360tray.exe
• AgentSvr.exe
• AppSvc32.exe
• autoruns.exe
• avgrssvc.exe
• AvMonitor.exe
• CCenter.exe
• ccSvcHst.exe
• FileDsty.exe
• FTCleanerShell.exe
• HijackThis.exe
• Iparmor.exe
• isPwdSvc.exe
• kabaload.exe
• KaScrScn.SCR
• KASMain.exe
• KASTask.exe
• KAV32.exe
• KAVDX.exe
• KAVPFW.exe
• KAVSetup.exe
• KAVStart.exe
• KISLnchr.exe
• KMailMon.exe
• KMFilter.exe
• KPFW32X.exe
• KPFWSvc.exe
• KRegEx.exe
• KRepair.com
• KsLoader.exe
• KVCenter.kxp
• KvDetect.exe
• KvfwMcl.exe
• KVMonXP.kxp
• KVMonXP_1.kxp
• kvol.exe
• kvolself.exe
• KvReport.kxp
• KVScan.kxp
• KVSrvXP.exe
• KVStub.kxp
• kvupload.exe
• kvwsc.exe
• KvXP.kxp
• KvXP_1.kxp
• KWatch.exe
• KWatch9x.exe
• KWatchX.exe
• loaddll.exe
• MagicSet.exe
• mcconsol.exe
• mmqczj.exe
• nod32krn.exe
• PFWLiveUpdate.exe
• QHSET.exe
• RavMonD.exe
• RavStub.exe
• RegClean.exe
• rfwcfg.exe
• RfwMain.exe
• RsAgent.exe
• Rsaupd.exe
• safelive.exe
• scan32.exe
• shcfg32.exe
• SmartUp.exe
• SREng.EXE
• symlcsvc.exe
• SysSafe.exe
• TrojanDetector.exe
• Trojanwall.exe
• TrojDie.kxp
• UIHost.exe
• UmxAgent.exe
• UmxAttachment.exe
• UmxCfg.exe
• UmxFwHlp.exe
• UmxPol.exe
• UpLive.exe
• upiea.exe
• AST.exe
• ArSwp.exe
• USBCleaner.exe
• rstrui.exe
• QQLiveUpdate.exe
• QQUpdateCenter.exe
• Timwp.exe

Downloads

The malware attempts to download files from the following locations:

• https://www.[removed]/TDown1.exe
• https://www.[removed]/ReadDown.txt