Email-Worm:W32/Zhelatin.CQ

Classification

Category :

Malware

Type :

Email-Worm

Aliases :

Email-Worm.Win32.Zhelatin.cq

Summary

This type of worm is embedded in an email attachment, and spreads using the infected computer's emailing networks.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The Zhelatin.CQ worm started to spread very late on April 8th, 2007. The worm spreads in emails with war-related subjects as an attachment named "video.exe", "movie.exe", "click me.exe" and so on. The worm creates its own peer-to-peer network.

After the worm's file is started by a user, it drops a randomly named file into the same folder where it was started from and runs it. This file installs a rootkit and p2p (peer-to-peer) component into the Windows System folder. The file name is wincom32.sys.

Rootkit

The installed component has rootkit features: it hides its Registry keys and active process so that an anti-rootkit engine is needed to reveal them.

In addition, this component drops a text file named wincom32.ini into the Windows System folder. This file contains a list of clients for the worm's peer-to-peer network. The peer names and access ports are encoded. Here's an example of the file's contents:

  • [counter] Counter=0 [peers] 003964D3640550573F800125725481EF=5326859A123900 004982069E5DB75721B54CFF33A26170=5955FC93123900 00A1836AE91D076BC265F9735204714F=451AAE831EBF00

The dropped file also has a blacklist area, but it's empty at the moment.

Propagation

The worm decodes the clients' addresses and access ports and connects itself to the peer-to-peer network. A significant number of UDP connections can be observed when the worm is trying to connect to its p2p network.

While taking the above actions, the copy of the worm that remains in memory starts its spreading cycle. It creates a mutex named klllekkdkkd and scans files on local hard disk drives for victims' email addresses.

The worm ignores email addresses if they contain any of the following substrings:

  • .gov
  • .mil
  • microsoft

Then the worm starts to spread in emails. It sends messages with the following subjects to all harvested email addresses:

  • Iran Just Have Started World War III
  • Israel Just Have Started World War III
  • Missle Strike: The USA kills more then 1000 Iranian citizens
  • Missle Strike: The USA kills more then 10000 Iranian citizens
  • Missle Strike: The USA kills more then 20000 Iranian citizens
  • USA Declares War on Iran
  • USA Just Have Started World War III
  • USA Missle Strike: Iran War just have started

The subjects are war-related and alarming, a common social-engineering trick to draw recipients into executing the attachment. The worm always attaches itself to the emails that it sends out. The attachment names can be any of the following:

  • Click Here.exe
  • Click Me.exe
  • More.exe
  • Movie.exe
  • News.exe
  • Read Me.exe
  • Read More.exe
  • Video.exe

When a recipient of such email opens the attachment, his/her computer becomes infected and the worm continues its spreading cycle.

Payload

The worm kills processes if they have the following substrings in their names:

  • anti
  • avg
  • avp
  • blackice
  • firewall
  • f-pro
  • hijack
  • lockdown
  • mcafee
  • msconfig
  • nav
  • nod32
  • rav
  • reged
  • spybot
  • taskmgr
  • troja
  • viru
  • vsmon
  • zonea

Registry Modifications

Creates these keys:

  • [HKLM\System\ControlSet001\Services\wincom32] @ = "%WinSysDir%\wincom32.sys"