Home > Threat descriptions >

Worm:W32/Ippedo

Classification

Category: Malware

Type: Worm

Aliases: Worm:W32/Ippedo.A

Summary


The detection Worm:W32/Ippedo identifies the malicious shortcut (.LNK) files used by the Ippedo worm to lure users into unwittingly launching its malicious code. Once active on a machine, the worm can be directed by a remote attacker to perform various malicious actions, including performing ad-clicking, downloading additional files onto the machine, stealing information from it, restarting or shutting down the system and so on.

Removal


Automatic action

Based on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the detected program or file, or ask you for a desired action.

Knowledge Base

Find the latest advice in our Community Knowledge Base.

About the product

See the manual for your F-Secure product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details


Worm:W32/Ippedo spreads through infected removable drives. When a removable drive is inserted into a machine and the worm's malicious file is launched, it installs multiple files to the C:\Google and C:\Skypee folders. The added files include a copy of the worm's main executable file. Ippedo also deletes the legitimate googleupdate.vbs file.

Malicious LNK files

The shortcut (.LNK) files installed by the worm are linked to a executable program, an executable Autoit script launcher and an Autoit script which deploys a backdoor on the affected machine. Click on any of the disguised LNK files launches the associated malicious program, launcher or script, which can perform a number of malicious actions, including:

  • Contacting a remote server
  • Looking for and sending the following system to a remote location:
    • Operating system version
    • Installed antivirus program
    • Computer and user names
    • Geographical location
  • Executing commands from a remote attacker, including:
      Downloading and executing additional malicious files
  • Performing ad-clicking
  • Restarting and shutting down the computer
  • Updating the worm

And so on.

When it is launched, Ippedo's malicious executables first check to see if it is running in a virtual environment or if the machine includes files or processes that indicate it is used for malware analysis; if so, it will terminate itself.

Adds files

The worm adds .LNK shortcut files (the component identified by the Worm:W32/Ippedo detection) to the Startup folder and any connected removable drives, so that the worm copy is automatically executed each time the system starts or a user unsuspectingly clicks the shortcut. The links are deceptively named to appear legitimate, but all point to the worm's main file.

  • In C:\Google\Skypee:
    • Autoit.exe
    • Googleupdate.a3x
    • Skypee.lnk or Google.lnk
      Target path: C:\Windows\system32\cmd.exe /c start ..\Skypee\AutoIt3.exe /AutoIt3ExecuteScript ..\Skypee\googleupdate.a3x explorer "%CD%" & exit
  • In the Startup menu
    • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\AntiUsbWormUpdate.lnk
    • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\AntiWormUpdate.lnk
Registry modification

It also modifies the registry so that its copy is run each time Windows is started, and adds the following registry keys:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "AntiWormUpdate"="C:\\Google\\AutoIt3.exe /AutoIt3ExecuteScript C:\\Google\\googleupdate.a3x"
    "AntiUsbWorm"="C:\\Windows\\system32\\cmd.exe /c start C:\\Google\\AutoIt3.exe /AutoIt3ExecuteScript C:\\Google\\googleupdate.a3x & exit"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "AntiWormUpdate"="C:\\Google\\AutoIt3.exe /AutoIt3ExecuteScript C:\\Google\\googleupdate.a3x"
    "AntiUsbWorm"="C:\\Windows\\system32\\cmd.exe /c start C:\\Google\\AutoIt3.exe /AutoIt3ExecuteScript C:\\Google\\googleupdate.a3x & exit"c