Worm:W32/Tyhos spreads via infected removable drives; once present on a machine, it checks the system for any connected removable drives every 10555 milliseconds. If found, it copies itself to the removable drive.
The worm file itself is packed using the F[ast] S[mall] G[ood] packer.
The details below are based on analysis of the following sample: SHA1: 21ae5cf02ba792d902efb7cbc9a115769c878337.
On execution, the worm creates copies of itself in the following locations:
- %System%\[random number]\avgupdate.exe
- %System%\[random number]\isass.exe
The copied files have their properties set to hidden. The worm also adds registry keys for both files, so that they run automatically whenever the system is started:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\avpupdt = "%System%\[Random_Numbers]\avgupdt.exe"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ctfmon = "%System%\[Random_Numbers]\lsass.exe"
It also drops an HTML page to:
And creates the following mutexes:
- ----[ GHOSTY.NET ]----
Once the files are dropped, the isass.exe file is launched by shellexecute and checks whether a file named ghosty.d is present in the SystemRoot folder. It also opens the dropped index.html file:
index.html file displayed by Worm:W32/Tyhos