Virus: Worm/Arduk.G
Date discovered: 13/12/2012
Type: Worm
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low to medium
Damage Potential: Low to medium
Static file: Yes
File size: 13.312 Bytes
MD5 checksum: 383a48fe9d8e8d8ba3240756d686c696
VDF version: 7.11.53.216

General

Method of propagation:
   • Email


Aliases:
   •  Symantec: W32.Adurk@mm
   •  Mcafee: W32/Ardurk.gen@MM
   •  Kaspersky: Email-Worm.Win32.Ardurk.g
   •  TrendMicro: WORM_ADURK.A
   •  Sophos: W32/Ardurk-G
   •  VirusBuster: I-Worm.Ardurk.G


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops malicious files
   • Uses its own Email engine
   • Registry modification
   • Third party control


Right after execution the following information is displayed:


Files

It copies itself to the following location:
   • %SYSDIR%\%executed file%.exe



It drops a copy of itself using one of the following names:
   • %every *.htm file% .exe




A section is added to a file.
– To: %every *.htm file% .exe
  With the following contents:
   • <OBJECT type="application/x-oleobject"CLASSID="%generated CLSID%"></OBJECT><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">


Registry

The following registry key is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Namesd"="%executed file%.exe"



The following registry keys are added in order to load the services after reboot:

– [HKLM\SYSTEM\CurrentControlSet\Services\%executed file%.exe]
   • "Type"=dword:00000110
   • "Start"=dword:00000002
   • "ErrorControl"=dword:00000000
   • "DisplayName"="%executed file%.exe"
   • "ObjectName"="LocalSystem"
   • "ImagePath"="%SYSDIR%\%executed file%.exe "

– [HKLM\SYSTEM\CurrentControlSet\Services\%executed file%.exe\Enum]
   • "0"="Root\\LEGACY_%executed file%.EXE\\0000"
   • "Count"=dword:00000001
   • "NextInstance"=dword:00000001

– [HKLM\SYSTEM\CurrentControlSet\Services\%executed file%.exe\Security]



The following registry keys are added:

– [HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_%executed file%.EXE]
   • "NextInstance"=dword:00000001

– [HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_%executed file%.EXE\0000]
   • "Service"="%executed file%.exe"
   • "Legacy"=dword:00000001
   • "ConfigFlags"=dword:00000000
   • "Class"="LegacyDriver"
   • "ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
   • "DeviceDesc"="%executed file%.exe"

– [HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_%executed file%.EXE\0000\Control]
   • "*NewlyCreated*"=dword:00000000
   • "ActiveService"="%executed file%.exe"

– [HKCR\CLSID\{%generated CLSID%}\LocalServer32]
   • @="%malware execution directory%\\%executed file%.exe"

– [HKCR\CLSID\{%generated CLSID%}]
   • @="%every *.htm file% .exe"

– [HKCR\CLSID\{%generated CLSID%}\LocalServer32]
   • @="%malware execution directory%\\%every *.htm file% .exe"



The following registry keys are changed:

– [HKLM\SYSTEM\ControlSet001\Control\ServiceCurrent]
   Old value:
   • @=dword:0000000a
   New value:
   • @=dword:0000000d

– [HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares]
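The host-side indicators listed above (the "Namesd" Run value, the service registered under the worm's own .exe name as LocalSystem, and the OBJECT tag prepended to .htm files) can be checked offline against a .reg export and a saved page. This is an added triage example, not Avira's code; the .reg sample and the file name "sample.exe" are constructed for illustration.

```python
import re

# Indicators from the description above: the Run value name "Namesd", a service key named
# after the worm's own .exe running as LocalSystem, and the OBJECT tag prepended to .htm files.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "Namesd"
SERVICES_KEY = r"hkey_local_machine\system\currentcontrolset\services"
HTM_MARKER = re.compile(r'<OBJECT\s+type="application/x-oleobject"\s*CLASSID="[^"]+"\s*>'
                        r'\s*</OBJECT>\s*<!DOCTYPE', re.IGNORECASE)

def parse_reg_export(text):
    """Parse .reg export text into {key path: {value name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data.strip('"')
    return keys

def find_persistence(keys):
    """Flag the Run value and any service keyed on an .exe name that runs as LocalSystem."""
    findings = []
    run = keys.get(RUN_KEY, {})
    if RUN_VALUE in run:
        findings.append(("run", RUN_VALUE, run[RUN_VALUE]))
    for key, values in keys.items():
        parent, _, leaf = key.rpartition("\\")
        if (parent.lower() == SERVICES_KEY and leaf.lower().endswith(".exe")
                and values.get("ObjectName") == "LocalSystem"):
            findings.append(("service", leaf, values.get("ImagePath", "")))
    return findings

def htm_is_marked(html):
    """True if the page carries the OBJECT tag the worm inserts ahead of the DOCTYPE."""
    return HTM_MARKER.search(html) is not None

# Constructed sample export and page; "sample.exe" is a hypothetical file name, not a real artefact.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Namesd"="sample.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sample.exe]
"ObjectName"="LocalSystem"
"ImagePath"="C:\\WINDOWS\\system32\\sample.exe "
"""
SAMPLE_HTM = ('<OBJECT type="application/x-oleobject"CLASSID="{00000000-0000-0000-0000-000000000000}">'
              '</OBJECT><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><html></html>')
```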

Email

It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server is established. The characteristics are as follows:


From:
The sender address is spoofed.


To:
– Email addresses found in specific files on the system.


Subject:
The following:
   • CARTOON %three-digit random character string%



Body:
– Contains HTML code.
– Contains a link to other malware.

 
The body of the email is the following:

   • CARTOON %three-digit random character string%
     The
     1 Site for: Cartoons, Hentai & Anime HORNY LITTLE TOONS
     EXCLUSIVE HENTAI CONTENT
     EROTIC ANIME MOVIES
     NEVER SEEN BEFORE CARTOON SLUTS
     JAPANESE MANGA TOONS
     
     ENTER CARTOON %three-digit random character string% HERE!!
     
     To unsubscribe click here "http://**********.net/remove/remove.php"
     


Attachment:
The filename of the attachment is constructed out of the following:

– It starts with one of the following:
   • CARTOON_

– Continued by one of the following:
   • %three-digit random character string%

– The file extension is one of the following:
   • .exe



Here are a few examples of how the filename of the attachment might look:
   • CARTOON_222.exe
   • CARTOON_021.exe



The email looks like the following:


Mailing

Search addresses:
It searches the following file types for email addresses:
   • HTM
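The mail characteristics above (subject "CARTOON xxx", attachment CARTOON_xxx.exe, HTML body with a "remove/remove.php" unsubscribe link) can be turned into a gateway check with the standard library. This is an added example, not part of the Avira description; the message it builds is constructed, and the addresses and the host "example.invalid" are placeholders.

```python
import re
from email import message_from_string
from email.message import EmailMessage

# Mail characteristics from the description above: subject "CARTOON xxx", attachment
# CARTOON_xxx.exe and an HTML body carrying an "unsubscribe" link ending in /remove/remove.php.
SUBJECT_RE = re.compile(r"^CARTOON [A-Za-z0-9]{3}$")
ATTACHMENT_RE = re.compile(r"^CARTOON_[A-Za-z0-9]{3}\.exe$", re.IGNORECASE)
REMOVE_LINK_RE = re.compile(r"https?://[^\s\"'<>]+/remove/remove\.php", re.IGNORECASE)

def arduk_indicators(raw):
    """Return the indicator names that match a raw RFC 822 message (empty list = none)."""
    msg = message_from_string(raw)
    hits = []
    if SUBJECT_RE.match(msg.get("Subject", "").strip()):
        hits.append("subject")
    for part in msg.walk():
        name = part.get_filename()
        if name and ATTACHMENT_RE.match(name):
            hits.append("attachment")
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True).decode("latin-1", "replace")
            if REMOVE_LINK_RE.search(body):
                hits.append("remove-link")
    return hits

def build_sample():
    """Constructed message shaped like the description; addresses and host are placeholders."""
    msg = EmailMessage()
    msg["From"] = "spoofed@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "CARTOON 222"
    msg.set_content('<html><body>ENTER CARTOON 222 HERE!!<br>To unsubscribe click here '
                    '"http://example.invalid/remove/remove.php"</body></html>', subtype="html")
    msg.add_attachment(b"not a real binary", maintype="application",
                       subtype="octet-stream", filename="CARTOON_222.exe")
    return msg.as_string()
```

A message that matches only one indicator (for instance the attachment name) still returns that single hit, so the caller decides how many hits warrant quarantine.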

Miscellaneous

Mutex:
It creates the following Mutex:
   • _NextPart_%03d_%04X_%08.8lX.%08.8lX


Network shares:
The following network shares will be created:
   • C:\
   • D:\


Description inserted by Catalin Jora on Wednesday, August 3, 2005
Description updated by Catalin Jora on Friday, August 19, 2005
