Full description

Virus:	Worm/Arduk.G
Date discovered:	15/07/2005
Type:	Worm
In the wild:	Yes
Reported Infections:	Low
Distribution Potential:	Low to medium
Damage Potential:	Low to medium
Static file:	Yes
File size:	13.312 Bytes
MD5 checksum:	383a48fe9d8e8d8ba3240756d686c696
VDF version:	6.25.0.18

General Method of propagation:
   • Email

Aliases:
   • Symantec: W32.Adurk@mm
   • Mcafee: W32/Ardurk.gen@MM
   • Kaspersky: Email-Worm.Win32.Ardurk.g
   • TrendMicro: WORM_ADURK.A
   • Sophos: W32/Ardurk-G
   • VirusBuster: I-Worm.Ardurk.G

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Drops malicious files
   • Uses its own Email engine
   • Registry modification
   • Third party control

Right after execution the following information is displayed:

Files It copies itself to the following location:
   • %SYSDIR%\%executed file%.exe

It drops a copy of itself using a filename from a list:
Using one of the following names:
   • %every *.htm file% .exe

A section is added to a file.
– To: %every *.htm file% .exe With the following contents:
   • <OBJECT type="application/x-oleobject"CLASSID="%generated CLSID%"></OBJECT><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

Registry The following registry key is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Namesd"="%executed file%.exe"

The following registry keys are added in order to load the services after reboot:

– [HKLM\SYSTEM\CurrentControlSet\Services\%executed file%.exe]
   • "Type"=dword:00000110
   • "Start"=dword:00000002
   • "ErrorControl"=dword:00000000
   • "DisplayName"="%executed file%.exe"
   • "ObjectName"="LocalSystem"
   • "ImagePath"="%SYSDIR%\%executed file%.exe "

– [HKLM\SYSTEM\CurrentControlSet\Services\%executed file%.exe\
   Enum]
   • "0"="Root\\LEGACY_%executed file%.EXE\\0000"
   • "Count"=dword:00000001
   • "NextInstance"=dword:00000001

– [HKLM\SYSTEM\CurrentControlSet\Services\%executed file%.exe\
   Security]
   • Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
      00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
      00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
      05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
      20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
      00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
      00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

The following registry keys are added:

– HKLM\SYSTEM\CurrentControlSet\Enum\Root\
   LEGACY_%executed file%.EXE]
   • "NextInstance"=dword:00000001

– HKLM\SYSTEM\CurrentControlSet\Enum\Root\
   LEGACY_%executed file%.EXE\0000]
   • "Service"="%executed file%.exe"
   • "Legacy"=dword:00000001
   • "ConfigFlags"=dword:00000000
   • "Class"="LegacyDriver"
   • "ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
   • "DeviceDesc"="%executed file%.exe"

– [HKLM\SYSTEM\CurrentControlSet\Enum\Root\
   LEGACY_%executed file%.EXE\0000\Control]
   • "*NewlyCreated*"=dword:00000000
   • "ActiveService"="%executed file%.exe"

– HKCR\CLSID\{%generated CLSID%}\LocalServer32]
   • @="%malware execution directory%\\%executed file%.exe"

– [HKCR\CLSID\{%generated CLSID%}]
   • @="%every *.htm file% .exe"

– [HKCR\CLSID\{%generated CLSID%}\LocalServer32]
   • @="%malware execution directory%\\%every *.htm file% .exe"

The following registry keys are changed:

– [HKLM\SYSTEM\ControlSet001\Control\ServiceCurrent]
   Old value:
   • @=dword:0000000a
   New value:
   • @=dword:0000000d

– [HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares]
   Old value:
   • "C"=hex(7):43,00,53,00,43,00,46,00,6c,00,61,00,67,00,73,00,3d,00,30,00,00,00,\
      4d,00,61,00,78,00,55,00,73,00,65,00,73,00,3d,00,34,00,32,00,39,00,34,00,39,\
      00,36,00,37,00,32,00,39,00,35,00,00,00,50,00,61,00,74,00,68,00,3d,00,43,00,\
      3a,00,5c,00,00,00,50,00,65,00,72,00,6d,00,69,00,73,00,73,00,69,00,6f,00,6e,\
      00,73,00,3d,00,30,00,00,00,52,00,65,00,6d,00,61,00,72,00,6b,00,3d,00,00,00,\
      54,00,79,00,70,00,65,00,3d,00,30,00,00,00,00,00
   New value:
   • "C"=hex(7):43,00,53,00,43,00,46,00,6c,00,61,00,67,00,73,00,3d,00,30,00,00,00,\
      4d,00,61,00,78,00,55,00,73,00,65,00,73,00,3d,00,34,00,32,00,39,00,34,00,39,\
      00,36,00,37,00,32,00,39,00,35,00,00,00,50,00,61,00,74,00,68,00,3d,00,43,00,\
      3a,00,5c,00,00,00,50,00,65,00,72,00,6d,00,69,00,73,00,73,00,69,00,6f,00,6e,\
      00,73,00,3d,00,30,00,00,00,52,00,65,00,6d,00,61,00,72,00,6b,00,3d,00,00,00,\
      54,00,79,00,70,00,65,00,3d,00,30,00,00,00,00,00
     "d"=hex(7):43,00,53,00,43,00,46,00,6c,00,61,00,67,00,73,00,3d,00,30,00,00,00,\
      4d,00,61,00,78,00,55,00,73,00,65,00,73,00,3d,00,34,00,32,00,39,00,34,00,39,\
      00,36,00,37,00,32,00,39,00,35,00,00,00,50,00,61,00,74,00,68,00,3d,00,64,00,\
      3a,00,5c,00,00,00,50,00,65,00,72,00,6d,00,69,00,73,00,73,00,69,00,6f,00,6e,\
      00,73,00,3d,00,30,00,00,00,52,00,65,00,6d,00,61,00,72,00,6b,00,3d,00,64,00,\
      00,00,54,00,79,00,70,00,65,00,3d,00,30,00,00,00,00,00
     "e"=hex(7):43,00,53,00,43,00,46,00,6c,00,61,00,67,00,73,00,3d,00,30,00,00,00,\
      4d,00,61,00,78,00,55,00,73,00,65,00,73,00,3d,00,34,00,32,00,39,00,34,00,39,\
      00,36,00,37,00,32,00,39,00,35,00,00,00,50,00,61,00,74,00,68,00,3d,00,65,00,\
      3a,00,5c,00,00,00,50,00,65,00,72,00,6d,00,69,00,73,00,73,00,69,00,6f,00,6e,\
      00,73,00,3d,00,30,00,00,00,52,00,65,00,6d,00,61,00,72,00,6b,00,3d,00,65,00,\
      00,00,54,00,79,00,70,00,65,00,3d,00,30,00,00,00,00,00

Email It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server will be established. The characteristics are described in the following:

From:
The sender address is spoofed.

To:
– Email addresses found in specific files on the system.

Subject:
The following:
   • CARTOON %three-digit random character string%

Body:
– Contains HTML code.
– Contains a link to other malware.

The body of the email is the following:

   • CARTOON %three-digit random character string%
     The
     1 Site for: Cartoons, Hentai & Anime HORNY LITTLE TOONS
     EXCLUSIVE HENTAI CONTENT
     EROTIC ANIME MOVIES
     NEVER SEEN BEFORE CARTOON SLUTS
     JAPANESE MANGA TOONS

     ENTER CARTOON %three-digit random character string% HERE!!

     To unsubscribe click here "http://**********.net/remove/remove.php"


Attachment:
The filename of the attachment is constructed out of the following:

– It starts with one of the following:
   • CARTOON_

Continued by one of the following:
   • %three-digit random character string%

    The file extension is one of the following:
   • .exe

Here are a few examples of how the filename of the attachment might look like:
   • CARTOON_222.exe
   • CARTOON_021.exe

The email looks like the following:

Mailing Search addresses:
It searches the following file for email addresses:
• HTM

Miscellaneous Mutex:
It creates the following Mutex:
   • _NextPart_%03d_%04X_%08.8lX.%08.8lX

Network shares:
The following network shares will be created:
   • C:\
   • D:\

Description inserted by Catalin Jora on Wednesday, August 3, 2005
Description updated by Catalin Jora on Friday, August 19, 2005

Back . . . .

Featured PC protection

Free products

Most popular

All products

Bundled Solutions

Workstation

Server

Bundled Solutions

Mail Gateways

Web Gateways

Collaboration Platforms

Home Products

Business Products

Virus Lab

More Support

Become an Avira Partner

Home Products

Business Products

Just want to evaluate a product?

Manuals and Tools