Virus:Worm/Samony.B
Date discovered:24/10/2005
Type:Worm
In the wild:No
Reported Infections:Low
Distribution Potential:Low to medium
Damage Potential:Low to medium
Static file:Yes
File size:23,044 bytes
MD5 checksum:dcff911d09651ed6965ad01f1a7f51f0
VDF version:6.32.00.110

General
Method of propagation:
   • Email


Aliases:
   •  Symantec: W32.Looksky.A@mm
   •  McAfee: MultiDropper-OZ
   •  Kaspersky: Trojan-Dropper.Win32.Agent.yy
   •  TrendMicro: WORM_LOOKSKY.A
   •  Bitdefender: Trojan.Dropper.Agent.YY


Platforms / OS:
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads a file
   • Records keystrokes
   • Registry modification
   • Steals information

Files
It copies itself to the following location:
   • %WINDIR%\sachostx.exe



The following files are created:

– Non-malicious files:
   • %SYSDIR%\hard.lck
   • %SYSDIR%\attrib.ini, a text file with the following content:
       %stolen information%

– Files that are executed as soon as they have been fully written; further investigation showed that each of them is malware, too:
   • %SYSDIR%\msvcrl.dll, detected as: TR/Spy.Agent.hx
   • %SYSDIR%\sachostb.exe, detected as: BDS/Agent.pg
   • %SYSDIR%\sachostc.exe, detected as: Worm/Samony.B.1
   • %SYSDIR%\sachostp.exe, detected as: TR/Spy.Samony.B
   • %SYSDIR%\sachosts.exe, detected as: Worm/Samony.B.2
   • %SYSDIR%\sachostw.exe, detected as: Worm/Samony.B.3




It tries to download a file:

– The location is the following:
   • http://pro**********.ws:8080/update.htm
It is saved on the local hard drive under: %malware execution directory%\ver

Registry
The following registry key is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "HostSrv"="%WINDIR%\sachostx.exe"
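A host-triage check for the file and registry indicators listed above. This is an added example, not part of the Avira description: it runs offline against a constructed file inventory and a constructed `reg query` listing (both made up here), and the C:\WINDOWS and C:\WINDOWS\system32 expansions of %WINDIR% and %SYSDIR% are assumptions that a real run would take from the examined host.

```python
import hashlib
import re

# Indicators taken from the description above.
SAMPLE_MD5 = "dcff911d09651ed6965ad01f1a7f51f0"
DROPPED_FILES = [
    r"%WINDIR%\sachostx.exe",
    r"%SYSDIR%\hard.lck",
    r"%SYSDIR%\attrib.ini",
    r"%SYSDIR%\msvcrl.dll",
    r"%SYSDIR%\sachostb.exe",
    r"%SYSDIR%\sachostc.exe",
    r"%SYSDIR%\sachostp.exe",
    r"%SYSDIR%\sachosts.exe",
    r"%SYSDIR%\sachostw.exe",
]
RUN_VALUE_NAME = "HostSrv"

# Assumed expansions of the two placeholders. On a live host read them from the
# environment (%WINDIR%) and the System32 directory of that machine instead.
PLACEHOLDERS = {"%WINDIR%": r"C:\WINDOWS", "%SYSDIR%": r"C:\WINDOWS\system32"}


def expand(path):
    """Expand the placeholders and lower-case the result (Windows paths are
    case-insensitive, so SACHOSTS.EXE must match sachosts.exe)."""
    for token, value in PLACEHOLDERS.items():
        path = path.replace(token, value)
    return path.lower()


INDICATOR_PATHS = {expand(p) for p in DROPPED_FILES}


def check_files(inventory):
    """inventory maps a full path to the file's bytes.

    Returns (kind, path) tuples: "path" when one of the dropped file names is
    present at its expected location, "hash" when the bytes are the analysed
    dropper wherever it lies (it also travels as the skylook_1.exe attachment).
    The MD5 identifies only this exact UPX-packed sample; the dropped components
    have other hashes, which is why the path check is kept alongside it.
    """
    findings = []
    for path, data in inventory.items():
        if expand(path) in INDICATOR_PATHS:
            findings.append(("path", path))
        if hashlib.md5(data).hexdigest() == SAMPLE_MD5:
            findings.append(("hash", path))
    return findings


def check_run_key(reg_query_output):
    """Parse the output of `reg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run`
    (value name, type and data separated by runs of spaces). A value is flagged
    when it is named HostSrv or when its data launches one of the dropped
    executables, so a renamed value still shows up.
    """
    findings = []
    for line in reg_query_output.splitlines():
        parts = re.split(r"\s{2,}", line.strip())
        if len(parts) != 3 or not parts[1].startswith("REG_"):
            continue  # key header, blank line or unrelated output
        name, _type, data = parts
        if name == RUN_VALUE_NAME or expand(data) in INDICATOR_PATHS:
            findings.append(("run", name + " -> " + data))
    return findings


# Constructed sample data, not a real capture.
CLEAN_INVENTORY = {r"C:\WINDOWS\notepad.exe": b"MZ clean program"}
INFECTED_INVENTORY = {
    r"C:\WINDOWS\sachostx.exe": b"MZ stand-in for the dropper",
    r"C:\WINDOWS\system32\attrib.ini": b"captured keystrokes",
    r"C:\WINDOWS\system32\attrib.exe": b"MZ legitimate Windows tool",  # similar name, not an indicator
}
INFECTED_REG = (
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\n"
    "    HostSrv    REG_SZ    C:\\WINDOWS\\sachostx.exe\n"
    "    Updater    REG_SZ    C:\\Program Files\\Vendor\\update.exe\n"
)

if __name__ == "__main__":
    for kind, detail in check_files(INFECTED_INVENTORY) + check_run_key(INFECTED_REG):
        print(kind, detail)
```

The Run-key check matches on the launched path as well as on the value name, because the name is the easiest part for a variant to change; the hash check is deliberately kept separate from the path check, since the MD5 covers only the analysed dropper and none of the components it writes to %SYSDIR%.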

Email
It contains an integrated SMTP engine in order to send emails. A direct connection to the destination mail server is established. The characteristics are described in the following:


From:
The sender address is the user's Outlook account.


To:
– Email addresses gathered from WAB (Windows Address Book)


Subject:
The following:
   • Skylook for Skype



Body:
– Contains HTML code.
The body of the email is the following:

   • Hello, You asked me to send you Skylook - here it is:
     
     With Skylook, you can get 1 hour of world-wide calls FREE!
     
     Skype? Voice Calls (as MP3), Instant Messages, Email, Appointments, Contacts all organized and under control in Microsoft? Outlook?!
     
     Halloween Special!
     
     Try it before October 31 and receive 1 hour of free world-wide calls (SkypeOut). Also You`ll get 40% off a business license or 30% off a home license.
     
     Use Skylook 1.0 to record Skype? VoIP Calls to MP3!
     
     Skylook attache


Attachment:
The filename of the attachment is:
   • skylook_1.exe

The attachment is a copy of the malware itself.
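A mail-gateway check for the lure described above. This is an added example, not code from the Avira description: it builds constructed messages with Python's standard email library (the attachment body is a fake four-byte MZ stub, not the worm) and classifies them. The list of blocked executable extensions, the verdict names and the example addresses are assumptions.

```python
import email
from email import policy
from email.message import EmailMessage

# Lure characteristics taken from the description above.
LURE_SUBJECT = "Skylook for Skype"
LURE_ATTACHMENT = "skylook_1.exe"
# Assumed gateway policy: attachments with these extensions are never accepted.
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def classify(raw):
    """Classify one raw RFC 822 message.

    Returns {"verdict": "block" | "suspicious" | "clean", "reasons": [...]}.
    The subject alone only makes a message suspicious; an executable or
    PE-carrying attachment blocks it, so a renamed copy of the worm is still
    caught by its MZ header rather than by its filename.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    block = False
    if (msg.get("Subject") or "").strip() == LURE_SUBJECT:
        reasons.append("subject matches the Samony.B lure")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if name == LURE_ATTACHMENT:
            reasons.append("attachment is named %s" % name)
            block = True
        if name.endswith(EXECUTABLE_EXTS):
            reasons.append("executable attachment %s" % name)
            block = True
        if payload[:2] == b"MZ":
            reasons.append("attachment %s starts with a PE (MZ) header" % (name or "<unnamed>"))
            block = True
    verdict = "block" if block else ("suspicious" if reasons else "clean")
    return {"verdict": verdict, "reasons": reasons}


def build_message(subject, filename, payload):
    """Construct a test message in the shape of the worm's mail: HTML body plus
    one attachment. Addresses and body text are made up for the example."""
    msg = EmailMessage()
    msg["From"] = "user@example.invalid"       # the worm uses the victim's own Outlook address
    msg["To"] = "contact@example.invalid"      # harvested from the Windows Address Book
    msg["Subject"] = subject
    msg.set_content("<p>Hello, You asked me to send you Skylook - here it is:</p>", subtype="html")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()


# Constructed samples, not real captures. FAKE_PE is a stub, not a real executable.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60
LURE = build_message(LURE_SUBJECT, LURE_ATTACHMENT, FAKE_PE)
RENAMED_LURE = build_message("Invoice", "skylook_1.txt", FAKE_PE)
CLEAN = build_message("Meeting notes", "notes.pdf", b"%PDF-1.4 constructed")

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("renamed", RENAMED_LURE), ("clean", CLEAN)):
        print(label, classify(raw))
```

The subject and attachment name are exact strings from this sample and will not survive a variant, which is why the content check on the MZ header decides the verdict; the subject match is kept as a weak, explanatory signal only.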





Backdoor
The following ports are opened:

   • %SYSDIR%\sachosts.exe listens on a random TCP port in order to provide a proxy server.
   • %SYSDIR%\sachostc.exe listens on a random TCP port in order to provide a proxy server.


Contact server:
The following:
   • http://pro**********.ws/index.php

Through this contact it may send information; this is done with an HTTP GET request to the PHP script.


Sends information about:
    • IP address
    • Current malware status
    • Information about the network
    • Opened port

Stealing
It tries to steal the following information:

– It captures:
    • Keystrokes
    • Window information

Injection
– It injects the following file: %SYSDIR%\msvcrl.dll

  into all of the following processes:
   • Explorer.exe
   • IEXPLORE.exe


File details
Runtime packer:
In order to hamper detection and reduce the size of the file, it is packed with the following runtime packer:
   • UPX

Description inserted by Iulia Diaconescu on Tuesday, October 25, 2005
Description updated by Iulia Diaconescu on Friday, November 18, 2005
