Virus: Worm/Locksky.K.6
Date discovered: 12/12/2005
Type: Worm
In the wild: No
Reported infections: Low
Distribution potential: Medium
Damage potential: Medium
Static file: Yes
File size: 30.373 Bytes
MD5 checksum: f5a61e5640b12c0F651d738c6bb5d484
VDF version: 6.33.00.19

General
Method of propagation:
• Email

Aliases:
• Kaspersky: Email-Worm.Win32.Locksky.k
• F-Secure: W32/Locksky.D
• VirusBuster: iworm I-Worm.Locksky.R
• Bitdefender: Win32.Locksky.F@mm

Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Downloads a file
• Drops files
• Drops malicious files
• Uses its own email engine
• Records keystrokes
• Registry modification
• Steals information
• Third party control

Files
It copies itself to the following locations:
• %WINDIR%\sachostx.exe
• %malware execution folder%\temp.bak

The following files are created:
– %SYSDIR%\hard.lck: a file for temporary use; it might be deleted afterwards.
– %SYSDIR%\attrib.ini: this file contains the collected keystrokes.
– %SYSDIR%\msvcrl.dll: executed as soon as it has been fully written. Further investigation showed that this file is malware, too. Detected as: Worm/Locksky.K.Dll
– %SYSDIR%\sachostb.exe: executed as soon as it has been fully written. Further investigation showed that this file is malware, too. Detected as: Worm/Locksky.K.2
– %SYSDIR%\sachostp.exe: executed as soon as it has been fully written. Further investigation showed that this file is malware, too. Detected as: Worm/Locksky.K.3
– %SYSDIR%\sachosts.exe: executed as soon as it has been fully written. Further investigation showed that this file is malware, too. Detected as: Worm/Locksky.K.4
– %SYSDIR%\sachostw.exe: executed as soon as it has been fully written. Further investigation showed that this file is malware, too. Detected as: Worm/Locksky.K.5
– %SYSDIR%\sachostc.exe: executed as soon as it has been fully written. Further investigation showed that this file is malware, too. Detected as: Worm/Locksky.B.3

Registry
The following registry value is added so that the process runs again after a reboot:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  • "HostSrv" = "%WINDIR%\sachostx.exe"

Email
It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server is established. The characteristics are as follows:

From: The sender address is the user's Outlook account. The sender of the email is the following:
• %recipient's domain%

To: The recipient of the email is the following:
• %email application account%

Body:
– Contains HTML code. The body of the email is the following:
  • We regret to inform you that your account has been suspended due to the violation of our site policy, more info is attached.

The filename of the attachment is:
• acc_info1.exe
The attachment is a copy of the malware itself.

The email looks like the following:

Backdoor
The following ports are opened:
– %SYSDIR%\sachostb.exe on TCP port 321 in order to provide backdoor capabilities.
– %SYSDIR%\sachostc.exe on a random TCP port in order to provide a proxy server.
– %SYSDIR%\sachosts.exe on a random TCP port in order to provide a SOCKS 4 proxy server.

Contact server: The following:
• http://pro**********.ws/index.php
As a result it may send some information. This is done via an HTTP GET request to a PHP script.

Sends information about:
• IP address
• Current malware status
• Opened port

Remote control capabilities:
• Abort connection
• Change directory
• Copy file
• Delete file
• Directory listing
• Display a message
• Download file
• Execute file
• Move file

Stealing
It tries to steal the following information:
– Passwords typed into 'password input fields'
– Email account information obtained from the registry key: HKCU\Software\Microsoft\Internet Account Manager\Accounts

File details
Programming language: The malware program was written in MS Visual C++.
Runtime packer: In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.
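The dropped files, the "HostSrv" autorun value, the TCP/321 backdoor listener and the lure email above are all host- or mail-side indicators a defender can check for directly. The script below is an added example (not part of the original description) that matches a host snapshot and an email against exactly those indicators. The snapshot format, the environment-variable mapping and the sample data are constructed for illustration; only the indicator values themselves come from the description.

```python
"""Match a host snapshot and an email against the Worm/Locksky.K.6
indicators listed in the description above (added example)."""
import ntpath
from typing import Dict, List

# Indicators as listed in the description; %WINDIR% / %SYSDIR% stay symbolic
# and are resolved per host by expand_path().
DROPPED_FILES = [
    r"%WINDIR%\sachostx.exe",
    r"%SYSDIR%\hard.lck",
    r"%SYSDIR%\attrib.ini",
    r"%SYSDIR%\msvcrl.dll",
    r"%SYSDIR%\sachostb.exe",
    r"%SYSDIR%\sachostp.exe",
    r"%SYSDIR%\sachosts.exe",
    r"%SYSDIR%\sachostw.exe",
    r"%SYSDIR%\sachostc.exe",
]
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "HostSrv"
RUN_VALUE_DATA = r"%WINDIR%\sachostx.exe"
BACKDOOR_PORT = 321                      # opened by sachostb.exe
BACKDOOR_IMAGE = "sachostb.exe"
LURE_BODY_FRAGMENT = "your account has been suspended"
LURE_ATTACHMENT = "acc_info1.exe"


def expand_path(path: str, env: Dict[str, str]) -> str:
    """Resolve %WINDIR% / %SYSDIR% against a host's values; lower-case for
    Windows-style case-insensitive comparison."""
    for name, value in env.items():
        path = path.replace(f"%{name}%", value)
    return path.lower()


def check_host(snapshot: Dict, env: Dict[str, str]) -> List[str]:
    """Return one finding string per indicator present in the snapshot.
    Snapshot layout (hypothetical, constructed for this example):
      {"files": [path, ...],
       "run_values": {registry_key: {value_name: value_data}},
       "listening_tcp": [{"image": path, "port": int}, ...]}"""
    findings: List[str] = []
    present = {p.lower() for p in snapshot.get("files", [])}
    for ioc in DROPPED_FILES:
        if expand_path(ioc, env) in present:
            findings.append(f"file: {ioc}")
    # Persistence: match either the value name or the data it points to,
    # so a renamed value still triggers if it launches sachostx.exe.
    for name, data in snapshot.get("run_values", {}).get(RUN_KEY, {}).items():
        if (name.lower() == RUN_VALUE_NAME.lower()
                or expand_path(data, env) == expand_path(RUN_VALUE_DATA, env)):
            findings.append(f"autorun: {name} = {data}")
    # Listeners: the backdoor port is fixed, the proxy ports are random,
    # so also flag any other sachost*.exe that is listening.
    for sock in snapshot.get("listening_tcp", []):
        image = ntpath.basename(sock["image"]).lower()
        if sock["port"] == BACKDOOR_PORT and image == BACKDOOR_IMAGE:
            findings.append(f"backdoor listener: {image} tcp/{sock['port']}")
        elif image.startswith("sachost") and image.endswith(".exe"):
            findings.append(f"suspicious listener: {image} tcp/{sock['port']}")
    return findings


def check_email(msg: Dict) -> List[str]:
    """Flag the lure text and the attachment name from the description."""
    findings: List[str] = []
    if LURE_BODY_FRAGMENT in msg.get("body", "").lower():
        findings.append("lure text matches")
    for name in msg.get("attachments", []):
        if name.lower() == LURE_ATTACHMENT:
            findings.append(f"lure attachment: {name}")
    return findings


# Constructed sample data (not real telemetry) for an infected host.
SAMPLE_ENV = {"WINDIR": r"C:\WINDOWS", "SYSDIR": r"C:\WINDOWS\system32"}
SAMPLE_HOST = {
    "files": [r"C:\WINDOWS\sachostx.exe",
              r"C:\WINDOWS\system32\attrib.ini",
              r"C:\WINDOWS\system32\notepad.exe"],
    "run_values": {RUN_KEY: {"HostSrv": r"C:\WINDOWS\sachostx.exe",
                             "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"}},
    "listening_tcp": [{"image": r"C:\WINDOWS\system32\sachostb.exe", "port": 321},
                      {"image": r"C:\WINDOWS\system32\sachostc.exe", "port": 40213},
                      {"image": r"C:\WINDOWS\system32\svchost.exe", "port": 135}],
}
SAMPLE_MAIL = {
    "body": "<html>We regret to inform you that your account has been "
            "suspended due to the violation of our site policy.</html>",
    "attachments": ["acc_info1.exe"],
}

if __name__ == "__main__":
    for finding in check_host(SAMPLE_HOST, SAMPLE_ENV) + check_email(SAMPLE_MAIL):
        print(finding)
```

On the constructed sample the host check reports two dropped files, the HostSrv autorun value, the TCP/321 backdoor listener and the sachostc.exe proxy listener on its random port; the mail check reports both the lure text and the attachment. On a real host the snapshot would be filled from a file listing, the Run key and a `netstat`-style socket list.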
Description inserted by Daniel Constantin on Monday, December 19, 2005 Description updated by Daniel Constantin on Tuesday, January 3, 2006