Virus: Worm/Wigon.AB
Date discovered: 15/08/2007
Type: Worm
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Low to medium
Damage Potential: Low
Static file: Yes
File size: 20.992 Bytes
MD5 checksum: 570C666DCD49D81FEB036C14A3DC99BD
VDF version: 6.39.1.5
IVDF version: 6.39.1.5

General Method of propagation:
   • Email


Aliases:
   •  Kaspersky: Trojan-Downloader.Win32.Agent.brk
   •  F-Secure: Trojan-Downloader.Win32.Agent.brk
   •  Eset: a variant of Win32/TrojanDownloader.Agent.BRK

Non working variants may be identified as:
   •  Worm/Wigon.AB


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads a malicious file
   • Drops malicious files
   • Uses its own Email engine

Files:
It creates the following directory:
   • %WINDIR%\temp



It overwrites the following file:
   • %SYSDIR%\drivers\ip6fw.sys



The following files are created:
   • %SYSDIR%\drivers\runtime2.sys – Further investigation pointed out that this file is malware, too. Detected as: RKIT/Posh.A
   • %TEMPDIR%\startdrv.exe – Further investigation pointed out that this file is malware, too. Detected as: Worm/Wigon.A




It tries to download a file:

– The location is the following:
   • http://66.246.252.215/**********
It is saved on the local hard drive under: %TEMPDIR%\%several random digits%8.exe
Furthermore, this file gets executed after it was fully downloaded. Further investigation pointed out that this file is malware, too. Detected as: TR/Wigon.AB

Registry:
The following registry key is added in order to run the process after reboot:

– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   • "startdrv"="%TEMPDIR%\startdrv.exe"



The following registry keys are added:

– HKLM\SYSTEM\CurrentControlSet\Services\ip6fw\Enum
   • "0"="Root\\LEGACY_IP6FW\\0000"
   • "Count"=dword:00000001
   • "NextInstance"=dword:00000001

– HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IP6FW
   • "NextInstance"=dword:00000001

– HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IP6FW\0000
   • "Service"="ip6fw"
   • "Legacy"=dword:00000001
   • "ConfigFlags"=dword:00000000
   • "Class"="LegacyDriver"
   • "ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
   • "DeviceDesc"="IPv6 Windows Firewall Driver"

– HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IP6FW\0000\Control
   • "*NewlyCreated*"=dword:00000000
   • "ActiveService"="ip6fw"
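The persistence and driver-enum entries listed above are the host-side indicators a responder would look for in a registry export. The following is an added example (not Avira's code and not part of this description): a small parser for the .reg export format that resolves the Run value and the ip6fw/LEGACY_IP6FW keys, run over a constructed sample export. The concrete paths in the sample (C:\WINDOWS\Temp standing in for %TEMPDIR%) are assumptions. Note that ip6fw is a legitimate Windows driver that the worm overwrites, so the service and enum keys are supporting evidence; the Run value pointing at startdrv.exe is the strong indicator.

```python
import re

# Indicators taken from the description above, in REGEDIT-export spelling of the hives.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
IP6FW_ENUM_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ip6fw\Enum"
LEGACY_IP6FW_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IP6FW"

# "name"=value  or  @=value (default value)
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _unescape(s: str) -> str:
    # .reg exports escape backslashes and double quotes inside strings.
    return s.replace("\\\\", "\\").replace('\\"', '"')


def _decode_value(v: str):
    if v.startswith('"') and v.endswith('"'):
        return _unescape(v[1:-1])
    if v.startswith("dword:"):
        return int(v[len("dword:"):], 16)
    return v  # hex(...) blobs and other types are kept as their raw text


def parse_reg_export(text: str) -> dict:
    """Parse a .reg export (REGEDIT4 or 'Windows Registry Editor Version 5.00')
    into {key_path: {value_name: value}}; keys without values map to {}."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(2) else _unescape(m.group(1))
            keys[current][name] = _decode_value(m.group(3))
    return keys


def find_wigon_indicators(reg: dict) -> list:
    """Return human-readable findings for the Run value and the ip6fw driver-enum
    entries listed in the description. The Run value is the strong indicator; the
    ip6fw keys can also exist on a clean XP host that uses the IPv6 firewall driver."""
    findings = []
    for name, val in reg.get(RUN_KEY, {}).items():
        if name.lower() == "startdrv" or (isinstance(val, str) and val.lower().endswith("\\startdrv.exe")):
            findings.append(f"Run value {name!r} launches {val!r}")
    if IP6FW_ENUM_KEY in reg:
        findings.append("ip6fw service has an Enum subkey pointing at Root\\LEGACY_IP6FW")
    inst = reg.get(LEGACY_IP6FW_KEY + r"\0000", {})
    if inst.get("Service") == "ip6fw" and inst.get("Class") == "LegacyDriver":
        findings.append("LEGACY_IP6FW\\0000 registers ip6fw as a legacy driver instance")
    return findings


# Constructed sample exports (not real captures); C:\WINDOWS\Temp stands in for %TEMPDIR%.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"startdrv"="C:\\WINDOWS\\Temp\\startdrv.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ip6fw\Enum]
"0"="Root\\LEGACY_IP6FW\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IP6FW\0000]
"Service"="ip6fw"
"Legacy"=dword:00000001
"Class"="LegacyDriver"
"DeviceDesc"="IPv6 Windows Firewall Driver"
"""

CLEAN_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

if __name__ == "__main__":
    for finding in find_wigon_indicators(parse_reg_export(SAMPLE_REG)):
        print(finding)
```

Run against an export taken with `reg export` from the HKLM hives; the clean sample yields no findings, the infected sample yields three.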

Email:
It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server will be established. The characteristics are described in the following:


From:
The sender address is spoofed.
Gathered addresses from the internet. Please do not assume that it was the sender's intention to send this email to you. He might not know about his infection or might not even be infected at all. Furthermore, it is possible that you will receive bounced emails that tell you that you are infected. This might also not be the case.
The sender of the email is one of the following:
   • "Abel Goldberg" <kyler.davey@bsbk.at>
   • "Adrian Hobbs" <giulio.davey@bios-kontrolle.at>
   • "Andrea Feldman" <rhodri.davenport@anet.dk>
   • "Angelo Wilkerson" <meurig.davey@casachine.com>
   • "Ariel Peck" <mitchell.davey@cbre-hededanmark.dk>
   • "Bradley Buckley" <rosalva.davenport@ansatzwerbung.at>
   • "Brent Reeder" <themba.davenport@atomic-hosting.net>
   • "Casey Langford" <philippa.davey@citymaeglerne.dk>
   • "Casey Meade" <michaela.davey@casamedica.at>
   • "Cecil Stapleton" <tulay.davenport@austria.org>
   • "Claudette Waters" <kanya.davey@braumann-haustechnik.at>
   • "Claudine Conway" <kianoush.davey@broby-el.dk>
   • "Dallas Doss" <thracius.davenport@attensam.at>
   • "Darnell Kramer" <jaroslawa.davey@bonvitalis.dk>
   • "Dewayne Meyers" <elidi.davey@beautyqueenmail.com>
   • "Dion Dillard" <eadburga.davey@bbs.wretch.cc>
   • "Edward Blanchard" <naveed.davey@centrumutveckling.se>
   • "Gwen Lynn" <yorick.davenport@babettes.at>
   • "Hazel French" <raffaello.davenport@amico.dk>
   • "Henry Mcintyre" <kalisha.davey@brandschutzplan.at>
   • "Hershel Timmons" <sherwood.davenport@aric.de>
   • "Ines Connolly" <pankrati.davey@chrysler-aalborg.dk>
   • "Jared Day" <siobhan.davenport@artacartoucherie.com>
   • "Joshua Wilkerson" <laetitia.davey@bsmc.bems.boeing.com>
   • "Kaitlin Henson" <ethelred.davey@bentflemming.dk>
   • "Katheryn Amos" <liudvikas.davey@busan.at>
   • "Kip Starks" <ramachander.davenport@ams-wien.at>
   • "Krystal Hand" <jacenty.davey@bogpost.dk>
   • "Lamont Calloway" <petera.davenport@alphanet.ch>
   • "Lenard Clark" <massoud.davey@cap-arverne-plongee.com>
   • "Louis Kane" <sylvianne.davenport@assembly.state.ny.us>
   • "Margaret Skinner" <marius.davey@cams.com>
   • "Michael Mcnamara" <joscelin.davey@boxgrove.surrey.sch.uk>
   • "Myra Crockett" <quintus.davenport@amd.co.at>
   • "Noe Sweeney" <hallie.davey@blackstuff.dk>
   • "Polly Proctor" <fikri.davey@betten-beck.de>
   • "Quinton Wu" <livvy.davey@busd.de>
   • "Randal Zamora" <merton.davey@carvan.at>
   • "Rena Russo" <deasun.davey@banyan.siemens.at>
   • "Rene May" <kenny.davey@brillenstube.at>
   • "Roderick Cornell" <maritza.davey@camrun.com>
   • "Rudy Kaufman" <lorcan.davey@butterfieldstandardbank.com>
   • "Russ Calvert" <sakina.davenport@apac.at>
   • "Sergio Bolden" <nikolaas.davey@ch.ibm.com>
   • "Sherman Crowe" <percival.davenport@alpha-solutions.dk>
   • "Sherry Proctor" <naoki.davey@cemagref.fr>
   • "Susana Short" <edvard.davey@bcremc.net>
   • "Tamika Buck" <raphael.davenport@amuro.net>
   • "Tanner Payne" <proserpine.davey@click21.com.br>
   • "Tanner Reece" <fionnbharr.davey@bexarconcrete.com>
   • "Trina Ortega" <stepanka.davenport@asd.us>
   • "Truman Silva" <deodat.davey@barriere.com>
   • "Twila Short" <niccolo.davey@cfi-extel.com>
   • "Victoria Bridges" <jaropelk.davey@bonus.com>
   • "Virgil Dahl" <masha.davey@cantv.net>
   • "Will Bowman" <esmaralda.davey@benischek.co.at>
   • "Wilson Dukes" <verity.davenport@av-astoria.at>
   • "Winifred Hairston" <prabodh.davey@classicpaintball.dk>
   • "Winston Earl" <roman.davenport@annefogel.dk>
   • "Abby William" <quintella.davey@clockworkorange.at>
   • "Abdul Dawkins" <quintus.davey@clos-st-gatien.fr>
   • "Abe Watson" <wilford.davenport@awd.at>
   • "Albert Dobson" <jacqueline.davey@boilesen.dk>
   • "Alberto Mcqueen" <pantheras.davey@chs-villach.at>
   • "Alejandra Haines" <jaslyn.davey@booja.at>
   • "Amelia Bernard" <siemen.davenport@aromawine.dk>
   • "Amie Dove" <desirae.davey@barwil.com>
   • "Andrea Guerra" <reinout.davenport@andmik.dk>
   • "Angelique Haas" <tolga.davenport@aufbauwerk.com>
   • "Ann Crump" <shantel.davenport@arcsmed.at>
   • "Anna Heath" <dorofey.davey@bayer-bau.at>
   • "Annie Porter" <hedvig.davey@blombergbahn.de>
   • "Belinda Wolff" <horst.davey@bmvvs.dk>
   • "Benita Hopkins" <timotei.davenport@auckland.ac.nz>
   • "Bennie Mcintyre" <shimon.davenport@ark-group.com>
   • "Beverly Snider" <dayaram.davey@banksys.be>
   • "Blanca Prince" <kader.davey@bramlands.com>
   • "Bradley Cummins" <eddie.davey@bcb.at>
   • "Bradly Kaiser" <girisha.davey@biomasseverband.at>
   • "Brady Dukes" <tommy.davenport@augartenhotel.at>
   • "Brenda Atwood" <kamil.davey@brasilia.net>
   • "Brent Johns" <hesekiel.davey@blumberg.at>
   • "Brice Brunson" <jouko.davey@bpaibk.at>
   • "Bridgett Henderson" <filipe.davey@bettercall.info>
   • "Britney Vincent" <pyotr.davenport@ambermedia.de>
   • "Bruno Simons" <giosue.davey@biology.queensu.ca>
   • "Buford Bonds" <myrtie.davey@cedet.dk>
   • "Burton Lovett" <zakiah.davenport@bacou-dalloz.com>
   • "Camille Mayberry" <iliya.davey@bodycote.com>
   • "Carmen Bush" <melody.davey@carnoux-immobilier.com>
   • "Cathryn Best" <maritza.davey@camrun.com>
   • "Celina Herbert" <jackalyn.davey@bohc.com>
   • "Chance Whitman" <majid.davey@cafeer.dk>
   • "Charity Darling" <neptune.davey@cesr-basse-normandie.fr>
   • "Charlie Bonilla" <matej.davey@capacent.dk>
   • "Clara Meza" <elene.davey@beatboxbooking.dk>
   • "Claudia Fernandez" <evaline.davey@berger-maschinen.at>
   • "Claudio Frazier" <hylda.davey@bo-web.com>
   • "Coleman Souza" <honza.davey@bms-software.net>
   • "Connie Alexander" <neriah.davey@cet.at>
   • "Constance Kirby" <katheryne.davey@bremant.de>
   • "Craig Washburn" <radomil.davenport@amerlinggymnasium.at>
   • "Cristina Vincent" <jennica.davey@borks.dk>
   • "Damon Massey" <dorottya.davey@bayern.de>
   • "Dante Dougherty" <emile.davey@beisteiner.at>
   • "Darin Lancaster" <helka.davey@blucher.dk>
   • "Daryl Root" <janice.davey@bomi.roskilde.dk>
   • "Deann Harding" <estee.davey@bennob-style.at>
   • "Derick Wilder" <verity.davenport@av-astoria.at>
   • "Dion Gill" <pushpa.davey@clinic-job-dress.de>
   • "Dorothea Fleming" <tamhas.davenport@astroruf.com>
   • "Dwayne Snow" <larisa.davey@btamail.net.cn>
   • "Edith Burton" <philbert.davey@cityhalllofts.com>
   • "Eduardo Macdonald" <pierina.davenport@altenbergerhof.com>
   • "Edwardo Brunson" <satomi.davenport@appli.se>
   • "Efren Walden" <esmeralda.davey@benjamin.dk>
   • "Eli Finn" <gwynfor.davey@bkkommunikation.at>
   • "Elise Quinones" <flann.davey@bfg.at>
   • "Elnora Wagner" <jolan.davey@bourgogne-moto.com>
   • "Elsie Fischer" <hideaki.davey@blumenkybele.at>
   • "Erin Carlisle" <haytham.davey@bloedschaun.com>
   • "Ernestine Novak" <halvar.davey@blackwebportal.com>
   • "Ernie Dickey" <pauli.davey@ciif.com>
   • "Errol Kent" <ruchel.davenport@anwaelte.cc>
   • "Eugenia Snyder" <roosje.davenport@anonser.dk>
   • "Evangelina Nguyen" <vanya.davenport@autohaus-schnoor.de>
   • "Evangelina Perkins" <hubert.davey@bnc.ca>
   • "Forest Kinney" <gerda.davey@billigespil.dk>
   • "Frieda Guidry" <gregers.davey@bitpalast.de>
   • "Fritz Reeves" <jacinthe.davey@bogus.se>
   • "Gale Waters" <jaffar.davey@boku.at>
   • "Gavin Barry" <khwaja.davey@brobergconsulting.dk>
   • "Gayle Otto" <smadar.davenport@artindustrial.com>
   • "Gina Lundy" <tsetsiliya.davenport@austria-hotels.co.at>
   • "Glen Valencia" <natan.davey@centras.lt>
   • "Glenda Bartley" <taegan.davenport@assurnat.com>
   • "Glenn Matthews" <rotem.davenport@antik-oldtimer.de>
   • "Gregory Sosa" <jairus.davey@boligkeramik.dk>
   • "Gretchen Hodge" <hilde.davey@bm-fitness.dk>
   • "Gustavo Woodson" <odilia.davey@chello.be>
   • "Guy Morin" <gavril.davey@bigpond.com>
   • "Harry Dean" <sherley.davenport@arho.com.ua>
   • "Henrietta Rucker" <valerian.davenport@autofunk.com>
   • "Hunter Pickens" <halle.davey@blacksonblondes.com>
   • "Ilene Souza" <kaede.davey@brammingnet.dk>
   • "Israel Duarte" <leonas.davey@bugbrother.com>
   • "Jamal Ortega" <jimmy.davey@bossmail.de>
   • "Jamie Sykes" <konrad.davey@brslevkvv.dk>
   • "Jan Gamble" <sabella.davenport@aof-vejle.dk>
   • "Jayson Wiseman" <tianna.davenport@attorney.com>
   • "Jeff Steele" <jeannette.davey@borch.dk>
   • "Jeffery Steiner" <javor.davey@booksize-pc.de>
   • "Jenna Rodgers" <wilhelmine.davenport@awo-psychologie.com>
   • "Jim Perkins" <deandre.davey@banque-sba.com>
   • "Jo Reese" <philo.davey@citype.com>
   • "Joan Roper" <narcisse.davey@centea.be>
   • "Jody Holcomb" <samson.davenport@apk.molbio.ku.dk>
   • "John Hays" <malgorzata.davey@cais.com>
   • "Johnathan Christensen" <marshan.davey@candan.com>
   • "Johnie Bruno" <louella.davey@bvji.com>
   • "Joni Vera" <floor.davey@bfs.at>
   • "Josephine Woodward" <quang.davenport@ambrealestate-inc.com>
   • "Jules Ward" <dhaval.davey@basis.or.at>
   • "Juliet Maddox" <janet.davey@bom7.vsnl.net.in>
   • "Justine Gipson" <ingolf.davey@boerkop-blik.dk>
   • "Karla Robbins" <marilyn.davey@campingraadet.dk>
   • "Kate Carrillo" <polyxena.davenport@alum.dartmouth.org>
   • "Kent Albert" <drorit.davey@bbc-edv.at>
   • "Kermit Gunter" <hyman.davey@bo42.dk>
   • "Krystal Jensen" <nekoda.davey@cert.dfn.de>
   • "Lacy Boswell" <nestor.davey@cetya.com>
   • "Larry Davila" <orinda.davey@chinooksedge.ab.ca>
   • "Laurence Babb" <sunshine.davenport@askeroed.dk>
   • "Laverne Middleton" <jacki.davey@bohemedk.dk>
   • "Leanna Spears" <michelangelo.davey@casavisa.com>
   • "Leon Alexander" <mladen.davey@cbv.at>
   • "Les Stanley" <yadira.davenport@b-brass.at>
   • "Lora Connor" <marjani.davey@camtalent.com>
   • "Lorie Buckner" <honoratus.davey@bmpllp.com>
   • "Lorrie Herring" <orval.davey@chocofan.com>
   • "Luann Tapia" <marshan.davey@candan.com>
   • "Lucile Beck" <marcelle.davey@calskico.com>
   • "Lupe Terrell" <sanjit.davenport@aporter.com>
   • "Mable Cortez" <tegan.davenport@atelier-heiss.at>
   • "Mac Floyd" <nieves.davey@cgc.at>
   • "Mack Hutchins" <kamryn.davey@bratcher.com>
   • "Malcolm Nava" <varda.davenport@autohaus-uitz.at>
   • "Mari Rich" <percival.davenport@alpha-solutions.dk>
   • "Mariano Herring" <lucetta.davey@bwne.com>
   • "Marie Boucher" <orrin.davey@chk.at>
   • "Marty Earl" <lexie.davey@bumerang.ro>
   • "Maryanne Cortes" <sylvianne.davenport@assembly.state.ny.us>
   • "Melvin Goodwin" <jennica.davey@borks.dk>
   • "Merrill Gilbert" <khayriyya.davey@broadreachuk.com>
   • "Mickey Guthrie" <jacinth.davey@bogui.com>
   • "Misty Flowers" <tauno.davenport@atari.com>
   • "Moises Clemons" <zulfiqar.davenport@bajosintereses.com>
   • "Mollie Brooks" <wladyslawa.davenport@axis.com>
   • "Monica Davison" <vanessa.davenport@autohaus-krautter.de>
   • "Myrtle Gentry" <manolo.davey@call-us-assistance.com>
   • "Nadine Odom" <fermin.davey@betagroup.dk>
   • "Neal Monroe" <dionysus.davey@baudraxler.at>
   • "Noel Aragon" <jannicke.davey@bondpr.com>
   • "Olive Richards" <soini.davenport@artner.org>
   • "Oliver Adams" <giotto.davey@biology.sdu.dk>
   • "Otis Smith" <nasser.davey@centersalg.dk>
   • "Patrice Malone" <rurik.davenport@anwaltskanzlei-berger.at>
   • "Rachelle Garland" <svenja.davenport@asn.pl>
   • "Randal Yu" <leontius.davey@bujindesign.com>
   • "Richard Cook" <mihail.davey@caspianstudies.com>
   • "Roberta Bright" <pascaline.davey@ci.missoula.mt.us>
   • "Ronny Johns" <wilhelmine.davenport@awo-psychologie.com>
   • "Roosevelt Salgado" <praxis.davey@cleancarpet.dk>
   • "Rosario Daly" <tsukiko.davenport@austria-uganda.at>
   • "Roseann Browning" <tresnja.davenport@ausbildungsstelle.com>
   • "Rosemarie Poole" <tracey.davenport@aura-reading.at>
   • "Roy Shipley" <joseba.davey@boxing3gym.at>
   • "Rubin Webb" <nicolaas.davey@cfst.dk>
   • "Rupert Conrad" <varius.davenport@autohjaelp.dk>
   • "Russell Chacon" <talisha.davenport@astro-varme.dk>
   • "Sanford Nicholson" <roscoe.davenport@antarecs.org>
   • "Sarah Gipson" <nelly.davey@ces.at>
   • "Scotty Bartley" <thorstein.davenport@attacksoftware.com.ua>
   • "Sebastian Reeves" <horatio.davey@bmtapatent.com>
   • "Shane Tipton" <regulo.davenport@anderskronborg.dk>
   • "Shauna Prather" <xurxo.davenport@azurassistance.com>
   • "Sheila Coleman" <kaito.davey@brandcom.at>
   • "Shelia Haas" <martta.davey@cankayarehberi.com>
   • "Shirley Hedrick" <nikolao.davey@cha.kk.dk>
   • "Sofia Lutz" <varda.davenport@autohaus-uitz.at>
   • "Stefan Wilkinson" <hersilia.davey@blueyonder.co.uk>
   • "Stephan Wiseman" <jenifer.davey@borka.at>
   • "Susie Carroll" <daisuke.davey@balfumcimport.dk>
   • "Sylvester Carson" <tiago.davenport@attitude.com>
   • "Tad Melendez" <tamid.davenport@astrosfan.net>
   • "Tameka Richardson" <faramond.davey@bernhardseck.at>
   • "Tammy Sheehan" <jytte.davey@brakepower.dk>
   • "Tania Kaiser" <halldor.davey@blackroot.net>
   • "Tanisha Lockhart" <deonne.davey@barron-racing.com>
   • "Tara Golden" <malthe.davey@calbanktrust.com>
   • "Tara Wallace" <munashe.davey@cdfa.ca.gov>
   • "Terrie Denton" <yejide.davenport@b20.dk>
   • "Therese Sorensen" <melany.davey@carlsenloegten.dk>
   • "Tia Delarosa" <pauwel.davey@cima.com.my>
   • "Tomas Conner" <sophie.davenport@artus.dk>
   • "Tommie Nguyen" <treasure.davenport@aurora.anum.tuwien.ac.at>
   • "Traci Collier" <josephina.davey@boymanga.com>
   • "Trinidad Akins" <francis.davey@bgw.at>
   • "Tyson Thomson" <lionel.davey@burmees.nl>
   • "Van French" <pollux.davey@clan-tls.dk>
   • "Vicky Blackmon" <leonard.davey@buffyfan.dk>
   • "Vito Frost" <meade.davey@caribserve.net>
   • "Wade Arellano" <lijsbeth.davey@burde.at>
   • "Warren Bloom" <jaumet.davey@bookpro.co.za>
   • "Willie Vickers" <frederikke.davey@bhv.net>
   • "Young Calhoun" <gregg.davey@bitpaq.com>


To:
– Gathered addresses from the internet.


Subject:
One of the following:
   • Here is it
   • Hot game
   • Hot pictures
   • Something hot
   • You ask me about this game, Here is it

The body of the email is one of the following:

   • %replacement 1%, %replacement 2%!
     Funny game. %replacement 3% fucks %replacement 4%... In your attachemnt.

   • %replacement 1%, %replacement 2%!
     Amusing game. %replacement 3% fucks %replacement 4%... In your attachemnt.


Continued by one of the following:
   • Bye.
   • Best Regards.
   • Thanks.
   • Regards.


%replacement 1% is expanded to one of the following:
   • Hi
   • Good morning
   • Good afternoon
   • Good evening
   • Good Day
   • Hello
   • Helo


%replacement 2% is expanded to one of the following:
   • buddy
   • dear Friend
   • dear
   • friend
   • man
   • old chap


%replacement 3% is expanded to one of the following:
   • Angelina Jolie
   • Carrie Ann Moss
   • Lara Croft
   • Nicole Kidman


%replacement 4% is expanded to one of the following:
   • Dart Wader
   • Harry Potter
   • Luke Skywalker


Attachment:
The filename of the attachment is:
   • isit.zip

The attachment is an archive containing a copy of the malware itself.
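The subject lines, the templated body with its four replacement slots and the fixed attachment name together give a mail gateway enough to recognise this worm's messages. The following is an added example (not Avira's code and not part of this description): it turns the expansion lists above into one regular expression for the body template and combines it with the subject and attachment checks, so that a single match on an ordinary-looking subject does not trigger on its own. The two sample messages are constructed for the example; the spoofed From name is taken from the list above, and the addresses under example.invalid are placeholders.

```python
import re
from email import message_from_string

# Message characteristics taken from the description above.
SUBJECTS = {
    "Here is it",
    "Hot game",
    "Hot pictures",
    "Something hot",
    "You ask me about this game, Here is it",
}
ATTACHMENT_NAME = "isit.zip"
GREETINGS = ["Hi", "Good morning", "Good afternoon", "Good evening", "Good Day", "Hello", "Helo"]
ADDRESSEES = ["buddy", "dear Friend", "dear", "friend", "man", "old chap"]
ACTORS = ["Angelina Jolie", "Carrie Ann Moss", "Lara Croft", "Nicole Kidman"]
VICTIMS = ["Dart Wader", "Harry Potter", "Luke Skywalker"]
SIGNOFFS = ["Bye.", "Best Regards.", "Thanks.", "Regards."]


def _alt(words):
    # One alternation group; longest first so "dear Friend" is tried before "dear".
    return "(?:" + "|".join(re.escape(w) for w in sorted(words, key=len, reverse=True)) + ")"


# The two body templates differ only in "Funny"/"Amusing"; the sign-off is optional
# because the description lists it as a separately appended part.
BODY_RE = re.compile(
    rf"^\s*{_alt(GREETINGS)},\s*{_alt(ADDRESSEES)}!\s*"
    rf"(?:Funny|Amusing) game\.\s*{_alt(ACTORS)} fucks {_alt(VICTIMS)}\.\.\.\s*In your attachemnt\."
    rf"(?:\s*{_alt(SIGNOFFS)})?\s*$",
    re.IGNORECASE,
)


def classify(raw_message: str) -> dict:
    """Return which of the three indicators (subject, body template, attachment name)
    a raw RFC 822 message shows. Two or more together count as a match; the subject
    lines alone are ordinary enough to occur in legitimate mail."""
    msg = message_from_string(raw_message)
    hits = []
    if (msg.get("Subject") or "").strip() in SUBJECTS:
        hits.append("subject")
    bodies, attachments = [], []
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            attachments.append(filename)
        elif part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            bodies.append(payload.decode("utf-8", "replace"))
    if any(name.lower() == ATTACHMENT_NAME for name in attachments):
        hits.append("attachment")
    if any(BODY_RE.match(body) for body in bodies):
        hits.append("body")
    return {"hits": hits, "match": len(hits) >= 2}


# Constructed sample messages (not real captures). The zip payload is an empty archive.
SAMPLE_WORM = """\
From: "Abel Goldberg" <kyler.davey@bsbk.at>
To: user@example.invalid
Subject: Hot game
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Good Day, old chap!
Amusing game. Lara Croft fucks Harry Potter... In your attachemnt.
Regards.
--b1
Content-Type: application/zip; name="isit.zip"
Content-Disposition: attachment; filename="isit.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

SAMPLE_BENIGN = """\
From: colleague@example.invalid
To: user@example.invalid
Subject: Hot game
Content-Type: text/plain; charset="us-ascii"

Did you see the match last night? Hot game.
"""

if __name__ == "__main__":
    print(classify(SAMPLE_WORM))
    print(classify(SAMPLE_BENIGN))
```

The benign message shares a subject with the worm but has neither the templated body nor the attachment, so it scores a single weak hit and is not flagged; the worm message hits all three.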

Description inserted by Lutz Koch on Wednesday, August 15, 2007
Description updated by Lutz Koch on Wednesday, August 15, 2007
