Virus: Worm/Rindu.D
Date discovered: 28/08/2007
Type: Worm
In the wild: Yes
Reported Infections: Low
Distribution Potential: Medium
Damage Potential: Medium to high
Static file: Yes
File size: 107.008 Bytes
MD5 checksum: 85eeb3645837f31308f44f9746c9bc82
VDF version: 6.39.01.79
IVDF version: 6.39.01.082

General Methods of propagation:
   • Local network
   • Mapped network drives


Aliases:
   •  McAfee: W32/Ridnu.d
   •  Panda: W32/Ridnu.F.drp


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Disable security applications
   • Lowers security settings
   • Registry modification

Files
It copies itself to the following locations:
   • %SYSDIR%\logonui.scr
   • %SYSDIR%\MyComp.scr
   • %SYSDIR%\userinit.exe
   • %SYSDIR%\sndvol32.exe
   • %SYSDIR%\calc.exe
   • %SYSDIR%\notepad.exe
   • %SYSDIR%\mspaint.exe
   • C:\MSOCache\dlcache\Lagu.scr
   • C:\MSOCache\dlcache\Gambar.scr
   • C:\MSOCache\dlcache\Film.scr
   • C:\MSOCache\dlcache\Dokumen Penting.scr
   • %PROGRAM FILES%\outlook express.scr
   • %PROGRAM FILES%\winamp.scr
   • %PROGRAM FILES%\Windows Media Player.scr
   • %PROGRAM FILES%\Windows NT\dialer.exe
   • %PROGRAM FILES%\Internet Explorer\IEXPLORE.EXE



It creates the following directory:
   • C:\MSOCache\dlcache\



Sections are added to the following files.
– To: %SYSDIR%\dllcache\userinit.exe With the following contents:
   • %executed file%

– To: %SYSDIR%\dllcache\sndvol32.exe With the following contents:
   • %executed file%

– To: %SYSDIR%\dllcache\calc.exe With the following contents:
   • %executed file%

– To: %SYSDIR%\dllcache\notepad.exe With the following contents:
   • %executed file%

– To: %SYSDIR%\dllcache\mspaint.exe With the following contents:
   • %executed file%

– To: %SYSDIR%\dllcache\iexplore.exe With the following contents:
   • %executed file%




It overwrites files:
   • Location: %PROGRAM FILES%
   • File extension: *.exe
   • With the following contents: %executed file%




It copies the following files:
    •  %SYSDIR%\userinit.exe into %SYSDIR%\dllcache\userinit.exe
    •  %SYSDIR%\sndvol32.exe into %SYSDIR%\dllcache\sndvol32.exe
    •  %SYSDIR%\calc.exe into %SYSDIR%\dllcache\calc.exe
    •  %SYSDIR%\notepad.exe into %SYSDIR%\dllcache\notepad.exe
    •  %SYSDIR%\mspaint.exe into %SYSDIR%\dllcache\mspaint.exe
    •  %PROGRAM FILES%\Internet Explorer\iexplore.exe into %SYSDIR%\dllcache\iexplore.exe



The following file is created:

%WINDIR%\media\suara.mp3

Registry
The following registry keys are changed:

Various Explorer settings:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
   Folder\Hidden\SHOWALL]
   Old value:
   • "RegPath"="%user defined settings%"
   New value:
   • "RegPath"="Software\Microsoft\Windows\CurrentVersion\Explorer\AdvancedDeulleDo-X"

Various Explorer settings:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
   Folder\SuperHidden]
   Old value:
   • "UncheckedValue"=%user defined settings%
   New value:
   • "UncheckedValue"=dword:00000000

Various Explorer settings:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
   Folder\ShowFullPathAddress]
   Old value:
   • "UncheckedValue"=%user defined settings%
   New value:
   • "UncheckedValue"=dword:00000001

Various Explorer settings:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
   Folder\HideFileExt]
   Old value:
   • "UncheckedValue"=%user defined settings%
   New value:
   • "UncheckedValue"=dword:00000001

Disable Regedit and Task Manager:
– [HKCU\Software\Policies\Microsoft\Windows\System]
   Old value:
   • "DisableCMD"=%user defined settings%
   New value:
   • "DisableCMD"=dword:00000001

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
   CabinetState]
   Old value:
   • "FullPathAddress"=%user defined settings%
   New value:
   • "FullPathAddress"=dword:00000001

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   Old value:
   • "Shell"="%user defined settings%"
   New value:
   • "Shell"="Explorer.exe, MyComp.exe"

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
   Old value:
   • "DisableTaskMgr"="%user defined settings%"
     "DisableRegistryTools"=%user defined settings%
   New value:
   • "DisableTaskMgr"="1"
     "DisableRegistryTools"=dword:00000001

– [HKLM\SOFTWARE\Classes\scrfile]
   Old value:
   • @="%user defined settings%"
     "NeverShowExt"=%user defined settings%
   New value:
   • @="File Folder"
     "NeverShowExt"=dword:00000001

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
   Old value:
   • "NoFolderOptions"=%user defined settings%
     "NoFind"=%user defined settings%
     "NoRun"=%user defined settings%
   New value:
   • "NoFolderOptions"=dword:00000001
     "NoFind"=dword:00000001
     "NoRun"=dword:00000001
     

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   Old value:
   • "ShowSuperHidden"=%user defined settings%
     "HideFileExt"=%user defined settings%
   New value:
   • "ShowSuperHidden"=dword:00000000
     "HideFileExt"=dword:00000001
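An added example, not part of the original Avira description: a read-only PowerShell audit that reads the registry values listed above and reports any that already hold the values this worm writes. It assumes Windows PowerShell 5.1 or later running as Administrator, and its HKCU checks apply to the user account running the script.

```powershell
# Added example (not from the Avira description): read-only audit for the
# Worm/Rindu.D registry changes listed above. Run as Administrator so HKLM keys
# are readable; the HKCU checks cover the user running the script.

# Each indicator: key path, value name, and the value the worm writes.
$Indicators = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL';
       Name = 'RegPath'; Bad = 'Software\Microsoft\Windows\CurrentVersion\Explorer\AdvancedDeulleDo-X' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell'; Bad = 'Explorer.exe, MyComp.exe' }
    @{ Path = 'HKLM:\SOFTWARE\Classes\scrfile'; Name = '(default)'; Bad = 'File Folder' }
    @{ Path = 'HKLM:\SOFTWARE\Classes\scrfile'; Name = 'NeverShowExt'; Bad = 1 }
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Windows\System'; Name = 'DisableCMD'; Bad = 1 }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr'; Bad = 1 }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools'; Bad = 1 }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions'; Bad = 1 }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFind'; Bad = 1 }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoRun'; Bad = 1 }
)

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of throwing.
    try {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
        return $item.$Name
    } catch { return $null }
}

$Findings = foreach ($i in $Indicators) {
    $current = Get-RegValueOrNull -Path $i.Path -Name $i.Name
    # Compare as strings so REG_DWORD 1 and the string "1" (DisableTaskMgr) both match.
    if ($null -ne $current -and [string]$current -eq [string]$i.Bad) {
        [pscustomobject]@{ Path = $i.Path; Name = $i.Name; Value = $current }
    }
}

# Independently of the exact worm string, any Winlogon Shell other than explorer.exe deserves review.
$shell = Get-RegValueOrNull -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name 'Shell'
if ($shell -and $shell.Trim() -ne 'explorer.exe') { Write-Warning "Non-default Winlogon Shell: $shell" }

if ($Findings) {
    Write-Warning 'Registry values matching Worm/Rindu.D were found:'
    $Findings | Format-Table -AutoSize
} else {
    Write-Host 'No Worm/Rindu.D registry indicators found.'
}
```

The script only reports; restoring the values (and removing the dropped files and the "Explorer.exe, MyComp.exe" shell entry) is left to the operator after the host has been cleaned.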

Network Infection
In order to ensure its propagation the malware attempts to connect to other machines as described below.

It drops copies of itself to the following network shares:
   • IPC$\
   • Data.C$\
   • Data.D$\
   • Data.E$\
   • Data.F$\
   • Data.G$\
   • Data.H$\
   • imorxr$\Lagu.scr
   • imorxr$\Gambar.scr
   • imorxr$\Film.scr
   • imorxr$\Dokumen Penting.scr

Process termination
Processes containing one of the following window titles are terminated:
   • ANTI; TROJAN; SUPPORT; MASTER; WORM; VIRUS; HACK; CRACK; LINUX; AVG;
      GRISOFT; CILLIN; SECURITY; LOCK; ASSOCIAT; SETUP; VAKSIN; UPDATE;
      TEST; XXX; HIDDEN; DEMO; SYSTEM32; AFEE; NORTON; RONTOK; PCMAV; W32;
      BLACK; MACRO; deulledo; TREND; SPERSKY; REGISTRY; COMMAND; KILL;
      NORMAN; FILM; PORNO; SVQj; PROCEXPL


Miscellaneous
Network shares:
The following network shares will be created:
   • imorxr$\
   • Data.C$\
   • Data.D$\
   • Data.E$\
   • Data.F$\
   • Data.G$\
   • Data.H$\


File details
Programming language:
The malware program was written in Delphi.


Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with the following runtime packer:
   • UPX

Description inserted by Monica Ghitun on Monday, September 3, 2007
Description updated by Monica Ghitun on Wednesday, September 5, 2007
