Virus: Worm/Traxgy.B
Date discovered: 30/08/2005
Type: Worm
In the wild: Yes
Reported Infections: Low
Distribution Potential: Medium to high
Damage Potential: Low to medium
Static file: No
File size: 57.344 Bytes
IVDF version: 6.31.01.196 - Tuesday, August 30, 2005
General

Methods of propagation:
• Email
• Local network
• Mapped network drives

Aliases:
• Kaspersky: Email-Worm.Win32.Rays
• F-Secure: Email-Worm.Win32.Rays
• Sophos: W32/Traxg-B
• Panda: W32/Vinet.A.worm
• Grisoft: I-Worm/Rays.E
• Bitdefender: Win32.Rays.H@mm

Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Drops a malicious file
• Lowers security settings
• Registry modification

Files

It copies itself to the following locations:
• A:\Explorer.EXE
• A:\WINDOWS.EXE
• %drive%:\WINDOWS.EXE
• %drive%:\ghost.bat
• %all directories%\%current directory name%.exe

It drops a copy of itself using a filename from a list:
– To: %WINDIR%\system\
  Using one of the following names:
  • %hex number%.com
– To: %WINDIR%\fonts\
  Using one of the following names:
  • %hex number%.com
– To: %WINDIR%\temp\
  Using one of the following names:
  • %hex number%.com
– To: %WINDIR%\help\
  Using one of the following names:
  • %hex number%.com

The following files are created:
– Non malicious file:
  • %all directories%\desktop.ini
– A:\NetHood.htm
  Further investigation pointed out that this file is malware, too. Detected as: VBS/Zapchast.B
– %drive%:\NetHood.htm
  Further investigation pointed out that this file is malware, too. Detected as: VBS/Zapchast.B
– %all directories%\folder.htt
  Further investigation pointed out that this file is malware, too. Detected as: VBS/Zapchast.B

Registry

One of the following values is added in order to run the process after reboot:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  • TempCom = %WINDIR%\system\%hex number%.com
  • TempCom = %WINDIR%\fonts\%hex number%.com
  • TempCom = %WINDIR%\temp\%hex number%.com
  • TempCom = %WINDIR%\help\%hex number%.com

The value of the following registry key is removed:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  • KaV300XP

The following registry keys are changed:

Various Explorer settings:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState]
  Old value:
  • fullpath = %user defined settings%
  New value:
  • fullpath = dword:00000001
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
  Old value:
  • HideFileExt = %user defined settings%
  • Hidden = %user defined settings%
  New value:
  • HideFileExt = dword:00000001
  • Hidden = dword:00000000

Email

It uses the Messaging Application Programming Interface (MAPI) in order to send emails. The characteristics are further described:

From: The sender address is the user's Outlook account.

To:
– Email addresses gathered from WAB (Windows Address Book)

Subject: The following:
• %chinese text%

Body: The body of the email is the following:
• %chinese text% Document.exe %chinese text%

Attachment: The filename of the attachment is:
• Document.exe
The attachment is a copy of the malware itself.

The email looks like the following:

File details

Programming language: The malware program was written in Visual Basic.
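The registry indicators above (the TempCom Run value pointing at a hex-named .com file in one of four %WINDIR% subfolders, plus the forced Explorer settings) can be checked against an exported Run key and Explorer settings. The following is an added example written for this page, not Avira's tooling; it assumes the exported Run value holds an expanded Windows directory (C:\WINDOWS or C:\WINNT) and works on constructed sample data.

```python
import re

# Indicators taken from the Worm/Traxgy.B description above: a hex-named .com copy
# in one of four %WINDIR% subfolders, started through a Run value named TempCom.
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "tempcom"
DROP_PATH_RE = re.compile(r"^%WINDIR%\\(system|fonts|temp|help)\\[0-9a-f]+\.com$", re.I)
# Assumption: the stored command line holds an expanded Windows directory
# (C:\WINDOWS on 9x/ME/XP, C:\WINNT on NT/2000), which we fold back to %WINDIR%.
WINDIR_RE = re.compile(r"^[a-z]:\\(windows|winnt)(?=\\)", re.I)

ADVANCED = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
CABINET = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState"
# Explorer settings the worm forces. HideFileExt=1 is the Windows default and
# FullPath=1 a common user choice, so these only corroborate a TempCom hit.
FORCED_EXPLORER = {
    (ADVANCED, "hidefileext"): 1,
    (ADVANCED, "hidden"): 0,
    (CABINET, "fullpath"): 1,
}


def suspicious_run_entries(run_values):
    """Return (name, data) pairs from the Run key matching the worm's persistence."""
    hits = []
    for name, data in run_values.items():
        normalized = WINDIR_RE.sub("%WINDIR%", data.strip().strip('"'))
        if name.lower() == RUN_VALUE_NAME and DROP_PATH_RE.match(normalized):
            hits.append((name, data))
    return hits


def forced_explorer_settings(explorer_values):
    """Return the (key, value) pairs whose DWORD data equals the value the worm sets."""
    present = {(k, v.lower()): d for (k, v), d in explorer_values.items()}
    return sorted(k for k, forced in FORCED_EXPLORER.items() if present.get(k) == forced)


# Constructed sample data standing in for an export of the two registry locations.
SAMPLE_RUN = {
    "TempCom": r"C:\WINDOWS\fonts\3F2A.com",
    "Synchronization Manager": r"mobsync.exe /logon",
}
SAMPLE_EXPLORER = {
    (ADVANCED, "HideFileExt"): 1,
    (ADVANCED, "Hidden"): 0,
    (CABINET, "FullPath"): 1,
}

if __name__ == "__main__":
    print("Run-key hits:", suspicious_run_entries(SAMPLE_RUN))
    print("Forced Explorer settings:", forced_explorer_settings(SAMPLE_EXPLORER))
```

Feed the functions the real exported values of the Run key and the two Explorer keys; a TempCom hit is the decisive indicator, the Explorer list only supporting evidence.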
Description inserted by Andrei Gherman on Friday, September 21, 2007
Description updated by Andrei Gherman on Friday, September 21, 2007