Virus: Worm/Khanani.A
Date discovered: 28/01/2008
Type: Worm
In the wild: Yes
Reported Infections: Low
Distribution Potential: Medium to high
Damage Potential: Low to medium
Static file: Yes
File size: 147.456 Bytes
MD5 checksum: 889e0Ae6f6e8469c070Ee2ed3c2d58f8
IVDF version: 7.00.02.61 - Monday, January 28, 2008
General
Methods of propagation:
• Mapped network drives
• Peer to Peer

Aliases:
• Mcafee: W32/Bindo.worm
• Kaspersky: P2P-Worm.Win32.Malas.h
• F-Secure: P2P-Worm.Win32.Malas.h
• Eset: Win32/Malas.D
• Bitdefender: Win32.Worm.P2P.Agent.AM

Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Drops files
• Lowers security settings
• Registry modification

Files
It copies itself to the following locations:
• %TEMPDIR%\svchost.exe
• %PROGRAM FILES%\Common Files\Microsoft Shared\MSshare.exe
• %HOME%\userinit.exe
• %WINDIR%\Web\OfficeUpdate.exe
• %drive%:\autoply.exe

Sections are added to the following files:
– To: %ALLUSERSPROFILE%\Start Menu\Programs\Accessories\Calculator.lnk
  With the following contents:
  • %code that runs malware%
– To: %HOME%\Start Menu\Programs\Accessories\Notepad.lnk
  With the following contents:
  • %code that runs malware%
– To: %HOME%\Start Menu\Programs\Accessories\Command Prompt.lnk
  With the following contents:
  • %code that runs malware%

The following files are created:
– Non-malicious files:
  • %HOME%\Desktop\Important.htm
  • %HOME%\My Documents\Important.htm
  • %HOME%\Desktop\Iran_Israel.Jpg
  • %HOME%\My Documents\Iran_Israel.Jpg
  • %ALLUSERSPROFILE%\Documents\My Pictures\Sample Pictures\Iran_Israel.Jpg
– %drive%:\Autorun.inf
  This is a non-malicious text file with the following content:
  • %code that runs malware%
– %ALLUSERSPROFILE%\Start Menu\Programs\Startup\Office Update.lnk
– %WINDIR%\tasks\at1.job
  File is a scheduled task that runs the malware at predefined times.
– %WINDIR%\tasks\at2.job
  File is a scheduled task that runs the malware at predefined times.
Registry
The following registry key is added in order to run the process after reboot:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  • SoundMax = %HOME%\userinit.exe

The values of the following registry keys are removed:
– [HKCR\lnkfile]
  • IsShortCut
– [HKCR\piffile]
  • IsShortCut
– [HKCR\InternetShortcut]
  • IsShortCut

The following registry keys are changed:
Various Explorer settings:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
  Old value:
  • Hidden = %user defined settings%
  • HideFileExt = %user defined settings%
  • ShowSuperHidden = %user defined settings%
  New value:
  • Hidden = 2
  • HideFileExt = 2
  • ShowSuperHidden = 2
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
  New value:
  • Nofolderoptions = 1

P2P
In order to infect other systems in the Peer to Peer network community the following action is performed:
– It searches for the following directories:
  • %PROGRAM FILES%\Kazaa Lite\My Shared Folder\
  • %PROGRAM FILES%\Kazaa\My Shared Folder\
  • %PROGRAM FILES%\Edonkey2000\Incoming\
  • %PROGRAM FILES%\Icq\Shared Files\
  • %PROGRAM FILES%\emule\incoming\
  • %PROGRAM FILES%\Gnucleus\Downloads\Incoming\
  • %PROGRAM FILES%\KMD\My Shared Folder\
  • %PROGRAM FILES%\Limewire\Shared\
  • %PROGRAM FILES%\XPCode\
  • C:\Inetpub\ftproot\
  If successful, the following files are created:
  • Sex_ScreenSaver.scr
  • Sex_Game.exe
  • SexGame.exe
  • SexScreenSaver.scr
  • SexGameList.pif
  • Games.lnk
  These files are copies of the malware itself.
  The shared directory might look like the following:
  [screenshot of the shared directory, not reproduced here]

File details
Programming language:
The malware program was written in MS Visual C++.
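The persistence, Explorer-policy and file indicators listed above can be turned into a read-only host check. The following PowerShell script is an added example and is not part of the Avira description; it assumes %HOME% maps to the current user's profile ($env:USERPROFILE), that PowerShell 4 or later is available for Get-FileHash, and that the Accessories shortcuts normally point at calc.exe, notepad.exe and cmd.exe (the page does not state their original targets). It only reads registry values and file metadata and reports what it finds.

```powershell
# Added example (not Avira's code): audit a host for the Worm/Khanani.A indicators
# given in the description. Read-only; nothing is deleted or modified.
$findings = @()
# MD5 from the description, lower-cased for comparison with Get-FileHash output
$knownMd5 = '889e0ae6f6e8469c070ee2ed3c2d58f8'

# 1. Run value added for persistence: HKLM\...\Run\SoundMax -> %HOME%\userinit.exe
$run = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['SoundMax']) {
    $findings += "Run value SoundMax present: $($run.SoundMax)"
}

# 2. IsShortCut removed from lnkfile / piffile / InternetShortcut
#    (Explorer then stops treating these files as shortcuts, hiding the .lnk tampering)
foreach ($cls in 'lnkfile', 'piffile', 'InternetShortcut') {
    $k = Get-Item -Path "Registry::HKEY_CLASSES_ROOT\$cls" -ErrorAction SilentlyContinue
    if ($k -and -not ($k.GetValueNames() -contains 'IsShortCut')) {
        $findings += "HKCR\$cls is missing the IsShortCut value"
    }
}

# 3. Explorer policies forced to the values the worm sets (2 / 2 / 2 and Nofolderoptions = 1)
$pol = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' -ErrorAction SilentlyContinue
if ($pol) {
    foreach ($v in 'Hidden', 'HideFileExt', 'ShowSuperHidden') {
        if ($pol.$v -eq 2) { $findings += "Explorer policy $v = 2" }
    }
    if ($pol.Nofolderoptions -eq 1) { $findings += "Explorer policy Nofolderoptions = 1" }
}

# 4. Dropped copies of the worm, the Startup shortcut and the at*.job task files
$paths = @(
    (Join-Path $env:TEMP 'svchost.exe'),
    (Join-Path $env:ProgramFiles 'Common Files\Microsoft Shared\MSshare.exe'),
    (Join-Path $env:USERPROFILE 'userinit.exe'),              # assumption: %HOME% = user profile
    (Join-Path $env:WINDIR 'Web\OfficeUpdate.exe'),
    (Join-Path $env:WINDIR 'tasks\at1.job'),
    (Join-Path $env:WINDIR 'tasks\at2.job'),
    (Join-Path $env:ALLUSERSPROFILE 'Start Menu\Programs\Startup\Office Update.lnk')
)
# 5. autoply.exe and Autorun.inf on the root of every file-system drive
foreach ($d in Get-PSDrive -PSProvider FileSystem) {
    foreach ($n in 'autoply.exe', 'Autorun.inf') { $paths += (Join-Path $d.Root $n) }
}
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) {
        $line = "File present: $p"
        if ($p -match '\.exe$') {
            $h = (Get-FileHash -LiteralPath $p -Algorithm MD5).Hash.ToLower()
            $line += " (MD5 $h" + $(if ($h -eq $knownMd5) { ', matches the described sample)' } else { ')' })
        }
        $findings += $line
    }
}

# 6. Accessories shortcuts whose target no longer points at the expected program
#    (expected targets are an assumption; the description only says the .lnk files are modified)
$lnks = @(
    (Join-Path $env:ALLUSERSPROFILE 'Start Menu\Programs\Accessories\Calculator.lnk'),
    (Join-Path $env:USERPROFILE 'Start Menu\Programs\Accessories\Notepad.lnk'),
    (Join-Path $env:USERPROFILE 'Start Menu\Programs\Accessories\Command Prompt.lnk')
)
$shell = New-Object -ComObject WScript.Shell
foreach ($l in $lnks) {
    if (Test-Path -LiteralPath $l) {
        $target = $shell.CreateShortcut($l).TargetPath
        if ($target -notmatch '\\(calc|notepad|cmd)\.exe$') {
            $findings += "Unexpected shortcut target: $l -> $target"
        }
    }
}

if ($findings.Count -eq 0) { 'No Worm/Khanani.A indicators found.' } else { $findings }
```

Run it in an elevated session so HKLM and %WINDIR%\tasks are readable. Any single hit is worth a closer look, but the combination of the SoundMax Run value, the missing IsShortCut values and the forced Explorer policies is the pattern the description actually attributes to this worm; a matching MD5 on a dropped file confirms the exact sample rather than a variant.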
Description inserted by Andrei Gherman on Monday, June 16, 2008
Description updated by Andrei Gherman on Monday, June 16, 2008