Virus: Worm/Locksky.BG.1
Date discovered: 08/08/2007
Type: Worm
In the wild: Yes
Reported Infections: Low
Distribution Potential: Medium
Damage Potential: Medium
Static file: Yes
File size: 16.384 Bytes
MD5 checksum: 3de189722f632d2a6b3a08c49e7db6b6
VDF version: 6.38.01.081
IVDF version: 6.38.01.085

General
Method of propagation:
   • Email


Aliases:
   •  Mcafee: W32/Loosky
   •  Kaspersky: Email-Worm.Win32.Locksky.bg
   •  F-Secure: Email-Worm.Win32.Locksky.bg
   •  Panda: W32/LockSky.DY.worm
   •  Grisoft: I-Worm/Locksky.CW
   •  Eset: Win32/Spabot.U
   •  Bitdefender: Win32.Locksky.BF


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads a malicious file
   • Uses its own Email engine
   • Lowers security settings
   • Registry modification
   • Steals information

Files
It copies itself to the following location:
   • %SYSDIR%\spoolsvv.exe




It tries to download a file:

– The location is the following:
   • http://5sec.name/panel/**********
At the time of writing, this file was not online, so it could not be investigated further.



It tries to execute the following file:

– Filename:
   • %sysdir%\netsh.exe
using the following command-line arguments:
   • firewall set allowedprogram "%malware execution directory%\%executed file%" enable

Registry
The following registry key is added in order to run the process after reboot:

– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   • "spoolsvv"="%SYSDIR%\spoolsvv.exe"

Email
It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server will be established. The characteristics are described in the following:


From:
The sender address is spoofed.


To:
– Email addresses found in specific files on the system.
– Email addresses gathered from WAB (Windows Address Book)


Attachment:

The attachment is a copy of the malware itself.

Mailing
Search addresses:
It searches files with the following extension for email addresses:
   • htm


Address generation for FROM field:
To generate addresses it uses the following strings:
   • admin
   • webmaster
   • support


Backdoor
Contact server:
All of the following:
   • http://5sec.name/panel/**********
   • http://5sec.name/panel/**********
   • http://5sec.name/panel/**********

As a result, it may send some information.

Sends information about:
   • Created logfiles
    • IP address
    • Current malware status
    • System time

Miscellaneous
Mutex:
It creates the following Mutex:
   • !aBirValG!

File details
Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with the following runtime packer:
   • UPX
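The host-level indicators given above (the dropped copy and its MD5, the Run value, the mutex, and the firewall exception set through netsh) can be checked with the following PowerShell triage script. It is an added example, not part of the Avira description; it assumes an elevated PowerShell 4 or later session on a Windows version that has Get-FileHash and the advfirewall netsh context, so it does not apply unmodified to the Windows 9x/NT platforms listed above.

```powershell
# Added example: host triage for the Worm/Locksky.BG.1 indicators in the description above.
# Assumes an elevated PowerShell 4+ session; the values below are taken from the description.
$knownMd5  = '3de189722f632d2a6b3a08c49e7db6b6'
$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'spoolsvv'
$dropPath  = Join-Path $env:SystemRoot 'System32\spoolsvv.exe'   # %SYSDIR%\spoolsvv.exe
$mutexName = '!aBirValG!'
$findings  = New-Object System.Collections.Generic.List[string]

# 1. Persistence: the Run value that restarts the worm after reboot
$runValue = (Get-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($runValue) { $findings.Add("Run value '$valueName' present: $runValue") }

# 2. Dropped copy: compare its MD5 with the checksum in the description
if (Test-Path -LiteralPath $dropPath) {
    $md5 = (Get-FileHash -LiteralPath $dropPath -Algorithm MD5).Hash.ToLower()
    $verdict = if ($md5 -eq $knownMd5) { 'matches' } else { 'differs from' }
    $findings.Add("File present: $dropPath (MD5 $md5 $verdict the description)")
}

# 3. Running instance with the dropped file's image name
Get-Process -Name $valueName -ErrorAction SilentlyContinue | ForEach-Object {
    $findings.Add("Process running: PID $($_.Id) $($_.Path)")
}

# 4. Mutex: OpenExisting succeeds (or is denied) only when a process already holds it
try {
    [System.Threading.Mutex]::OpenExisting($mutexName).Dispose()
    $findings.Add("Mutex present: $mutexName")
} catch [System.Threading.WaitHandleCannotBeOpenedException] {
    # mutex not present: nothing to report
} catch [System.UnauthorizedAccessException] {
    $findings.Add("Mutex present (access denied): $mutexName")
}

# 5. Firewall exception created by "netsh firewall set allowedprogram ... enable";
#    on Vista and later such legacy exceptions show up as advfirewall rules
$rules = netsh advfirewall firewall show rule name=all verbose 2>$null
if ($rules | Select-String -SimpleMatch 'spoolsvv.exe') {
    $findings.Add('Firewall rule references spoolsvv.exe')
}

if ($findings.Count -eq 0) { 'No Worm/Locksky.BG.1 indicators found.' } else { $findings }
```

A hit on the firewall or Run checks alone is worth following up even if the file has already been removed, since both survive deletion of the dropped copy.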

Description inserted by Monica Ghitun on Tuesday, November 6, 2007
Description updated by Andrei Gherman on Thursday, November 8, 2007
