Alias: Win32.Duta.A [Symantec]
Worm:Win32/Dutan.A [Microsoft]
MD5: 32ea1dd0476686fa496b7c4996d5175d
SHA1: 34137e752c8dcec9a9e1dc96f1e738418b7c1585
Yesterday my sister complaint to me that her laptop was found some malicious TEMP file that she cannot recognize. When I got the infected laptop, I scanned the HJT and found a suspicious item:
O4 - HKLM\..\Run: [Microsoft OfficeTool] svchosts.exe
This sample was first detected by Symantec and Microsoft on April 2008 and I was so disappointed AVG does not detect the sample that was detected by most of the AV vendors. I attach the Virustotal scan report:
The sign of infection for this sample is very obvious. As most of the worms will do, they will propagate via the removable drives [from C:\ to Z:\] and also all the connected network drives. However this worm only infects the flash drives that attached to the infected machines. Apart from that one can notice that the CPU is running 100%. You can easily see there are 2 running processes which utilize all the CPU usage, CSRSSS.EXE and SVCHOSTS.EXE. We see this process from the HJT log also and needless to say this is the culprit infecting the machine. You can also see temp.temp (2 KB in size) files which will explain in the next paragraph.
Antivirus Version Last Update Result AhnLab-V3 2008.11.28.2 2008.11.29 Win-Trojan/Xema.variant AntiVir 7.9.0.36 2008.11.29 TR/Crypt.CFI.Gen Authentium 5.1.0.4 2008.11.30 - Avast 4.8.1281.0 2008.11.29 Win32:Trojan-gen {Other} AVG 8.0.0.199 2008.11.29 - BitDefender 7.2 2008.11.30 Worm.Autorun.VDO CAT-QuickHeal 10.00 2008.11.29 Worm.AutoRun.dmo ClamAV 0.94.1 2008.11.30 - DrWeb 4.44.0.09170 2008.11.29 Trojan.DownLoader.46964 eSafe 7.0.17.0 2008.11.27 Win32.AutoRun.dmo eTrust-Vet 31.6.6234 2008.11.28 Win32/Dutan.A Ewido 4.0 2008.11.29 - F-Prot 4.4.4.56 2008.11.29 - F-Secure 8.0.14332.0 2008.11.30 Worm.Win32.AutoRun.dmo Fortinet 3.117.0.0 2008.11.30 - GData 19 2008.11.30 Worm.Autorun.VDO Ikarus T3.1.1.45.0 2008.11.30 Worm.Win32.AutoRun K7AntiVirus 7.10.538 2008.11.29 Worm.Win32.AutoRun.dmo Kaspersky 7.0.0.125 2008.11.30 Worm.Win32.AutoRun.dmo McAfee 5449 2008.11.29 W32/Autorun.worm.ba McAfee+Artemis 5449 2008.11.29 W32/Autorun.worm.ba Microsoft 1.4104 2008.11.30 Worm:Win32/Dutan.A NOD32 3651 2008.11.30 Win32/AutoRun.MX Norman 5.80.02 2008.11.28 W32/Smalltroj.DCHT Panda 9.0.0.4 2008.11.29 - PCTools 4.4.2.0 2008.11.29 - Prevx1 V2 2008.11.30 Malicious Software Rising 21.05.60.00 2008.11.30 Trojan.Win32.Undef.hme SecureWeb-Gateway 6.7.6 2008.11.29 Trojan.Crypt.CFI.Gen Sophos 4.36.0 2008.11.30 W32/AutoRun-JH Sunbelt 3.1.1832.2 2008.11.27 Worm.Win32.AutoRun.dmo Symantec 10 2008.11.30 W32.Dutan.A TheHacker 6.3.1.1.169 2008.11.29 - TrendMicro 8.700.0.1004 2008.11.28 Mal_Otorun5 VBA32 3.12.8.9 2008.11.29 suspected of Embedded.Win32.Delf.NLJ ViRobot 2008.11.29.1492 2008.11.29 - VirusBuster 4.5.11.0 2008.11.29 Worm.AutoRun.BRC
Before I go to the removal, I would like to talk about the payload of this worm. We should always keep in mind the worm is not only spreading to increase its infection vector but it must have its payloads to further affect the machines, for example most of the worms will download other malwares from the remote site and the malware might be able to steal the sensitive information on the victims' side. Not suprising this worm has its paylaod by searching and modiyfing the Excel files throughtout the machine. This is probably why the CPU usage is fully utilized all the time as the worm keeps looking for the Excel files. This sample will drop temp.temp on every folder that contains the Excel files. The worm will find if the files csrsss.exe, svchosts.exe and winxpsp2.dll exist on the %%windir%\system, if they do not exist, the worm will drop the files there and execute them. Once the machine is infected, the worm will inject the code from the temp.temp to the header of the original Excel files so that it is not recognizeable by Microsoft Excel, however the data inside the file is still intact.
Removal
In fact, this worm can be easily detected and removed by the AV. For those AV that do not detect it like AVG, one can manually remove them, I provide a simple batch script to remove them:
- Trigger Task Manager.
- Terminate processes, SVCHOSTS.EXE and CSRSSS.EXE
- Run the following batch script:
- To remove the worm on the flash drives, NOTES: Remember to clean the infections on the system first to avoid the flash drives to be reinfected:
cd /d [Drive letter of the removable drives]
attrib -H data.exe
attrib -H autorun.inf
del data.exe
del autorun.inf - Restart the machine.
cd C:\Windows\System32
attrib -H csrsss.exe
attrib -H svchosts.exe
attrib -H winxpsp2.dll
del csrsss.exe
del svchosts.exe
del winxpsp2.dll
reg /delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "Microsoft OfficeTool" /f
Update
As promised earlier, I will post the recovery of the Excel file if I found one. Actually I took 2 weeks to create a small program to automate the recovery process. My finding is the infected files can be partially recovered by using Microsoft Excel's built-in repair function. Manual recovery is needed to fully recover all elements of an infected file, and involves stripping off the bad string and replacing the Excel header. Please note that this works on some, but not all, infected files.
The executable and source code provided in the following link. The code is not optimized and you might see some redundant code. Anyway, this program is hope to help those who are not tech-savvy or lazy to manually recover the Excel files.
http://www.4shared.com/file/78575763/77ff9823/ExcelRepair_with_source.html
-- Edited 24/01/2009
Conclusion
I still cannot find the way to recover the Excel files and it is probably other people may know about it and hope they can share with me here or email to me laipeisun[at]gmail.com. I will greatly appreciate for any comments and information given. Of course, I will put the solution here if i can figure one out :)
References
http://www.symantec.com/security_response/writeup.jsp?docid=2008-041714-2706-99
http://www.f-secure.com/v-descs/worm_w32_autorun_dmo.shtml