Sunday, November 30, 2008

Analysis of Worm.Win32.Autorun.dmo

Detection name: Worm.Win32.Autorun.dmo [F-Secure/Kaspersky]
Alias: Win32.Duta.A [Symantec]
Worm:Win32/Dutan.A [Microsoft]
MD5: 32ea1dd0476686fa496b7c4996d5175d
SHA1: 34137e752c8dcec9a9e1dc96f1e738418b7c1585

Yesterday my sister complained to me that her laptop had some malicious TEMP files on it that she could not recognize. When I got the infected laptop, I scanned it with HJT (HijackThis) and found a suspicious item:

O4 - HKLM\..\Run: [Microsoft OfficeTool] svchosts.exe

This sample was first detected by Symantec and Microsoft in April 2008, and I was disappointed that AVG does not detect a sample that most AV vendors already detect. I attach the VirusTotal scan report:

Antivirus           Version            Last Update   Result
AhnLab-V3           2008.11.28.2       2008.11.29    Win-Trojan/Xema.variant
AntiVir             7.9.0.36           2008.11.29    TR/Crypt.CFI.Gen
Authentium          5.1.0.4            2008.11.30    -
Avast               4.8.1281.0         2008.11.29    Win32:Trojan-gen {Other}
AVG                 8.0.0.199          2008.11.29    -
BitDefender         7.2                2008.11.30    Worm.Autorun.VDO
CAT-QuickHeal       10.00              2008.11.29    Worm.AutoRun.dmo
ClamAV              0.94.1             2008.11.30    -
DrWeb               4.44.0.09170       2008.11.29    Trojan.DownLoader.46964
eSafe               7.0.17.0           2008.11.27    Win32.AutoRun.dmo
eTrust-Vet          31.6.6234          2008.11.28    Win32/Dutan.A
Ewido               4.0                2008.11.29    -
F-Prot              4.4.4.56           2008.11.29    -
F-Secure            8.0.14332.0        2008.11.30    Worm.Win32.AutoRun.dmo
Fortinet            3.117.0.0          2008.11.30    -
GData               19                 2008.11.30    Worm.Autorun.VDO
Ikarus              T3.1.1.45.0        2008.11.30    Worm.Win32.AutoRun
K7AntiVirus         7.10.538           2008.11.29    Worm.Win32.AutoRun.dmo
Kaspersky           7.0.0.125          2008.11.30    Worm.Win32.AutoRun.dmo
McAfee              5449               2008.11.29    W32/Autorun.worm.ba
McAfee+Artemis      5449               2008.11.29    W32/Autorun.worm.ba
Microsoft           1.4104             2008.11.30    Worm:Win32/Dutan.A
NOD32               3651               2008.11.30    Win32/AutoRun.MX
Norman              5.80.02            2008.11.28    W32/Smalltroj.DCHT
Panda               9.0.0.4            2008.11.29    -
PCTools             4.4.2.0            2008.11.29    -
Prevx1              V2                 2008.11.30    Malicious Software
Rising              21.05.60.00        2008.11.30    Trojan.Win32.Undef.hme
SecureWeb-Gateway   6.7.6              2008.11.29    Trojan.Crypt.CFI.Gen
Sophos              4.36.0             2008.11.30    W32/AutoRun-JH
Sunbelt             3.1.1832.2         2008.11.27    Worm.Win32.AutoRun.dmo
Symantec            10                 2008.11.30    W32.Dutan.A
TheHacker           6.3.1.1.169        2008.11.29    -
TrendMicro          8.700.0.1004       2008.11.28    Mal_Otorun5
VBA32               3.12.8.9           2008.11.29    suspected of Embedded.Win32.Delf.NLJ
ViRobot             2008.11.29.1492    2008.11.29    -
VirusBuster         4.5.11.0           2008.11.29    Worm.AutoRun.BRC

The signs of infection for this sample are very obvious. As most worms do, it propagates via the removable drives [from C:\ to Z:\] and also the connected network drives; however, this worm only infects the flash drives that are attached to the infected machine. Apart from that, one notices that the CPU is running at 100%. You can easily see two running processes, CSRSSS.EXE and SVCHOSTS.EXE, consuming all the CPU. We saw this process in the HJT log as well, and needless to say it is the culprit infecting the machine. You can also see temp.temp files (2 KB in size), which I will explain in the next paragraph.

Before I go to the removal, I would like to talk about the payload of this worm. We should always keep in mind that a worm does not only spread to increase its infection vector; it also carries a payload to further affect the machines. For example, most worms download other malware from a remote site, and that malware may steal sensitive information on the victim's side. Not surprisingly, this worm has its payload too: it searches for and modifies the Excel files throughout the machine. This is probably why the CPU is fully utilized all the time, as the worm keeps looking for Excel files. This sample drops temp.temp in every folder that contains Excel files. The worm checks whether the files csrsss.exe, svchosts.exe and winxpsp2.dll exist in %windir%\system; if they do not, the worm drops the files there and executes them. Once the machine is infected, the worm injects the code from temp.temp into the header of the original Excel files so that they are no longer recognized by Microsoft Excel; however, the data inside the file is still intact.

Removal

In fact, this worm is easily detected and removed by AV products that know it. For those that do not detect it, such as AVG, it can be removed manually; I provide a simple batch script for that:

  1. Open Task Manager.
  2. Terminate the processes SVCHOSTS.EXE and CSRSSS.EXE.
  3. Run the following batch script:

    REM Clear the hidden attribute on the dropped files so del can see them, then delete them.
    REM If attrib or del still fail, the files may also carry the System/Read-only attributes;
    REM attrib -S -H -R clears all three.
    cd /d C:\Windows\System32
    attrib -H csrsss.exe
    attrib -H svchosts.exe
    attrib -H winxpsp2.dll
    del csrsss.exe
    del svchosts.exe
    del winxpsp2.dll
    REM Remove the autostart entry seen in the HJT log ("delete" is a reg.exe subcommand, not a /delete switch).
    reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "Microsoft OfficeTool" /f
  4. To remove the worm from the flash drives (NOTE: clean the infection on the system first, otherwise the flash drives will be reinfected):
    REM Replace the placeholder below with the removable drive letter, e.g. F:
    cd /d [Drive letter of the removable drive]
    attrib -H data.exe
    attrib -H autorun.inf
    del data.exe
    del autorun.inf
  5. Restart the machine.

Update

As promised earlier, I will post the recovery of the Excel files if I find one. It actually took me 2 weeks to create a small program to automate the recovery process. My finding is that the infected files can be partially recovered by using Microsoft Excel's built-in repair function. Manual recovery is needed to fully recover all elements of an infected file, and involves stripping off the bad string and replacing the Excel header. Please note that this works on some, but not all, infected files.
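The header damage described in the payload section and the "strip the bad string, replace the header" recovery described above, as an added Python triage helper (not the author's ExcelRepair tool and not from the vendor writeups): it uses the OLE2 compound-file magic that every legacy .xls begins with to tell intact workbooks from clobbered ones, cuts off an injected prefix when the real header survives further into the file, and flags files whose header was overwritten for manual repair. It assumes the injection either prepends bytes or overwrites the start of the file; the marker file name comes from the post, and all sample bytes are constructed.

```python
from pathlib import Path
from typing import Optional

# Every legacy (BIFF8) .xls workbook is an OLE2 compound file and begins with this magic.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Name of the 2 KB file the worm drops in every folder that holds Excel files (from the post).
MARKER_NAME = "temp.temp"


def classify_xls(data: bytes) -> str:
    """'clean': header intact. 'prefixed': real header survives later, so the injected
    prefix can be cut off. 'overwritten': no magic anywhere, header must be rebuilt by
    hand. Assumption: those are the two ways the injected bytes can land."""
    if data.startswith(OLE_MAGIC):
        return "clean"
    if data.find(OLE_MAGIC, 1) != -1:
        return "prefixed"
    return "overwritten"


def strip_injected_prefix(data: bytes) -> Optional[bytes]:
    """Return the workbook from its real OLE header onward, or None if not recoverable this way."""
    idx = data.find(OLE_MAGIC)
    return data[idx:] if idx > 0 else None


def triage_tree(root: str) -> dict:
    """Report every .xls under root with its verdict and whether the marker file sits beside it."""
    report = {}
    for xls in Path(root).rglob("*.xls"):
        report[str(xls)] = {
            "verdict": classify_xls(xls.read_bytes()),
            "marker_present": (xls.parent / MARKER_NAME).exists(),
        }
    return report


def repair_tree(root: str) -> list:
    """Write <name>.recovered.xls beside each 'prefixed' workbook; originals are never modified."""
    fixed = []
    for xls in list(Path(root).rglob("*.xls")):  # snapshot so new files are not revisited
        if xls.name.endswith(".recovered.xls"):
            continue
        cleaned = strip_injected_prefix(xls.read_bytes())
        if cleaned is not None:
            out = xls.with_name(xls.stem + ".recovered.xls")
            out.write_bytes(cleaned)
            fixed.append(str(out))
    return fixed
```

Files reported as "overwritten" still need the manual header replacement the post describes; the helper only repairs the case where the original header is still present behind the injected bytes.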

The executable and source code are provided at the following link. The code is not optimized and you might see some redundant code. Anyway, I hope this program helps those who are not tech-savvy, or too lazy, to manually recover the Excel files.

http://www.4shared.com/file/78575763/77ff9823/ExcelRepair_with_source.html

-- Edited 24/01/2009

Conclusion

I still cannot find a way to recover the Excel files; other people may know about it, and I hope they can share it with me here or email me at laipeisun[at]gmail.com. I will greatly appreciate any comments and information. Of course, I will put the solution here if I can figure one out :)

References

http://www.symantec.com/security_response/writeup.jsp?docid=2008-041714-2706-99
http://www.f-secure.com/v-descs/worm_w32_autorun_dmo.shtml