Method of Infection
Win32.Glieder.AF may arrive attached to an e-mail that appears similar to the following:

When executed, Win32.Glieder.AF creates two files in the %Temp% directory using a generated temporary filename. For example:
- %Temp%\~1.txt
- %Temp%\~1.exe (Main executable)
Note: %Temp% is a variable location and refers to the directory designated for temporary files. The malware determines the location of the current Temp folder by querying the operating system. A typical path is "C:\Documents and Settings\<username>\Local Settings\Temp", or "C:\WINDOWS\TEMP".
The contents of the text file are displayed:

When the main executable is launched, it copies itself to:
%System%\winshost.exe
It makes the following modifications to the registry to ensure that winshost.exe is executed at each Windows start:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winshost.exe = "%System%\winshost.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winshost.exe = "%System%\winshost.exe"
It also drops another component to %System%\wiwshost.exe (this file is 18,944 bytes in size). The file is a DLL, which is injected into the explorer.exe process, so as to run under the guise of Explorer.
Note: '%System%' is a variable location. The malware determines the location of the current System folder by querying the operating system. The default System directory is C:\Winnt\System32 on Windows 2000 and NT; C:\Windows\System on Windows 95, 98 and ME; and C:\Windows\System32 on Windows XP.
Payload
Downloads and Executes Arbitrary Files
Glieder.AF attempts to download a file from a list of URLs hosted on the following domains. If a download succeeds, it saves the file to %Windows%\ile.exe and executes it. It also deletes any previously downloaded files.
www.21ebuild.com
www.51.net
www.acsohio.com
www.agria.hu
www.andi.com.vn
www.angham.de
www.ascolfibras.com
www.automobilonline.de
www.bangyan.cn
www.beall-cpa.com
www.bolz.at
www.bs-security.de
www.centrovestecasa.it
www.checkonemedia.nl
www.contentproject.com
www.cz-wanjia.com
www.czwanqing.com
www.czzm.com
www.datanet.hu
www.designgong.org
www.dgy.com.cn
www.die-fliesen.de
www.discoteka-funfactory.com
www.dom-invest.com.pl
www.eagle.com.cn
www.eagleclub.com.cn
www.ehc.hu
www.elvis-presley.ch
www.engelhardtgmbh.de
www.externet.hu
www.fahrschule-herb.de
www.fahrschule-lesser.de
www.fermegaroy.com
www.festivalteatrooccidente.com
www.formholz.at
www.fotomax.fi
www.gemtrox.com.tw
www.gepeters.org
www.gimex-messzeuge.de
www.gomyhome.com.tw
www.gymzn.cz
www.hondenservice.be
www.idaf.de
www.idcs.be
www.ider.cl
www.inside-tgweb.de
www.izoli.sk
www.jcm-american.com
www.jeoushinn.com
www.jingjuok.com
www.jue-bo.com
www.kingsley.ch
www.marketvw.com
www.megaserve.net
www.mild.at
www.niko.de
www.nikogmbh.com
www.olva.com.pe
www.on24.ee
www.onlink.net
www.ppm-alliance.de
www.presley.ch
www.renegaderc.com
www.replayu.com
www.sachsenbuecher.de
www.sanjinyuan.com
www.scvanravenswaaij.nl
www.slovanet.sk
www.snsphoto.com
www.societaet.de
www.soeco.org
www.softmajor.ru
www.solt3.org
www.spacium.biz
www.speedcom.home.pl
www.spirit-in-steel.at
www.spoden.de
www.sportnf.com
www.spy.az
www.sqnsolutions.com
www.st-paulus-bonn.dehtdocs
www.stbs.com.hk
www.steripharm.com
www.students.stir.ac.uk
www.subsplanet.com
www.sungodbio.com
www.superbetcs.com
www.sweb.cz
www.sydolo.com
www.szdiheng.com
www.tcicampus.net
www.techni.com.cn
www.tg-sandhausen-basketball.de
www.th-mutan.com
www.thaifast.com
www.thaiventure.com
www.thefunkiest.com
www.thenextstep.tv
www.thetexasoutfitter.com
www.tmhcsd1987.friko.pl
www.toussain.be
www.trago.com.pt
www.travelourway.com
www.trgd.dobrcz.pl
www.triapex.cz
www.triptonic.ch
www.tv-marina.com
www.udc-cassinadepecchi.it
www.universe.sk
www.uspowerchair.com
www.uw.hu
www.vercruyssenelektro.be
www.vet24h.com
www.vinimeloni.com
www.vnn.vn
www.vnrvjiet.ac.in
www.vote2fateh.com
www.vw.press-bank.pl
www.wamba.asn.au
www.wdlp.co.za
www.welchcorp.com
www.wesartproductions.com
www.wilsonscountry.com
www.windstar.pl
www.wise-industries.com
www.witold.pl
www.wombband.com
www.x-treme.cz
www.xiantong.net
www.xmpie.com
www.xmtd.com
www.xojc.com
www.yannick-spruyt.be
www.yayadownload.com
www.yesterdays.co.za
www.yshkj.com
www.zakazcd.dp.ua
www.zenesoftware.com
www.zentek.co.za
www.zorbas.az
www.zsbersala.edu.sk
Terminates Processes
The DLL component (wiwshost.exe, running inside explorer.exe) kills the following processes, which belong to antivirus and other security-related applications:
ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVPUPD.EXE
AVWUPD32.EXE
AVXQUAR.EXE
CFIAUDIT.EXE
DRWEBUPW.EXE
ESCANH95.EXE
ESCANHNT.EXE
FIREWALL.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
LUALL.EXE
MCUPDATE.EXE
NUPGRADE.EXE
OUTPOST.EXE
UPDATE.EXE
UPGRADER.EXE
Modifies Hosts File
The Hosts file maps host names to IP addresses. Windows consults it before querying any DNS server, so an entry in it overrides the address DNS would otherwise return. On XP, 2000 and NT systems the hosts file is located at %System%\drivers\etc\hosts.
Glieder.AF overwrites "%System%\drivers\etc\hosts" in order to redirect particular antivirus related domain names. For example:
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
These lines will cause the domains www.ca.com, ca.com, etc. to resolve to the local host, effectively denying access. Glieder.AF redirects the following domains to local host:
ad.doubleclick.net
ad.fastclick.net
ads.fastclick.net
ar.atwola.com
atdmt.com
avp.ch
avp.com
avp.ru
awaps.net
banner.fastclick.net
banners.fastclick.net
ca.com
click.atdmt.com
clicks.atdmt.com
customer.symantec.com
dispatch.mcafee.com
download.mcafee.com
download.microsoft.com
downloads-us1.kaspersky-labs.com
downloads-us2.kaspersky-labs.com
downloads-us3.kaspersky-labs.com
downloads.microsoft.com
downloads1.kaspersky-labs.com
downloads2.kaspersky-labs.com
downloads3.kaspersky-labs.com
downloads4.kaspersky-labs.com
engine.awaps.net
f-secure.com
fastclick.net
ftp.avp.ch
ftp.downloads2.kaspersky-labs.com
ftp.f-secure.com
ftp.kasperskylab.ru
ftp.sophos.com
go.microsoft.com
ids.kaspersky-labs.com
kaspersky-labs.com
kaspersky.com
liveupdate.symantec.com
liveupdate.symantecliveupdate.com
mast.mcafee.com
mcafee.com
media.fastclick.net
msdn.microsoft.com
my-etrust.com
nai.com
networkassociates.com
office.microsoft.com
phx.corporate-ir.net
rads.mcafee.com
secure.nai.com
securityresponse.symantec.com
service1.symantec.com
sophos.com
spd.atdmt.com
support.microsoft.com
symantec.com
trendmicro.com
update.symantec.com
updates.symantec.com
updates1.kaspersky-labs.com
updates2.kaspersky-labs.com
updates3.kaspersky-labs.com
updates4.kaspersky-labs.com
updates5.kaspersky-labs.com
us.mcafee.com
vil.nai.com
viruslist.com
viruslist.ru
windowsupdate.microsoft.com
www.avp.ch
www.avp.com
www.avp.ru
www.awaps.net
www.ca.com
www.f-secure.com
www.fastclick.net
www.grisoft.com
www.kaspersky-labs.com
www.kaspersky.com
www.kaspersky.ru
www.mcafee.com
www.my-etrust.com
www.nai.com
www.networkassociates.com
www.sophos.com
www.symantec.com
www.trendmicro.com
www.viruslist.com
www.viruslist.ru
www3.ca.com
Note: CA Antivirus solutions may detect the modified Hosts file as Win32.HostBlock.
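As an added example (not code from the original CA analysis), the following Python script parses a hosts file the way the lookup described above works, flags security-vendor names pinned to a loopback or unspecified address, and produces a cleaned copy. The sample hosts text is constructed from the entries listed above rather than captured from an infected machine; WATCHED_DOMAINS is a reduced set of registrable domains drawn from the list, and treating every subdomain of each as watched (for example all of microsoft.com) is an assumption that goes beyond the specific hostnames the page names.

```python
import ipaddress

# Registrable domains taken from the redirect list above; every subdomain of
# each is treated as watched. Matching whole zones (e.g. all of microsoft.com)
# is an assumption: the page lists specific hosts, not the zone.
WATCHED_DOMAINS = {
    "avp.ch", "avp.com", "avp.ru", "ca.com", "my-etrust.com", "f-secure.com",
    "grisoft.com", "kaspersky-labs.com", "kaspersky.com", "kaspersky.ru",
    "kasperskylab.ru", "mcafee.com", "nai.com", "networkassociates.com",
    "sophos.com", "symantec.com", "symantecliveupdate.com", "trendmicro.com",
    "viruslist.com", "viruslist.ru", "microsoft.com",
}

# Constructed sample in the layout of a Windows hosts file; it is not a capture
# from an infected host. The tab-separated line and the 0.0.0.0 entry are there
# to exercise the parser, not because the page says Glieder.AF writes them.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1\tliveupdate.symantec.com\tupdate.symantec.com
0.0.0.0 downloads1.kaspersky-labs.com
192.168.1.10 intranet.example.local   # legitimate override (assumed)
"""


def is_watched(hostname):
    """True if hostname is a watched domain or a subdomain of one."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in WATCHED_DOMAINS)


def is_sinkhole(ip):
    """Loopback (127/8, ::1) and unspecified (0.0.0.0, ::) both deny access."""
    return ip.is_loopback or ip.is_unspecified


def parse_hosts(text):
    """Yield (line_no, ip_address, [hostnames]) for each mapping line.

    Comments start at '#'; fields are separated by any run of whitespace,
    and one address may carry several hostnames, as in the Windows file.
    """
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank, comment-only, or address with no name
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address; the resolver skips it as well
        yield line_no, ip, fields[1:]


def find_blocked(text):
    """Return [(line_no, address, hostname)] for watched names sent to a sinkhole."""
    hits = []
    for line_no, ip, names in parse_hosts(text):
        if not is_sinkhole(ip):
            continue
        hits.extend((line_no, str(ip), n) for n in names if is_watched(n))
    return hits


def clean_hosts(text):
    """Return the hosts text with blocking entries removed.

    Watched names are dropped from sinkhole lines; a line that loses all its
    names is removed. Every other line, comments included, is kept verbatim.
    """
    kept = []
    for raw in text.splitlines():
        code, hash_, comment = raw.partition("#")
        fields = code.split()
        try:
            ip = ipaddress.ip_address(fields[0]) if len(fields) >= 2 else None
        except ValueError:
            ip = None
        if ip is None or not is_sinkhole(ip):
            kept.append(raw)
            continue
        names = [n for n in fields[1:] if not is_watched(n)]
        if len(names) == len(fields) - 1:
            kept.append(raw)  # nothing on this line is a watched name
            continue
        if not names:
            continue  # the whole line existed only to block
        rebuilt = " ".join([fields[0], *names])
        kept.append(rebuilt + ("  " + hash_ + comment if hash_ else ""))
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for line_no, addr, name in find_blocked(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {addr}")
    print("--- cleaned ---")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

To run it against a real system, read %System%\drivers\etc\hosts into find_blocked and write clean_hosts output back only after confirming the winshost.exe / wiwshost.exe components and their Run values are gone, since the running malware rewrites the file.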
Stops and Disables Services
On Windows XP and 2000, Glieder.AF attempts to stop and disable the Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) service (the "SharedAccess" service). On Windows XP it also attempts to stop and disable the Security Center service ("wscsvc", which was introduced with Windows XP Service Pack 2).
Glieder.AF also attempts to stop, then disable the following services:
Ahnlab task Scheduler
alerter
AlertManger
AVExch32Service
avg7alrt
avg7updsvc
AvgCore
AvgFsh
AvgServ
avpcc
AVUPDService
AvxIni
awhost32
backweb client - 4476822
BackWeb Client - 7681197
backweb client-4476822
BlackICE
CAISafe
ccEvtMgr
ccPwdSvc
ccSetMgr
ccSetMgr.exe
DefWatch
dvpapi
dvpinit
F-Secure Gatekeeper Handler Starter
fsbwsys
FSDFWD
FSMA
KAVMonitorService
kavsvc
KLBLMain
McAfee Firewall
McAfeeFramework
McShield
McTaskManager
mcupdmgr.exe
MCVSRte
MonSvcNT
navapsvc
Network Associates Log Service
NISSERV
NISUM
NOD32ControlCenter
NOD32Service
Norman NJeeves
Norman ZANDA
Norton Antivirus Server
NPFMntor
NProtectService
NSCTOP
nvcoas
NVCScheduler
nwclntc
nwclntd
nwclnte
nwclntf
nwclntg
nwclnth
NWService
Outbreak Manager
Outpost Firewall
OutpostFirewall
PASSRV
PAVFNSVR
Pavkre
PavProt
PavPrSrv
PAVSRV
PCCPFW
PersFW
PREVSRV
PSIMSVC
ravmon8
SAVFMSE
SAVScan
SBService
schscnt
SmcService
SNDSrvc
SPBBCSvc
SweepNet
SWEEPSRV.SYS
Symantec AntiVirus Client
Symantec Core LC
Tmntsrv
V3MonNT
V3MonSvc
VexiraAntivirus
VisNetic AntiVirus Plug-in
vsmon
wuauserv
XCOMM
Modifies System Settings/Lowers Security Settings
Glieder.AF attempts to delete the following registry values if they exist:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\McAfee.InstantUpdate.Monitor
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\APVXDWIN
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KAV50
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\McAfee Guardian
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NAV CfgWiz
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SSC_UserPrompt
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Symantec NetDriver Monitor
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Zone Labs Client
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\avg7_cc
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\avg7_emc
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ccApp
as well as the following registry keys:
HKLM\SOFTWARE\Agnitum
HKLM\SOFTWARE\KasperskyLab
HKLM\SOFTWARE\McAfee
HKLM\SOFTWARE\Panda Software
HKLM\SOFTWARE\Symantec
HKLM\SOFTWARE\Zone Labs
Glieder.AF searches fixed drives for the following files and renames them (original name -> new name):
SPBBCSvc.exe -> SP1BBCSvc.exe
SNDSrvc.exe -> SND1Srvc.exe
ccApp.exe -> ccA1pp.exe
ccl30.dll -> cc1l30.dll
LUALL.EXE -> LUAL1L.EXE
AUPDATE.EXE -> AUPD1ATE.EXE
Luupdate.exe -> Luup1date.exe
RuLaunch.exe -> RuLa1unch.exe
CMGrdian.exe -> CM1Grdian.exe
Mcshield.exe -> Mcsh1ield.exe
outpost.exe -> outp1ost.exe
Avconsol.exe -> Avc1onsol.exe
Vshwin32.exe -> Vshw1in32.exe
VsStat.exe -> Vs1Stat.exe
Avsynmgr.exe -> Av1synmgr.exe
kavmm.exe -> kav12mm.exe
Up2Date.exe -> Up222Date.exe
KAV.exe -> K2A2V.exe
avgcc.exe -> avgc3c.exe
avgemc.exe -> avg23emc.exe
zatutor.exe -> zatu6tor.exe
isafe.exe -> is5a6fe.exe
cafix.exe -> c6a5fix.exe
CCSETMGR.EXE -> C1CSETMGR.EXE
CCEVTMGR.EXE -> CC1EVTMGR.EXE
NAVAPSVC.EXE -> NAV1APSVC.EXE
NPFMNTOR.EXE -> NPFM1NTOR.EXE
symlcsvc.exe -> s1ymlcsvc.exe
ccvrtrst.dll -> ccv1rtrst.dll
LUINSDLL.DLL -> LUI1NSDLL.DLL
zlclient.exe -> zlcli6ent.exe
Note: The following names also appear in this list, but without a matching entry in the other column: av.dll, vetredir.dll and vsvault.dll (original names with no renamed form shown), and zo3nealarm.exe and zl5avscan.dll (renamed forms with no original shown).
Analysis by Scott Molenkamp