Method of Infection
When the main executable is launched, it copies itself to:
%System%\winshost.exe
It makes the following modifications to the registry to ensure that winshost.exe is executed at each Windows start:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winshost.exe = "%System%\winshost.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winshost.exe = "%System%\winshost.exe"
It also drops a second component, %System%\wiwshost.exe (11,776 bytes). Despite the .exe extension this file is a DLL; it is injected into the explorer.exe process so that it runs under the guise of Explorer rather than as a separate process.
Note: '%System%' is a variable location. The malware determines the location of the current System folder by querying the operating system. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95,98 and ME is C:\Windows\System; and for XP is C:\Windows\System32.
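The artifacts above (two dropped files, two Run values and a DLL loaded inside explorer.exe) are straightforward to check on a live host. The following PowerShell triage function is an added example, not part of the original analysis: the file, value and process names come from the write-up, while the function name, the output layout and the use of the resolved System32 directory as %System% are this example's own assumptions.

```powershell
# Added example: triage checks for the Glieder.AK persistence artifacts
# described above. Indicator names are from the analysis; the function,
# its parameters and output shape are this example's own.
function Get-GliederPersistenceFindings {
    [CmdletBinding()]
    param(
        # %System% and %Windows% resolved the same way the analysis describes
        # (queried from the OS rather than hard-coded).
        [string]$SystemDir  = [Environment]::SystemDirectory,
        [string]$WindowsDir = $env:SystemRoot
    )
    $findings = @()

    # 1. Dropped files: the copied main executable and the injected DLL component.
    foreach ($name in 'winshost.exe', 'wiwshost.exe') {
        $path = Join-Path $SystemDir $name
        if (Test-Path -LiteralPath $path) {
            $item = Get-Item -LiteralPath $path
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $findings += [pscustomobject]@{
                Type   = 'File'
                Where  = $path
                Detail = "size=$($item.Length) sha256=$hash"
            }
        }
    }
    # The downloader stage writes whatever it fetched to %Windows%\ile.exe.
    $ile = Join-Path $WindowsDir 'ile.exe'
    if (Test-Path -LiteralPath $ile) {
        $findings += [pscustomobject]@{ Type = 'File'; Where = $ile; Detail = 'downloaded payload location' }
    }

    # 2. Run-value persistence in both HKCU and HKLM.
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = $hive + ':\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
        $val = Get-ItemProperty -Path $key -Name 'winshost.exe' -ErrorAction SilentlyContinue
        if ($val) {
            $findings += [pscustomobject]@{
                Type   = 'RunValue'
                Where  = "$key\winshost.exe"
                Detail = $val.'winshost.exe'
            }
        }
    }

    # 3. Injected DLL: wiwshost.exe appearing in explorer.exe's module list.
    #    Reading another process's modules needs an elevated session.
    foreach ($explorer in (Get-Process -Name explorer -ErrorAction SilentlyContinue)) {
        $mod = $explorer.Modules | Where-Object { $_.ModuleName -ieq 'wiwshost.exe' }
        if ($mod) {
            $findings += [pscustomobject]@{
                Type   = 'InjectedModule'
                Where  = "explorer.exe PID $($explorer.Id)"
                Detail = $mod.FileName
            }
        }
    }
    return $findings
}

# Usage: run from an elevated PowerShell so HKLM and explorer's modules are readable.
Get-GliederPersistenceFindings | Format-Table -AutoSize
```

A hit on the Run value alone is a strong indicator even when the file is gone, since the malware writes it under both hives; the module check is the only one that confirms the DLL is currently active rather than merely present on disk.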
Payload
Downloads and Executes Arbitrary Files
Glieder.AK attempts to download a file from a list of URLs hosted on the following domains. If a download succeeds, it saves the file to %Windows%\ile.exe and executes it. It also deletes any previously downloaded files.
www.21ebuild.com
www.51.net
www.acsohio.com
www.agria.hu
www.andi.com.vn
www.angham.de
www.ascolfibras.com
www.automobilonline.de
www.bangyan.cn
www.beall-cpa.com
www.bolz.at
www.bs-security.de
www.centrovestecasa.it
www.checkonemedia.nl
www.contentproject.com
www.cz-wanjia.com
www.czwanqing.com
www.czzm.com
www.datanet.hu
www.designgong.org
www.dgy.com.cn
www.die-fliesen.de
www.discoteka-funfactory.com
www.dom-invest.com.pl
www.eagle.com.cn
www.eagleclub.com.cn
www.ehc.hu
www.elvis-presley.ch
www.engelhardtgmbh.de
www.externet.hu
www.fahrschule-herb.de
www.fahrschule-lesser.de
www.fermegaroy.com
www.festivalteatrooccidente.com
www.formholz.at
www.fotomax.fi
www.gemtrox.com.tw
www.gepeters.org
www.gimex-messzeuge.de
www.gomyhome.com.tw
www.gymzn.cz
www.hondenservice.be
www.idaf.de
www.idcs.be
www.ider.cl
www.inside-tgweb.de
www.izoli.sk
www.jcm-american.com
www.jeoushinn.com
www.jingjuok.com
www.jue-bo.com
www.kingsley.ch
www.marketvw.com
www.megaserve.net
www.mild.at
www.niko.de
www.nikogmbh.com
www.olva.com.pe
www.on24.ee
www.onlink.net
www.ppm-alliance.de
www.presley.ch
www.renegaderc.com
www.replayu.com
www.sachsenbuecher.de
www.sanjinyuan.com
www.scvanravenswaaij.nl
www.slovanet.sk
www.snsphoto.com
www.societaet.de
www.soeco.org
www.softmajor.ru
www.solt3.org
www.spacium.biz
www.speedcom.home.pl
www.spirit-in-steel.at
www.spoden.de
www.sportnf.com
www.spy.az
www.sqnsolutions.com
www.st-paulus-bonn.dehtdocs
www.stbs.com.hk
www.steripharm.com
www.students.stir.ac.uk
www.subsplanet.com
www.sungodbio.com
www.superbetcs.com
www.sweb.cz
www.sydolo.com
www.szdiheng.com
www.tcicampus.net
www.techni.com.cn
www.tg-sandhausen-basketball.de
www.th-mutan.com
www.thaifast.com
www.thaiventure.com
www.thefunkiest.com
www.thenextstep.tv
www.thetexasoutfitter.com
www.tmhcsd1987.friko.pl
www.toussain.be
www.trago.com.pt
www.travelourway.com
www.trgd.dobrcz.pl
www.triapex.cz
www.triptonic.ch
www.tv-marina.com
www.udc-cassinadepecchi.it
www.universe.sk
www.uspowerchair.com
www.uw.hu
www.vercruyssenelektro.be
www.vet24h.com
www.vinimeloni.com
www.vnn.vn
www.vnrvjiet.ac.in
www.vote2fateh.com
www.vw.press-bank.pl
www.wamba.asn.au
www.wdlp.co.za
www.welchcorp.com
www.wesartproductions.com
www.wilsonscountry.com
www.windstar.pl
www.wise-industries.com
www.witold.pl
www.wombband.com
www.x-treme.cz
www.xiantong.net
www.xmpie.com
www.xmtd.com
www.xojc.com
www.yannick-spruyt.be
www.yayadownload.com
www.yesterdays.co.za
www.yshkj.com
www.zakazcd.dp.ua
www.zenesoftware.com
www.zentek.co.za
www.zorbas.az
www.zsbersala.edu.sk
Terminates Processes
The DLL component (wiwshost.exe, dropped into %System% as described above) terminates the following processes, which belong to antivirus and other security-related applications (mostly updater and firewall executables):
ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVPUPD.EXE
AVWUPD32.EXE
AVXQUAR.EXE
CFIAUDIT.EXE
DRWEBUPW.EXE
ESCANH95.EXE
ESCANHNT.EXE
FIREWALL.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
LUALL.EXE
MCUPDATE.EXE
NUPGRADE.EXE
OUTPOST.EXE
UPDATE.EXE
UPGRADER.EXE
Stops and Disables Services
On Windows XP and 2000, Glieder.AK attempts to stop and disable the Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) service (the "SharedAccess" service). On Windows XP it also targets the Security Center service ("wscsvc"), which was introduced with Windows XP Service Pack 2.
Glieder.AK also attempts to stop, then disable the following services:
Ahnlab task Scheduler
alerter
AlertManger
AVExch32Service
avg7alrt
avg7updsvc
AvgCore
AvgFsh
AvgServ
avpcc
AVUPDService
AvxIni
awhost32
backweb client - 4476822
BackWeb Client - 7681197
backweb client-4476822
BlackICE
CAISafe
ccEvtMgr
ccPwdSvc
ccSetMgr
ccSetMgr.exe
DefWatch
dvpapi
dvpinit
F-Secure Gatekeeper Handler Starter
fsbwsys
FSDFWD
FSMA
KAVMonitorService
kavsvc
KLBLMain
McAfee Firewall
McAfeeFramework
McShield
McTaskManager
mcupdmgr.exe
MCVSRte
MonSvcNT
navapsvc
Network Associates Log Service
NISSERV
NISUM
NOD32ControlCenter
NOD32Service
Norman NJeeves
Norman ZANDA
Norton Antivirus Server
NPFMntor
NProtectService
NSCTOP
nvcoas
NVCScheduler
nwclntc
nwclntd
nwclnte
nwclntf
nwclntg
nwclnth
NWService
Outbreak Manager
Outpost Firewall
OutpostFirewall
PASSRV
PAVFNSVR
Pavkre
PavProt
PavPrSrv
PAVSRV
PCCPFW
PersFW
PREVSRV
PSIMSVC
ravmon8
SAVFMSE
SAVScan
SBService
schscnt
SmcService
SNDSrvc
SPBBCSvc
SweepNet
SWEEPSRV.SYS
Symantec AntiVirus Client
Symantec Core LC
Tmntsrv
V3MonNT
V3MonSvc
VexiraAntivirus
VisNetic AntiVirus Plug-in
vsmon
wuauserv
XCOMM
Modifies System Settings/Lowers Security Settings
Glieder.AK attempts to delete the following registry values if they exist:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\McAfee.InstantUpdate.Monitor
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\APVXDWIN
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KAV50
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\McAfee Guardian
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NAV CfgWiz
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SSC_UserPrompt
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Symantec NetDriver Monitor
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Zone Labs Client
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\avg7_cc
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\avg7_emc
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ccApp
as well as the following registry keys:
HKLM\SOFTWARE\Agnitum
HKLM\SOFTWARE\KasperskyLab
HKLM\SOFTWARE\McAfee
HKLM\SOFTWARE\Panda Software
HKLM\SOFTWARE\Symantec
HKLM\SOFTWARE\Zone Labs
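Because the service and registry tampering above leaves durable state (a service whose start type is now Disabled, a vendor key that no longer exists), it can be audited after the fact. The following PowerShell is an added example, not code from the original analysis: the service names and registry keys are taken from the lists above (the service array is a subset and is meant to be extended with the rest of the list), while the function names, the matching on both short and display names and the Suspicious heuristic are this example's own assumptions.

```powershell
# Added example: audit which of the services and vendor registry keys targeted
# by Glieder.AK are disabled or missing. Names are from the lists above
# (services: a subset); the checks and helper names are this example's own.
$TargetedServices = @(
    'SharedAccess', 'wscsvc', 'wuauserv', 'alerter',            # Windows built-ins
    'ccEvtMgr', 'ccSetMgr', 'navapsvc', 'SAVScan', 'SPBBCSvc',  # Symantec / Norton
    'McShield', 'McAfeeFramework', 'kavsvc', 'avg7alrt',        # McAfee, Kaspersky, AVG
    'vsmon', 'OutpostFirewall', 'BlackICE', 'PersFW'            # firewalls
    # extend with the remaining names from the list above as needed
)
$TargetedKeys = @(
    'HKLM:\SOFTWARE\Agnitum', 'HKLM:\SOFTWARE\KasperskyLab', 'HKLM:\SOFTWARE\McAfee',
    'HKLM:\SOFTWARE\Panda Software', 'HKLM:\SOFTWARE\Symantec', 'HKLM:\SOFTWARE\Zone Labs'
)

function Get-TamperedServices {
    param([string[]]$Names = $TargetedServices)
    # Win32_Service exposes StartMode (Auto/Manual/Disabled) as well as State;
    # the malware changes both. The list on the page mixes short service names
    # and display names, so match on either. On pre-PowerShell-3 hosts use
    # Get-WmiObject Win32_Service instead of Get-CimInstance.
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if (($Names -contains $svc.Name) -or ($Names -contains $svc.DisplayName)) {
            [pscustomobject]@{
                Name        = $svc.Name
                DisplayName = $svc.DisplayName
                StartMode   = $svc.StartMode
                State       = $svc.State
                # Disabled is the strong signal; Stopped alone is normal for
                # manual-start services, so it is reported but not flagged.
                Suspicious  = ($svc.StartMode -eq 'Disabled')
            }
        }
    }
}

function Get-DeletedVendorKeys {
    param([string[]]$Keys = $TargetedKeys)
    # Absence is only meaningful when the product is actually installed;
    # this reports presence and leaves that judgement to the analyst.
    foreach ($k in $Keys) {
        [pscustomobject]@{ Key = $k; Present = (Test-Path -LiteralPath $k) }
    }
}

# Report
Get-TamperedServices   | Where-Object Suspicious          | Format-Table -AutoSize
Get-DeletedVendorKeys  | Where-Object { -not $_.Present } | Format-Table -AutoSize

# Remediation for the Windows built-ins only (dry run; drop -WhatIf to apply).
# Vendor services are better restored by the vendor's own repair routine.
foreach ($name in 'SharedAccess', 'wscsvc', 'wuauserv') {
    if (Get-Service -Name $name -ErrorAction SilentlyContinue) {
        Set-Service   -Name $name -StartupType Automatic -WhatIf
        Start-Service -Name $name -WhatIf
    }
}
```

Note that wuauserv (Automatic Updates) is in the malware's list alongside the security products: a host that suddenly cannot receive updates is a useful secondary indicator even where no third-party product is installed.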
Glieder.AK searches fixed drives for the following files and renames them. The analysis gives the new names as a corresponding right-hand column; both columns are reproduced below as lists in the order given. As listed, the right-hand column does not line up name-for-name with the left for every entry (for example zatutor.exe appears unchanged), so the pairing should be read as approximate beyond the obvious cases.
Original file names:
SPBBCSvc.exe
SNDSrvc.exe
ccApp.exe
ccl30.dll
LUALL.EXE
AUPDATE.EXE
Luupdate.exe
RuLaunch.exe
CMGrdian.exe
Mcshield.exe
outpost.exe
Avconsol.exe
Vshwin32.exe
VsStat.exe
Avsynmgr.exe
kavmm.exe
Up2Date.exe
KAV.exe
avgcc.exe
avgemc.exe
zatutor.exe
isafe.exe
av.dll
vetredir.dll
CCSETMGR.EXE
CCEVTMGR.EXE
NAVAPSVC.EXE
NPFMNTOR.EXE
symlcsvc.exe
ccvrtrst.dll
LUINSDLL.DLL
zlclient.exe
cafix.exe
vsvault.dll
Renamed to (right-hand column, same order):
SP1BBCSvc.exe
SND1Srvc.exe
ccA1pp.exe
cc1l30.dll
LUAL1L.EXE
AUPD1ATE.EXE
Luup1date.exe
RuLa1unch.exe
CM1Grdian.exe
Mcsh1ield.exe
outp1ost.exe
Avc1onsol.exe
shw1in32.exe
Vs1Stat.exe
Av1synmgr.exe
kav12mm.exe
Up222Date.exe
K2A2V.exe
avgc3c.exe
avg23emc.exe
zatutor.exe
zatu6tor.exe
is5a6fe.exe
c6a5fix.exe
C1CSETMGR.EXE
CC1EVTMGR.EXE
NAV1APSVC.EXE
NPFM1NTOR.EXE
s1ymlcsvc.exe
ccv1rtrst.dll
LUI1NSDLL.DLL
zo3nealarm.exe
zl5avscan.dll
zlcli6ent.exe
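The renamed binaries are the most durable filesystem trace this variant leaves, and the hosts-file overwrite described in the next subsection is the other one. The following PowerShell sweep is an added example, not code from the original analysis: the renamed file names are the right-hand column above (zatutor.exe is omitted because it is identical to an original name and would not indicate renaming), the hosts path is the one the analysis gives for XP/2000/NT, and the function names and the fixed-drive enumeration are this example's own assumptions.

```powershell
# Added example: locate renamed security-product binaries and check for the
# hosts-file overwrite. File names are from the analysis; the search and
# comparison logic is this example's own.
$RenamedNames = @(
    'SP1BBCSvc.exe','SND1Srvc.exe','ccA1pp.exe','cc1l30.dll','LUAL1L.EXE','AUPD1ATE.EXE',
    'Luup1date.exe','RuLa1unch.exe','CM1Grdian.exe','Mcsh1ield.exe','outp1ost.exe',
    'Avc1onsol.exe','shw1in32.exe','Vs1Stat.exe','Av1synmgr.exe','kav12mm.exe','Up222Date.exe',
    'K2A2V.exe','avgc3c.exe','avg23emc.exe','zatu6tor.exe','is5a6fe.exe','c6a5fix.exe',
    'C1CSETMGR.EXE','CC1EVTMGR.EXE','NAV1APSVC.EXE','NPFM1NTOR.EXE','s1ymlcsvc.exe',
    'ccv1rtrst.dll','LUI1NSDLL.DLL','zo3nealarm.exe','zl5avscan.dll','zlcli6ent.exe'
)

function Find-RenamedSecurityFiles {
    param([string[]]$Names = $RenamedNames)
    # NTFS names are case-insensitive, so use a case-insensitive lookup set.
    $wanted = New-Object 'System.Collections.Generic.HashSet[string]' ([StringComparer]::OrdinalIgnoreCase)
    foreach ($n in $Names) { [void]$wanted.Add($n) }
    # Fixed drives only (DriveType 3), mirroring where the malware searches.
    $roots = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 3' |
             ForEach-Object { $_.DeviceID + '\' }
    foreach ($root in $roots) {
        # One recursive walk per drive; access-denied directories are skipped.
        Get-ChildItem -LiteralPath $root -File -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { $wanted.Contains($_.Name) } |
            ForEach-Object {
                [pscustomobject]@{ Path = $_.FullName; Size = $_.Length; ModifiedUtc = $_.LastWriteTimeUtc }
            }
    }
}

function Test-HostsFileOverwritten {
    param([string]$Path = (Join-Path ([Environment]::SystemDirectory) 'drivers\etc\hosts'))
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    # Caveat: a stock Windows hosts file also resolves to "127.0.0.1 localhost"
    # once comments are stripped. The overwrite removes Microsoft's comment
    # header as well, so compare the raw non-blank lines, not the parsed entries.
    $raw = @(Get-Content -LiteralPath $Path | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $only = ($raw.Count -eq 1) -and (($raw[0] -replace '\s+', ' ') -ieq '127.0.0.1 localhost')
    [pscustomobject]@{
        Path           = $Path
        NonBlankLines  = $raw.Count
        HasCommentHeader = [bool]($raw | Where-Object { $_.StartsWith('#') })
        Overwritten    = $only
    }
}

Find-RenamedSecurityFiles | Format-Table -AutoSize
Test-HostsFileOverwritten
```

Renaming the files back is a judgement call: the left-hand column above is the authoritative list of what they were, but a vendor reinstall is usually safer than hand-restoring names, since the same run also deleted the products' registry keys.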
Modifies Hosts File
The Hosts file maps host names to IP addresses. Windows consults it before querying any DNS server, so an entry in it overrides the address that DNS would return. On XP, 2000 and NT systems the hosts file is located at %System%\drivers\etc\hosts; on 9x systems it is located at %Windows%\hosts. Win32.Glieder overwrites the Hosts file with the following single line:
"127.0.0.1 localhost"
Analysis by Scott Molenkamp