Method of Infection
When executed, Wreckage.A copies itself to %System%\WINLDR.EXE and modifies the registry to execute this file:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe winldr.exe"
Note: '%System%' is a variable location. The malware determines the location of the current System folder by querying the operating system. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for Windows 95, 98 and ME it is C:\Windows\System; and for Windows XP it is C:\Windows\System32.
The worm launches an instance of svchost.exe and injects itself into this process before exiting. This allows the worm to operate under the guise of 'svchost.exe'.
Method of Distribution
Via E-mail
In order to spread via e-mail, the worm initially attempts to obtain a configuration file from one of the following domains:
This configuration file contains the location of other files for the worm to download. These files provide the worm with the following information:
- Message Body of the e-mail to be sent (usually in HTML format)
- Subject line of the e-mail
- A spoofed From address for the e-mail
At the time of publishing, the e-mails sent by the worm are spoofed so as to appear to be from eBay. The worm is contained in an attachment named 'Rechtung.pdf.exe'.
Please see below for an example of an e-mail sent by the worm:

In order to obtain addresses to send itself to, the worm recursively searches through all fixed drives on the compromised system, harvesting e-mail addresses from all files ending in one of the following strings:
.wab
.txt
.msg
.htm
.shtm
.stm
.xml
.dbx
.mbx
.mdx
.eml
.nch
.mmf
.ods
.cfg
.asp
.php
.pl
.wsh
.adb
.tbb
.sht
.xls
.oft
.uin
.cgi
.mht
.dhtm
.jsp
The worm avoids using addresses that contain these strings:
@hotmail
@msn
@microsoft
rating@
f-secur
news
update
anyone@
bugs@
contract@
feste
gold-certs@
help@
info@
nobody@
noone@
kasp
admin
crosoft
@messagelab
root@
abuse
panda
linux
unix
spam
antispam
gov
Via P2P File Sharing
The worm attempts to spread using several P2P file-sharing programs by copying itself into the shared folder of these applications. In order to obtain the location of the shared directories, the worm reads the following registry values:
HKCU\SOFTWARE\KAZAA\LocalContent\Dir0
HKLM\SOFTWARE\iMesh\Client\DownloadsLocation
HKLM\SOFTWARE\Morpheus\Install_Dir
and checks the system for the following:
C:\Program Files\eDonkey2000\incoming
C:\Program Files\LimeWire\Shared
Analysis suggests that the worm is instructed as to the names it should copy itself to in these directories via the aforementioned configuration file.
Payload
Downloads and Executes Arbitrary Files/Installs Additional Malware
The worm attempts to download files from the aforementioned domains to the %System% directory of the compromised machine and execute them.
The configuration file that the worm obtains initially (see Method of Distribution above) also contains the locations of additional files to download and execute.
At the time of writing, these files were detected as Win32.Seclining.AC.
Lowers Security Settings
The worm creates the following registry values on machines running Windows XP Service Pack 2 and above, allowing it to bypass the Windows Firewall:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"%system%\winldr.exe" = "%System%\winldr.exe:*:Enabled:winldr.exe"
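As an added defender-side example (not part of the original write-up), the following Python parses an exported .reg file and flags the two registry changes described on this page: a Winlogon Shell value that launches anything besides Explorer.exe, and a Windows Firewall exception referencing winldr.exe. The sample export is constructed here, and the HKEY_LOCAL_MACHINE paths expand the page's HKLM abbreviations.

```python
import re

# Registry locations from the write-up (HKLM written out as it appears in a .reg export).
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
FIREWALL_LIST_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
                     r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')  # "name"=data

def _unescape(s):
    # Undo .reg string escaping: a doubled backslash and a backslash-escaped quote.
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg_export(text):
    """Parse .reg export text into {key_path: {value_name: data}}; only REG_SZ values kept."""
    tree, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            tree.setdefault(current, {})
            continue
        m = VALUE_RE.match(line) if current is not None else None
        if m and m.group(2).startswith('"') and m.group(2).endswith('"'):
            tree[current][_unescape(m.group(1))] = _unescape(m.group(2)[1:-1])
    return tree

def find_wreckage_indicators(reg_text):
    """Return findings for the Winlogon Shell hook and the firewall exception."""
    findings = []
    tree = parse_reg_export(reg_text)
    shell = tree.get(WINLOGON_KEY, {}).get("Shell", "")
    # A clean Shell value is exactly "Explorer.exe"; Wreckage.A appends winldr.exe to it.
    if shell and shell.lower().split() != ["explorer.exe"]:
        findings.append(f"Winlogon Shell runs extra program(s): {shell}")
    for name, data in tree.get(FIREWALL_LIST_KEY, {}).items():
        if "winldr.exe" in name.lower() or "winldr.exe" in data.lower():
            findings.append(f"Firewall exception for worm binary: {name}")
    return findings

# Constructed sample export: one benign exception plus the two changes Wreckage.A makes.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe winldr.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Example\\app.exe"="C:\\Program Files\\Example\\app.exe:*:Enabled:Example App"
"%system%\\winldr.exe"="%System%\\winldr.exe:*:Enabled:winldr.exe"
'''
```

Calling find_wreckage_indicators(SAMPLE_REG) returns one finding for each of the two worm-made changes and none for the benign exception.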
Analysis by Matt McCormack