VIRUS ALERTS

Taterf Worm

Original issue date: June 23, 2008

It has been observed that a Worm named Taterf is propagating widely. It may appear as a packed executable and propagates via mapped drives. The Worm copies itself to the root of the drive using different names consisting of random letters and numbers, with extensions such as '.com', '.cmd' or '.exe'. It creates an 'autorun.inf' file which is used to execute the worm whenever the drive is viewed with Windows Explorer.

The Worm steals confidential information such as usernames and passwords for certain popular online games and affiliated products and sends the captured information to a remote server. The popular online games and affiliated products are as follows: Rainbow Island, Cabal Online, A Chinese Odyssey, Hao Fang Battle Net, Lineage, Gamania, MapleStory, qqgame, Legend of Mir, World of Warcraft.

Further, the Worm communicates with a remote domain named “om7890 DOT com” in order to download files and update itself. It also prevents antivirus products from displaying notifications about the system changes made by the Worm, by closing the windows used by those products.

Variants: Packed.Win32.NSAnti.r [Kaspersky], W32/NSAnti.gen3 [Norman], Mal/Behav-204 [Sophos], Win32/Pacex.Gen [ESET], WORM_NSPM.TASH [Trend Micro]

Upon execution, the Worm:

  • Copies itself to the system directory as a hidden file using one of the following file names:
    • amvo<number>.exe
    • kavo<number>.exe
    • awda<number>.exe
    • avpo<number>.exe
  • Modifies registry entries to run its copy on each system startup:
    • Adds value: "amva"
      With data: "<system folder>\amvo<number>.exe"
      To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    • Adds value: "avpa"
      With data: "<system folder>\avpo<number>.exe"
      To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • Modifies the following registry entries in order to hinder detection and removal, and to facilitate spreading:
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
    • HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue
  • Drops a DLL component to the system directory using one of the following file names:
    • amvo<number>.dll
    • avpo<number>.dll
    • kavo<number>.dll
    • <random 7 or 8 letter name>.dll
      Where <number> may be omitted entirely, or be a numeral from 0-9.
      Once dropped, the DLL is injected into explorer.exe or iexplore.exe.
  • Creates an 'autorun.inf' file which is used to execute the worm whenever the drive is viewed with Windows Explorer.
  • May drop a driver in the %temp% directory depending on which packer is used. This driver is detected as either VirTool:WinNT/Vanti.A or VirTool:WinNT/Vanti.B.
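The indicators listed above (dropped file names, the two Run values, the four Explorer registry settings and a root-level autorun.inf) can be triaged on a suspect host with a read-only check. The following PowerShell script is an added example, not part of the CERT-In advisory or any vendor tooling; it only reads files and registry values and prints what it finds for an analyst to judge. The random 7-8 letter DLL name cannot be matched by name, so it is not checked here.

```powershell
# Added example (not from the advisory): read-only triage for the Taterf indicators above.
$sysDir   = [Environment]::SystemDirectory
$findings = @()

# 1. Dropped executables/DLLs: amvo, kavo, awda, avpo + optional single digit (0-9)
$namePattern = '^(amvo|kavo|awda|avpo)\d?\.(exe|dll)$'
Get-ChildItem -Path $sysDir -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $namePattern } |
    ForEach-Object { $findings += "Suspicious file: $($_.FullName) (hidden: $($_.Attributes -band 'Hidden'))" }

# 2. Persistence: Run values "amva" / "avpa" under HKCU
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
foreach ($name in 'amva', 'avpa') {
    if ($run -and $run.PSObject.Properties[$name]) {
        $findings += "Run value '$name' = $($run.$name)"
    }
}

# 3. Explorer settings the worm modifies; values are reported as-is for review
$checks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';                       Name = 'NoDriveTypeAutoRun' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced';                       Name = 'ShowSuperHidden' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced';                       Name = 'Hidden' },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL'; Name = 'CheckedValue' }
)
foreach ($c in $checks) {
    $p   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $val = if ($p) { $p.($c.Name) } else { '<absent>' }
    $findings += "Registry $($c.Path)\$($c.Name) = $val"
}

# 4. autorun.inf at the root of every filesystem drive (fixed, removable and mapped)
Get-PSDrive -PSProvider FileSystem | ForEach-Object {
    $inf = Join-Path $_.Root 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        $findings += "autorun.inf present on $($_.Root)"
        # Show its contents so the referenced executable name can be compared with finding 1
        Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue |
            ForEach-Object { $findings += "    $_" }
    }
}

$findings
```

Run it from an elevated prompt so the HKLM key and hidden system files are readable; a hidden file whose name matches the pattern, together with a matching Run value and an autorun.inf that references it, is the combination the advisory describes.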

In view of the rapid propagation of the Taterf Worm, users are advised to implement the following countermeasures:

  • Block access to domain om7890 DOT com.
  • Install and maintain updated anti-virus software at gateway and desktop level.
  • Keep up-to-date anti-spyware signatures.
  • Keep up-to-date on patches and fixes on the operating system and application software.
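Two of the countermeasures above can be applied directly on a Windows host: disabling AutoRun so a planted autorun.inf is never honoured, and blocking the update domain. The PowerShell below is an added example and not part of the advisory; it assumes an elevated prompt, uses the Microsoft-documented NoDriveTypeAutoRun value 0xFF (all drive types disabled), and writes the advisory's domain (given there defanged as "om7890 DOT com") to the local hosts file as a host-level fallback where a gateway or DNS-level block is not available.

```powershell
# Added example (not from the advisory): apply host-level countermeasures. Run elevated.

# 1. Disable AutoRun for every drive type. NoDriveTypeAutoRun is a bitmask; 0xFF covers all types.
$policyKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
}

# 2. Block the download/update domain locally (the advisory's domain, written undefanged here).
#    A gateway, proxy or DNS block is preferable; this is the per-host fallback.
$blockedDomain = 'om7890.com'
$hostsFile     = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$existing      = Get-Content -LiteralPath $hostsFile -ErrorAction SilentlyContinue
$alreadyThere  = $existing -match "^\s*[\d.:]+\s+$([regex]::Escape($blockedDomain))(\s|$)"
if (-not $alreadyThere) {
    Add-Content -LiteralPath $hostsFile -Value "0.0.0.0`t$blockedDomain"
}

# 3. Verify both changes
Get-ItemProperty -Path $policyKeys -Name NoDriveTypeAutoRun | Select-Object PSPath, NoDriveTypeAutoRun
Select-String -LiteralPath $hostsFile -Pattern ([regex]::Escape($blockedDomain))
```

The hosts-file check is idempotent, so the script can be re-run safely; the AutoRun policy takes effect for new Explorer sessions, so sign out or restart explorer.exe after applying it.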

References

http://www.microsoft.com/security/portal/Entry.aspx?name=Worm%3aWin32%2fTaterf.gen!C
http://www.microsoft.com/security/portal/Entry.aspx?name=Worm%3aWin32%2fTaterf.A.dll
http://www.microsoft.com/security/portal/Entry.aspx?name=Worm%3aWin32%2fTaterf.gen!D
http://www.trendmicro.com/vinfo/apac/virusencyclo/default5.asp?VName=WORM_NSPM.TASH
http://www.sophos.com/security/analyses/viruses-and-spyware/malbehav204.html

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information
Phone: +91-11-24368572

Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003