W32/Phaze.A!p2p
Analysis
- Copies itself as the following:
- %ProgramFiles%\winupdates\winupdates.exe
- %SystemRoot%\s.tmp
- %SystemRoot%\a.zip
- Drops the file bszip.dll in the System folder.
- Attempts to disable several programs by creating the following files in the System folder, and setting the hidden and system attributes:
- taskkill.com
- tasklist.com
- Creates the hidden folder Uploads in the System root folder.
- Displays the following message:
Title: Setup
Body: Welcome to the Setup Wizard
It is recommended that you close all other applications before continuing.
Click Next to continue, or cancel to exit Setup.
- When the user clicks on Next, it displays the following error message:
Title: Setup
Body: Version has expired please download software update.
Peer-to-peer (P2P) Propagation
- Attempts to connect to http://windowsupdate.microsoft.com in order to verify that the computer is connected to the internet.
- Generates file names by appending the string .zip to strings extracted from the following websites:
- http://www.phazeddl.com
- http://katz.ws
- http://justddl.com
- http://qualityddl.com
- http://satanwarez.com
- http://warezbox.com
- http://powerddl.com
- http://fullddl.net
- http://www.ddlspot.com
- http://gotddl.com
- http://ddldirect.com
- http://x-ddl.com
- Copies %SystemRoot%\a.zip to the following locations:
- %SystemRoot%\Uploads\[FILE NAME].zip
- %SystemRoot%My Shared Folder\[FILE NAME].zip
- %UserProfile%\shared\[FILE NAME].zip
- %ProgramFiles%\Ares\My Shared Folder\[FILE NAME].zip
- %ProgramFiles%\eMule\Incoming\[FILE NAME].zip
- %ProgramFiles%\Kazaa\My Shared Folder\[FILE NAME].zip
- %ProgramFiles%\morpheus\My Shared Folder\[FILE NAME].zip
- %ProgramFiles%\grokster\my grokster\[FILE NAME].zip
- %ProgramFiles%\Bearshare\Shared\[FILE NAME].zip
- %ProgramFiles%\Limewire\Shared\[FILE NAME].zip
- %ProgramFiles%\Edonkey2000\Incoming\[FILE NAME].zip
- %ProgramFiles%\gnucleus\downloads\[FILE NAME].zip
- %ProgramFiles%\shareaza\downloads\[FILE NAME].zip
- %ProgramFiles%\rapigator\[FILE NAME].zip
- Attempts to start Limewire, if it is installed on the compromised computer.
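A host check for the file indicators listed above, added here as an example and not part of Fortinet's own tooling. It takes the %ProgramFiles%, %SystemRoot% and %UserProfile% roots as a mapping so it can be pointed at a live host or a mounted image, and it flags the taskkill.com / tasklist.com files separately because the command interpreter resolves `taskkill` to a .com before the real .exe, which is how they disable those tools; the sample tree in demo() is constructed for illustration.

```python
import tempfile
from pathlib import Path

# Indicators from the analysis above. Placeholders are resolved through a
# mapping, so the same check runs on a live host or a mounted disk image.
SHADOW_COMS = ["taskkill.com", "tasklist.com"]          # shadow the real .exe tools
DROPPED = [("ProgramFiles", "winupdates/winupdates.exe"),
           ("SystemRoot", "s.tmp"), ("SystemRoot", "a.zip")]
P2P_SHARES = [("SystemRoot", "Uploads"), ("UserProfile", "shared"),
              ("ProgramFiles", "Ares/My Shared Folder"), ("ProgramFiles", "eMule/Incoming"),
              ("ProgramFiles", "Kazaa/My Shared Folder"), ("ProgramFiles", "Limewire/Shared")]
HIDDEN, SYSTEM = 0x2, 0x4   # FILE_ATTRIBUTE_HIDDEN, FILE_ATTRIBUTE_SYSTEM

def attrs_of(path: Path) -> int:
    # st_file_attributes exists only on Windows; on other platforms report 0
    return getattr(path.stat(), "st_file_attributes", 0)

def scan(roots: dict, system_dir) -> list:
    """Return one finding string per indicator present under the given roots."""
    system_dir = Path(system_dir)
    findings = []
    for name in SHADOW_COMS + ["bszip.dll"]:
        p = system_dir / name
        if p.is_file():
            a = attrs_of(p)
            flag = " [hidden+system]" if a & HIDDEN and a & SYSTEM else ""
            findings.append(f"system folder: {name}{flag}")
    for var, rel in DROPPED:
        if (Path(roots[var]) / rel).is_file():
            findings.append(f"dropped: %{var}%/{rel}")
    for var, rel in P2P_SHARES:
        d = Path(roots[var]) / rel
        for z in (sorted(d.glob("*.zip")) if d.is_dir() else []):
            findings.append(f"shared zip: %{var}%/{rel}/{z.name}")
    return findings

def demo() -> list:
    """Constructed sample tree (not a real infection) that exercises scan()."""
    base = Path(tempfile.mkdtemp())
    roots = {k: base / k for k in ("ProgramFiles", "SystemRoot", "UserProfile")}
    sysdir = roots["SystemRoot"] / "System32"
    share = roots["ProgramFiles"] / "Limewire" / "Shared"
    for d in list(roots.values()) + [sysdir, share]:
        d.mkdir(parents=True, exist_ok=True)
    (sysdir / "taskkill.com").write_bytes(b"")
    (roots["SystemRoot"] / "a.zip").write_bytes(b"")
    (share / "Some.Movie.2004.zip").write_bytes(b"")   # constructed bait name
    return scan(roots, sysdir)
```

On a live Windows host, pass the values of the three environment variables as the mapping and %SystemRoot%\System32 as the system folder; on Windows the hidden+system attribute flag is reported as well.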
Recommended Action
FortiGate systems:
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.