WORM_MOBLER.A
Technical Details

File type: PE

Memory resident:  Yes

Size of malware: 287,744 Bytes (compressed); 659,456 Bytes (uncompressed)

Initial samples received on: Aug 31, 2006

Compression type: UPX


Payload 1: Removes Folder Options item in Tools drop-down menu


Payload 2: Prevents files and applications from running via Run option


Payload 3: Disables Task Manager, Registry Tools, and Search option



Details:

Installation and Autostart Techniques

Upon execution, this worm drops a copy of itself as SYSTEM.EXE in the Windows system folder and as SVCHOST.EXE in the Windows folder. (The genuine Service Host binary lives in the Windows system folder, so a file named SVCHOST.EXE directly under %Windows% is itself an indicator of this worm.)

It also drops the following non-malicious files in the Windows system folder:

  • autorun.inf - used to automatically execute its copy (an autorun.inf only takes effect at the root of a drive; see Propagation Routines)
  • black.app
  • black.html
  • black.ico
  • black.jpg
  • black.txt
  • makesis.exe - the Symbian SIS installer-package builder

It then creates the following registry entries to ensure its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Windows = "%System%\SYSTEM.exe"

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32 on Windows XP and Server 2003.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Windows = "%System%\SYSTEM.exe"

It employs registry shell spawning so that it executes when files of certain types are run. It does this by modifying the following registry entries:

HKEY_CLASSES_ROOT\batfile\shell\edit\command
(default) = "%Windows%\svchost.exe"

HKEY_CLASSES_ROOT\batfile\shell\open\command
(default) = "%Windows%\svchost.exe"

HKEY_CLASSES_ROOT\chm.file\shell\open\command
(default) = "%Windows%\svchost.exe"

HKEY_CLASSES_ROOT\cmdfile\shell\edit\command
(default) = "%Windows%\svchost.exe"

HKEY_CLASSES_ROOT\cmdfile\shell\open\command
(default) = "%Windows%\svchost.exe"

HKEY_CLASSES_ROOT\comfile\shell\open\command
(default) = "%Windows%\svchost.exe"

HKEY_CLASSES_ROOT\htmlfile\shell\edit\command
(default) = "%Windows%\svchost.exe"

HKEY_CLASSES_ROOT\htmlfile\shell\open\command
(default) = "%Windows%\svchost.exe"

HKEY_CLASSES_ROOT\inffile\shell\open\command
(default) = "%Windows%\svchost.exe"

HKEY_CLASSES_ROOT\JSFile\Shell\Edit\command
(default) = "%Windows%\svchost.exe"

HKEY_CLASSES_ROOT\JSFile\Shell\Open\command
(default) = "%Windows%\svchost.exe"

HKEY_CLASSES_ROOT\MSCFile\Shell\Open\command
(default) = "%Windows%\svchost.exe"

HKEY_CLASSES_ROOT\regfile\shell\edit\command
(default) = "%Windows%\svchost.exe"

HKEY_CLASSES_ROOT\regfile\shell\open\command
(default) = "%Windows%\svchost.exe"

HKEY_CLASSES_ROOT\txtfile\shell\open\command
(default) = "%Windows%\svchost.exe"

HKEY_CLASSES_ROOT\VBSFile\Shell\Edit\command
(default) = "%Windows%\svchost.exe"

HKEY_CLASSES_ROOT\VBSFile\Shell\Open\command
(default) = "%Windows%\svchost.exe"

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT. On a clean system these command values launch the opened file or its normal handler: for batfile, cmdfile and comfile the open verb's default data is "%1" %*, while the other ProgIDs name their handler (notepad.exe, regedit.exe, wscript.exe, hh.exe, mmc.exe, Internet Explorer), usually with the file passed as "%1". After the modification, opening or editing any of these file types starts the dropped svchost.exe instead, and the file the user chose is never passed to it. Because the regfile verbs are among those hijacked, a cleanup .reg file cannot simply be double-clicked on an infected system; terminate the worm's process first and restore the values with reg.exe from a cmd.exe prompt, which resolves reg.exe through PATH.)
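The following PowerShell script is an added example for this write-up, not Trend Micro's own tool. It reads each of the command keys listed above, flags any whose handler is a svchost.exe outside the system folder or that never receives the opened file ("%1"), and, with -Restore, writes back the stock "%1" %* data for the three verbs whose default is known to be exactly that. The verb list and the svchost.exe location are taken from the text; the set of verbs restored automatically is the script's own assumption, and the remaining ProgIDs are reported for manual restoration from a known-clean machine of the same Windows build.

```powershell
# Added example, not part of the Trend Micro write-up.
# Audits the file-association command keys hijacked by WORM_MOBLER.A.
# Run from an elevated PowerShell prompt. Read-only unless -Restore is given.
param([switch]$Restore)

# ProgID\verb pairs taken from the write-up (registry key names are case-insensitive).
$verbs = @(
    'batfile\shell\edit',  'batfile\shell\open',
    'chm.file\shell\open',
    'cmdfile\shell\edit',  'cmdfile\shell\open',
    'comfile\shell\open',
    'htmlfile\shell\edit', 'htmlfile\shell\open',
    'inffile\shell\open',
    'JSFile\Shell\Edit',   'JSFile\Shell\Open',
    'MSCFile\Shell\Open',
    'regfile\shell\edit',  'regfile\shell\open',
    'txtfile\shell\open',
    'VBSFile\Shell\Edit',  'VBSFile\Shell\Open'
)

# Assumption: only these verbs have the stock default '"%1" %*' (the file runs itself).
# The others normally name a handler such as notepad.exe, regedit.exe or wscript.exe
# and should be restored from a clean reference system, not overwritten blindly.
$selfRunDefault = '"%1" %*'
$selfRunVerbs   = 'batfile\shell\open', 'cmdfile\shell\open', 'comfile\shell\open'

# The genuine Service Host lives in the system folder; a svchost.exe anywhere else is suspect.
$legitSvchost = Join-Path $env:SystemRoot 'System32\svchost.exe'

function Test-ShellCommand {
    param([string]$Verb)
    $key  = "Registry::HKEY_CLASSES_ROOT\$Verb\command"
    $item = Get-Item -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Verb = $Verb; Command = $null; Verdict = 'key missing' }
    }
    $cmd = [string]$item.GetValue('')          # (default) value, environment strings expanded
    # The first token of the command line is the handler; strip surrounding quotes.
    $exe = if ($cmd -match '^\s*"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+', 2)[0] }
    $exe  = [Environment]::ExpandEnvironmentVariables($exe)
    $leaf = $exe -replace '^.*[\\/]', ''
    $verdict = if ($leaf -ieq 'svchost.exe' -and $exe -ine $legitSvchost) {
        'HIJACKED: svchost.exe outside the system folder'
    } elseif ($cmd -notmatch '%1') {
        # Some stock handlers (Internet Explorer via DDE) legitimately omit %1, so this is only a warning.
        'suspicious: opened file is never passed to the handler'
    } else { 'ok' }
    [pscustomobject]@{ Verb = $Verb; Command = $cmd; Verdict = $verdict }
}

$results = foreach ($v in $verbs) { Test-ShellCommand -Verb $v }
$results | Format-Table -AutoSize

if ($Restore) {
    foreach ($r in $results | Where-Object { $_.Verdict -ne 'ok' }) {
        $key = "Registry::HKEY_CLASSES_ROOT\$($r.Verb)\command"
        if ($selfRunVerbs -contains $r.Verb) {
            Set-ItemProperty -Path $key -Name '(default)' -Value $selfRunDefault
            Write-Host "restored $($r.Verb) to $selfRunDefault"
        } else {
            Write-Warning "$($r.Verb): restore manually from a clean reference system"
        }
    }
}
```

Run it as .\Test-MoblerShellHijack.ps1 for a report, then with -Restore after the worm's process has been terminated; since Task Manager is disabled and the App Paths entry for taskkill is redirected, use taskkill from a cmd.exe prompt, where the lookup goes through PATH rather than App Paths. HKEY_CLASSES_ROOT merges HKLM\Software\Classes with the current user's HKCU\Software\Classes, so check from the affected user's session as well as an administrator's.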

Other Registry Modifications

This worm disables the Folder Options item in the Tools menu of Windows Explorer and Control Panel, as well as Task Manager, Registry Tools (regedit), and the Search option. It also prevents certain applications from being started via Start>Run: the Run dialog resolves a program name through the App Paths registry key before searching PATH, so by pointing the App Paths entries for tools such as regedit, msconfig, taskkill and reg at its dropped copy, the worm causes typing those names into Start>Run to launch the worm instead. It does the said routines by creating the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\Explorer
NoFolderOptions = "dword:00000001"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\System
Disabletaskmgr = "dword:00000001"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\System
Disableregistrytools = "dword:00000001"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\Explorer
NoFind = "dword:00000001"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\App Paths\attrib.exe
(default) = "%Windows%\svchost.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\App Paths\del.exe
(default) = "%Windows%\svchost.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\App Paths\Dxdiag.exe
(default) = "%Windows%\svchost.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\App Paths\reg.exe
(default) = "%Windows%\svchost.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\App Paths\regedit.exe
(default) = "%Windows%\svchost.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\App Paths\taskkill.exe
(default) = "%Windows%\svchost.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\App Paths\HELPCTR.EXE
(default) = "%Windows%\svchost.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\App Paths\MSCONFIG.EXE
(default) = "%Windows%\svchost.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\App Paths\MSMSGS.EXE
(default) = "%Windows%\svchost.exe"
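The following PowerShell script is an added example for this write-up, not Trend Micro's own tool. It checks the App Paths entries and the per-user policy values listed above, reports which are redirected or set, and, with -Fix, deletes the hijacked App Paths keys and the policy values. The key names and value names come from the text; the assumption that HELPCTR.EXE, MSCONFIG.EXE and MSMSGS.EXE have a genuine App Paths entry on a clean Windows XP system (and therefore need to be re-created after the hijacked key is removed) is the script's own.

```powershell
# Added example, not part of the Trend Micro write-up.
# Reports the App Paths redirections and per-user policy restrictions set by
# WORM_MOBLER.A and, with -Fix, removes them. Run elevated (for HKLM) from the
# affected user's session (for HKCU).
param([switch]$Fix)

$appPaths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths'

# Names taken from the write-up. The Run dialog (ShellExecute) consults App Paths
# before PATH, so a svchost.exe target means "regedit", "msconfig" etc. typed into
# Start>Run launch the worm. cmd.exe does not use App Paths, which is why reg.exe
# and taskkill still work from a command prompt on an infected system.
$names = 'attrib.exe','del.exe','Dxdiag.exe','reg.exe','regedit.exe',
         'taskkill.exe','HELPCTR.EXE','MSCONFIG.EXE','MSMSGS.EXE'

# Assumption: these three have a genuine App Paths entry on Windows XP, so after the
# hijacked key is deleted they must be re-created from a clean reference machine.
$needReference = 'HELPCTR.EXE','MSCONFIG.EXE','MSMSGS.EXE'

# Policy values the worm sets; none exist on a default install, and 1 disables the feature.
$policies = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFind' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' }
)

function Get-AppPathFinding {
    param([string]$Name)
    $item = Get-Item -Path "$appPaths\$Name" -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Name = $Name; Target = $null; Verdict = 'absent' }
    }
    $target = [string]$item.GetValue('')
    $leaf   = $target.Trim('"') -replace '^.*[\\/]', ''
    # No legitimate App Paths entry ever points at the Service Host, wherever it lives.
    $verdict = if ($leaf -ieq 'svchost.exe') { 'HIJACKED' } else { 'present, verify target' }
    [pscustomobject]@{ Name = $Name; Target = $target; Verdict = $verdict }
}

function Get-PolicyFinding {
    param([string]$Key, [string]$Name)
    $value = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    $verdict = if ($value -eq 1) { 'RESTRICTED' } else { 'ok' }
    [pscustomobject]@{ Policy = $Name; Value = $value; Verdict = $verdict }
}

$appFindings = foreach ($n in $names)    { Get-AppPathFinding -Name $n }
$polFindings = foreach ($p in $policies) { Get-PolicyFinding -Key $p.Key -Name $p.Name }
$appFindings | Format-Table -AutoSize
$polFindings | Format-Table -AutoSize

if ($Fix) {
    foreach ($f in $appFindings | Where-Object { $_.Verdict -eq 'HIJACKED' }) {
        Remove-Item -Path "$appPaths\$($f.Name)" -Recurse
        if ($needReference -contains $f.Name) {
            Write-Warning "$($f.Name): re-create the genuine App Paths entry from a clean system"
        }
    }
    foreach ($p in $policies) {
        # Confirm no Group Policy legitimately sets the value before removing it.
        Remove-ItemProperty -Path $p.Key -Name $p.Name -ErrorAction SilentlyContinue
    }
}
```

The policy values live under HKEY_CURRENT_USER, so they restrict only the profile the worm ran in; on a shared machine load each user's hive (HKEY_USERS\<SID>) and repeat the policy check there. Deleting the App Paths key for a program that is already on PATH (attrib, reg, regedit, taskkill) is sufficient, because the Run dialog then falls back to the PATH search.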

Propagation Routines

This worm propagates by dropping copies of itself into floppy drives, physical (fixed) drives, and all removable drives. The copies use file names that mimic the affected computer's name and the names of existing files and folders on those drives, so that a user browsing the drive is likely to open one of them. The autorun.inf listed above serves to launch the copy automatically when a drive carrying it is opened on a system with AutoRun enabled.
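The following PowerShell script (version 3 or later) is an added example for this write-up, not Trend Micro's own tool. It walks every fixed and removable drive root looking for the two artefacts this routine leaves behind: an autorun.inf whose open= or shellexecute= line launches a program, and .exe files named after the computer or after a folder that sits beside them. The drive types come from the text; reading "names similar to" as "the same base name" (Photos.exe next to a Photos folder) is the script's own assumption, and the output is a report only.

```powershell
# Added example, not part of the Trend Micro write-up.
# Looks on every fixed and removable drive root for the propagation artefacts of
# WORM_MOBLER.A. Read-only; nothing is deleted. Requires PowerShell 3 or later.

$hostName = $env:COMPUTERNAME

function Read-AutorunTarget {
    param([string]$Path)
    # autorun.inf is an INI file; the shell honours open= and shellexecute= under
    # [autorun]. Emit every target found, since a file may carry more than one.
    $inAutorun = $false
    foreach ($line in Get-Content -Path $Path -ErrorAction SilentlyContinue) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inAutorun = ($Matches[1] -ieq 'autorun'); continue }
        if ($inAutorun -and $t -match '^(open|shellexecute)\s*=\s*(.+)$') { $Matches[2].Trim() }
    }
}

function Find-MoblerArtifacts {
    param([string]$Root)
    $found = @()
    $inf = Join-Path $Root 'autorun.inf'
    if (Test-Path -Path $inf) {
        foreach ($target in Read-AutorunTarget -Path $inf) {
            $found += [pscustomobject]@{ Drive = $Root; Indicator = 'autorun.inf launches'; Item = $target }
        }
    }
    # Assumption: a copy "similar to" a folder name uses the folder's exact base name.
    $dirs = Get-ChildItem -Path $Root -Directory -Force -ErrorAction SilentlyContinue | ForEach-Object { $_.Name }
    foreach ($exe in Get-ChildItem -Path $Root -Filter *.exe -File -Force -ErrorAction SilentlyContinue) {
        $base = [IO.Path]::GetFileNameWithoutExtension($exe.Name)
        if ($base -ieq $hostName) {
            $found += [pscustomobject]@{ Drive = $Root; Indicator = 'exe named after host'; Item = $exe.FullName }
        } elseif ($dirs -contains $base) {
            $found += [pscustomobject]@{ Drive = $Root; Indicator = 'exe mimics folder';    Item = $exe.FullName }
        }
    }
    $found
}

# DriveType 2 = removable (floppy, USB), 3 = fixed; the write-up names both.
$roots = Get-CimInstance -ClassName Win32_LogicalDisk |
         Where-Object { $_.DriveType -in 2, 3 } |
         ForEach-Object { $_.DeviceID + '\' }

$results = foreach ($r in $roots) { Find-MoblerArtifacts -Root $r }
if ($results) { $results | Format-Table -AutoSize } else { 'No propagation artefacts found.' }
```

Any autorun.inf target reported should be compared against the dropped copy's hash before the media is reused, and the check is worth repeating on every removable drive that was plugged into the infected machine, since each one may be carrying a copy.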

Other Details

This worm runs on Windows XP and Server 2003.

Analysis By: Ronnie Giagone

Updated By: Brian Cayanan

Revision History:

First pattern file version: 3.708.01
First pattern file release date: Aug 31, 2006
 
Sep 3, 2006 - Modified Virus Report
