Win32.HLLW.Crazy.A

( Worm.Win32.Skipi.b, Worm:Win32/Pykspa.A, W32.Pykspa.D, W32/Pykse.worm.b, Win32/Perksy.G worm, TR/Biski.A )

SYMPTOMS:

An image showing water bubbles appears on the screen (the image itself is part of the default Windows installation).

The existence of the Software\\RMX\\cfg subkey in the HKEY_LOCAL_MACHINE or HKEY_LOCAL_USER registry key (this is used to store settings of the malware)

The existence of the following files in the system (usually c:\\windows\\system32) or temporary directory:

• wndrivsd32.exe
• mshtmlsh32.exe
• winlgcverx.exe
• sdrivec32.exe

Inability to access websites relating to some security vendors and the products of these vendors failing to update.

TECHNICAL DESCRIPTION:

This is a multi-vector worm which uses two main mechanisms to spread:

• Infecting removable drives (which usually means flash cards, SD cards, etc). When such a media is connected to an infected computer, it copies itself to the root of the media with the name "zjbs.exe" or "game.exe" and creates an "autorun.inf" file which points to these executables. When such an infected media is inserted in a computer, the executable is automatically run (unless the Autorun feature of Windows has been disabled), spreading the infection
• Through Skype, by sending random messages from the following list with a link attached which contains a copy of the worm:

(happy)
sky
ops
a ?
pala biski
 :S
as net nezinau ka tavo vietoj daryciau.
matai :D
geras ane ?
patinka?
kas cia tavim taip isderge ? =]]
cia biski su photoshopu pazaidziau bet bet irgi gerai atrodai :D
cia tu isimetei ?
zek kur tavo foto metos isdergta
(mm) kaip as taves noriu
ziurek kur tavo foto imeciau :D
esi?
labas
what ur friend name wich is in photo ?
this (happy) sexy one
u happy ?
oh sry not for u
oops sorry please don't look there :S
you checked ?
(rofl)
(devil)
really funny
now u populr
haha lol
look what crazy photo Tiffany sent to me,looks cool
I used photoshop and edited it
where I put ur photo :D
your photos looks realy nice
look
how are u ? :)
hey

The malware copies itself to the system directory (C:\\Widows\\System32 usually) with the following names:

• wndrivsd32.exe
• mshtmlsh32.exe
• winlgcverx.exe
• sdrivec32.exe
  

The malware periodically checks for programs for which the executable names contain the following strings in them and tries to terminate them (these names are usually associated with security and monitoring tools):

_AVP32
_AVPCC
_AVPM
53ARCH
ACKWIN32
ADAWARE
ADVXDWIN
AGENTSVR
AGENTW
ALERTSVC
ALEVIR
ALOGSERV
AMON
AMON9X
ANTI-TROJAN
ANTIVIRUS
ANTS
APIMONITOR
APLICA32
APORTS
APVXDWIN
ARMKILLER
ARR
ATCON
ATGUARD
ATRO55EN
ATUPDATER
ATUPDATER
ATWATCH
AU
AUPDATE
AUPDATE
AUTODOWN
AUTODOWN
AUTOTRACE
AUTOTRACE
AUTOUPDATE
AUTOUPDATE
AV
AVCONSOL
AVE32
AVGCC32
AVGCTRL
AVGNT
AVGSERV
AVGSERV9
AVGUARD
AVGW
AVKPOP
AVKSERV
AVKSERVICE
AVKWCTl9
AVLTMAIN
AVNT
AVP
AVP32
AVPCC
AVPDOS32
AVPM
AVPTC32
AVPUPD
AVPUPD
AVSCHED32
AVSYNMGR
AVWIN95
AVWINNT
AVWUPD
AVWUPD32
AVWUPD32
AVWUPSRV
AVXMONITOR9X
AVXMONITORNT
AVXQUAR
AVXQUAR
BACKWEB
BARGAINS
BCW
BD_PROFESSIONAL
BEAGLE
BELT
BIDEF
BIDSERVER
BIPCP
BIPCPEVALSETUP
BISP
BLACKD
BLACKICE
BLSS
BOOTCONF
BOOTWARN
BORG2
BPC
BRASIL
BS120
BUNDLE
BVT
CCAPP
CCEVTMGR
CCPXYSVC
CDP
CFD
CFGWIZ
CFIADMIN
CFIAUDIT
CFIAUDIT
CFINET
CFINET32
Claw95
CLAW95CF
CLAW95CF
CLEAN
CLEANER
CLEANER3
CLEANPC
CLICK
CLIENT
CMD32
CMESYS
CMGRDIAN
CMON016
CONDOM
CPD
CPF9X206
CPFNT206
CRACKER
CTRL
CV
CWNB181
CWNTDWMO
DATEMANAGER
DCOMX
DEFALERT
DEFSCANGUI
DEFWATCH
DEPUTY
DIVX
DLLCACHE
DLLREG
DOORS
DPF
DPFSETUP
DPPS2
DRWATSON
DRWEB32
DRWEBUPW
DSSAGENT
DUMP
DVP95
DVP95_0
ECENGINE
EFPEADM
EMSW
ENT
ESAFE
ESCANH95
ESCANHNT
ESCANV95
ESPWATCH
ETHEREAL
ETRUSTCIPE
EVPN
EXE.AVXW
EXPERT
EXPLORE
F-AGNT95
F-AGOBOT
F-PROT
F-PROT95
F-STOPW
FAMEH32
FAST
FCH32
FIH32
FINDVIRU
FIREWALL
FLOWPROTECTOR
FNRB32
FP-WIN
FP-WIN_TRIAL
FPORT
FPROT
FRHED
FRW
FSAA
FSAV
FSAV32
FSAV530STBYB
FSAV530WTBYB
FSAV95
FSGK32
FSM32
FSMA32
FSMB32
FW
GATOR
GBMENU
GBPOLL
GENERICS
GMT
GUARD
GUARDDOG
HACKTRACERSETUP
HBINST
HBSRV
HIJACKTHIS
HONEYD
HOTACTIO
HOTPATCH
HTLOG
HTPATCH
HWPE
HXDL
HXIUL
IAMAPP
IAMSERV
IAMSTATS
IBMASN
IBMAVSP
ICESWORD
ICLOAD95
ICLOADNT
ICMON
ICSUPP95
ICSUPP95
ICSUPPNT
IDLE
IEDLL
IEDRIVER
IEXPLORER
IFACE
IFW2000
IISLOCKD
INETLNFO
INFUS
INFWIN
INIT
INTDEL
INTREN
IOMON98
IPARMOR
IRIS
ISASS
ISRV95
ISTSVC
JAMMER
JDBGMRG
JEDI
KAV
KAVLITE40ENG
KAVPERS40ENG
KAVPF
KAVSVC
KAZZA
KD
KEENVALUE
KERNEL32
LAUNCHER
LDNETMON
LDPRO
LDPROMENU
LDSCAN
LNETINFO
LOADER
LOADER
LOCALNET
LOCKDOWN
LOCKDOWN2000
LOGGER
LOGVIEWER
LOOKOUT
LORDPE
LSETUP
LUALL
LUALL
LUAU
LUCOMSERVER
LUINIT
LUSPT
MAPISVC32
MCAGENT
MCMNHDLR
MCSHIELD
MCTOOL
MCUPDATE
MCUPDATE
MCVSRTE
MCVSSHLD
MD
MFIN32
MFW2EN
MFWENG3.02D30
MGAVRTCL
MGAVRTE
MGHTML
MGUI
MINILOG
MMOD
MONITOR
MOOLIVE
MOSTAT
MPFAGENT
MPFSERVICE
MPFTRAY
MRFLUX
MSAPP
MSBB
MSBLAST
MSCACHE
MSCCN32
MSCMAN
MSCONFIG
MSDM
MSDOS
MSIEXEC16
MSINFO32
MSLAUGH
MSMGT
MSMSGRI32
MSSMMC32
MSSYS
MSVXD
MU0311AD
MWATCH
N32SCANW
NAV
NAVAP.NAVAPSVC
NAVAPSVC
NAVAPW32
NAVDX
NAVLU32
NAVNT
NAVSTUB
NAVW32
NAVWNT
NC2000
NCINST4
NDD32
NEOMONITOR
NEOWATCHLOG
NETARMOR
NETD32
NETINFO
NETMON
NETSCANPRO
NETSTAT
NETUTILS
NISSERV
NISUM
NMAIN
NOD32
NOD32CC
NOD32KRN
NOD32KUI
NOD32M2
NORMIST
NOTSTART
NPFMESSENGER
NPROTECT
NPSCHECK
NPSSVC
NSCHED32
NSSYS32
NSTASK32
NSUPDATE
NT
NTRTSCAN
NTVDM
NTXconfig
NUI
NUPGRADE
NUPGRADE
NVARCH16
NVC95
NVSVC32
NWINST4
NWSERVICE
NWTOOL16
OLLYDBG
OLLYDBG
ONSRVR
OPTIMIZE
OSTRONET
OTFIX
OUTPOST
OUTPOST
OUTPOSTINSTALL
PADMIN
PANIXK
PATCH
PAVCL
PAVPROXY
PAVSCHED
PAVW
PCC2002S902
PCC2K_76_1436
PCCIOMON
PCCNTMON
PCCWIN97
PCCWIN98
PCDSETUP
PCFWALLICON
PCIP10117_0
PCSCAN
PDSETUP
PEDASM
PENIS
PERISCOPE
PERSFW
PERSWF
pexplorer
PF2
PFWADMIN
PGMONITR
PINGSCAN
PLATIN
PMDUMP
PMON
POP3TRAP
POPROXY
POPSCAN
PORTDETECTIVE
PORTMONITOR
POWERSCAN
PPINUPDT
PPTBC
PPVSTOP
PRIZESURFER
PRMT
PRMVR
PROCDUMP
PROCESSMONITOR
PROCEXP
PROGRAMAUDITOR
PROPORT
PROTECTX
PSPF
PURGE
PUSSY
PVIEW95
QCONSOLE
QSERVER
RAPAPP
RAV7
RAV7WIN
RAV8WIN32ENG
RAY
RB32
RCSYNC
REALMON
REGCLEANER
REGED
REGEDIT
REGEDT32
RERGCLEANR
RESCUE
RESCUE32
RRGUARD
RSHELL
RTVSCAN
RTVSCN95
RULAUNCH
RUN32DLL
RUNDLL
RUNDLL16
RUXDLL32
SAFEWEB
SAHAGENT
SAVE
SAVENOW
SBSERV
SC
SCAM32
SCAN32
SCAN95
SCANPM
SCRSCAN
SCRSVR
SCVHOST
SD
SERV95
SERVICE
SERVLCE
SERVLCES
SETUPVAMEEVAL
SFC
SGSSFW32
SH
SHELLSPYINSTALL
SHN
SHOWBEHIND
SMC
SMS
SMSS32
SOAP
SOFI
SPERM
SPF
SPHINX
SPOLER
SPOOLCV
SPOOLSV32
SPYXX
SREXE
SRIN
SRNG
SS3EDIT
SSG_4104
SSGRATE
ST2
START
STCLOADER
SUPFTRL
SUPPORT
SUPPORTER5
SVC
SVCHOSTC
SVCHOSTS
SVSHOST
SWEEP95
SYMPROXYSVC
SYMTRAY
SYSEDIT
SYSTEM
SYSTEM32
SYSUPD
TASKMG
TASKMO
TASKMON
TAUMON
TBSCAN
TC
TCA
TCM
TCPVIEW
TDS-3
TDS2-98
TDS2-NT
TEEKIDS
TEST
TFAK
TFAK5
TGBOB
TITANIN
TITANINXP
TRACERT
TRICKLER
TRJSCAN
TRJSETUP
TROJANTRAP3
TSADBOT
TVMD
TVTMD
UNDOBOOT
UPDAT
UPDATE
UPDATE
UPGRAD
UTPOST
VBCMSERV
VBCONS
VBUST
VBWIN9X
VBWINNTW
VCSETUP
VET32
VET95
VETTRAY
VFSETUP
VIR-HELP
VNLAN300
VNPC3000
VPC32
VPC42
VPFW30S
VPTRAY
VSCAN40
VSCENU6.02D30
VSCHED
VSECOMR
VSHWIN32
VSISETUP
VSMAIN
VSMON
VSSTAT
VSWIN9XE
VSWINNTSE
VSWINPERSE
W32DSM89
W32DSM89
W9X
WATCHDOG
WEBDAV
WEBSCANX
WEBTRAP
WFINDV32
WGFE95
WHOSWATCHINGME
WIMMUN32
WIN-BUGSFIX
WIN32
WIN32US
WINACTIVE
WINDBG
WINDOW
WINDOWS
WINDUMP
WININETD
WININIT
WININITX
WINLOGIN
WINMAIN
WINNET
WINPPR32
WINRECON
WINSERVN
WINSSK32
WINSTART
WINSTART001
WINTSK32
WINUPDATE
WKUFIND
WNAD
WNT
WRADMIN
WRCTRL
WSBGATE
WUPDATER
WUPDT
XPF202EN
ZAPRO
ZAPSETUP3001
ZATUTOR
ZONALM2601
ZONEALARM

The malware modifies the hosts file (usually located in C:\\Windows\\System32\\Drivers\\Etc\\hosts) to prevent the access to websites of security companies. A snippet of the modified host file can be seen below (the IP addresses are generated randomly):

27.150.124.122 symantec.comsecurityresponse.symantec.com
238.232.24.130 www.symantec.comsecurityresponse.symantec.com
209.192.147.230 pandasoftware.com
75.73.163.69 www.pandasoftware.com
244.1.56.212 sophos.com
63.29.179.163 www.sophos.com
152.42.82.34 mcafee.com
175.240.239.227 www.mcafee.com
19.155.235.161 downloads-us1.kaspersky-labs.com
2.29.101.130 www.downloads-us1.kaspersky-labs.com
128.206.175.153 updates1.kaspersky-labs.com
166.85.2.175 www.updates1.kaspersky-labs.com
...
81.30.169.77 kaspersky.ru
81.163.144.114 www.kaspersky.ru
117.187.103.4 msk1.drweb.com
220.12.16.145 www.msk1.drweb.com
64.93.186.144 msk2.drweb.com
202.251.16.162 www.msk2.drweb.com
43.91.175.23 msk3.drweb.com
232.0.222.180 www.msk3.drweb.com
245.159.121.179 msk4.drweb.com
134.130.47.12 www.msk4.drweb.com
34.42.238.243 boss.drweb.comdrweb.com
249.56.154.162 www.boss.drweb.comdrweb.com
119.142.5.88 liveupdate.symantecliveupdate.com
25.177.28.162 www.liveupdate.symantecliveupdate.com
128.113.94.217 viruslist.com
196.205.147.236 www.viruslist.com
10.17.186.95 security.symantec.com
89.65.67.148 www.security.symantec.com
169.186.126.74 f-secure.com
61.23.84.99 www.f-secure.com
51.82.53.234 kaspersky-labs.com
90.43.81.84 www.kaspersky-labs.com
67.206.11.6 kaspersky.com
155.176.170.24 www.kaspersky.com
183.186.82.89 avp.com
113.169.52.147 www.avp.com
51.181.1.16 norman.com
81.112.164.92 www.norman.com
156.242.48.77 sandbox.norman.com
52.51.23.65 www.sandbox.norman.com
157.184.158.167 networkassociates.com
21.114.141.193 www.networkassociates.com
37.227.43.167 ca.com
119.130.105.144 www.ca.com
231.97.94.77 mast.mcafee.com
220.13.243.22 www.mast.mcafee.com
217.181.224.137 my-etrust.com
79.143.215.240 www.my-etrust.com
182.120.254.195 download.mcafee.com
219.219.163.110 www.download.mcafee.com
124.211.44.83 dispatch.mcafee.com
18.148.76.19 www.dispatch.mcafee.com
238.7.125.9 secure.nai.com
135.180.170.24 www.secure.nai.com
19.229.43.167 nai.com
84.8.247.233 www.nai.com
181.86.21.98 update.symantec.com
149.178.84.167 www.update.symantec.com
227.212.60.101 updates.symantec.com
235.166.68.164 www.updates.symantec.com
111.238.70.77 us.mcafee.com
250.46.47.234 www.us.mcafee.com
113.200.251.174 liveupdate.symantec.com
235.102.225.181 www.liveupdate.symantec.com
194.153.202.140 customer.symantec.com
235.193.8.244 www.customer.symantec.com
130.44.69.227 rads.mcafee.com
169.130.185.204 www.rads.mcafee.com
147.96.161.32 trendmicro.com
220.67.236.21 www.trendmicro.com
28.168.55.166 grisoft.com
187.113.251.219 www.grisoft.com
7.139.5.74 esaugumas.lt
131.206.39.222 www.esaugumas.lt
130.36.46.215 antivirus.esaugumas.lt
245.238.19.18 www.antivirus.esaugumas.lt
130.163.118.139 esecurity.lt
214.186.71.32 www.esecurity.lt
59.203.199.152 virustotal.com
109.241.175.227 www.virustotal.com
169.114.174.163 windowsupdate.microsoft.com
8.162.25.236 www.windowsupdate.microsoft.com
11.4.223.72 microsoft.com
119.179.187.255 www.microsoft.com
99.0.173.149 virusscan.jotti.org
143.93.170.147 www.virusscan.jotti.org
247.122.147.139 bkav.com.vn
168.173.100.86 www.bkav.com.vn
211.151.174.160 grisoft.czfree.grisoft.com
32.5.71.167 www.grisoft.czfree.grisoft.com
68.20.63.63 bitdefender.com
214.153.23.26 www.bitdefender.com
94.191.46.70 aonealarm.com
176.242.124.247 www.aonealarm.com
120.252.130.135 barracudanetworks.com
21.110.129.187 www.barracudanetworks.com
171.66.235.72 free-av.com
115.190.23.149 www.free-av.com
86.156.56.195 avast.com
187.103.144.235 www.avast.com
157.40.225.166 pandasecurity.com
224.66.37.211 www.pandasecurity.com
229.155.126.148 nod32-es.com
92.252.112.154 www.nod32-es.com
89.187.78.163 nod32.com
170.151.242.64 www.nod32.com
105.227.177.220 eset.com
205.231.143.250 www.eset.com
69.131.174.190 nod32.it
200.21.13.175 www.nod32.it
102.157.111.187 nod32.de
36.31.152.124 www.nod32.de
6.73.191.185 nod32.nl
109.86.65.48 www.nod32.nl
163.50.147.146 nod32.datsec.de
181.223.122.208 www.nod32.datsec.de
129.23.126.149 u0.eset.com
15.51.156.19 u1.eset.com
37.75.59.3 u2.eset.com
21.159.97.231 u3.eset.com
...
132.145.251.88 download0.avast.com
37.246.87.250 sl0.avast.com
253.228.139.224 rs0.avast.com
181.37.25.186 download1.avast.com
64.196.24.91 sl1.avast.com
109.45.42.188 rs1.avast.com
184.144.174.68 download2.avast.com
102.134.55.70 sl2.avast.com
209.247.60.204 rs2.avast.com
0.59.17.147 download3.avast.com
122.127.21.86 sl3.avast.com
92.107.46.79 rs3.avast.com
170.2.114.252 download4.avast.com
...
111.48.175.149 download40.avast.com
202.31.155.228 sl40.avast.com
34.127.145.146 rs40.avast.com
206.226.210.99 download41.avast.com
207.248.145.33 sl41.avast.com
95.178.240.155 rs41.avast.com
204.166.43.238 download42.avast.com
135.182.19.3 sl42.avast.com
120.236.191.89 rs42.avast.com
149.169.126.5 download43.avast.com
179.255.15.247 sl43.avast.com
156.91.21.126 rs43.avast.com
...
203.178.121.14 sl299.avast.com
212.173.73.167 rs299.avast.com

The malware injects a thread in explorer.exe which repeteadly tries to start the malicious executable, to make sure that it is difficult to kill it.

The malware ads itself to the registry in the following locations to make itself run on windows startup:

• SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon with the name "Windows Sysdat"
  
• SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run with the name "Policies Options2"
  
• SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce with the name "Service Start2"
  

Removal instructions:

Please let BitDefender delete the infected files belonging to the trojan. You should also delete the modified host file to restore the capability to access the sites of the security vendors.

ANALYZED BY:

Attila-Mihaly Balazs, virus researcher