Virus Profile: SkyWiper

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 5/29/2012
Date Added: 5/29/2012
Origin: N/A
Length: N/A
Type: Trojan
Subtype: N/A
DAT Required: 6726
Removal Instructions

Description

SkyWiper is a trojan that can perform various tasks that are controlled by the command server. This has been noted to spread via removable USB drives.

Indication of Infection

Presence of the aforementioned registry keys and files.

Methods of Infection

It is capable of spreading via removable USB drives.

Virus Characteristics

On execution, the malware injects its code into a running process and creates a mutex named "TH_POOL_SHD_PQOISNG_#PID#SYNCMTX" to mark its presence on the system.

#PID# is the process ID of the process into which the code was injected.

Filenames related to this threat:

~dra52.tmp
target.lnk
zff042
urpd.ocx
ccalc32.sys
boot32drv.sys
Pcldrvx.ocx
~KWI
guninst32
~HLV
~DEB93D.tmp
~DEB83C.tmp
~dra53.tmp
cmutlcfg.ocx
~DFL983.tmp
~DF05AC8.tmp
~DFD85D3.tmp
~a29.tmp
dsmgr.ocx
~f28.tmp
~dra51k.tmp
~d43a37b.tmp
~dfc855.tmp
Ef_trace.log
contents.btr
wrm3f0
scrcons.exe
wmiprvse.exe
wlndh32
mprhlp
kbdinai
~ZLM0D1.ocx
~ZLM0D2.ocx
sstab
~rcf0
~rcj0

Malware can perform the below tasks:

- Scanning network resources
- Stealing information as specified
- Communicating to control servers over SSH and HTTPS protocols
- Detecting the presence of over 100 security products (AV, antispyware, FW, etc)
- Using both kernel- and user-mode logic
- Employing complex internal functionality using Windows APC calls, thread start manipulation, and code injection into key processes
- Loading as part of Winlogon.exe and then injecting itself into Internet Explorer and services
- Concealing its presence as ~ named temp files, just like Stuxnet and Duqu
- Capable of attacking new systems over USB flash memory and local network (spreading slowly)
- Creating screen captures
- Recording voice conversations
- Running on Windows XP, Windows Vista, and Windows 7 systems
- Containing known exploits, such as the print spooler and lnk exploits found in Stuxnet
- Using SQLite database to store collected information
- Using a custom database for attack modules (this is very unusual, but shows the modularity and extendability of the malware)
- Often located on nearby systems: a local network for both control and target infection cases
- Using PE-encrypted resources


The malware adds its main module under the following registry key so that it is started at boot:

HKEY_LOCAL_MACHINE\CurrentControlSet\Control\Lsa\Authentication Packages
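The two host indicators this profile gives, the per-PID mutex name and the LSA Authentication Packages value, can be checked offline against a handle dump and a registry export. The code below is an added example, not part of the McAfee profile; the '<pid> <type> <name>' handle-line layout, the reg query text layout and all sample data are constructed for it.

```python
import re

# Mutex name reported in the profile; #PID# is the decimal PID of the
# process SkyWiper injected into.
MUTEX_RE = re.compile(r"^TH_POOL_SHD_PQOISNG_(\d+)SYNCMTX$")
# 'reg query' line layout: Authentication Packages  REG_MULTI_SZ  pkg1\0pkg2
AUTH_PKG_RE = re.compile(r"^\s*Authentication Packages\s+REG_MULTI_SZ\s+(.*?)\s*$")
# Default content of the LSA "Authentication Packages" value on a stock
# Windows install; any additional entry warrants investigation.
BASELINE_AUTH_PACKAGES = {"msv1_0"}

# Constructed sample data: '<owner pid> <object type> <object name>' handle
# lines, and a reg query dump with one rogue package appended.
SAMPLE_HANDLES = [
    "4 Mutant \\BaseNamedObjects\\SomeBenignAppMutex",
    "1612 Mutant \\BaseNamedObjects\\TH_POOL_SHD_PQOISNG_1612SYNCMTX",
    "1612 Section \\BaseNamedObjects\\TH_POOL_SHD_PQOISNG_1612SYNCMTX",
    "2040 Mutant \\Sessions\\1\\BaseNamedObjects\\TH_POOL_SHD_PQOISNG_2040SYNCMTX",
    "3001 Mutant \\BaseNamedObjects\\TH_POOL_SHD_PQOISNG_SYNCMTX",
]
SAMPLE_REG = """HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa
    Authentication Packages    REG_MULTI_SZ    msv1_0\\0constructed_rogue_pkg
    Security Packages    REG_MULTI_SZ    kerberos\\0msv1_0
"""

def find_skywiper_mutexes(handle_lines):
    """Return [(owner_pid, pid_in_name, name)] for each Mutant whose name
    matches the SkyWiper scheme; other object types are ignored."""
    hits = []
    for line in handle_lines:
        parts = line.split(None, 2)
        if len(parts) != 3 or parts[1].lower() != "mutant":
            continue
        owner_pid, _, name = parts
        m = MUTEX_RE.match(name.rsplit("\\", 1)[-1])  # drop namespace prefix
        if m:
            hits.append((int(owner_pid), int(m.group(1)), name))
    return hits

def unexpected_auth_packages(reg_query_text):
    """Return LSA authentication packages not in the baseline, or [] when the
    value is absent from the dump or holds only the default."""
    for line in reg_query_text.splitlines():
        m = AUTH_PKG_RE.match(line)
        if m:
            packages = [p for p in m.group(1).split("\\0") if p]
            return sorted(p for p in packages if p.lower() not in BASELINE_AUTH_PACKAGES)
    return []
```

A mutex hit whose embedded PID differs from the owning PID is still worth a look: it means the handle survived in a process other than the one the name was built for.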


For more information please visit the below links:

https://blogs.mcafee.com/enterprise/security-perspectives/skywiper-fanning-the-flames-of-cyber-warfare

https://blogs.mcafee.com/mcafee-labs/jumping-in-to-the-flames-of-skywiper


All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).