Virus Profile: W32/Caffer@MM

Virus Profile information details
Risk Assessment: Home Low-Profiled | Corporate Low-Profiled
Date Discovered: 2/21/2008
Date Added: 2/21/2008
Origin: N/A
Length: N/A
Type: Virus
Subtype: Email Worm
DAT Required: 5235
Removal Instructions

Description

-- Update February 21, 2008 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.repubblica.it/2008/02/sezioni/cronaca/truffa-mail/truffa-mail/truffa-mail.html

An English translation is available here

--

W32/Caffer@MM is a mass-mailing worm that also downloads and runs additional malware.

Indication of Infection

  • unexpected network behaviour
  • presence of hidden directory c:\windows\system32\3ComNet\service
  • presence of process svcnost.exe
  • presence of file c:\windows\system32\3ComNet\service\svcnost.exe
  • antivirus and firewall prompting the user for suspicious files and network activity

Methods of Infection

Executing the file hosted on the website linked from the malicious email starts the infection. Users with low browser security settings may also be infected simply by visiting the malicious website.

Virus Characteristics


The malware is packed with Npack to hinder analysis. Once it has unpacked itself in memory, it adds the following registry values:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\domains\co****str**a.com\(default) = ""
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\domains\co****str**a.com\www\(default) = ""
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\domains\co****str**a.com\www\* = 2
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\(default) = ""
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1001 = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1004 = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1200 = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1201 = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1400 = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1402 = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1405 = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1406 = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1407 = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1609 = 1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1800 = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1803 = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\CurrentLevel = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\MinLevel = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\RecommendedLevel = 0

The malware then reads the user's mail configuration (POP3 server, SMTP server, POP3 user name and SMTP email address). After that it creates the folders:

  • C:\Windows\System32\3ComNet
  • C:\Windows\System32\3ComNet\Service

and sets their hidden attribute. It then copies itself to C:\Windows\System32\3ComNet\service\svcnost.exe and adds the following registry value so that the copy is started every time the user logs on:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\svcnost.exe - c:\windows\system32\3ComNet\service\svcnost.exe

The malware then downloads additional malware from http://www.co****str***.com and saves it as:

  • C:\system.exe

That downloaded file is executed immediately and is already detected by McAfee. The malware then launches the copy of itself stored under C:\Windows\System32\3ComNet\service and deletes the original from disk. The newly started copy downloads the data it needs (body.txt and subject.txt) and begins its spam run.

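The registry changes above are the most durable host indicators of this worm. As an added defender-side example (not part of the McAfee profile), the following Python parses a `reg export`-style .reg dump and flags the three changes described: the Run-key persistence, a domain mapped into zone 2 (the Trusted sites zone) through ZoneMap, and zone 2 URL actions forced to 0 (allow). The sample dump is constructed here, and the domain is a placeholder because the profile masks the real one.

```python
# Constructed sample of a .reg export (not captured from a real host); it reproduces the
# persistence, ZoneMap and Zones\2 values the profile lists. The domain is a placeholder.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"svcnost.exe"="c:\\windows\\system32\\3ComNet\\service\\svcnost.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\domains\example-placeholder.com\www]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1001"=dword:00000000
"1609"=dword:00000001
"CurrentLevel"=dword:00000000
"""

HIVE = r"hkey_current_user\software\microsoft\windows\currentversion"
RUN_KEY = HIVE + r"\run"
ZONEMAP = HIVE + r"\internet settings\zonemap\domains"
ZONES2 = HIVE + r"\internet settings\zones\2"
# URL actions the profile shows forced to 0 (allow) in zone 2 (Trusted sites); 1609 stays 1
RELAXED_ACTIONS = ("1001", "1004", "1200", "1201", "1400", "1402",
                   "1405", "1406", "1407", "1800", "1803")

def parse_reg(text):
    """Parse .reg text into {key_path (lowercased): {value_name: value}}; strings and dwords only."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, raw = line[1:].partition('"=')   # '"name"=raw'
            keys[current][name] = (int(raw[6:], 16) if raw.startswith("dword:")
                                   else raw.strip('"').replace("\\\\", "\\"))
    return keys

def find_caffer_indicators(keys):
    """Return human-readable findings for the registry changes the profile attributes to Caffer."""
    findings = []
    for name, path in keys.get(RUN_KEY, {}).items():
        if name.lower() == "svcnost.exe" or r"3comnet\service\svcnost.exe" in str(path).lower():
            findings.append(f"persistence: Run\\{name} -> {path}")
    for key, values in keys.items():
        if key.startswith(ZONEMAP + "\\") and values.get("*") == 2:
            domain = key[len(ZONEMAP) + 1:].split("\\")[0]
            findings.append(f"domain added to Trusted sites zone: {domain}")
    relaxed = [a for a in RELAXED_ACTIONS if keys.get(ZONES2, {}).get(a) == 0]
    if relaxed:
        findings.append("zone 2 URL actions set to 0 (allow): " + ", ".join(relaxed))
    return findings
```

On a live host the same checks apply to the output of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion out.reg`, read in as text.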
AVERT recommends always using the latest DATs and engine. This threat is cleaned by that combination.

Additional Windows ME/XP removal considerations