Proactive IT security
 

W32/Dulkis.A

Threat risk: medium

Detection files published:
2010-07-26
Description created:
2010-07-26
Description updated:
2010-08-03

Malware type:
Worm
Alias:
W32/Dulkis-A (Sophos), Worm.Win32.VBNA.albk (Kaspersky), WORM_VOBFUS.AI (Trendmicro), Worm:Win32/Vobfus.H (Microsoft)
Spreading mechanism:
Network, Other

Payload:
Download malware, compromise system security

Summary

W32/Dulkis.A is a Windows worm, written in obfuscated Visual Basic.

Spreading description

The worm can spread across computer networks through security holes on vulnerable machines connected to the network, and also through email by sending copies of itself to everyone in the user's address book.

It also spreads via removable drives by dropping shortcut files (.LNK) that run automatically when the drive is browsed with an application that renders shortcut icons.
 
It is capable of dropping and installing other components, injecting code into running processes, and allowing backdoor access to and control of the infected computer.


Threat description

On execution it drops a “[Random].exe” file in the %Root drive%\Documents and Settings\%user profile% folder, writes a malicious “autorun.inf” file to any connected removable storage media, and copies itself to that removable media.

The following files were created when Dulkis.A was executed:

c:\Documents and Settings\norman\a.exe
c:\Documents and Settings\norman\alg.exe
c:\Documents and Settings\norman\fuayub.exe
c:\Documents and Settings\norman\r.exe
c:\Documents and Settings\norman\s.exe
c:\Documents and Settings\norman\t.exe
c:\Documents and Settings\norman\tuogaay.exe
c:\Documents and Settings\norman\u.exe
c:\Documents and Settings\norman\USB\...lnk
c:\Documents and Settings\norman\USB\..lnk
c:\Documents and Settings\norman\USB\autorun.inf
c:\Documents and Settings\norman\USB\Documents.lnk
c:\Documents and Settings\norman\USB\guejuu.exe
c:\Documents and Settings\norman\USB\guejuu.scr
c:\Documents and Settings\norman\USB\Music.lnk
c:\Documents and Settings\norman\USB\New Folder.lnk
c:\Documents and Settings\norman\USB\Passwords.lnk
c:\Documents and Settings\norman\USB\Pictures.lnk
c:\Documents and Settings\norman\USB\Video.lnk
c:\Documents and Settings\norman\USB\x.exe
c:\Documents and Settings\norman\USB\xxx.dll
c:\Documents and Settings\norman\USB\zaZ.lnk
c:\Documents and Settings\norman\USB\zbG.lnk
c:\Documents and Settings\norman\USB\zCI.lnk
c:\Documents and Settings\norman\USB\zdj.lnk
c:\Documents and Settings\norman\USB\zmf.lnk
c:\Documents and Settings\norman\USB\zmJ.lnk
c:\Documents and Settings\norman\USB\zQy.lnk
c:\Documents and Settings\norman\USB\zsb.lnk
c:\Documents and Settings\norman\USB\zSi.lnk
c:\Documents and Settings\norman\Local Settings\Temp\3.tmp
c:\Documents and Settings\norman\Local Settings\Temp\4.tmp
c:\WINDOWS\wut4232.dll

The following registry entries were created or modified when Dulkis.A was executed:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run "guejuu"
Data: C:\Documents and Settings\norman\guejuu.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run "Mzopuqumof"
Data: rundll32.exe "C:\WINDOWS\wut4232.dll",Startup

HKCU\Software\Microsoft\Windows\CurrentVersion\Run "tuogaay"
Data: C:\Documents and Settings\norman\tuogaay.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden"
Data: 0x00000000

W32/Dulkis.A writes exploit shortcut (.lnk) files to any attached removable storage media; these shortcut files point to the file xxx.dll.

Norman provides complete removal of the Dulkis.A infection.

3.tmp/4.tmp are detected as TDSS
wut4232.dll is detected as Hiloti
The .exe files are detected as AutoRun
[XXX].lnk is detected as LNK/CplLnk.A
The other .lnk files are detected as Exploit/CVE-2010-2568.A
xxx.dll is detected as W32/Dulkis.A
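A defender-side triage routine for the drop pattern listed above, added here as an example; it is not part of Norman's description or tooling. It inspects only the root of a removable-drive directory (a constructed sample with harmless placeholder files, mirroring the USB listing on this page) for the indicators the page names: autorun.inf, folder-mimicking and random three-letter .lnk names, a matching .exe/.scr pair, and shortcuts that name a DLL. The UTF-16LE ".dll" search inside the shortcuts is an assumed heuristic, not a .lnk parser.

```python
import re
import tempfile
from pathlib import Path

# Shortcut names the worm drops in place of the real, now-hidden folders (from the page's file list)
FOLDER_MIMIC = {"documents", "music", "new folder", "passwords", "pictures", "video"}
RANDOM_LNK = re.compile(r"^z[a-z]{2}\.lnk$")   # zaZ.lnk, zQy.lnk, ... (names are lower-cased first)
DOT_LNK = re.compile(r"^\.+lnk$")              # "..lnk", "...lnk"

def lnk_references_dll(path: Path) -> bool:
    """Heuristic (assumption, not a .lnk parser): the exploit shortcuts name the DLL they load."""
    return ".dll".encode("utf-16-le") in path.read_bytes().lower()

def triage_drive_root(root: Path) -> dict:
    """Check only files directly under `root`, which is where the worm writes its drop set."""
    names = {p.name.lower(): p for p in root.iterdir() if p.is_file()}
    f = {"autorun_inf": "autorun.inf" in names, "folder_mimic_lnk": [], "random_lnk": [],
         "dot_lnk": [], "dll_lnk": [], "exe_scr_pair": []}
    for name, p in names.items():
        if name.endswith(".lnk"):
            if name[:-4] in FOLDER_MIMIC:
                f["folder_mimic_lnk"].append(p.name)
            elif RANDOM_LNK.match(name):
                f["random_lnk"].append(p.name)
            elif DOT_LNK.match(name):
                f["dot_lnk"].append(p.name)
            if lnk_references_dll(p):
                f["dll_lnk"].append(p.name)
        elif name.endswith(".exe") and name[:-4] + ".scr" in names:  # guejuu.exe + guejuu.scr
            f["exe_scr_pair"].append(name[:-4])
    hits = sum(1 for k in ("folder_mimic_lnk", "random_lnk", "dot_lnk", "exe_scr_pair") if f[k])
    # A DLL-referencing shortcut is enough on its own; otherwise require autorun.inf plus two patterns
    f["suspicious"] = bool(f["dll_lnk"]) or (f["autorun_inf"] and hits >= 2)
    return f

def build_sample_root(infected: bool = True) -> Path:
    """Constructed sample (placeholder bytes only) mirroring the page's USB listing."""
    root = Path(tempfile.mkdtemp(prefix="dulkis_sample_"))
    if not infected:
        (root / "report.docx").write_bytes(b"clean placeholder")
        return root
    lnk_body = b"L\x00\x00\x00" + "\\xxx.dll".encode("utf-16-le")  # placeholder shortcut body
    for name in ("...lnk", "..lnk", "Documents.lnk", "Music.lnk", "New Folder.lnk",
                 "Passwords.lnk", "Pictures.lnk", "Video.lnk", "zaZ.lnk", "zQy.lnk"):
        (root / name).write_bytes(lnk_body)
    for name in ("autorun.inf", "guejuu.exe", "guejuu.scr", "x.exe", "xxx.dll"):
        (root / name).write_bytes(b"placeholder")
    return root
```

Calling triage_drive_root(build_sample_root()) flags the sample as suspicious, while build_sample_root(infected=False) yields no findings.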

Removal

General information about removal of malicious software

Norman's antivirus products are in general able to remove all malicious software that is detected.
Some malware, however, uses techniques that the general product does not remove sufficiently. We have therefore developed the free product Norman Malware Cleaner. Please use the latest version of this program from the link below if your Norman antivirus is unable to clean up the infection.

Usage   Title   Comment
  Prevent infection through file sharing on networks
  Cleaning backup folders in Windows Me and XP