Lumension® Endpoint Intelligence Center

Overview

Threat Risk NONE
Destructivity LOW
Payload Deletes and disables system files
Detection files published 01 Mar 0200 03:00:00
Description created 07 Mar 2006 06:50:00
Description updated 07 Mar 2006 06:50:00
Malware type WORM
Alias IM-Worm.Win32.Vizim.a (Kaspersky)
Spreading mechanism NETWORK
Summary None

W32/Dinoxi.A

Spreading

The worm spreads through messages sent to the contacts on the AOL Instant Messenger (AIM) buddy list of the infected machine.

The contacted person sees one of the following links in the messenger window:

"Cool hacking programs!"
or
"Funniest clip ever!"

Both links point to a website from which the worm is downloaded as the file "a.exe".

File changes on the infected machine:

Creates the file "C:\DOCUMENTS AND SETTINGS\%username%\LOCAL SETTINGS\Temp\%random%.tmp", 16,384 bytes in size.

Copies itself to "c:\CodeBlack.exe"
Copies itself to "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\CodeBlack.exe"
Copies itself to "C:\WINDOWS\system32\CodeBlack.exe"
It also overwrites random files on the hard-drive with itself.

Deletes the file "C:\WINDOWS\system32\Restore\rstrui.exe" (System Restore)
Deletes the file "C:\WINDOWS\system32\taskmgr.exe" (Task Manager)
Deletes the file "C:\WINDOWS\system32\cmd.exe" (Command Prompt)
Deletes the file "C:\WINDOWS\system32\dllcache\msconfig.exe" (System Configuration Utility, cached copy)
Deletes the file "C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe" (System Configuration Utility)

Changes to registry:

Sets value "NoRun" to "0100" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",
which removes the Run command from the Start menu.

Sets value "NoClose" to "0100" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",
which removes the Shut Down command from the Start menu, so the user can neither shut down nor restart the computer normally.

Sets value "NoLogOff" to "0100" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",
which removes the Log Off command from the Start menu.

Sets value "Start Page" in key "HKCU\Software\Microsoft\Internet Explorer\Main" to the worm's website,
which makes that website the start page of Internet Explorer and leads the user to download the file a.exe.

Sets value "GoneMsg0001" in key "HKCU\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users\IAmGoneList"
to an HTML link of the form <a href="website">, which AIM displays as a clickable link in the away message shown to other users.

Also sets the value "website" in key "HKCU\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users\\IAmGoneList\GoneMsg0001".

For example, the link text reads "Funniest Clip Ever!"; when clicked it downloads the file a.exe from the website.

Sets value "DisableTaskmgr" to 0x1 in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System",
which prevents the user from opening Task Manager;
any attempt to open Task Manager shows the message "Task Manager has been disabled by your system administrator."

Sets value "DisableRegistryTools" to 0x1 in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System",
which prevents the user from running the Registry Editor (regedit).

Payload Details

Deletes the file "C:\WINDOWS\system32\Restore\rstrui.exe" (System Restore)
Deletes the file "C:\WINDOWS\system32\taskmgr.exe" (Task Manager)
Deletes the file "C:\WINDOWS\system32\cmd.exe" (Command Prompt)
Deletes the file "C:\WINDOWS\system32\dllcache\msconfig.exe" (System Configuration Utility, cached copy)
Deletes the file "C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe" (System Configuration Utility)

Opens port 32770 on the infected machine, which can be used as a backdoor.

It changes registry policy values so that the user can no longer shut down or restart the machine from Windows and must instead switch it off with the power button.
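The file, registry and port indicators listed in the sections above can be checked mechanically against artifacts collected from a suspect host. The following is an added example, not Lumension's own code and not a removal procedure the page itself provides: a Python triage script that takes an already-exported registry snapshot, a file listing and netstat output, reports which of the indicators are present, and derives one clean-up command per finding. The function names (triage, check_registry, remediation), the sample data and the placeholder URL in it are assumptions made for this example; the page does not name the download site.

```python
"""Offline triage for the W32/Dinoxi.A indicators on this page (added example,
not Lumension's tooling). It works on artifacts already collected from the
suspect host (registry export, file listing, netstat output) rather than on a
live system, so it runs anywhere; the sample data at the bottom is constructed."""
from collections import namedtuple

Finding = namedtuple("Finding", "kind target")  # kind: policy|aim_away_msg|dropped_file|missing_file|port

EXPLORER = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
SYSTEM = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
POLICY_VALUES = [(EXPLORER, "NoRun"), (EXPLORER, "NoClose"), (EXPLORER, "NoLogOff"),
                 (SYSTEM, "DisableTaskmgr"), (SYSTEM, "DisableRegistryTools")]
AIM_USERS = r"HKCU\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users"
DROPPED_FILES = [r"c:\CodeBlack.exe", r"C:\WINDOWS\system32\CodeBlack.exe",
                 r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\CodeBlack.exe"]
DELETED_FILES = [r"C:\WINDOWS\system32\Restore\rstrui.exe", r"C:\WINDOWS\system32\taskmgr.exe",
                 r"C:\WINDOWS\system32\cmd.exe", r"C:\WINDOWS\system32\dllcache\msconfig.exe",
                 r"C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe"]
BACKDOOR_PORT = 32770

def _norm(path):
    return path.lower().replace("/", "\\").rstrip("\\")

def _is_set(data):
    """Non-zero data in any form the page shows: REG_DWORD 1, "0x1", or binary "0100"."""
    if isinstance(data, bytes):
        return any(data)
    return data is not None and str(data).strip("0") != ""

def check_registry(registry):
    """registry: {key_path: {value_name: data}} taken from an export of HKCU."""
    reg = {_norm(k): {n.lower(): d for n, d in v.items()} for k, v in registry.items()}
    found = [Finding("policy", f"{key}\\{name}") for key, name in POLICY_VALUES
             if _is_set(reg.get(_norm(key), {}).get(name.lower()))]
    # Away message stored under Users\<screen name>\IAmGoneList that carries an HTML link.
    for key, values in reg.items():
        if key.startswith(_norm(AIM_USERS)) and key.endswith("\\iamgonelist"):
            for name, data in values.items():
                if name.startswith("gonemsg") and "<a href" in str(data).lower():
                    found.append(Finding("aim_away_msg", f"{key}\\{name}"))
    return found

def check_files(files_present):
    """files_present: full path listing of the system drive (dir /s /b). The
    missing-file check is only meaningful when that listing is complete."""
    present = {_norm(p) for p in files_present}
    found = [Finding("dropped_file", p) for p in DROPPED_FILES if _norm(p) in present]
    return found + [Finding("missing_file", p) for p in DELETED_FILES if _norm(p) not in present]

def check_ports(netstat_lines):
    """Flag any socket with local port 32770 in 'netstat -an' style output."""
    found = []
    for line in netstat_lines:
        parts = line.split()
        if len(parts) < 2 or parts[0].upper() not in ("TCP", "UDP"):
            continue
        port = parts[1].rsplit(":", 1)[-1]            # also handles "[::]:32770"
        if port.isdigit() and int(port) == BACKDOOR_PORT:
            found.append(Finding("port", line.strip()))
    return found

def triage(registry, files_present, netstat_lines):
    return check_registry(registry) + check_files(files_present) + check_ports(netstat_lines)

def remediation(findings):
    """One clean-up step per finding (reg.exe / del syntax). Because the worm deletes
    cmd.exe and disables Run, these must be issued from a remote admin session or
    after booting recovery media, not from the infected desktop itself."""
    steps = []
    for kind, target in findings:
        if kind in ("policy", "aim_away_msg"):
            key, name = target.rsplit("\\", 1)
            steps.append(f'reg delete "{key}" /v {name} /f')
        elif kind == "dropped_file":
            steps.append(f'del /f "{target}"')
        elif kind == "missing_file":
            steps.append(f'restore "{target}" from Windows installation media')
        else:
            steps.append("find the process bound to port 32770 (netstat -ano) and stop it first")
    return steps

# Constructed sample input; the URL is a placeholder, the page does not name the site.
SAMPLE_REGISTRY = {
    EXPLORER: {"NoRun": "0100", "NoClose": "0100", "NoLogOff": "0100"},
    SYSTEM: {"DisableTaskmgr": 1, "DisableRegistryTools": 1},
    AIM_USERS + r"\someuser\IAmGoneList": {
        "GoneMsg0001": '<a href="http://example.invalid/a.exe">Funniest clip ever!</a>'},
}
SAMPLE_FILES = [r"C:\CodeBlack.exe", r"C:\WINDOWS\system32\CodeBlack.exe",
                r"C:\WINDOWS\system32\notepad.exe", r"C:\WINDOWS\system32\dllcache\msconfig.exe"]
SAMPLE_NETSTAT = ["  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING",
                  "  TCP    0.0.0.0:32770          0.0.0.0:0              LISTENING",
                  "  UDP    0.0.0.0:445            *:*"]

if __name__ == "__main__":
    for step in remediation(triage(SAMPLE_REGISTRY, SAMPLE_FILES, SAMPLE_NETSTAT)):
        print(step)
```

Two caveats apply when using this on a real host. The missing-file check reports every file in the page's deletion list that is absent from the listing, so an incomplete listing produces false positives; collect the whole system drive. And the generated commands cannot be typed on the infected desktop, since the worm removes cmd.exe and Task Manager and disables Run and regedit; run them over a remote administrative session or from recovery media, and stop the process bound to port 32770 before deleting its binary, or the Startup-folder copy will simply be recreated on the next run.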

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:10