Lumension® Endpoint Intelligence Center


Overview

Threat Risk: LOW
Destructivity: LOW
Payload:
Detection: files published
Description created: 17 Mar 2006 04:13:00
Description updated: 17 Mar 2006 04:13:00
Malware type: WORM
Aliases: Backdoor.Win32.Agent.n (Kaspersky), TROJ_AGENT.N (Trend), W32.Solame.A (Symantec)
Spreading mechanism: NETWORK
Summary: None

W32/Solame.A

Spreading

The worm spreads by trying to send itself to random IP addresses via proxy port 3127, the port used by, for example, the W32/MyDoom worm. When it succeeds in connecting to an IP, it tries to run itself there using built-in commands.
Changes to filesystem:
The worm copies itself to "%root%\WINDOWS\SYSTEM32\msdspr.exe".
Creates the file "C:\WINDOWS\TEMP\%randomname%.bat" (e.g. 319.bat), a batch file that deletes the worm from the location it was run from after the worm has copied itself to "%root%\WINDOWS\%systemfolder%\msdspr.exe".
Changes to registry:
Sets value "Windows Automation"="msdspr.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" to ensure running on startup.
Sets value "Windows Automation"="msdspr.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices" which will run the process of the worm before logging into Windows 95, Windows 98, and Windows Me.
Network services
Connects to randomly generated IP addresses on port 3127, which the worm keeps doing until it is terminated manually by killing its process tree.
Connects to various IRC channels and automatically harasses other IRC users by sending them private messages containing foul language and running IRC script commands such as "KICK" to bother other users.

Payload Details

Potentially fast spreading via unpatched proxies. If the proxy port 3127 is open, the worm will exploit this.
Process/window information
Will automatically restart after boot.
Attempts to open C:\WINDOWS\TEMP\319.bat.
Creates a mutex named msdspr.exe, a synchronization object that ensures multiple instances of the worm do not run on the infected machine.
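The spreading behaviour described above (one host probing many random IP addresses on port 3127 in quick succession) is easy to pick out of outbound connection logs. The following detector is an added example, not Lumension's code; the log line layout is constructed for the example and the thresholds (5 distinct targets within 60 seconds) are assumptions to tune for your environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in a simple firewall-log layout (not real traffic):
# "<timestamp> OUT <src_ip> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2006-03-17T04:13:00 OUT 10.0.0.5 -> 203.0.113.7:3127
2006-03-17T04:13:01 OUT 10.0.0.5 -> 198.51.100.23:3127
2006-03-17T04:13:01 OUT 10.0.0.5 -> 192.0.2.88:3127
2006-03-17T04:13:02 OUT 10.0.0.5 -> 203.0.113.250:3127
2006-03-17T04:13:02 OUT 10.0.0.5 -> 198.51.100.9:3127
2006-03-17T04:13:03 OUT 10.0.0.5 -> 192.0.2.14:3127
2006-03-17T04:13:05 OUT 10.0.0.9 -> 203.0.113.7:3127
2006-03-17T04:13:09 OUT 10.0.0.9 -> 203.0.113.7:3127
2006-03-17T04:13:10 OUT 10.0.0.7 -> 192.0.2.10:80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) OUT (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+)$"
)
WORM_PORT = 3127  # port the worm probes on random hosts

def parse(lines):
    """Yield (timestamp, src, dst, port) tuples; skip lines that do not match."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["port"]))

def find_3127_scanners(lines, min_targets=5, window_s=60):
    """Return {src: distinct_targets} for sources that reached at least
    min_targets distinct IPs on port 3127 within any window_s-second window.
    Repeated attempts to the same IP (e.g. a legitimate proxy client) count once."""
    events = defaultdict(list)  # src -> [(ts, dst)] for port-3127 attempts only
    for ts, src, dst, port in parse(lines):
        if port == WORM_PORT:
            events[src].append((ts, dst))
    hits = {}
    for src, attempts in events.items():
        attempts.sort()
        best = 0
        for i, (start, _) in enumerate(attempts):
            targets = {d for t, d in attempts[i:] if (t - start).total_seconds() <= window_s}
            best = max(best, len(targets))
        if best >= min_targets:
            hits[src] = best
    return hits

if __name__ == "__main__":
    for src, n in find_3127_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {n} distinct hosts probed on port {WORM_PORT}")
```

A host flagged this way is worth checking for the "Windows Automation" Run/RunServices values and the msdspr.exe file and mutex listed above.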

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:11