Lumension® Endpoint Intelligence Center


Overview

Threat Risk: MEDIUM
Destructivity: UNKNOWN
Payload: Download malware, compromise system security
Detection files published: 25 Jul 2010 03:00:00
Description created: 25 Jul 2010 03:12:00
Description updated: 02 Aug 2010 03:12:00
Malware type: WORM
Aliases: W32/Dulkis-A (Sophos), Worm.Win32.VBNA.albk (Kaspersky), WORM_VOBFUS.AI (Trendmicro), Worm:Win32/Vobfus.H (Microsoft)
Spreading mechanism: NETWORK, OTHER
Summary

W32/Dulkis.A

Spreading

The worm can spread across computer networks through security holes on vulnerable machines connected to the network, and also through email by sending copies of itself to everyone in the user's address book.

It also spreads through removable drives by dropping shortcut files (.LNK) that run automatically when the drive is browsed with an application that displays shortcut icons.

It is capable of dropping and installing other components, injecting code into running processes, and allowing backdoor access to and control of the infected computer.
For more information: Exploits for .LNK vulnerability are growing fast (Lumension Security Advisory); Microsoft Security Bulletin MS10-046 - Critical (with links to the security updates).

Payload Details

On execution it drops a "[Random].exe" file in the %Root drive%\Documents and Settings\%user profile% folder and drops a malicious autorun.inf file on any connected removable storage media, to which it also copies itself.
The following files were created while executing Dulkis.A:
c:\Documents and Settings\norman\a.exe
c:\Documents and Settings\norman\alg.exe
c:\Documents and Settings\norman\fuayub.exe
c:\Documents and Settings\norman\r.exe
c:\Documents and Settings\norman\s.exe
c:\Documents and Settings\norman\t.exe
c:\Documents and Settings\norman\tuogaay.exe
c:\Documents and Settings\norman\u.exe
c:\Documents and Settings\norman\USB\...lnk
c:\Documents and Settings\norman\USB\..lnk
c:\Documents and Settings\norman\USB\autorun.inf
c:\Documents and Settings\norman\USB\Documents.lnk
c:\Documents and Settings\norman\USB\guejuu.exe
c:\Documents and Settings\norman\USB\guejuu.scr
c:\Documents and Settings\norman\USB\Music.lnk
c:\Documents and Settings\norman\USB\New Folder.lnk
c:\Documents and Settings\norman\USB\Passwords.lnk
c:\Documents and Settings\norman\USB\Pictures.lnk
c:\Documents and Settings\norman\USB\Video.lnk
c:\Documents and Settings\norman\USB\x.exe
c:\Documents and Settings\norman\USB\xxx.dll
c:\Documents and Settings\norman\USB\zaZ.lnk
c:\Documents and Settings\norman\USB\zbG.lnk
c:\Documents and Settings\norman\USB\zCI.lnk
c:\Documents and Settings\norman\USB\zdj.lnk
c:\Documents and Settings\norman\USB\zmf.lnk
c:\Documents and Settings\norman\USB\zmJ.lnk
c:\Documents and Settings\norman\USB\zQy.lnk
c:\Documents and Settings\norman\USB\zsb.lnk
c:\Documents and Settings\norman\USB\zSi.lnk
c:\Documents and Settings\norman\Local Settings\Temp\3.tmp
c:\Documents and Settings\norman\Local Settings\Temp\4.tmp
c:\WINDOWS\wut4232.dll
The following registry entries were created or modified while executing Dulkis.A:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run "guejuu"
Data: C:\Documents and Settings\norman\guejuu.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run "Mzopuqumof"
Data: rundll32.exe "C:\WINDOWS\wut4232.dll",Startup
HKCU\Software\Microsoft\Windows\CurrentVersion\Run "tuogaay"
Data: C:\Documents and Settings\norman\tuogaay.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden"
Data: 0x00000000 (setting this value to 0 keeps files marked hidden and system out of view in Explorer, which hides the dropped files on the drive)
W32/Dulkis.A writes exploit shortcut (.LNK) files to any attached removable storage media; these shortcut files point to the file xxx.dll.
Lumension provides complete removal of the Dulkis.A infection.
3.tmp/4.tmp are detected as TDSS.
wut4232.dll is detected as Hiloti.
The .exe files are detected as AutoRun.
[XXX].lnk is detected as LNK/CplLnk.A.
The other .LNK files are detected as Exploit/CVE-2010-2568.A.
xxx.dll is detected as W32/Dulkis.A.
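As an added illustration (not part of Lumension's description or its tooling), the following Python script turns the artifacts listed above into two defender-side checks: a scan of a removable-drive root for the autorun.inf, the decoy and hidden-looking shortcuts, the same-name .exe/.scr pair and the DLL the shortcuts load, plus a test for Run-key data matching the two autostart patterns recorded above. The sample drive it builds is a constructed set of empty files named after the USB listing; the heuristics are my own reading of that listing, not Lumension's detection logic.

```python
"""Heuristic triage of the Dulkis.A artifacts listed above (added example, not Lumension code)."""
import re
import tempfile
from pathlib import Path

# Shortcut names from the listing that pose as ordinary folders on the drive
DECOY_STEMS = {"documents", "music", "pictures", "video", "new folder", "passwords"}
# Run-key data of the form: rundll32.exe "<path>.dll",<Export>
RUNDLL_BY_EXPORT = re.compile(r'rundll32(\.exe)?\s+"?[^",]+\.dll"?\s*,\s*\w+', re.I)
# Run-key data pointing at an .exe dropped directly in a user profile root
EXE_IN_PROFILE_ROOT = re.compile(r'c:\\documents and settings\\[^\\]+\\[^\\]+\.exe', re.I)


def scan_removable_root(root: Path) -> list[str]:
    """Report Dulkis.A-style artifacts found at the root of a removable drive."""
    names = {p.name.lower() for p in root.iterdir() if p.is_file()}
    findings = []
    if "autorun.inf" in names:
        findings.append("autorun.inf present at drive root")
    lnks = sorted(n for n in names if n.endswith(".lnk"))
    dlls = sorted(n for n in names if n.endswith(".dll"))
    if lnks and dlls:  # CVE-2010-2568 shortcuts sit beside the DLL they load
        findings.append(f"{len(lnks)} .lnk files beside DLL(s) {dlls}")
    for n in lnks:
        stem = n[:-4]
        if stem.strip(".") == "":  # names such as '..lnk' and '...lnk'
            findings.append(f"hidden-looking shortcut {n!r}")
        elif stem in DECOY_STEMS:
            findings.append(f"shortcut posing as folder {n!r}")
    for n in sorted(names):  # same-name .exe/.scr pair, e.g. guejuu.exe + guejuu.scr
        if n.endswith(".exe") and n[:-4] + ".scr" in names:
            findings.append(f"paired dropper {n} / {n[:-4]}.scr")
    return findings


def is_suspicious_run_value(data: str) -> bool:
    """True for Run-key data matching either autostart pattern in the listing."""
    return bool(RUNDLL_BY_EXPORT.search(data) or EXE_IN_PROFILE_ROOT.fullmatch(data))


def build_sample_drive() -> Path:
    """Constructed sample: empty files named after the USB listing, in a temp dir."""
    root = Path(tempfile.mkdtemp())
    for name in ("...lnk", "..lnk", "autorun.inf", "Documents.lnk", "guejuu.exe",
                 "guejuu.scr", "Music.lnk", "New Folder.lnk", "Passwords.lnk",
                 "Pictures.lnk", "Video.lnk", "x.exe", "xxx.dll", "zaZ.lnk", "zbG.lnk"):
        (root / name).write_bytes(b"")
    return root
```

Running `scan_removable_root(build_sample_drive())` yields eleven findings for the constructed drive; on a real drive the same function is pointed at the volume root, and the Run-key check is fed the string data read from the HKCU Run key.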

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:09