Taterf worm

Win32/Taterf is a password stealing worm that targets online gaming so the virtual property can be sold for real money. While it's been around since April, it surprised Microsoft when they first started detecting it in June.

Win32/Taterf is a variant of Frethog.

aliases

  • Kaspersky: Packed.Win32.NSAnti.r
  • McAfee: New Malware.hz
  • Symantec: Infostealer.Gampass
  • Avira: TR/Crypt.NSPM.Gen
  • Sophos: Mal/Behav-204

Also detected as

  • VirTool:Win32/Vanti.A
  • VirTool:Win32/Vanti.B
  • VirTool:Win32/Obfuscator.T
  • Worm:Win32/Taterf!inf

Techniques used include:

  • injecting the virus into the gaming client
  • changing the registry
  • running at reboot
  • running when a removable drive is inserted
  • running when Windows Explorer displays a directory
  • running when a remote drive over a network is mapped
  • keylogging

steps it takes during the initial infection

  1. drops the file ntde1ect.com in the temp folder
  2. copies itself and a DLL to the system directory of the drive
  3. copies itself and a DLL to the root directory of all drives as 'ntde1ect.com'
  4. sets boot time autorun in registry
  5. sets autorun with an 'autorun.inf' in the root of all drives
  6. changes settings to allow autorun
  7. changes settings to not show hidden files
  8. executes the file in the temp folder

triggers spreading

  • put a removable device in another machine
  • display the root directory in Windows Explorer
  • map a network drive

contents of autorun.inf

[Autorun]
open=ntde1ect.com
;shell\open=Open(&0)
shell\open\Command=utdetect.cm
shell\open\Default=1
;shell\explore=Manager(&X)
shell\explore\Command=utdetect.com

A breakdown of infection sources by country

China: 529,003
Taiwan: 279,428
Spain: 235,381
US: 213,374
Korea: 184,306

protection

  • keep your OS and anti-virus up-to-date
  • always run your anti-virus
  • disable Explorer's 'autoplay'
    • Vista: use Control Panel
    • pre-Vista (requires admin rights): 'gpedit.msc' -> administrative templates -> system,
      or you could use registry hacks or TweakUI
    • hold down the "shift" key when you insert a USB device
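As an added example (not from the original page), the "registry hack" form of the disable-autoplay advice above, written in PowerShell and run from an elevated prompt. NoDriveTypeAutoRun is a bit mask of drive types for which AutoRun is suppressed; 0xFF sets every bit, so AutoRun is disabled for all drive types. The HKLM policy key covers every user on the machine; the HKCU copy is included because it is the per-user value the worm itself changes (see the system setting changes section below).

```powershell
# Added example, not from the original write-up: disable AutoRun for all drive types.
# Run as an administrator; the HKLM branch requires admin rights.
$policyKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',   # machine-wide
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'    # current user (the value the worm edits)
)

foreach ($key in $policyKeys) {
    # show the current (possibly weakened) value before changing it
    $before = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($null -eq $before) { $before = '(not set)' }

    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # 0xFF = all drive-type bits set = AutoRun disabled everywhere
    Set-ItemProperty -Path $key -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord

    $after = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun).NoDriveTypeAutoRun
    "{0}\NoDriveTypeAutoRun: {1} -> 0x{2:X2}" -f $key, $before, $after
}
```

Explorer reads the value at logon, so log off and back on (or reboot) for the change to take effect. Holding Shift while inserting a device, as the list above says, remains a useful habit on machines where this policy cannot be set.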

file names used

  • amvo.exe
  • kavo.exe
  • awda.exe
  • avpo.exe
  • amvo.dll
  • avpo.dll
  • kavo.dll

some registry changes

  • subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    adds one of the following

    • value: "amvo"
      data: "[system folder]\amvo[number].exe"
    • value: "kavo"
      data: "[system folder]\kavo[number].exe"
    • value: "awda"
      data: "[system folder]\awda[number].exe"
    • value: "avpo"
      data: "[system folder]\avpo[number].exe"
    • value: "amvo"
      data: "[system folder]\amvo[number].dll"
    • value: "avpo"
      data: "[system folder]\avpo[number].dll"
    • value: "kavo"
      data: "[system folder]\kavo[number].dll"

    adds value: "amva"
    data: "\amvo.exe"

  • subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Adds value: "avpa"
    data: "\avpo.exe"

system setting changes:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun\
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden\0
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
  • HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue

removal

  1. turn off system restore in Windows ME and XP
  2. restart in Safe Mode
  3. remove Autostart entries in the registry
    1. navigate to: HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Run
    2. delete the following entries
      • amvo = "%System%\amvo.exe"
      • kavo = "%System%\kavo.exe"
      • awda = "%System%\awda.exe"
      • avpo = "%System%\avpo.exe"
  4. remove registry entries to hide the file
    1. navigate to: HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>
      Explorer>Advanced
      change the entry "Hidden = 2" to "Hidden = 1"
    2. navigate to: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
      change the entry "ShowSuperHidden = 0" to "ShowSuperHidden = 1"
    3. navigate to: HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>
      Explorer>Advanced>Folder>Hidden>SHOWALL
      change the entry "CheckedValue = 0" to "CheckedValue = 1"
  5. delete the malware files using SHIFT/DELETE (don't send to the recycle bin)
    • amvo.exe
    • kavo.exe
    • awda.exe
    • avpo.exe
    • amvo.dll
    • avpo.dll
    • kavo.dll
  6. delete the malware-created AUTORUN.INF files
    1. delete the malware-created AUTORUN.INF on every drive that was used
    2. an AUTORUN.INF is malware-created if it contains the following lines

    [Autorun]
    open=ntde1ect.com
    ;shell\open=Open(&0)
    shell\open\Command=utdetect.cm
    shell\open\Default=1
    ;shell\explore=Manager(&X)
    shell\explore\Command=utdetect.com
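As an added example (not from the original page), a read-only PowerShell audit that checks a host for the artifacts listed in the registry changes, system setting changes and removal sections above: the Run-key values, the three hidden-file settings the worm flips, the dropped files in the system directory, and an autorun.inf or ntde1ect.com on any drive root. The value names, file names and indicator strings are the ones from this write-up; the function name and output format are my own. It reports findings but changes nothing, so it can be run before the manual removal steps and again afterwards to confirm they are complete.

```powershell
# Added example, not from the original write-up. Run from an elevated prompt.
function Find-TaterfArtifacts {
    $findings = @()

    # 1. Run-key values the worm adds (amvo/kavo/awda/avpo, amva/avpa), matched by
    #    value name or by data pointing at one of the dropped executables/DLLs
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    if (Test-Path $runKey) {
        $run = Get-ItemProperty -Path $runKey
        foreach ($p in $run.PSObject.Properties) {
            if ($p.Name -match '^(amvo|kavo|awda|avpo|amva|avpa)$' -or
                "$($p.Value)" -match '(amvo|kavo|awda|avpo)\d*\.(exe|dll)') {
                $findings += "Run value '$($p.Name)' = $($p.Value)"
            }
        }
    }

    # 2. Hidden-file settings as the worm leaves them (Hidden=2, ShowSuperHidden=0, CheckedValue=0)
    $adv     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $showAll = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
    $checks = @(
        @{ Key = $adv;     Name = 'Hidden';          Bad = 2 },
        @{ Key = $adv;     Name = 'ShowSuperHidden'; Bad = 0 },
        @{ Key = $showAll; Name = 'CheckedValue';    Bad = 0 }
    )
    foreach ($c in $checks) {
        $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
        if ($item -and $item.($c.Name) -eq $c.Bad) {
            $findings += "$($c.Key)\$($c.Name) = $($c.Bad) (hidden files suppressed)"
        }
    }

    # 3. Dropped files in the system directory (amvo0.exe, kavo.dll, ...)
    $sysDir  = [Environment]::GetFolderPath('System')
    $dropped = Get-ChildItem -LiteralPath $sysDir -Force -ErrorAction SilentlyContinue |
               Where-Object { $_.Name -match '^(amvo|kavo|awda|avpo)\d*\.(exe|dll)$' }
    foreach ($f in $dropped) { $findings += "dropped file $($f.FullName)" }

    # 4. Every drive root: the copied dropper, or an autorun.inf that launches it.
    #    -Force is needed because the worm sets the hidden attribute on both files.
    foreach ($d in Get-PSDrive -PSProvider FileSystem) {
        foreach ($name in 'autorun.inf', 'ntde1ect.com') {
            $path = Join-Path $d.Root $name
            if (-not (Test-Path -LiteralPath $path)) { continue }
            if ($name -eq 'autorun.inf') {
                $text = Get-Content -LiteralPath $path -Raw -Force -ErrorAction SilentlyContinue
                # only flag autorun.inf files that carry the worm's indicator lines
                if ($text -notmatch 'ntde1ect\.com|utdetect\.c') { continue }
            }
            $findings += "$path present on drive root"
        }
    }

    return ,$findings
}

$hits = Find-TaterfArtifacts
if ($hits.Count -eq 0) { 'no Taterf artifacts found' } else { $hits }
```

A clean run after removal should print "no Taterf artifacts found"; any remaining line points at the step above that still needs doing. The autorun.inf check matches on the indicator strings rather than on the file's presence alone, because a legitimate autorun.inf (a CD or vendor USB stick) would otherwise be reported too.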

references
http://www.microsoft.com/security/portal/Entry.aspx?name=Win32%2fTaterf

http://blogs.technet.com/mmpc/archive/2008/06/20/taterf-all-your-drives-...

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_TAT...
