A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #17546  by EP_X0FF
 Wed Jan 02, 2013 7:42 am
Very viable worm found today while scanning some 3G-based network. Of about 5K computers in the network, most were infected with this worm. Some of the infected machines were "protected" by various paid AV solutions (however their state was unknown).

Complete description (including self-distribution methods with a funny WinRAR trick)

Worm
Dropper
Attachments
pass: malware
(571.96 KiB) Downloaded 94 times
 #17562  by B-boy/StyLe/
 Thu Jan 03, 2013 9:36 am
Yes, this was very active in the past as well.
It was known or recognized as: Trojan Vilsel, Win32.Chydo, Win32/Killav.DR, Win32/AutoRun.Agent.UA/Win32/AutoRun.Agent.TG

It used a ton of hidden files with strange extensions:
PRC - C:\WINDOWS\system32\aqnergfsoxemmjcem.exe ()
O4 - HKLM..\Run: [uanuxcr] C:\WINDOWS\System32\jayqeuuifpxghfzclc.exe ()
O4 - HKU\S-1-5-21-117609710-2147117837-839522115-1003..\Run: [tcsciqiodf] C:\WINDOWS\System32\wqrmdwzqqdoaefciuopkb.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: aixglsjoc = aqnergfsoxemmjcem.exe ()
[2009.12.24 13:27:39 | 00,573,440 | RHS- | M] () -- C:\WINDOWS\wqrmdwzqqdoaefciuopkb.exe
[2009.12.24 13:27:39 | 00,573,440 | RHS- | M] () -- C:\WINDOWS\umletklayjscedycmed.exe
[2009.12.24 13:27:39 | 00,573,440 | RHS- | M] () -- C:\WINDOWS\nikgyswopdpchjhobwyumg.exe
[2009.12.24 13:27:39 | 00,573,440 | RHS- | M] () -- C:\WINDOWS\jayqeuuifpxghfzclc.exe
[2009.12.24 13:27:39 | 00,573,440 | RHS- | M] () -- C:\WINDOWS\haaukceutfpaddzepiic.exe
[2009.12.24 13:27:39 | 00,573,440 | RHS- | M] () -- C:\WINDOWS\aqnergfsoxemmjcem.exe
[2009.12.24 13:27:38 | 00,573,440 | RHS- | M] () -- C:\WINDOWS\tieugusezhnutphi.exe
[2009.12.24 13:27:19 | 00,000,650 | -H-- | M] () -- C:\WINDOWS\tcsciqiodffgzpbwxgwgmumshjjkdtfa.kak
[2009.12.24 13:27:19 | 00,000,650 | -H-- | M] () -- C:\WINDOWS\System32\tcsciqiodffgzpbwxgwgmumshjjkdtfa.kak
[2009.12.24 13:27:19 | 00,000,650 | -H-- | M] () -- C:\Program Files\tcsciqiodffgzpbwxgwgmumshjjkdtfa.kak
[2009.12.24 13:27:19 | 00,000,650 | -H-- | M] () -- C:\Documents and Settings\MARIAN\Local Settings\Application Data\tcsciqiodffgzpbwxgwgmumshjjkdtfa.kak
[2009.12.24 13:27:19 | 00,000,280 | -H-- | M] () -- C:\WINDOWS\xwccyweafxnentvgxwccyw.afx
[2009.12.24 13:27:19 | 00,000,280 | -H-- | M] () -- C:\WINDOWS\System32\xwccyweafxnentvgxwccyw.afx
[2009.12.24 13:27:19 | 00,000,280 | -H-- | M] () -- C:\Program Files\xwccyweafxnentvgxwccyw.afx
[2009.12.24 13:27:19 | 00,000,280 | -H-- | M] () -- C:\Documents and Settings\MARIAN\Local Settings\Application Data\xwccyweafxnentvgxwccyw.afx
[2009.12.24 13:27:08 | 00,001,332 | -H-- | M] () -- C:\WINDOWS\System32\kwpclwrasxaeatigkwpclwrasxaeatigkwp.lwr
[2009.12.24 13:27:08 | 00,001,332 | -H-- | M] () -- C:\WINDOWS\kwpclwrasxaeatigkwpclwrasxaeatigkwp.lwr
[2009.12.24 13:27:08 | 00,001,332 | -H-- | M] () -- C:\Program Files\kwpclwrasxaeatigkwpclwrasxaeatigkwp.lwr
[2009.12.24 13:27:08 | 00,001,332 | -H-- | M] () -- C:\Documents and Settings\MARIAN\Local Settings\Application Data\kwpclwrasxaeatigkwpclwrasxaeatigkwp.lwr
[2009.12.24 13:22:59 | 00,573,440 | RHS- | M] () -- C:\WINDOWS\System32\wqrmdwzqqdoaefciuopkb.exe
[2009.12.24 13:22:59 | 00,573,440 | RHS- | M] () -- C:\WINDOWS\System32\umletklayjscedycmed.exe
[2009.12.24 13:22:59 | 00,573,440 | RHS- | M] () -- C:\WINDOWS\System32\tieugusezhnutphi.exe
[2009.12.24 13:22:59 | 00,573,440 | RHS- | M] () -- C:\WINDOWS\System32\nikgyswopdpchjhobwyumg.exe
[2009.12.24 13:22:59 | 00,573,440 | RHS- | M] () -- C:\WINDOWS\System32\jayqeuuifpxghfzclc.exe
[2009.12.24 13:22:59 | 00,573,440 | RHS- | M] () -- C:\WINDOWS\System32\haaukceutfpaddzepiic.exe
[2009.12.24 13:22:59 | 00,573,440 | RHS- | M] () -- C:\WINDOWS\System32\aqnergfsoxemmjcem.exe
[2009.12.24 13:14:17 | 00,000,138 | -H-- | M] () -- C:\WINDOWS\System32\lysgqcyibhlqnhxwboiwgsoyrxbgdxnmreym.ieo
[2009.12.24 13:14:17 | 00,000,138 | -H-- | M] () -- C:\WINDOWS\lysgqcyibhlqnhxwboiwgsoyrxbgdxnmreym.ieo
[2009.12.24 13:14:17 | 00,000,138 | -H-- | M] () -- C:\Program Files\lysgqcyibhlqnhxwboiwgsoyrxbgdxnmreym.ieo
[2009.12.24 13:14:17 | 00,000,138 | -H-- | M] () -- C:\Documents and Settings\MARIAN\Local Settings\Application Data\lysgqcyibhlqnhxwboiwgsoyrxbgdxnmreym.ieo
[2009.12.24 13:13:48 | 00,004,248 | -H-- | M] () -- C:\WINDOWS\System32\oypahqjqgjkmgxkgisjubkdkadegareac.dov
[2009.12.24 13:13:48 | 00,004,248 | -H-- | M] () -- C:\WINDOWS\oypahqjqgjkmgxkgisjubkdkadegareac.dov
[2009.12.24 13:13:48 | 00,004,248 | -H-- | M] () -- C:\Program Files\oypahqjqgjkmgxkgisjubkdkadegareac.dov
[2009.12.24 13:13:48 | 00,004,248 | -H-- | M] () -- C:\Documents and Settings\MARIAN\Local Settings\Application Data\oypahqjqgjkmgxkgisjubkdkadegareac.dov

Let me know if you still want some samples. I should have almost 10 of them. :)


Regards,
Georgi
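Added example (my own, not part of the thread and not EP_X0FF's or Georgi's tooling): a Python triage pass over OTL-style listings like the one above. It keys on the drop pattern visible in the post: the 573,440-byte payload copied under several random names with R+H+S attributes, the small companion files replicated into four directories, and the O4/O6 autostart entries and the PRC line that point at those names. The thresholds, the name-randomness heuristic and the constructed ctfmon.exe control line are assumptions of this example, not analysis from the post.

```python
"""Triage helper for OTL-style scan logs (added example, not the poster's tooling).

Flags: RHS executables under %WINDIR% with random names, one payload size reused under
several names, companion files replicated into several directories, and O4/O6 autostart
entries or running processes (PRC) that point at a flagged file.
"""
import re
from collections import defaultdict

# "[2009.12.24 13:27:39 | 00,573,440 | RHS- | M] (company) -- C:\path\file.exe"
FILE_RE = re.compile(
    r"^\[(?P<ts>[\d.]+ [\d:]+) \| (?P<size>[\d,]+) \| (?P<attrs>[A-Z-]{4}) \| "
    r"(?P<kind>[A-Z])\] \((?P<company>[^)]*)\) -- (?P<path>.+)$"
)
# "O4 - HKLM..\Run: [valuename] C:\path\file.exe ()"
O4_RE = re.compile(r"^O4 - (?P<key>\S+?)\.\.\\Run: \[[^\]]+\] (?P<cmd>.+?) \(\)$")
# "O6 - HKLM\...\policies\Explorer\Run: valuename = file.exe ()"  (bare name, no path)
O6_RE = re.compile(r"^O6 - (?P<key>\S+\\Run): \S+ = (?P<cmd>.+?) \(\)$")
PRC_RE = re.compile(r"^PRC - (?P<path>.+?) \(\)$")  # "PRC - C:\path\file.exe ()"
RANDOM_STEM_RE = re.compile(r"[a-z]{14,}")  # long, letters only, no digits/separators (assumed heuristic)


def parse_log(text):
    """Split an OTL log into file records, autostart entries and running processes."""
    files, autostarts, procs = [], [], []
    for line in text.splitlines():
        line = line.strip()
        if m := FILE_RE.match(line):
            rec = m.groupdict()
            rec["size"] = int(rec["size"].replace(",", ""))
            rec["dir"], _, rec["name"] = rec["path"].rpartition("\\")
            files.append(rec)
        elif m := (O4_RE.match(line) or O6_RE.match(line)):
            autostarts.append({"key": m.group("key"), "cmd": m.group("cmd")})
        elif m := PRC_RE.match(line):
            procs.append(m.group("path"))
    return files, autostarts, procs


def triage(files, autostarts, procs, min_copies=3):
    """Return {file name: set of reasons} and the autostart entries that hit a flagged file."""
    findings = defaultdict(set)
    stems_by_size = defaultdict(set)  # payload size -> distinct .exe stems
    dirs_by_name = defaultdict(set)   # file name -> directories it was dropped into
    for f in files:
        name = f["name"].lower()
        stem, _, ext = name.rpartition(".")
        dirs_by_name[name].add(f["dir"].lower())
        if ext == "exe":
            stems_by_size[f["size"]].add(stem)
            if {"R", "H", "S"} <= set(f["attrs"]) and f["dir"].lower().startswith("c:\\windows"):
                findings[name].add("RHS executable under %WINDIR%")
        if RANDOM_STEM_RE.fullmatch(stem):
            findings[name].add("random-looking file name")
    for size, stems in stems_by_size.items():
        if len(stems) >= min_copies:  # same payload copied under several names
            for stem in stems:
                findings[stem + ".exe"].add(f"payload size {size} shared by {len(stems)} names")
    for name, dirs in dirs_by_name.items():
        if len(dirs) >= min_copies:  # same file name dropped into several directories
            findings[name].add(f"replicated into {len(dirs)} directories")
    hits = []
    for a in autostarts:
        name = a["cmd"].rpartition("\\")[2].lower()  # O6 values carry a bare file name
        if name in findings:
            findings[name].add(f"autostart via {a['key']}")
            hits.append((a["key"], name))
    for p in procs:
        name = p.rpartition("\\")[2].lower()
        if name in findings:
            findings[name].add("running process (PRC)")
    return dict(findings), hits


def report(text):
    """One line per flagged file, most reasons first, plus an autostart summary."""
    findings, hits = triage(*parse_log(text))
    lines = [f"{name}: " + "; ".join(sorted(reasons))
             for name, reasons in sorted(findings.items(), key=lambda kv: -len(kv[1]))]
    lines.append(f"{len(hits)} autostart entries point at flagged files")
    return lines


# Sample input: lines reproduced from the OTL listing in the post above, plus one
# constructed benign control line (ctfmon.exe; its size and date are made up here).
SAMPLE_LOG = r"""
PRC - C:\WINDOWS\system32\aqnergfsoxemmjcem.exe ()
O4 - HKLM..\Run: [uanuxcr] C:\WINDOWS\System32\jayqeuuifpxghfzclc.exe ()
O4 - HKU\S-1-5-21-117609710-2147117837-839522115-1003..\Run: [tcsciqiodf] C:\WINDOWS\System32\wqrmdwzqqdoaefciuopkb.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: aixglsjoc = aqnergfsoxemmjcem.exe ()
[2009.12.24 13:27:39 | 00,573,440 | RHS- | M] () -- C:\WINDOWS\wqrmdwzqqdoaefciuopkb.exe
[2009.12.24 13:27:39 | 00,573,440 | RHS- | M] () -- C:\WINDOWS\jayqeuuifpxghfzclc.exe
[2009.12.24 13:27:39 | 00,573,440 | RHS- | M] () -- C:\WINDOWS\aqnergfsoxemmjcem.exe
[2009.12.24 13:22:59 | 00,573,440 | RHS- | M] () -- C:\WINDOWS\System32\aqnergfsoxemmjcem.exe
[2009.12.24 13:27:19 | 00,000,650 | -H-- | M] () -- C:\WINDOWS\tcsciqiodffgzpbwxgwgmumshjjkdtfa.kak
[2009.12.24 13:27:19 | 00,000,650 | -H-- | M] () -- C:\WINDOWS\System32\tcsciqiodffgzpbwxgwgmumshjjkdtfa.kak
[2009.12.24 13:27:19 | 00,000,650 | -H-- | M] () -- C:\Program Files\tcsciqiodffgzpbwxgwgmumshjjkdtfa.kak
[2009.12.24 13:27:19 | 00,000,650 | -H-- | M] () -- C:\Documents and Settings\MARIAN\Local Settings\Application Data\tcsciqiodffgzpbwxgwgmumshjjkdtfa.kak
[2008.04.14 12:00:00 | 00,015,360 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\ctfmon.exe
"""

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Two things worth noticing when reading the output. The O6 line is the Policies\Explorer\Run key, which Explorer processes at logon like the ordinary Run keys but which many one-off cleanup scripts never look at; as the listing shows, its value is a bare file name rather than a full path, so matching on the file name (as above) rather than the path is what makes the cross-reference work. And because the copies under %WINDIR% and System32 carry the same name and size, a single grouping by (name, size) pulls the whole drop set together even when the random names defeat a string-based signature.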