Just Simple Blog

February 7, 2009

About Virus Win32/Tanatos

Names, aliases:

Win32/Kashu (AhnLab-V3), W32/Kashu.A (AntiVir), W32/Sality.AE (Authentium), Win32.Kashu.A (BitDefender), W32.Sality.R (CAT-QuickHeal), Win32.Sector.4 (DrWeb), Win32/Sality.V (eTrust-Vet), W32/Sality.AM@mm (Fortinet), W32/Sality.AE (F-Prot), W32/Kashu.A (F-Secure), Trojan-Dropper.Win32.Microjoin.R (Ikarus), Virus.Win32.Sality.v (Kaspersky), W32/Sality.ad (McAfee), Virus:Win32/Sality.AH (Microsoft), probably a variant of Win32/Sality.AB (NOD32v2), W32/Kashu.A (Norman), W32/Sality-AM (Sophos), W32.Sality.AB (Symantec), Trojan.Win32.KillAV.nh (VBA32), Win32.Sality.AI (VirusBuster), Win32.Kashu.A (Webwasher-Gateway)

Behavior:

PE-file infector. After disabling firewall and antivirus software, it downloads additional components.

Description:

When executed, Win32/Tanatos drops the following files, where [RANDOM] is a random number:

%System%\[RANDOM].dll
%System%\[RANDOM].dl_
%System%\drivers\[RANDOM].sys
%Temp%\[RANDOM].tmp

It adds the following entries to the registry:

HKLM\SYSTEM\CurrentControlSet\Services\MCIDRV_2600_6_0
Type=dword:00000001
Start=dword:00000002
ErrorControl=dword:00000001
ImagePath=\??\C:\WINDOWS\system32\drivers\[RANDOM].sys
DisplayName=MCIDRV_2600_6_0

Alters the following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"GlobalUserOffline" = "0"
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\system\"EnableLUA" = "0"

It also enumerates and deletes entries in the following registry subkeys:

HKCU\System\CurrentControlSet\Control\SafeBoot
HKLM\System\CurrentControlSet\Control\SafeBoot
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper
HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
HKLM\Software\Microsoft\Windows\CurrentVersion\Ext\Stats

Win32/Tanatos stores its own data in the [MCIDRV_VER] section of the SYSTEM.INI file.

The Trojan also stops and deletes the following services:

aswUpdSv
avast! Antivirus
avast! Mail Scanner
avast! Web Scanner
BackWeb Plug-in - 4476822
bdss
BGLiveSvc
BlackICE
CAISafe
ccEvtMgr
ccProxy
ccSetMgr
F-Prot Antivirus Update Monitor
fsbwsys
FSDFWD
F-Secure Gatekeeper Handler Starter
fshttps
FSMA
InoRPC
InoRT
InoTask
ISSVC
KPF4
LavasoftFirewall
LIVESRV
McAfeeFramework
McShield
McTaskManager
navapsvc
NOD32krn
NPFMntor
NSCService
Outpost Firewall main module
OutpostFirewall
PAVFIRES
PAVFNSVR
PavProt
PavPrSrv
PAVSRV
PcCtlCom
PersonalFirewal
PREVSRV
ProtoPort Firewall service
PSIMSVC
RapApp
SmcService
SNDSrvc
SPBBCSvc
Symantec Core LC
Tmntsrv
TmPfw
tmproxy
UmxAgent
UmxCfg
UmxLU
UmxPol
vsmon
VSSERV
WebrootDesktopFirewallDataService
WebrootFirewall
XCOMM
AVP
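The list above is useful for triage as well as for description: a security service that was present at the last inventory and has since vanished, or stopped, is a strong hint that something in this family has run. The script below is an added example (not from the original post) that compares two service inventories against a subset of the stop-and-delete list. It assumes a constructed tab-separated `ServiceName<TAB>State` export format; the inventories at the bottom are constructed, not taken from a real host.

```python
"""Triage helper: which security services from the Win32/Tanatos stop-and-delete
list have disappeared from, or stopped on, a host since the last inventory.

Added example; the inventory format and the sample inventories are constructed."""

# Subset of the service names the write-up says the virus stops and deletes.
TANATOS_SERVICE_TARGETS = {
    "aswUpdSv", "avast! Antivirus", "avast! Mail Scanner", "avast! Web Scanner",
    "bdss", "BlackICE", "ccEvtMgr", "ccProxy", "ccSetMgr", "FSMA", "ISSVC",
    "McAfeeFramework", "McShield", "McTaskManager", "navapsvc", "NOD32krn",
    "OutpostFirewall", "PAVSRV", "SmcService", "vsmon", "VSSERV", "AVP",
}


def parse_inventory(text):
    """Parse 'ServiceName<TAB>State' lines (constructed export format) into a dict."""
    services = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, state = line.partition("\t")
        services[name.strip()] = state.strip().upper()
    return services


def triage(baseline_text, current_text):
    """Return (missing, stopped): targeted services that vanished since the
    baseline, and targeted services that were running but no longer are.
    Windows service names are case-insensitive, so matching ignores case."""
    baseline = parse_inventory(baseline_text)
    current = parse_inventory(current_text)
    targets = {t.lower() for t in TANATOS_SERVICE_TARGETS}
    missing, stopped = [], []
    for name, state in baseline.items():
        if name.lower() not in targets:
            continue  # not a security service this family goes after
        if name not in current:
            missing.append(name)
        elif state == "RUNNING" and current[name] != "RUNNING":
            stopped.append(name)
    return sorted(missing), sorted(stopped)


# Constructed sample inventories: an earlier snapshot and the current state.
BASELINE_INVENTORY = """# constructed baseline export
McShield\tRUNNING
McTaskManager\tRUNNING
vsmon\tRUNNING
Spooler\tRUNNING
AVP\tRUNNING
"""

CURRENT_INVENTORY = """# constructed current export
McTaskManager\tSTOPPED
Spooler\tRUNNING
AVP\tRUNNING
"""

if __name__ == "__main__":
    missing, stopped = triage(BASELINE_INVENTORY, CURRENT_INVENTORY)
    print("targeted services now missing:", missing)
    print("targeted services now stopped:", stopped)
```

On a real host the inventories would come from two service listings taken before and after the suspected infection; the comparison logic is the same, and a non-empty result is a reason to check the registry and SYSTEM.INI indicators from the previous section as well.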

Connects to the following URLs from where it downloads and executes additional files:

makemegood24.com
perfectchoice1.com
cash-ddt.net
ddr-cash.net
trn-cash.net
money-frn.net
clr-cash.net
xxxl-cash.net
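The registry, SYSTEM.INI and download-domain indicators above can be checked offline from collected artefacts. The following added example (not from the original post) parses a Regedit `.reg` export, a SYSTEM.INI file and a DNS query log, and reports the MCIDRV_2600_6_0 service key, the EnableLUA and GlobalUserOffline changes, the [MCIDRV_VER] section and any lookups of the listed domains. The DNS log layout (`date time client type qname`), the random driver name and the sample artefacts are constructed.

```python
"""Offline IoC sweep for the Win32/Tanatos persistence and network indicators.

Added example. Inputs are text artefacts (a .reg export, SYSTEM.INI, a DNS
log) so nothing touches the live registry; all samples below are constructed."""
import re

# Download domains named in the write-up.
DOWNLOAD_DOMAINS = {
    "makemegood24.com", "perfectchoice1.com", "cash-ddt.net", "ddr-cash.net",
    "trn-cash.net", "money-frn.net", "clr-cash.net", "xxxl-cash.net",
}

HIVES = {"hkey_local_machine": "hklm", "hkey_current_user": "hkcu"}


def normalize_key(path):
    """Lower-case a registry path and shorten the hive name (HKLM/HKCU)."""
    hive, _, rest = path.lower().partition("\\")
    return HIVES.get(hive, hive) + "\\" + rest


def parse_reg_export(text):
    """Parse a Regedit .reg export into {key_path: {value_name: raw_value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = normalize_key(line[1:-1])
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and '"=' in line:
            name, _, value = line[1:].partition('"=')
            keys[current][name.lower()] = value
    return keys


def check_registry(keys):
    """Findings for the service key and the two policy values from the write-up."""
    findings = []
    svc = keys.get(r"hklm\system\currentcontrolset\services\mcidrv_2600_6_0")
    if svc is not None:
        findings.append(("service", "MCIDRV_2600_6_0 service key present; ImagePath="
                         + svc.get("imagepath", "?")))
    policy = keys.get(r"hklm\software\microsoft\windows\currentversion\policies\system", {})
    if policy.get("enablelua") in ("dword:00000000", '"0"'):
        findings.append(("policy", "EnableLUA set to 0"))
    inet = keys.get(r"hkcu\software\microsoft\windows\currentversion\internet settings", {})
    if inet.get("globaluseroffline") in ("dword:00000000", '"0"'):
        findings.append(("policy", "GlobalUserOffline set to 0"))
    return findings


def check_system_ini(text):
    """Flag the [MCIDRV_VER] section the virus writes to SYSTEM.INI."""
    sections = {m.group(1).upper() for m in re.finditer(r"^\s*\[([^\]]+)\]", text, re.M)}
    return [("ini", "SYSTEM.INI contains a [MCIDRV_VER] section")] if "MCIDRV_VER" in sections else []


def check_dns(log_text):
    """Flag queries for a listed domain or any name under it (constructed log layout)."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if not parts:
            continue
        qname = parts[-1].rstrip(".").lower()
        client = parts[2] if len(parts) > 2 else "?"
        if any(qname == d or qname.endswith("." + d) for d in DOWNLOAD_DOMAINS):
            findings.append(("dns", f"{client} queried {qname}"))
    return findings


def sweep(reg_text, ini_text, dns_text):
    return check_registry(parse_reg_export(reg_text)) + check_system_ini(ini_text) + check_dns(dns_text)


# Constructed artefacts. "ksxvn.sys" stands in for the [RANDOM] driver name.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MCIDRV_2600_6_0]
"Type"=dword:00000001
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\drivers\\ksxvn.sys"
"DisplayName"="MCIDRV_2600_6_0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline"=dword:00000000
"""

SAMPLE_INI = """; constructed SYSTEM.INI
[drivers]
wave=mmdrv.dll
[MCIDRV_VER]
cfg=0123456789abcdef
"""

SAMPLE_DNS = """2009-02-07 10:01:02 192.0.2.15 A updates.example.com
2009-02-07 10:01:05 192.0.2.15 A makemegood24.com
2009-02-07 10:01:06 192.0.2.15 A www.cash-ddt.net
"""

if __name__ == "__main__":
    for category, detail in sweep(SAMPLE_REG, SAMPLE_INI, SAMPLE_DNS):
        print(f"[{category}] {detail}")
```

Because the service name and the INI section are fixed while the driver file name is random, the sweep keys on the fixed parts and merely reports the ImagePath it finds, which is also what to quarantine after the reboot step in the removal section.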

It deletes files with the following extensions:

*.VDB
*.AVC
*.KEY (but only if the first three letters of the file name are "drw")

Deletes executable files whose name contains any of the following strings:

_AVPM.
A2GUARD.
AAVSHIELD.
AVAST
ADVCHK.
AHNSD.
AIRDEFENSE
ALERTSVC
ALMON.
ALOGSERV
ALSVC.
AMON.
ANTI-TROJAN.
AVZ.
ANTIVIR
ANTS.
APVXDWIN.
ARMOR2NET.
ASHAVAST.
ASHDISP.
ASHENHCD.
ASHMAISV.
ASHPOPWZ.
ASHSERV.
ASHSIMPL.
ASHSKPCK.
ASHWEBSV.
ASWUPDSV.
ATCON.
ATUPDATER.
ATWATCH.
AUPDATE.
AUTODOWN.
AUTOTRACE.
AUTOUPDATE.
AVCIMAN.
AVCONSOL.
AVENGINE.
AVGAMSVR.
AVGCC.
AVGCC32.
AVGCTRL.
AVGEMC.
AVGFWSRV.
AVGNT.
AVGNTDD
AVGNTMGR
AVGSERV.
GUARD.
AVGUPSVC.
AVINITNT.
AVKSERV.
AVKSERVICE.
AVKWCTL.
AVP.
AVP32.
AVPCC.
AVPM.
AVPUPD.
AVSCHED32.
AVSYNMGR.
AVWUPD32.
AVWUPSRV.
AVXMONITOR9X.
AVXMONITORNT.
AVXQUAR.
BACKWEB-4476822.
BDMCON.
BDNEWS.
BDOESRV.
BDSS.
BDSUBMIT.
BDSWITCH.
BLACKD.
BLACKICE.
CAFIX.
CCAPP.
CCEVTMGR.
CCPROXY.
CCSETMGR.
CFIAUDIT.
CLAMTRAY.
CLAMWIN.
CLAW95.
CLAW95CF.
CLEANER.
CLEANER3.
CLISVC.
CMGRDIAN.
CUREIT
DEFWATCH.
DOORS.
DRVIRUS.
DRWADINS.
DRWEB32W.
DRWEBSCD.
DRWEBUPW.
ESCANH95.
ESCANHNT.
EWIDOCTRL.
EZANTIVIRUSREGISTRATIONCHECK.
F-AGNT95.
FAMEH32.
FAST.
FCH32.
FILEMON
FIRESVC.
FIRETRAY.
FIREWALL.
FPAVUPDM.
F-PROT95.
FRESHCLAM.
FRW.
FSAV32.
FSAVGUI.
FSBWSYS.
F-SCHED.
FSDFWD.
FSGK32.
FSGK32ST.
FSGUIEXE.
FSM32.
FSMA32.
FSMB32.
FSPEX.
FSSM32.
F-STOPW.
GCASDTSERV.
GCASSERV.
GIANTANTISPYWAREMAIN.
GIANTANTISPYWAREUPDATER.
GUARDGUI.
GUARDNT.
HREGMON.
HRRES.
HSOCKPE.
HUPDATE.
IAMAPP.
IAMSERV.
ICLOAD95.
ICLOADNT.
ICMON.
ICSSUPPNT.
ICSUPP95.
ICSUPPNT.
IFACE.
INETUPD.
INOCIT.
INORPC.
INORT.
INOTASK.
INOUPTNG.
IOMON98.
ISAFE.
ISATRAY.
ISRV95.
ISSVC.
KAV.
KAVMM.
KAVPF.
KAVPFW.
KAVSTART.
KAVSVC.
KAVSVCUI.
KMAILMON.
KPFWSVC.
KWATCH.
LOCKDOWN2000.
LOGWATNT.
LUALL.
LUCOMSERVER.
LUUPDATE.
MCAGENT.
MCMNHDLR.
MCREGWIZ.
MCUPDATE.
MCVSSHLD.
MINILOG.
MYAGTSVC.
MYAGTTRY.
NAVAPSVC.
NAVAPW32.
NAVLU32.
NAVW32.
NOD32.
NEOWATCHLOG.
NEOWATCHTRAY.
NISSERV
NISUM.
NMAIN.
NOD32
NORMIST.
NOTSTART.
NPAVTRAY.
NPFMNTOR.
NPFMSG.
NPROTECT.
NSCHED32.
NSMDTR.
NSSSERV.
NSSTRAY.
NTRTSCAN.
NTXCONFIG.
NUPGRADE.
NVC95.
NVCOD.
NVCTE.
NVCUT.
NWSERVICE.
OFCPFWSVC.
OUTPOST.
PAV.
PAVFIRES.
PAVFNSVR.
PAVKRE.
PAVPROT.
PAVPROXY.
PAVPRSRV.
PAVSRV51.
PAVSS.
PCCGUIDE.
PCCIOMON.
PCCNTMON.
PCCPFW.
PCCTLCOM.
PCTAV.
PERSFW.
PERTSK.
PERVAC.
PNMSRV.
POP3TRAP.
POPROXY.
PREVSRV.
PSIMSVC.
QHM32.
QHONLINE.
QHONSVC.
QHPF.
QHWSCSVC.
RAVMON.
RAVTIMER.
REALMON.
REALMON95.
RFWMAIN.
RTVSCAN.
RTVSCN95.
RULAUNCH.
SAVADMINSERVICE.
SAVMAIN.
SAVPROGRESS.
SAVSCAN.
SCAN32.
SCANNINGPROCESS.
SCHED.
SDHELP.
SHSTAT.
SITECLI.
SPBBCSVC.
SPHINX.
SPIDERML.
SPIDERNT.
SPIDERUI.
SPYBOTSD.
SPYXX.
SS3EDIT.
STOPSIGNAV.
SWAGENT.
SWDOCTOR.
SWNETSUP.
SYMLCSVC.
SYMPROXYSVC.
SYMSPORT.
SYMWSC.
SYNMGR.
TAUMON.
TBMON.
TC.
TCA.
TCM.
TDS-3.
TEATIMER.
TFAK.
THAV.
THSM.
TMAS.
TMLISTEN.
TMNTSRV.
TMPFW.
TMPROXY.
TNBUTIL.
TRJSCAN.
UP2DATE.
VBA32ECM.
VBA32IFS.
VBA32LDR.
VBA32PP3.
VBSNTW.
VCHK.
VCRMON.
VETTRAY.
VIRUSKEEPER.
VPTRAY.
VRFWSVC.
VRMONNT.
VRMONSVC.
VRRW32.
VSECOMR.
VSHWIN32.
VSMON.
VSSERV.
VSSTAT.
WATCHDOG.
WEBPROXY.
WEBSCANX.
WEBTRAP.
WGFE95.
WINAW32.
WINROUTE.
WINSS.
WINSSNOTIFY.
WRADMIN.
WRCTRL.
XCOMMSVR.
ZATUTOR.
ZAUINST.
ZLCLIENT.
ZONEALARM.

Executable files are infected by appending the virus code to the last section. Win32/Tanatos searches for executables on local drives and on the network; however, it does not infect files in the following folders:

SYSTEM
AHEAD
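An infector that appends its code to the last section and redirects execution there leaves a structural trace in the PE header: the entry point ends up inside the last section, and that section usually has to be made executable (and writable) on top of whatever it was before. The following added example (not from the original post, and not the removal tool's logic) parses the section table of a PE file and reports those two conditions. The `build_pe` helper and both sample headers are constructed fixtures for the demonstration, not real binaries.

```python
"""Heuristic check for appending file infectors: is the entry point inside the
last section, and is that section writable and executable?

Added example; the PE fixtures are constructed headers, not loadable programs."""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_sections(data):
    """Return (entry_point_rva, [section dicts]) from a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        name, vsize, va, rawsize, _rawptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode(errors="replace"),
                         "va": va, "vsize": vsize, "raw": rawsize, "chars": chars})
    return entry, sections


def _contains(section, rva):
    size = max(section["vsize"], section["raw"])
    return section["va"] <= rva < section["va"] + size


def appended_infector_indicators(data):
    """List of human-readable findings; empty means nothing suspicious."""
    entry, sections = parse_sections(data)
    if not sections:
        return ["no sections"]
    last = sections[-1]
    findings = []
    if len(sections) > 1 and _contains(last, entry):
        findings.append(f"entry point 0x{entry:x} lies in last section {last['name']!r}")
    if last["chars"] & IMAGE_SCN_MEM_EXECUTE and last["chars"] & IMAGE_SCN_MEM_WRITE:
        findings.append(f"last section {last['name']!r} is writable and executable")
    if not any(_contains(s, entry) for s in sections):
        findings.append("entry point outside every section")
    return findings


def build_pe(sections, entry_rva):
    """Build a minimal PE32 header (constructed fixture). sections: (name, va, size, chars)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)       # AddressOfEntryPoint
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, s, va, s, 0, 0, 0, 0, 0, c)
                     for n, va, s, c in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Constructed fixtures: a normal layout, and the same file after its .data
# section has grown, turned executable, and become the entry point.
CLEAN_SAMPLE = build_pe([(b".text", 0x1000, 0x2000, 0x60000020),
                         (b".data", 0x3000, 0x1000, 0xC0000040)], 0x1200)
INFECTED_SAMPLE = build_pe([(b".text", 0x1000, 0x2000, 0x60000020),
                            (b".data", 0x3000, 0x1800, 0xE0000040)], 0x3900)

if __name__ == "__main__":
    print("clean:", appended_infector_indicators(CLEAN_SAMPLE))
    print("infected:", appended_infector_indicators(INFECTED_SAMPLE))
```

This is a heuristic, not a signature: packers and some linkers also place the entry point in a late section, so hits deserve a look rather than automatic deletion, which is also why the write-up's removal step relies on a dedicated tool to heal files instead of deleting them.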

Removing:

If an infected computer is connected to a LAN, unplug it from the LAN and reconnect it only once all computers are clean.

Download the following files: rmtanat.exe and rmtanat.nt.

Update AVG and run a test of the Windows System folder to schedule the removal of the infected DLL/OCX library at the next computer restart.

Restart the computer so that the DLL/OCX file is removed.

Thereafter run the removal tool with the parameter C:\ to heal the infected files. You can specify more drives (example: rmprepnd C:\ D:\).

Check the firewall and update Windows and the antivirus software.

Arifin Copyright 2009. Powered by Blogger