Charlotte Gadgets and Tech Computer Security Examiner
W32.Sapaq: low or medium threat?

June 13, 2:02 AM, Computer Security Examiner, Dylan Wooten

A new computer virus was detected on June 12. A computer worm is a self-replicating program that uses computer networks to infect other machines without any user intervention. Whereas viruses attach themselves to specific programs, worms do not. Even if only by consuming an abnormally large amount of bandwidth, a computer worm almost always causes harm to a computer system.

The classic understanding is that worms are created without any intent to alter the infected system; they are only intended to spread. Contrary to this, newer worms are developed daily with a “payload” programmed into their code, so they are designed to do more than just spread. They may install backdoors (opening the possibility of a Trojan infection), encrypt files in a cryptoviral extortion attack, or even email sensitive documents from the hard drive to a destination address pre-programmed into the worm’s code. In some cases, the worm’s payload includes a component that deletes files on the host machine or turns the infected computer into a “zombie”.

The premise behind these “zombie” computers is that the worm’s originator gains control of the entire host machine and every file copied onto it. Because of this kind of payload, infected machines are commonly used as botnet nodes that send spam and junk email. Worms with such payloads are generally considered a high threat and need to be eliminated immediately. With that understood, the newest worm is W32.Sapaq.

Sources at Symantec have written that the worm infects the following systems:

  • Windows 95
  • Windows 98
  • Windows 2000
  • Windows ME
  • Windows NT
  • Windows XP
  • Windows Server 2003
  • Windows Vista

As such, it infects executable files that are shared and spread across networks. Sources have also indicated that the file size ranges from roughly 81,463 bytes to roughly 82,439 bytes. Whereas Symantec has listed this worm in the low category, it could otherwise be considered a medium-threat worm because of its payload. Once the file is executed, it copies itself to %System%\drivers\TXP1atform.exe and then creates the following files:

  • %System%\drivers\JM.SYS
  • %CommonProgramFiles%\Desktop_1.ini (non malicious)
  • %CommonProgramFiles%\Desktop_2.ini (non malicious)

What makes this worm a possible medium threat is that it deletes the host file and then creates another. The registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Explorer" = "%System%\drivers\TXP1atform.exe" is created, along with 20+ other registry entries.

Along with the registry entries, the worm recreates the JM.SYS file that was dropped with the original files (a variant of a password-stealing Trojan that transmits the stolen passwords to the worm’s originator) and changes it: it is renamed from JM.SYS to DMusic, with an image path of DMusic, and starts automatically when the host machine boots. As the file is a worm, it continues to infect executable files on the host machine until it is contained or neutralized. For network administrators who monitor outgoing traffic on their networks, the key is to watch TCP port 80 and look for connections to the IP address 60.173.10.53.
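As an added example (not from the article and not Symantec’s tooling), the following read-only PowerShell audit checks a Windows host for the indicators described above: the dropped files, the Run-key value named "Explorer", a DMusic service entry, and established outbound connections to 60.173.10.53 on TCP port 80. It assumes a Windows version that ships Get-NetTCPConnection (Windows 8 / Server 2012 or later), resolves %System% as %SystemRoot%\System32, and treats the HKLM Services key for DMusic as an assumption based on the article’s “image path” wording.

```powershell
# Added example, not from the article: read-only audit for the W32.Sapaq
# indicators listed in the text. Run from an elevated PowerShell prompt.
# Assumptions: Get-NetTCPConnection is available (Windows 8 / Server 2012+);
# %System% resolves to %SystemRoot%\System32; the DMusic persistence lives
# under HKLM\SYSTEM\CurrentControlSet\Services (inferred from "image path").

$system = Join-Path $env:SystemRoot 'System32'
$common = $env:CommonProgramFiles
$findings = @()

# 1. Files the article says the worm drops.
$paths = @(
    (Join-Path $system 'drivers\TXP1atform.exe'),
    (Join-Path $system 'drivers\JM.SYS'),
    (Join-Path $common 'Desktop_1.ini'),
    (Join-Path $common 'Desktop_2.ini')
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) {
        $findings += [pscustomobject]@{ Type = 'File'; Detail = $p }
    }
}

# 2. Run-key persistence: value "Explorer" pointing at the dropped executable.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['Explorer']) {
    $val = [string]$run.Explorer
    if ($val -match 'TXP1atform\.exe') {
        $findings += [pscustomobject]@{ Type = 'RunKey'; Detail = "Explorer = $val" }
    }
}

# 3. Service/driver persistence under the name DMusic (registry path assumed).
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\DMusic'
$svc = Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue
if ($svc) {
    $findings += [pscustomobject]@{ Type = 'Service'; Detail = "DMusic ImagePath = $($svc.ImagePath)" }
}

# 4. Outbound TCP connections to the address and port the article names.
$conns = Get-NetTCPConnection -RemoteAddress '60.173.10.53' -RemotePort 80 -ErrorAction SilentlyContinue
foreach ($c in $conns) {
    $findings += [pscustomobject]@{
        Type   = 'Network'
        Detail = "PID $($c.OwningProcess) -> $($c.RemoteAddress):$($c.RemotePort) ($($c.State))"
    }
}

if ($findings.Count -eq 0) {
    'No W32.Sapaq indicators found on this host.'
} else {
    $findings | Format-Table -AutoSize
}
```

The script only reads files, registry values and the connection table; it does not delete or modify anything, so a hit should be followed by Symantec’s removal instructions rather than by ad-hoc cleanup. Because the Run key it checks is under HKEY_CURRENT_USER, run it in the context of each user profile that may have executed the infected file.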

More specific and detailed information can be found at Symantec.com. Under the “Removal” tab there are detailed instructions on how to properly remove the worm from the infected computer system.
