Daprosy Worm

Last updated

Daprosy worm was a malicious computer program that spreads via local area network (LAN) connections, spammed e-mails and USB mass storage devices. Infection comes from a single read1st.exe file where several dozen clones are created at once bearing the names of compromised folders. The most obvious symptom of Daprosy infection is the presence of Classified.exe or Do not open - secrets!.exe files from infected folders.

Although first observed in early May 2009, [1] the worm was first announced to the public as Daprosy trojan [2] worm by Symantec in July 2009 and was later identified as Autorun-AMS, Autorun-AMW and Autorun-APL by Sophos. [3] It acquired additional aliases from antivirus companies and others tag it as an incarnation or variation of the Autorun.H. [4] [5]

The worm belongs to the “slow” mass mailer category where copies of which are attached and sent to addresses intercepted from the keyboard. The e-mail consists of a promotion of and installation instruction for an imaginary antivirus product purported to remove unknown infections from the computer. While infection cannot occur until the attached worm is renamed and opened, it could spread to system folders in a matter of seconds. It is known to shut down or hang Windows Vista and Windows 7 when attempts to write on the system drive are denied by said operating systems. Also, the worm hides folders and makes them "super hidden" so that data contained in them are not easily accessed.

Precision key logging is the main threat associated with Daprosy infection. Logged keystrokes containing sensitive data could be sent to its author using the worm's improvised mailing system. Early strains are known to destabilize, corrupt and even stall the operating system due to programming bugs. Said strains appear to be incomplete and were probably created by students or amateur Visual Basic programmers as evidenced by using VB decompilers. Final or later releases of Daprosy worm are prolific online game password stealers. They also pose great threats to banking and other e-commerce establishments.

Daprosy worm is rampant in public Internet cafés with LAN connections and exposed USB mass storage drives. As of October 2009 special scripts are available to remove it from infected computers. Many Windows system were stalled last November 13, 2009. An initial investigation points to the older versions of Daprosy Worm, viz. Sophos Autorun-AMS and Autorun-AMW, which appear to be "Friday the Thirteenth" malware.

More recent and persistent variants of Daprosy worm are still in circulation. A notable variant, Win32/Kashu.B as identified by Ahnlab, can be removed only by using live CD. Usually, such variants of Daprosy worm are infected by Sality viruses and usually have file size greater than 100 kilobytes. It now appears that Daprosy worm is a natural host to file-infecting viruses since the former is well distributed on all drives. Viral Daprosy exists in many variants which again requires special scripts to remove. Manual removal of worms infected with viruses requires knowledge usually belonging to individuals associated with AV companies.

Daprosy is "active" even in Safe Mode which makes it difficult to manually remove. Its key logging mechanism is so precise that it captures almost everything typed on the keyboard. This ranks Daprosy as one of the most dangerous worms of the last decade.

Related Research Articles

<span class="mw-page-title-main">Antivirus software</span> Computer software to defend against malicious computer viruses

Antivirus software, also known as anti-malware, is a computer program used to prevent, detect, and remove malware.

<span class="mw-page-title-main">Blaster (computer worm)</span> 2003 Windows computer worm

Blaster was a computer worm that spread on computers running operating systems Windows XP and Windows 2000 during August 2003.

Bagle was a mass-mailing computer worm affecting Microsoft Windows. The first strain, Bagle.A, did not propagate widely. A second variant, Bagle.B, was considerably more virulent.

W32.Navidad is a mass-mailing worm program or virus, discovered in December 2000 that ran on Windows 95, Windows 98, Windows NT, and Windows 2000 systems. It was designed to spread through email clients such as Microsoft Outlook while masquerading as an executable electronic Christmas card. Infected computers can be identified by blue eye icons which appear in the Windows system tray.

Brontok is a computer worm running on Microsoft Windows. It is able to disperse by e-mail. Variants include:

RavMonE, also known as RJump, is a Trojan that opens a backdoor on computers running Microsoft Windows. Once a computer is infected, the virus allows unauthorized users to gain access to the computer's contents. This poses a security risk for the infected machine's user, as the attacker can steal personal information, and use the computer as an access point into an internal network.

Stration is a family of computer worms that can affect computers running Microsoft Windows, disabling security features and propagating itself to other computers via e-mail attachments. This family of worms is unusual in that new variants are being produced at an unprecedented rate, estimated to be up to one every 30 minutes at its peak, and downloaded from remote servers by infected machines to speed propagation. This makes detection and removal a particular challenge for anti-virus software vendors, because new signature files for each variant need to be issued to allow their software to detect them.

<span class="mw-page-title-main">SpySheriff</span> Spyware

SpySheriff is malware that disguises itself as anti-spyware software. It attempts to mislead the user with false security alerts, threatening them into buying the program. Like other rogue antiviruses, after producing a list of false threats, it prompts the user to pay to remove them. The software is particularly difficult to remove, since it nests its components in System Restore folders, and also blocks some system management tools. However, SpySheriff can be removed by an experienced user, antivirus software, or by using a rescue disk.

<span class="mw-page-title-main">Storm Worm</span> Backdoor Trojan horse found in Windows

The Storm Worm is a phishing backdoor Trojan horse that affects computers using Microsoft operating systems, discovered on January 17, 2007. The worm is also known as:

Secure USB flash drives protect the data stored on them from access by unauthorized users. USB flash drive products have been on the market since 2000, and their use is increasing exponentially. As both consumers and businesses have increased demand for these drives, manufacturers are producing faster devices with greater data storage capacities.

Koobface is a network worm that attacks Microsoft Windows, Mac OS X, and Linux platforms. This worm originally targeted users of networking websites like Facebook, Skype, Yahoo Messenger, and email websites such as GMail, Yahoo Mail, and AOL Mail. It also targets other networking websites, such as MySpace, Twitter, and it can infect other devices on the same local network. Technical support scammers also fraudulently claim to their intended victims that they have a Koobface infection on their computer by using fake popups and using built-in Windows programs.

<span class="mw-page-title-main">Conficker</span> Computer worm

Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. It uses flaws in Windows OS software and dictionary attacks on administrator passwords to propagate while forming a botnet, and has been unusually difficult to counter because of its combined use of many advanced malware techniques. The Conficker worm infected millions of computers including government, business and home computers in over 190 countries, making it the largest known computer worm infection since the 2003 SQL Slammer worm.

The Fun.Exe virus is of the w32.Assarm family of computer viruses. According to Symantec it registers itself as a Windows system process then periodically sends mail with spreading attachments as a response to any unopened emails in Outlook Express. This virus first appeared in early 2008 and is now recognized by most anti virus programs.

Swen is a mass mailing computer worm written in C++. It sends an email which contains the installer for the virus, disguised as a Microsoft Windows update, although it also works on P2P filesharing networks, IRC and newsgroups' websites. It was first analyzed on September 18, 2003, however, it might have infected computers before then. It disables firewalls and antivirus programs.

Sality is the classification for a family of malicious software (malware), which infects Microsoft Windows systems files. Sality was first discovered in 2003 and has advanced to become a dynamic, enduring and full-featured form of malicious code. Systems infected with Sality may communicate over a peer-to-peer (P2P) network to form a botnet to relay spam, proxying of communications, exfiltrating sensitive data, compromising web servers and/or coordinating distributed computing tasks to process intensive tasks. Since 2010, certain variants of Sality have also incorporated rootkit functions as part of an ongoing evolution of the malware family. Because of its continued development and capabilities, Sality is considered one of the most complex and formidable forms of malware to date.

The BuluBebek virus is a computer worm that was first discovered on October 10, 2008. The virus is not exceptionally widespread, but rather has only infected small groups of computers. Related to the Kenshin, Doraemon, and Naturo viruses, the virus has infected computers in various parts of the world. It is written in a high level programming language, known as Visual Basic. The virus is only 53 KB in size and creates two files on the computers it infects, an EXE file and an INF file.

Slenfbot is the classification for a family of malicious software (malware), which infects files on Microsoft Windows systems. Slenfbot was first discovered in 2007 and, since then, numerous variants have followed; each with slightly different characteristics and new additions to the worm's payload, such as the ability to provide the attacker with unauthorized access to the compromised host. Slenfbot primarily spreads by luring users to follow links to websites, which contain a malicious payload. Slenfbot propagates via instant messaging applications, removable drives and/or the local network via network shares. The code for Slenfbot appears to be closely managed, which may provide attribution to a single group and/or indicate that a large portion of the code is shared amongst multiple groups. The inclusion of other malware families and variants as well as its own continuous evolution, makes Slenfbot a highly effective downloader with a propensity to cause even more damage to compromised systems.

Win32/Patched is a computer Trojan targeting the Microsoft Windows operating system that was first detected in October 2008. Files detected as "Trojan.Win32.Patched" are usually Windows components that are patched by a malicious application. The purpose of patching varies. For example, certain malware patches system components in order to disable security, such as the Windows Safe File Check feature. Other malware can add parts of its code to a system component and then patch certain functions of the original file to point to an appended code.

Agent.BTZ, also named Autorun, is a computer worm that infects USB flash drives with spyware. A variant of the SillyFDC worm, it was used in a massive 2008 cyberattack on the US military, infecting 300,000 computers.

Trojan.Win32.DNSChanger is a backdoor trojan that redirects users to various malicious websites through the means of altering the DNS settings of a victim's computer. The malware strain was first discovered by Microsoft Malware Protection Center on December 7, 2006 and later detected by McAfee Labs on April 19, 2009.

References

  1. "Please help virus attack Classified.exe".
  2. "W32.Daprosy". Archived from the original on 2011-06-07. Retrieved 2009-10-07.
  3. "Sophos Security Labs: Real-Time Malware Threat Prevention".
  4. "ThreatExpert Report: W32.Daprosy, Worm.Win32.AutoRun.ausp, Mal/Generic-A, Worm.Win32.AutoRun." www.threatexpert.com. Archived from the original on 2011-07-17.
  5. "Classified.exe MD5:ed51f1ac4e02e10fb922becc0dd402d9 - VirSCAN.org 41% Scanner(s) (15/37) found malware!". Archived from the original on 2011-09-01. Retrieved 2009-10-30.