Doctor Web notifies users of the Win32.HLLW.Shadow.based worm spreading over the Internet. There are several ways for the worm to get into a system. One of them is to exploit vulnerabilities found in all versions of Windows starting with Windows 2000 and up to Windows 7. Win32.HLLW.Shadow.basedalso features a polymorphic packer and therefore is very hard to analyze.
There are several ways in which Win32.HLLW.Shadow.based is spread. First of all it uses removable and network disks taking advantage of the autorun feature of Windows. The malicious file has a random name and is placed in a folder that is created as follows: RECYCLER\S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxxx As the recycle bin of Windows features the same folder structure, it allows the malware to remain unnoticed.
The worm can also spread over a network using the Windows SMB protocol. Win32.HLLW.Shadow.based uses its dictionary and most popular passwords to get a remote access to the target machine. If it manages to crack the password, it will copy itself into the system directory of the victim computer and create a task to be launched in a certain period of time.
Finally it can exploit vulnerabilities that are closed with a critical update described in the Microsoft security bulletin MS08-067. A target machine receives a special request that causes a buffer overflow. As the result the attacked computer downloads a malicious file over HTTP.
Actions performed by the worm after it has been launched.
When launched Win32.HLLW.Shadow.based checks which process it uses. If the process is rundll32.exe, the worm will inject its code in the svchost.exe and explorer.exe processes. After that it will open a current folder in the Explorer and stop working.
If Win32.HLLW.Shadow.based finds that the process is not rundll32.exe, it will replicate itself using a random name and will register its copy as a Windows service and add it to the autorun list to make sure it will be launched after Windows is restarted. It will also stop the Windows Update service and install its own HTTP server to spread itself over a network.
If the worm detects that it uses the svchost.exe process launched as a DNS client, tt will inject its code in DNS routines to block access to web-sites of most anti-virus vendors. Win32.HLLW.Shadow.based features a driver that allows it to modify the tcpip.sys file in the memory to increase the allowed number of simultaneous network connections.
The mission of Win32.HLLW.Shadow.based
The malicious program is designed to create another botnet. The running worm makes requests to download executable files from special servers and installs and launches these programs on target computers. Cyber-criminals may plan to use the botnet to generate profit or choose to sell it. Alas botnets are in high-demand nowadays.
Curing a system of Win32.HLLW.Shadow.based and avoiding the infection
- Install patches provided with the following security bulletins from Microsoft:
- Disconnect a computer from the local area network and the Internet. If computers are connected to a local network, connect a cured machine to the network only when all its hosts are cured.
- Use a malware-free machine to download the latest version of Dr.Web CureIt! and scan all hard drives to cure the system.
To avoid the infection disable autorun for removable drives, do not disable automatic updating and use strong passwords.
Capabilities of Dr.Web anti-virus for curing a system of Win32.HLLW.Shadow.based
Win32.HLLW.Shadow.based makes Windows set security attributes for its files and registry branches so they can’t be read using standard tools. Curing is possible only using Dr.Web scanner for Windows 4.44 or later. The scanner features the Dr.Web Shield™ anti-rootkit driver that provides the scanner with full access to files and registry branches protected in such a way.