W32.Daprosy

11 May 2012 Virus 3 Comments

W32.Daprosy is a worm that will sneak into computers via malicious email attachments. When the attached file is executed, W32.Daprosy will infect network drives, fixed, and USB removable drives. It will send itself onto victims computers email contacts to further propagate the infection.

Damage Level: Medium

Systems Affected: Windows 9x, 2000, XP, Windows Vista

Characteristics
Upon execution, the worm will drop several malicious files and creates a couple of folders under “Application Data”. The worm also searches for folders on all drives on the computer as well as network shares and create a duplicate copy of itself imitating folder name but in executable format. Next, W32.Daprosy will hide all folders, leaving only a copy of the worm as visible fake folders. Opening the fake folder will result to the execution of the worm. Simultaneously, it opens the real folder in a new window to avoid any suspicion.

W32.Daprosy may also end any security-related process leading to disability of installed anti-virus program.

Distribution
The worm will propagate to all network shared drives through the following files.

• %DriveLetter%\Classified.exe
• %DriveLetter%\Read1st!.exe

Then, it uses the infected computer as an SMTP server to mass-send a copy of the worm. It will gather contact information from the compromised PC and set them as new target.

Date Posted: 16 July 2009 @ 12:19

Added Registry Entries:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"WinSys" = "%Windir%\system.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"LSAShell" = "%Windir%\lsass.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"SessionMngr" = "C:\Documents and Settings\All Users\Application Data\PolariSys\dirlock.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "Explorer.exe \"C:\Documents and Settings\All Users\Application Data\Microsoft\Keyboard\kbdsys.exe\"

Associated Files and Folders:

C:\Documents and Settings\All Users\Application Data\Microsoft\Keyboard
C:\Documents and Settings\All Users\Application Data\PolariSys
%System%\hlpsvc1.exe
%System%\hlpsvc2.exe
%SystemDrive%\Read1st!.exe
%SystemDrive%\goats.exe
%Windir%\Classified.exe
%Windir%\system.exe
%Windir%\lsass.exe
%UserProfile%\My Documents\Classified.exe
C:\Documents and Settings\All Users\Application Data\Microsoft\Keyboard\kbdsys.exe
C:\Documents and Settings\All Users\Application Data\PolariSys\dirlock.exe
%Windir%\shutdown.dll
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Classified.exe

1. Temporarily Disable System Restore (Windows Me/XP). [how to]
2. To be able to identify even the most recent variant of W32.Daprosy, open your antivirus application and update the virus definition file.

3. Start Windows in Safe Mode with Networking.
- From a power-off state, turn on the computer and press F8 on your keyboard repeatedly.
- Your computer will display Windows Advanced Boot Options menu. Please select Safe Mode with Networking.
- The system will now boot Windows and loads only necessary drivers and files.

4. Open your antivirus program and run a full system scan. After the scan, delete all infected items. If unable to delete, better place them in quarantine. Once the scan is complete, please proceed with the next step.

Scan with Norton Power Eraser:

Free tool from Symantec called Norton Power Eraser provides deep scanning technology to detect and remote threats like W32.Daprosy. NPE targets and eliminate threats that regular virus scan fails to identify. Download NPE here.

Important! Because of Norton Power Eraser’s aggressive method, it can select even legitimate files as suspicious. Please use this tool very carefully.