Win32.Worm.Datom.A Analysis

Virus analyzed by:
Bogdan Dragu
BitDefender Virus Researcher

HNS Note: BitDefender released Anti Datom program that finds and removes this worm. Our mirrored copy can be downloaded from here:

Name: Win32.Worm.Datom.A
Aliases: –
Type: Executable Worm
Sizes: 58368 bytes (msvxd.exe); 54784 bytes (msvxd16.dll); 81408 bytes (msvxd32.dll)
Discovered: 10 July 2002
Detected: 10 July 2002, 17:30 (GMT+2)
Spreading: High
Damage: Low
ITW: Yes

– files MSVXD.EXE, MSVXD16.DLL and MSVXD32.DLL in a subfolder of the Windows folder (see technical details below) or of a shared folder;
– the registry entry HKLM\Software\Microsoft\CurrentVersion\Run\MSVXD (viewable by running REGEDIT when Windows is in Safe Mode).

Technical description:

Win32.Worm.Datom.A is a new network worm that uses shared folders in the local network to spread itself. It consists of three components: MSVXD.EXE, MSVXD16.DLL and MSVXD32.DLL, created using Borland C++. All relevant strings of characters are stored in an encrypted format in the virus files, in order to avoid disassembly; the virus also uses a few anti-debugger tricks.

Depending whether it is run with the “1632” command line argument, the first component of the virus (MSVXD.EXE) attempts to copy the virus in one of the following subfolders of the Windows folder:

– Profiles\All Users\Start Menu\Programs\StartUp;
– Documents and Settings\All Users\Start Menu\Programs\StartUp;
РDocuments and Settings\All Users\Menu D̩marrer\Programmes\D̩marrage;
– Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica.

MSVXD.EXE is also responsible for attempting to modify the WIN.INI file in order to run the virus at start-up and for launching the second component, MSVXD16.DLL.

MSVXD16.DLL creates the HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MSVXD registry entry in order to run MSVXD.EXE (with the argument “1632”) at every Windows start-up, and installs a hook procedure that monitors the user’s attempts to run REGEDIT or MSCONFIG; if any of the two applications is run, the malicious registry entry is “hidden” from the user by a using an unusual trick (this behaviour is also present at the third component.) Besides these actions, MSVXD16.DLL also launches MSVXD32.DLL.

When the third component of the virus (MSVXD32.DLL) is loaded, it creates 4 execution threads:

– the first thread monitors the running of REGEDIT and MSCONFIG (just like MSVXD16.DLL) and also drops copies of the virus in temporary files (named TMP_V_00.TMP, etc);

– the second thread stops the execution of Zone Alarm if it is found running, attempts to connect to the website; it also sends an email message to one or two hardcoded addresses, including an attachment, by connecting to a public email server;

– the third thread attempts to drop copies of the virus components in available shared folders and subfolders of the computers in the network;

– the fourth thread attempts to change the value of the default entry in the HKCR\.html\Shell\Open\Command registry key, modifying the default application that opens .html files.

Manual Removal:

Restart Windows in Safe Mode (if possible) and eliminate the HKLM\Software\Microsoft\CurrentVersion\Run\MSVXD registry entry using REGEDIT; delete all found MSVXD.EXE, MSVXD16.DLL and MSVXD32.DLL files that match the sizes listed above.

Automatic Removal:

Let BitDefender delete infected files.

Scan: BitDefender Online Virus Scan on Help Net Security:

PR: High-spreading Virus Disguised as a Microsoft Update

Virus: Kaspersky Lab – Worm.Win32.Datom info

Don't miss