| Fasong | |
|---|---|
| Type | Network worm |
| Creator | |
| Date Discovered | 02-JUN-2003 |
| Place of Origin | China? |
| Source Language | Delphi |
| Platform | Microsoft Windows |
| File Types | .exe |
| Infection Length | 172,335 bytes |
| Reported Costs | |
Fasong, also known as BenfGame, is a network worm that steals passwords and sends them to its creator via OICQ, a Chinese ICQ client.
Behavior
[Image: Fasong's icons]
Fasong can arrive on a system through a shared folder or a dropper. When executed, Fasong creates shares for local and network drives. It creates the file C:\Filedebug, which lists the files the worm has created. It copies itself to randomly selected folders on all the mapped and shared drives, using file names composed of random letters. Some of the dropped files are registered as processes. It modifies the following registry keys so that it is run whenever the user opens one of these file types:
* HKEY_CLASSES_ROOT\txtfile\shell\open\command (replaces the reference to notepad.exe with one of the random filenames the worm created)
* HKEY_CLASSES_ROOT\chm.file\shell\open\command (replaces the reference to hh.exe with one of the random filenames the worm created)
* HKEY_CLASSES_ROOT\scrfile\shell\open\command (changes the key to include one of the random filenames the worm created, so that the key reads "<filename> "%1"")
* HKEY_CLASSES_ROOT\regfile\shell\open\command (replaces the reference to regedit.exe with one of the random filenames the worm created)
* HKEY_CLASSES_ROOT\inifile\shell\open\command (replaces the reference to whatever application is registered with one of the random filenames the worm created)
* HKEY_CLASSES_ROOT\exefile\shell\open\command (changes the key to include one of the random filenames the worm created, so that the key reads "<filename> "%1" %*")
In an attempt to ensure it runs at startup, the worm also adds a random value under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run; this value may not match the file it is trying to reference. It also writes a random value to the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\win70\workfile.
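The registry changes described above can be audited from PowerShell. The script below is an added example, not code from the original page or from Symantec; the expected default handlers (notepad.exe, hh.exe, regedit.exe) and the "%1" prefix for exefile/scrfile are assumptions for a typical Windows build and may differ on yours.

```powershell
# Added audit script, not from the original page: checks the persistence locations
# the text attributes to Fasong (HKCR shell\open\command handlers and the HKLM Run
# key). Expected default handlers are assumptions for a typical Windows build.
$ExpectedHandler = @{
    'txtfile'  = 'notepad.exe'
    'chm.file' = 'hh.exe'
    'regfile'  = 'regedit.exe'
    'inifile'  = 'notepad.exe'   # assumption: common default, may differ per build
}

function Get-OpenCommand([string]$ProgId) {
    $key = "Registry::HKEY_CLASSES_ROOT\$ProgId\shell\open\command"
    if (Test-Path $key) { (Get-ItemProperty -Path $key).'(default)' }
}

function Test-FileAssociationHijack {
    $findings = @()
    foreach ($progId in $ExpectedHandler.Keys) {
        $cmd = Get-OpenCommand $progId
        if ($cmd -and $cmd -notmatch [regex]::Escape($ExpectedHandler[$progId])) {
            $findings += [pscustomobject]@{ ProgId = $progId; Command = $cmd }
        }
    }
    # exefile and scrfile normally begin with "%1"; a prepended path is a launcher
    # of the kind the text describes ("<filename> "%1" %*").
    foreach ($progId in 'exefile', 'scrfile') {
        $cmd = Get-OpenCommand $progId
        if ($cmd -and -not $cmd.TrimStart().StartsWith('"%1"')) {
            $findings += [pscustomobject]@{ ProgId = $progId; Command = $cmd }
        }
    }
    $findings
}

function Test-RunKeyEntries {
    $key = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSProvider, ...
        # Executable part: quoted path, or the first token of an unquoted command.
        $exe = if ($p.Value -match '^"([^"]+)"') { $Matches[1] } else { ($p.Value -split ' ')[0] }
        # The text notes the Run value may not match any dropped file, so a dangling
        # reference is itself a finding; bare names are resolved through PATH.
        if (-not (Test-Path -LiteralPath $exe) -and -not (Get-Command $exe -ErrorAction SilentlyContinue)) {
            [pscustomobject]@{ Name = $p.Name; Command = $p.Value }
        }
    }
}

Test-FileAssociationHijack | Format-Table -AutoSize
Test-RunKeyEntries | Format-Table -AutoSize
```

Run it in an elevated session on a suspect machine; an empty table for both checks means the audited keys still point at their expected handlers and every Run entry resolves to an existing file.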
Fasong then tries to disable processes related to some security software, including kav9x.exe, kavsvc9x.exe, kavsvcui.exe, kav32.exe, smenu.exe, ravmon.exe, passwordguard.exe, vpc32.exe, and watcher.exe.
The worm creates a file named Autorun.inf at the root of every drive except C:\, which contains the text:
[autorun]
OPEN=<random worm file name>
Sources
Maryl Magee. Symantec Security Response: W32.HLLW.BenfGame.B. 03-JUN-2003.