Arrival and Installation
This worm usually arrives on a system as a file dropped by other malware, or as a file downloaded from the Internet by an unsuspecting user visiting malicious Web sites.
Upon execution, it opens the root folder, which is usually C:\, and creates a folder named RECYCLED inside it.
It then drops a copy of itself as CTFMON.EXE in the following folders:
* C:\Recycled\Recycled
* %User Startup%
Note that a legitimate file also named CTFMON.EXE exists in the Windows system folder.
It also creates its own AUTORUN.INF file in the root folder. The said file contains the following strings:
[AutoRun]
shellexecute=Recycled\Recycled\ctfmon.exe
shell\Open(O)\command=Recycled\Recycled\ctfmon.exe
shell=Open(0).
It adds the option Open(o) to the drive's normal context menu. Once a user chooses this option, the worm is executed.
It also drops the following non-malicious files in the created RECYCLED folder:
* desktop.ini
* INFO2
DESKTOP.INI contains the following strings:
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
The said CLSID refers to the Recycle Bin. Once this file is present in a folder, Explorer displays that folder with the default Recycle Bin icon. This is a stealth technique used to trick users into thinking that the folder is the legitimate Recycle Bin.
When DESKTOP.INI is deleted, the fake folder's icon changes back to the standard folder icon.
The file INFO2 is a harmless data file.
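As an added example (not part of the original write-up), the following Python checks the two on-disk artifacts listed above: an AUTORUN.INF whose launch commands point into a Recycled folder, and a desktop.ini that assigns the Recycle Bin CLSID to a folder holding entries a real flat (FAT-style) Recycle Bin never contains. The sample inputs are constructed from the strings quoted above; the pattern for legitimate bin entries assumes Windows XP's D<drive><n>.<ext> renaming of deleted files.

```python
import re

RECYCLE_BIN_CLSID = "{645FF040-5081-101B-9F08-00AA002F954E}"  # Recycle Bin CLSID quoted above
# [AutoRun] keys that make Explorer launch a program: shellexecute and shell\<verb>\command
COMMAND_KEY = re.compile(r"^(shellexecute|shell\\[^\\]+\\command)$", re.I)
# Names a real XP Recycle Bin folder may hold: its metadata files plus deleted files renamed Dc1.ext
LEGIT_BIN_ENTRY = re.compile(r"^(desktop\.ini|info2|d[a-z]\d+\..+)$", re.I)


def parse_ini(text):
    """Minimal INI parser: {section: {key: value}} with lower-cased names, tolerant of CRLF/blank lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def autorun_findings(text):
    """Return (key, command) pairs from [AutoRun] that run something out of a Recycled folder."""
    autorun = parse_ini(text).get("autorun", {})
    return [(k, v) for k, v in autorun.items()
            if COMMAND_KEY.match(k) and re.search(r"(^|\\)recycled\\", v, re.I)]


def fake_recycle_bin(desktop_ini_text, entries):
    """True when desktop.ini gives the folder the Recycle Bin icon but the folder also holds
    something a real bin never does (e.g. a nested Recycled subfolder or an unrenamed .exe)."""
    clsid = parse_ini(desktop_ini_text).get(".shellclassinfo", {}).get("clsid", "")
    if clsid.upper() != RECYCLE_BIN_CLSID:
        return False
    return any(not LEGIT_BIN_ENTRY.match(name) for name in entries)


# Constructed samples reproducing the file contents listed above (not taken from a live system)
SAMPLE_AUTORUN = ("[AutoRun]\r\nshellexecute=Recycled\\Recycled\\ctfmon.exe\r\n"
                  "shell\\Open(O)\\command=Recycled\\Recycled\\ctfmon.exe\r\nshell=Open(0)\r\n")
SAMPLE_DESKTOP_INI = "[.ShellClassInfo]\r\nCLSID={645FF040-5081-101B-9F08-00AA002F954E}\r\n"

if __name__ == "__main__":
    for key, cmd in autorun_findings(SAMPLE_AUTORUN):
        print(f"AUTORUN.INF launches from a Recycled folder: {key} -> {cmd}")
    print("fake Recycle Bin:", fake_recycle_bin(SAMPLE_DESKTOP_INI, ["desktop.ini", "INFO2", "Recycled"]))
```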
Propagation via Removable and Mapped Drives
This worm drops copies of itself in removable drives and mapped drives as CTFMON.EXE. It also drops the same AUTORUN.INF file described above to automatically execute the dropped copies when the drives are accessed.
Other Details
On Windows XP systems, this worm creates the following registry keys and entries, which ensure the execution of the context menu option Open(o):
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{random CLSID}\Shell\Open(O)\command
(Default) = "C:\Recycled\Recycled\ctfmon.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{random CLSID}\Shell\AutoRun\command
(Default) = "RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\Recycled\ctfmon.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##%Server name%#%Share name%\Shell\Open(O)\command
(Default) = "%Drive letter%\Recycled\ctfmon.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##%Server name%#%Share name%\Shell\AutoRun\command
(Default) = "%Drive letter%\Recycled\ctfmon.exe"
(Note: %Server name% is the name of the server where the mapped folder is located, and %Share name% is the name of the mapped folder.)
This worm runs on Windows 98, ME, NT, 2000, XP, and Server 2003.