General Explanation
Type: Worm
Degree of destruction: high
Prevalence: average
Names of the malware:
- Worm.JS.Boxter.n
- Worm.Win32.Boxter.lnk
What is the Worm?
Computer worms such as Boxter are malware capable of replicating themselves. For persistence, a worm sets up ways to keep the infection alive across every system boot. The defining feature of worms is their distribution, which is generally performed through portable drives and shared directories on the network.
What is Boxter malware?
This malware places the victim's system under "command and control": it runs as a service, carries out the instructions it receives from the hacker, and also attempts to collect system data, steal browser information, and send the stolen information to the hacker.
On first execution, it creates several copies of its .js file in different parts of the system and creates registry keys to maintain persistence.
This worm spreads by creating .lnk files, via email, and via portable drives. It can also deactivate security features on the victim's system, such as UAC.
The malware includes a keylogger module that records keys pressed on the keyboard, and it also tries to connect to specific addresses and ports.
Additionally, the malware can install, update, and remove itself.
Technical Explanation
Signs of infection
- A .js file with a random name in the %appdata% path.
- All files on a USB stick or other portable drive suddenly becoming hidden the moment it is connected to the system.
- Unknown .lnk files on the USB drive.
- The system suddenly restarting or shutting down.
Function explanation
The malware is delivered as a .lnk file. Executing it causes a PowerShell script to be downloaded and run; this delivers the .js file, which contains base64-encoded code and performs the malware's main operation.
The malware copies its .js file to the following paths, using random names:
- [root]:\Users\Public\"random name".jpg
- [root]:\Users\Public\"random name".js
- [root]:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\"random name".js
- [root]:\Users\user\AppData\Roaming\"random name".js
The malware also sets up persistence through a value under the Run registry key at the following path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"random name"
Its disableSecurity function adds the following values to the registry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, EnableLUA = 0
This value normally enables two features, UAC and Admin Approval Mode (AAM); the malware deactivates both by setting it to zero. (UAC is a Windows security feature that helps prevent unauthorized changes to the OS.)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, ConsentPromptBehaviorAdmin = 0
(This setting allows an administrator to elevate without any validation or consent prompt.)
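As an added illustration (not part of the original write-up), the following Python checks a registry snapshot for the two indicators just described: a Run value that launches a .js from one of the drop directories, and the two UAC policy values set to 0. It assumes the Run value's data names the dropped .js and that wscript.exe launches it in the constructed sample; the write-up only states that the value is created.

```python
"""Check a Windows registry snapshot for the Run-key persistence and UAC policy
values described above. Snapshot shape: {key_path: {value_name: data}}."""
import re

RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
POLICY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
# Policy values the worm sets to 0 (from the write-up).
WEAK_UAC = {"EnableLUA": 0, "ConsentPromptBehaviorAdmin": 0}
# Drop directories from the write-up; assumption: the Run value's data names the .js there.
DROP_DIRS = ("\\users\\public\\", "\\appdata\\roaming\\")
JS_RE = re.compile(r"\.js\b")  # matches ".js" but not ".json"

def uac_findings(snapshot):
    """Return (name, data) for UAC policy values that hold the weakened setting."""
    policy = snapshot.get(POLICY_KEY, {})
    return [(n, policy[n]) for n, weak in WEAK_UAC.items() if policy.get(n) == weak]

def run_findings(snapshot):
    """Return Run entries whose command references a .js under a drop directory."""
    hits = []
    for name, data in snapshot.get(RUN_KEY, {}).items():
        d = str(data).lower()
        if JS_RE.search(d) and any(p in d for p in DROP_DIRS):
            hits.append((name, data))
    return hits

def collect_snapshot():
    """Read both keys from the live registry (Windows only; winreg is stdlib)."""
    import winreg
    snap = {}
    for path in (RUN_KEY, POLICY_KEY):
        values, i = {}, 0
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path.split("\\", 1)[1]) as k:
            while True:
                try:
                    n, v, _ = winreg.EnumValue(k, i)
                except OSError:  # no more values under this key
                    break
                values[n], i = v, i + 1
        snap[path] = values
    return snap

# Constructed sample: one benign Run entry, one worm-style entry (wscript launching
# the dropped .js is an assumption), and the two policy values set to 0.
SAMPLE = {
    RUN_KEY: {"OneDrive": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
              "xk3j9q": r'wscript.exe "C:\Users\Public\xk3j9q.js"'},
    POLICY_KEY: {"EnableLUA": 0, "ConsentPromptBehaviorAdmin": 0, "PromptOnSecureDesktop": 1},
}
```

On Windows, pass collect_snapshot() to run_findings and uac_findings to check the live registry instead of SAMPLE.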
The following table lists the C&C commands understood by the malware service, with their functions:

| Command | Function |
| --- | --- |
| Disconnect | Closes the main process of the malware |
| Reboot | Reboots the system |
| Shut Down | Shuts down the system |
| Execute | Executes the hacker's desired instruction (for example, running an executable file or specific code) |
| install-SDK | If %temp%\wshrat\python.exe exists, the malware sends "SDK+Already+Installed" to the hacker's server; otherwise, it downloads the wshsk.zip file from hxxp://2813.noip.me:2813/moz-SDK and sends the "SDK+Installed" message to the server |
| get-pass | Sends the passwords of the requested browser to the server |
| get-pass-online | Sends the passwords of all browsers installed on the system to the server |
| Update | Downloads the latest version of its .js files from the server |
| Uninstall | Removes all files, registry values and startup entries it created, and closes the malware's executable |
| up-n-exec | Downloads and executes the requested executable files from the server |
| bring-log | Sends the requested log file of information collected from the victim's system to the server |
| down-n-exec | Downloads and executes the requested executable files from the specified URL |
| file manager | Downloads a file |
| rev-proxy | Creates the rprox.exe file on the system; it is embedded in the .js file as base64 and decoded by the malware itself |
| exit-proxy | Closes the rprox.exe process |
| keylogger | Creates the kl-plugin.exe file on the system; it is embedded in the .js file as base64 and decoded by the malware itself. This file collects information from the victim's system |
| cmd-shell | Executes the specified instructions in the console and sends their output to the server |
| get-processes | Collects details of the running processes |
| disable-UAC | Adds the disableSecurity registry values described above and sends the message "UAX+Disabled+Reboot+Required" to the server |
| check-eligible | If the file the malware requires exists on the system, it sends an "Is+Eligible" message |
| force-eligible | If the file the malware requires exists on the system, it executes it and the "SUCCESS" message is returned; otherwise, it sends the "Component+Missing" message |
| elevate | If the malware is not running with the required privileges, it re-executes itself and sends the "Client+Elevate" message to the server |
| if-elevate | If the malware is running with the required privileges, the "Client+Elevated" message is sent to the server; otherwise, the "Client+Not+Elevated" message is sent |
| kill-process | Closes the processes with the specified IDs |
| sleep | Executes the sleep instruction for the specified time |
The malware spreads in two ways:
- Via portable drives: it hides the files and folders on the flash drive and creates a .lnk file for each of them; the .js file also copies itself onto the flash drive. The target of each .lnk file is C:\Windows\system32\cmd.exe /c start "random name".js&start explorer "file or folder name"&exe
- Via email: it attaches itself to emails and sends them.
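Added example, not from the original write-up: a triage helper for the removable-drive propagation described above. It parses a shortcut's resolved command line for the cmd.exe /c start ... & start explorer ... chain and scans a drive-root listing for hidden originals paired with same-named .lnk decoys. Obtaining each .lnk's command line (for example with a shortcut-resolving tool) is left to the caller, and the assumption that each decoy is named after the item it hides is mine, not the write-up's.

```python
"""Triage the root of a removable drive for the propagation pattern described above:
hidden originals, a dropped .js, and a .lnk per hidden item whose target chains
cmd.exe /c start <random>.js & start explorer <original>."""
import os
import re

# Target pattern from the write-up; quoting and the trailing "&..." segment vary, so capture loosely.
LNK_TARGET_RE = re.compile(
    r"cmd\.exe\s+/c\s+start\s+(.+?)\s*&\s*start\s+explorer\s+(.+?)\s*(?:&|$)", re.I)
HIDDEN_ATTR = 0x2  # FILE_ATTRIBUTE_HIDDEN bit of st_file_attributes (Windows only)

def classify_target(cmdline):
    """Return (js_name, original_name) if a shortcut's command matches, else None."""
    m = LNK_TARGET_RE.search(cmdline)
    if not m:
        return None
    js, original = (g.replace('"', "").strip() for g in m.groups())
    return (js, original) if js.lower().endswith(".js") else None

def triage_listing(entries):
    """entries: iterable of (name, is_hidden) for the drive root.
    Assumption: each decoy .lnk is named after the item it hides.
    Returns (suspicious .lnk names, .js names found at the root)."""
    entries = list(entries)
    hidden = {n for n, h in entries if h and not n.lower().endswith(".lnk")}
    stems = hidden | {os.path.splitext(n)[0] for n in hidden}
    lnk_hits = sorted(n for n, _ in entries
                      if n.lower().endswith(".lnk") and os.path.splitext(n)[0] in stems)
    js_hits = sorted(n for n, _ in entries if n.lower().endswith(".js"))
    return lnk_hits, js_hits

def listing_from_dir(path):
    """Build (name, is_hidden) pairs from a real directory; the hidden bit is Windows-only."""
    out = []
    for e in os.scandir(path):
        attrs = getattr(e.stat(follow_symlinks=False), "st_file_attributes", 0)
        out.append((e.name, bool(attrs & HIDDEN_ATTR)))
    return out

# Constructed sample listing of an infected drive root (names are made up).
SAMPLE_LISTING = [
    ("Photos", True), ("Photos.lnk", False),
    ("report.docx", True), ("report.docx.lnk", False),
    ("xk3j9q.js", True), ("readme.txt", False), ("readme.lnk", False),
]
# Shortcut target in the form quoted by the write-up, with constructed names.
SAMPLE_TARGET = r'C:\Windows\system32\cmd.exe /c start "xk3j9q".js&start explorer "Photos"&exe'
```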
How to deal with it and disinfect the system
Padvish Antivirus, through its UMP capability (part of its behavioral protection), prevents the system from being infected via portable drives. Hence, to protect the system against this and all other malware that spreads through portable drives, it is recommended to install Padvish.
If your system is infected with the malware, do as follows:
- Install Padvish on your system.
- Connect the infected portable drive to the system.
- Scan the portable drive with Padvish to disinfect both the drive and your system.