Worm.Win32.Eqtonex.a

General Explanation

Type: Worm

Degree of destruction: high

Prevalence: average

Used vulnerability: CVE-2017-0146 / MS17-010 (EternalBlue)

What is the Worm?

Computer worms such as Eqtonex are malware capable of self-replication. For persistence, a worm sets up a way to re-establish the infection at every system boot. The distinguishing feature of worms is how they spread, which is generally through removable drives and shared directories on the network.

What is Eqtonex malware?

Eqtonex is an example of malware that uses the EternalBlue exploit and the DoublePulsar backdoor to spread itself. Its ultimate goal is to mine cryptocurrency, and malware using this infection method is becoming more common. Eqtonex is a miner: it aims to use the victim's processor to mine bitcoin cryptocurrency.

Technical Explanation

Signs of infection

  1. A process with a random name is running on the system, consuming a large amount of CPU and making the system slow.
  2. A file named boy.exe is present in the %WindowsDirectory% path.
  3. In the Windows directory there is a folder with a random 5-character name containing several DLLs and a file named svchost.exe, which the malware uses to infect other systems on the network (this is the EternalBlue component).
  4. If the user runs “Netsh IPsec static show all” at the command prompt, a filter named ipsec_ply appears among the system's IPsec policies.

How the malware's main file works:

Immediately after execution, the malware places a copy of itself in the Windows directory and creates a folder with a random name in the same directory, into which it places another copy of itself and executes it. It also writes a file named end.bat to the Windows directory, then deletes the original file and leaves the remaining activity to the copy in the random folder.

In summary, this batch file creates an IPsec filter named ipsec_ply that blocks ports 445 and 139 (used for file sharing) on the infected system, so that only the hosts the malware chooses can connect to it. Examination of the file shows that these filters are not applied on Windows XP.

After the desired filters have been applied to the victim's system, the malware deletes end.bat and adds the DLLs required for the EternalBlue exploit and the DoublePulsar backdoor to the random folder it created in the Windows directory. It also ensures persistence on the victim's system by registering itself in the following registry values so that its files are executed at every logon:

  • HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
  • HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\run
  • HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell

Finally, it places another file with a random name in the random folder mentioned above; this file mines cryptocurrency using the victim's processing power and makes the system slow.
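A read-only triage script for the signs of infection and the persistence locations listed above, added here as an example (it is not code from the original writeup or from Padvish). It assumes PowerShell on the suspect host; the 60-second CPU threshold is a constructed heuristic, not a value from the analysis.

```powershell
# Added triage script: report the Eqtonex indicators described in the writeup.
# Read-only: it lists findings and removes nothing.
$win = $env:WINDIR
$findings = @()

# Sign 2: boy.exe dropped directly in the Windows directory
$boy = Join-Path $win 'boy.exe'
if (Test-Path $boy) { $findings += "Dropped file present: $boy" }

# Sign 3: a random 5-character folder under %WINDIR% holding svchost.exe
# (the legitimate svchost.exe lives in System32/SysWOW64, not a top-level folder)
Get-ChildItem -Path $win -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name.Length -eq 5 } |
    ForEach-Object {
        $sv = Join-Path $_.FullName 'svchost.exe'
        if (Test-Path $sv) { $findings += "Suspicious EternalBlue component: $sv" }
    }

# Persistence: the three registry values the writeup lists. Load and Run are
# normally empty or absent; Shell is normally 'explorer.exe'.
$regChecks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'; Name = 'Load'; Expect = '' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'; Name = 'Run';  Expect = '' },
    @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell'; Expect = 'explorer.exe' }
)
foreach ($c in $regChecks) {
    $val = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($null -ne $val -and $val.Trim() -ne $c.Expect) {
        $findings += "Persistence value $($c.Path)\$($c.Name) = '$val'"
    }
}

# Sign 4: the ipsec_ply filter created by end.bat (netsh prints plain text)
$ipsec = netsh ipsec static show all 2>$null
if ($ipsec -match 'ipsec_ply') { $findings += 'IPsec filter ipsec_ply is configured' }

# Sign 1: a CPU-hungry process whose image lives in a 5-character folder under %WINDIR%
# (60 CPU-seconds is a constructed heuristic; tune it for the host)
Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.Path } | ForEach-Object {
    $parent = Split-Path (Split-Path $_.Path -Parent) -Leaf
    if ($_.Path -like "$win\*" -and $parent.Length -eq 5 -and $_.CPU -gt 60) {
        $findings += "High-CPU process from random folder: $($_.Path) (PID $($_.Id))"
    }
}

if ($findings.Count -eq 0) { 'No Eqtonex indicators found.' } else { $findings }
```

Run it from an elevated prompt so the HKLM value and all process paths are readable; a hit on any single check should be confirmed against the full list of signs before the host is treated as infected.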

How the S.bat file works:

This file uses the EternalBlue component (svchost.exe) to find active IPs on the network, checks whether each of them is vulnerable, and writes the results to a file named result.txt in the same folder.

How to deal with it and disinfect the system

Padvish antivirus can detect and remove this malware. To protect the system against infection by malware that exploits the EternalBlue vulnerability, it is recommended to apply Microsoft's patch (MS17-010). Padvish IPS can also detect these exploitation attempts and prevent them from reaching the victim's system.
