Worm.Win32.Pykspa.a

General explanation

Type: Worm

Degree of destruction: High

Prevalence: average

Names of the malware:

  • Worm.Win32.Pykspa.a (Padvish)
  • Worm.Win32.KillAV (Padvish)
  • Worm.Win32.AutoRun (Padvish)
  • Trojan:Win32/Killav!atmn (Microsoft)
  • Trojan.Win32.KillAV.fdm (Kaspersky)
  • W32.Pykspa!gen1 (Symantec)
  • Win32/AutoRun.Agent.TV (Eset)

What is a worm?

Computer worms such as Pykspa are malware capable of replicating themselves. To persist, a worm sets up mechanisms that re-establish the infection on every system boot. Spreading is the defining feature of a worm, and it is generally done through removable drives and shared directories on the network.

What is Pykspa malware?

This malware drops many copies of itself on the system and creates multiple registry keys for persistence. In every folder on the drives it infects, it places a copy of itself with the same name as the folder and a random extension such as bat, ink, if, scr or exe. All of these files have the same hash. The malware can also disable security services on the victim's system, such as UAC (User Account Control, a security feature of Windows).

Technical explanation

Signs of infection

  • executable files with random names in the following paths:

%Temp%

%Root%:\Windows

%Root%:\Windows\SysWOW64

  • executable files on removable drives with the same names as the folders on those drives
  • Regedit disabled by creating the DisableRegistryTools value and setting it to 1 under the following registry path:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

  • UAC disabled by setting EnableLUA to 0 under:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

  • Microsoft Security Center disabled by setting the following registry values:

UpdatesDisableNotify=1

AntiVirusDisableNotify=1

FirewallDisableNotify=1

FirewallOverride=1

AntiVirusOverride=1

under the following path:

HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\Security Center

  • .rar files in every folder on the victim's system with the same name as the folder (each .rar archive contains the malware file along with several of the user's legitimate files).
  • if a search entered in the browser contains any of the following strings, the malware blocks access and closes the browser:
    • ahnlab
    • arcabit
    • avast
    • avg.
    • avira
    • avp.
    • bit9.
    • castlecops
    • centralcommand
    • cert.
    • clamav
    • tcpview
    • comodo
    • computerassociates
    • cpsecure
    • defender
    • drweb
    • emsisoft
    • esafe
    • eset
    • etrust
    • ewido
    • f-prot
    • f-secure
    • fortinet
    • gdata
    • grisoft
    • hacksoft
    • hauri
    • ikarus
    • jotti
    • k7computing
    • Kaspersky
    • Malware
    • mcafee
    • networkassociates
    • nod32
    • norman
    • norton
    • panda
    • pctools
    • prevx
    • quickheal
    • rising
    • rootkit
    • sans.
    • securecomputing
    • sophos
    • spamhaus
    • spyware
    • sunbelt
    • symantec
    • threatexpert
    • trendmicro
    • vet.
    • Virus
    • Wilderssecurity
  • the malware also blocks the use of any window whose title contains one of the following strings:
    • Regedit
    • Spyware
    • Rstrui
    • Procmon
    • Regmon
    • Eset
    • Procexp
    • IceSword
    • Sysclean
    • dr. web
    • dr.web
    • esetsmart
    • soft security e
    • internet security
    • Restauration du sy
    • trend micro
    • Sistemos atk
    • Antivir
    • Sysinternals
    • Registry
    • NetTools
    • Zonealarm
    • Firewall
    • avg
    • computer management
    • virus
    • worm
    • system configuration
    • Hiajck
    • Hijack
    • security center
    • system restore
    • antivirus
    • antianti
    • Process Ex
  • data files with fixed random names and random extensions such as LLC, yec or txt in all Windows paths, for example:

yyecafwaxawycawwwwwcev.yec

  • it obtains the system's current public IP address by connecting to the following sites:
    • www[.]showmyipaddress[.]com
    • whatismyipaddress[.]com
    • whatismyip[.]ca
    • whatismyip.everdot[.]org

How the malware operates

This malware spreads by sending messages through Skype and Twitter, and also over the network itself.

The messages sent through Skype and Twitter are as follows:

  • would like to speak with you
  • .watching you long time
  • I would like to speak with you
  • I know what you did idiot name
  • I lost my job. I am an idiot. I want to die
  • little boy:]]]] I know about your little problem

The malware establishes persistence by creating Run entries under the following registry paths:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
  • HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce

The registry value set by its disableSecurity function is:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, EnableLUA, 0

EnableLUA is the value that turns the UAC feature on; the malware disables UAC by setting it to 0.

By setting the following value, it allows administrators to operate without any consent prompt or authentication:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, ConsentPromptBehaviorAdmin, 0
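A read-only triage script for the indicators listed in this write-up, added here as an example; it is not code from the Padvish page. It assumes an elevated PowerShell session on the suspect host, reads .lnk as the intended meaning of the "ink" extension listed above, and uses the WOW6432Node Security Center path exactly as the write-up gives it.

```powershell
# Added example (not from the Padvish write-up): read-only check of the registry values,
# Run entries and removable-drive artifacts this worm leaves behind. Nothing is modified.
$findings = @()

# Policy values the worm sets: 1 disables Regedit, 0 disables UAC / the admin consent prompt.
$policy   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$expected = @{ DisableRegistryTools = 1; EnableLUA = 0; ConsentPromptBehaviorAdmin = 0 }
foreach ($name in $expected.Keys) {
    $v = (Get-ItemProperty -Path $policy -Name $name -ErrorAction SilentlyContinue).$name
    if ($v -eq $expected[$name]) { $findings += "$policy\$name = $v" }
}

# Security Center notification / override values, all set to 1 by the worm (path as in the write-up).
$sc = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\Security Center'
foreach ($name in 'UpdatesDisableNotify','AntiVirusDisableNotify','FirewallDisableNotify','FirewallOverride','AntiVirusOverride') {
    $v = (Get-ItemProperty -Path $sc -Name $name -ErrorAction SilentlyContinue).$name
    if ($v -eq 1) { $findings += "$sc\$name = 1" }
}

# Run / RunOnce entries whose command points into the drop directories named in the write-up.
$runKeys  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
$dropDirs = @($env:TEMP, $env:SystemRoot, "$env:SystemRoot\SysWOW64")
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        foreach ($d in $dropDirs) {
            if ("$($p.Value)" -like "*$d\*") { $findings += "$key\$($p.Name) -> $($p.Value)" }
        }
    }
}

# Removable drives (DriveType 2): a file whose base name equals a sibling folder's name.
$exts = '.exe', '.scr', '.bat', '.lnk', '.rar'   # assumed reading of the extensions listed above
foreach ($drive in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2') {
    $root = $drive.DeviceID + '\'
    $dirs = Get-ChildItem -Path $root -Directory -Force -ErrorAction SilentlyContinue | ForEach-Object Name
    Get-ChildItem -Path $root -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $dirs -contains $_.BaseName -and $exts -contains $_.Extension.ToLower() } |
        ForEach-Object { $findings += "$($_.FullName) shadows folder '$($_.BaseName)'" }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'No Pykspa indicators found.' }
```

The script only reports; a confirmed hit should be handled by restoring the policy values and removing the Run entries with a clean boot, not by editing them while the worm is still running.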

Anti-sandbox and anti-VM methods

The malware performs several checks to determine whether the current environment is an analysis environment. If any of these methods leads it to conclude that the environment is not an analysis environment, it immediately shuts Windows down.

How to deal with it and disinfect the system

Padvish Antivirus, through its UMP capability, which is part of its behavioural protection, prevents the system from being infected via removable drives. To protect the system against infection from removable drives by this and similar malware, it is therefore recommended to install Padvish.
