
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


FormShared.A

 
Threat Level: Moderate threat
Damage: High
Distribution: Not widespread

Effects 

FormShared.A has its own P2P client and spreads a component of itself, which belongs to the Trojan SpyForms.S, through peer-to-peer (P2P) file sharing programs. In order to do so, it follows the routine below:

  • It creates a subfolder called SHARED in the Windows directory, where it creates copies of SpyForms.S.
  • Some of the names it uses are the following:
  • Other users of these programs can remotely access this shared directory. This way, they voluntarily download these files to their computers, thinking that they are useful computer programs.
  • However, these compressed files actually contain the following files:
    - a file with EXE extension and with the same name as the compressed file, which is a copy of SpyForms.S.
    - a DLL (Dynamic Link Library).
    - a file README.TXT.
  • When the file with EXE extension is run, the computer is affected by SpyForms.S.

Infection strategy 

FormShared.A creates the file CHECKERS2.EXE in the Windows directory. This file is a copy of the worm.

Additionally, FormShared.A creates a subfolder called SHARED in the Windows directory. In this subfolder, it creates a random number of compressed files.
To do so, FormShared.A carries a list of file names: it selects one entry at random, together with a variable number of the entries that follow it in the list.
The following are some examples:
3D MATRIX SCREENSAVER.CZIP
3D MATRIX SCREENSAVER BY SND.CZIP
3D MATRIX SCREENSAVER INSIDE THE MATRIX.CZIP
3D MATRIX SCREENSAVER INSIDE THE MATRIX BY FFF.CZIP
3D MATRIX SCREENSAVER INSIDE THE MATRIX BY TSRH.CZIP
3D MATRIX SCREENSAVER THE ENDLESS CORRIDORS.CZIP
3D MATRIX SCREENSAVER V1.0.CZIP

 

FormShared.A creates the following entry in the Windows Registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    checkers = %windir%\checkers2.exe
    where %windir% is the Windows directory.
    By creating this entry, FormShared.A ensures that it is run whenever Windows is started.

Further Details  

FormShared.A is 325,120 bytes in size and it is compressed with UPX v1.9.
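
The artifacts listed in this entry (the CHECKERS2.EXE copy and the SHARED subfolder in the Windows directory, the "checkers" Run value, and the 325,120-byte size) can be checked on a host with a short read-only script. The PowerShell below is an added example, not Panda Security's tooling; the Add-Finding helper and the output wording are assumptions made for illustration.

```powershell
# Added example: read-only triage for the FormShared.A artifacts described on this page.
# Run it in the session of the user being checked, because the Run entry lives under HKCU.
$winDir   = $env:windir
$findings = New-Object System.Collections.Generic.List[object]

# Hypothetical helper (not from the page): records one matched indicator.
function Add-Finding([string]$Indicator, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Indicator = $Indicator; Detail = $Detail })
}

# 1. Worm copy: %windir%\CHECKERS2.EXE (the page gives a size of 325,120 bytes).
$exe = Join-Path $winDir 'checkers2.exe'
if (Test-Path -LiteralPath $exe -PathType Leaf) {
    $len  = (Get-Item -LiteralPath $exe -Force).Length
    $note = if ($len -eq 325120) { 'size matches 325,120 bytes' } else { "size is $len bytes" }
    Add-Finding 'Worm copy' "$exe ($note)"
}

# 2. Bait folder: %windir%\SHARED holding the .CZIP archives offered to P2P peers.
$shared = Join-Path $winDir 'SHARED'
if (Test-Path -LiteralPath $shared -PathType Container) {
    $czip = @(Get-ChildItem -LiteralPath $shared -Filter '*.czip' -File -Force `
              -ErrorAction SilentlyContinue)
    Add-Finding 'Shared folder' "$shared contains $($czip.Count) .CZIP file(s)"
}

# 3. Persistence: Run value "checkers" pointing at %windir%\checkers2.exe.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run    = Get-ItemProperty -Path $runKey -Name 'checkers' -ErrorAction SilentlyContinue
if ($run) {
    $data = [Environment]::ExpandEnvironmentVariables([string]$run.checkers)
    $note = if ($data -like '*checkers2.exe*') { 'targets checkers2.exe' } else { 'different target' }
    Add-Finding 'Run entry' "checkers = $data ($note)"
}

# Report: a single match warrants a closer look; all three together match this entry.
if ($findings.Count -eq 0) {
    'None of the FormShared.A artifacts described on this page were found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

A folder named SHARED or a Run value named "checkers" can exist for unrelated reasons, so the size match and the combination of all three findings carry more weight than any single hit.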