ChymineLNK.A exploits the vulnerability known as MS10-046 (CVE-2010-2568) in order to be installed on the computer. It is a Windows vulnerability affecting shortcut files that allows remote code execution.
ChymineLNK.A carries out the following actions:
- The file received by users, which starts the infection, is a shortcut that points to:
This is a DLL hosted on a website.
- The vulnerability allows this file to be downloaded and run automatically, without the user clicking on the shortcut, because it permits remote code execution.
- This DLL downloads and runs a file called BIN.EXE, which starts the installation of the rootkit. The rootkit hides the Trojan, making its detection more difficult.
- Additionally, it installs a keylogger designed to log the user's keystrokes. This way it can obtain confidential information about users, such as passwords.
- It also opens a communication port through which the creator of ChymineLNK.A could access the user's computer to collect the gathered information or to run more malware.
Note: Microsoft has already released the security patch that fixes this vulnerability. If you have a Windows 2008/7/Vista/2003/XP computer, it is recommended that you download and apply the security patch for this vulnerability.
ChymineLNK.A creates a folder with a random numeric name in the Windows system directory, for example:
The most remarkable feature is that the folder name ends in a dot. As a result, users cannot access the directory, since Windows does not handle folder names that end in a dot. Instead, the folder is accessed through its short name, which in this case would be 1234~1.
Additionally, if users view this folder in Windows Explorer, they are told that it is empty.
The folder is not actually empty: it contains a hidden file belonging to the rootkit. The file is named .dll and has no extension. In order to access this file, it is assigned a short name, which in this case is dll~1.
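The trailing-dot trick works because the Win32 path normaliser strips a trailing dot before the name reaches the file system, so Explorer and cmd look at the wrong path. The following is an added example (not code from the original write-up) that hunts for such directories by enumerating through the `\\?\` extended-length prefix, which skips that normalisation; it assumes the "Windows system directory" is `%SystemRoot%` and runs under PowerShell 5.1 on .NET 4.6.2+ or PowerShell 7.

```powershell
# Added example, not part of the original write-up.
# Assumptions: $Root defaults to %SystemRoot%; run as an administrator on the live host.
function Find-TrailingDotDirectory {
    param([string]$Root = $env:SystemRoot)

    # The \\?\ prefix makes Win32 pass the path through unaltered, so a name such as
    # "1234." keeps its trailing dot instead of being normalised to "1234".
    $extRoot = "\\?\$Root"

    foreach ($dir in [System.IO.Directory]::EnumerateDirectories($extRoot)) {
        $name = [System.IO.Path]::GetFileName($dir)
        if ($name -notmatch '\.$') { continue }   # only directory names ending in a dot

        # Enumerate through the same unnormalised path; Explorer would report it empty.
        $files = @([System.IO.Directory]::EnumerateFiles($dir))
        foreach ($f in $files) {
            $fi = New-Object System.IO.FileInfo $f
            [pscustomobject]@{
                Directory  = $dir
                File       = [System.IO.Path]::GetFileName($f)
                Size       = $fi.Length
                Attributes = $fi.Attributes        # Hidden/System flags show up here
                Modified   = $fi.LastWriteTimeUtc
            }
        }
        if ($files.Count -eq 0) {
            # Still worth reporting: the directory itself is the indicator
            [pscustomobject]@{ Directory = $dir; File = '(no files)'; Size = 0
                               Attributes = ''; Modified = $null }
        }
    }
}

Find-TrailingDotDirectory | Format-Table -AutoSize
```

Because the sample also installs a kernel rootkit, a clean result on the live system is not conclusive: a rootkit can filter directory listings, so repeat the check with the disk mounted from clean boot media.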
ChymineLNK.A creates the following entries in the Windows Registry:
By creating these entries, the rootkit registers itself as a service so that it runs whenever the computer starts. Additionally, it is associated with an SVCHOST process so that it cannot be seen.
Means of transmission
ChymineLNK.A reaches the computer as a shortcut pointing to the remote download of the file that starts the infection. This shortcut exploits the vulnerability known as MS10-046 (CVE-2010-2568), which affects files with the LNK extension.
However, ChymineLNK.A does not spread automatically by its own means; it needs an attacker's intervention to reach the affected computer. The means of transmission used include, among others, removable drives such as pendrives, CD-ROMs, email messages with attached files, Internet downloads, FTP, IRC channels, peer-to-peer (P2P) file-sharing networks, etc.
ChymineLNK.A is 142,848 bytes in size.