
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.

ChymineLNK.A

Threat level: Low
Damage: High
Distribution: Not widespread

Effects

ChymineLNK.A exploits the vulnerability known as MS10-046 (CVE-2010-2568) to get installed on the computer. It is a Windows vulnerability in the handling of shortcut files that allows remote code execution.

ChymineLNK.A carries out the following actions:

  • The file that users receive, and which starts the infection, is a shortcut pointing to:
    205.209.119\DlaT\GdWbpvo.dll
    This is a DLL hosted on a website.
  • Because the vulnerability allows remote code execution, the DLL is downloaded and run automatically, without the user clicking on the shortcut.
  • This DLL downloads and runs a file called BIN.EXE, which starts the installation of the rootkit. The rootkit hides the Trojan, making its detection more difficult.
  • Additionally, it is programmed to install a keylogger, designed to log the keystrokes typed by the user. This way, it can obtain confidential information about users, such as passwords.
  • It also opens a communication port through which the creator of ChymineLNK.A can access the user's computer to collect the gathered information or to run more malware.


Note: Microsoft has already released the security patch that fixes this vulnerability. If you have a Windows 2008/7/Vista/2003/XP computer, it is recommended to download and apply the security patch for this vulnerability.

Infection strategy

ChymineLNK.A creates a folder with a name made of random digits in the Windows system directory, for example:

1234.

The most remarkable feature is that the folder name ends in a dot. Because Windows path handling cannot open a folder whose name ends in a dot, users cannot access the directory by that name. To access the folder, its short (8.3) name must be used, which in this case would be 1234~1.

Additionally, if users view this folder in Windows Explorer, they are told that the folder is empty.

The folder is not actually empty: it contains a hidden file belonging to the rootkit. The file is named .dll and has no extension. To access this file, its short name must be used, which in this case is dll~1.


ChymineLNK.A creates the following entries in the Windows Registry:

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IPRIP
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IPRIP\0000
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IPRIP\0000\Control
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Iprip
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Iprip\Enum
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Iprip\Parameters
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Iprip\Security
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPRIP
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPRIP\0000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPRIP\0000\Control
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Iprip
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Iprip\Enum
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Iprip\Parameters
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Iprip\Security

By creating these entries, the rootkit registers itself as a service so that it runs every time the computer starts. Additionally, it is loaded into an SVCHOST process so that it does not appear as a separate process.
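The two host artefacts described above (a digits-only folder ending in a dot that hides the rootkit DLL, and an Iprip service registered in the Registry) can be checked for with the following script. It is an added example, not part of the Panda entry, and assumes a Windows host, PowerShell 3 or later, an elevated session and ideally a clean boot, since a running rootkit may hide these objects from the queries.

```powershell
# Added detection check for the ChymineLNK.A artefacts described above.
# Assumption: Windows host, PowerShell 3+, elevated session.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Sub-folders of the Windows and System directories whose stored name ends
#    in '.'. Win32 path handling drops trailing dots, so Explorer cannot open
#    them; Win32_Directory returns the raw name plus its 8.3 alias (e.g. 1234~1).
foreach ($parent in @([Environment]::GetFolderPath('Windows'),
                       [Environment]::GetFolderPath('System'))) {
    $drive   = [System.IO.Path]::GetPathRoot($parent).TrimEnd('\')           # e.g. C:
    $wqlPath = ($parent.Substring($drive.Length) + '\').Replace('\', '\\')    # e.g. \\Windows\\
    $subDirs = Get-CimInstance -ClassName Win32_Directory `
                   -Filter "Drive='$drive' AND Path='$wqlPath'"
    foreach ($d in $subDirs) {
        if ($d.Name -match '\\\d+\.$') {
            $short = $d.EightDotThreeFileName
            $findings.Add("Trailing-dot folder: $($d.Name) (short name: $short)")
            # Reach the contents through the short name, as the entry describes;
            # -Force is needed because the rootkit file is marked hidden.
            Get-ChildItem -LiteralPath $short -Force -ErrorAction SilentlyContinue |
                ForEach-Object { $findings.Add("  contains: $($_.Name) [$($_.Attributes)]") }
        }
    }
}

# 2. The Iprip service the entry lists. On some Windows versions the optional
#    RIP Listener service also uses this service name, so judge by where
#    ServiceDll points rather than by the mere existence of the key.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Iprip'
if (Test-Path -LiteralPath $svcKey) {
    $svc = Get-ItemProperty -LiteralPath $svcKey
    $dll = (Get-ItemProperty -LiteralPath "$svcKey\Parameters" `
                -ErrorAction SilentlyContinue).ServiceDll
    $findings.Add("Iprip service key present: ImagePath=$($svc.ImagePath) ServiceDll=$dll")
    # Heuristic: a ServiceDll inside a digits-only folder ending in '.' (or its
    # ~1 alias) matches the hiding technique described in the entry.
    if ($dll -and $dll -match '\\\d+(\.|~\d+)\\') {
        $findings.Add('  ServiceDll sits in a trailing-dot folder: strong match for this rootkit')
    }
}
if (Test-Path -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPRIP') {
    $findings.Add('LEGACY_IPRIP key present under Enum\Root')
}

if ($findings.Count -eq 0) { 'No ChymineLNK.A indicators found.' } else { $findings }
```

Any hit on the folder check should be confirmed from an offline boot or a second system, because the rootkit is designed to hide exactly these objects while it is running.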

Means of transmission

ChymineLNK.A reaches the computer as a shortcut that points to the remote download of the file that starts the infection. This shortcut exploits the vulnerability known as MS10-046 (CVE-2010-2568), which affects files with the LNK extension.

However, ChymineLNK.A does not spread automatically by its own means. It needs an attacking user's intervention to reach the affected computer. The means of transmission used include, among others, removable drives such as pen drives and CD-ROMs, email messages with attached files, Internet downloads, FTP, IRC channels, peer-to-peer (P2P) file sharing networks, etc.

Further details

ChymineLNK.A is 142,848 bytes in size.
