Daprosy Worm
Daprosy worm is a malicious computer program that spreads via local area network (LAN) connections, spammed e-mails and USB mass storage devices. Infection starts from a single read1st.exe file, which creates several dozen clones at once, each bearing the name of a compromised folder. The most obvious symptom of a Daprosy infection is the presence of Classified.exe or "Do not open - secrets!.exe" files in infected folders.
Although first observed in early May 2009, the worm was first announced to the public as the Daprosy trojan worm by Symantec in July 2009 and was later identified as Autorun-AMS, Autorun-AMW and Autorun-APL by Sophos. It acquired additional aliases from other antivirus companies, some of which tag it as an incarnation or variant of Autorun.H.
The worm belongs to the "slow" mass-mailer category: copies of it are attached to messages sent to addresses intercepted from the keyboard. The e-mail promotes, and gives installation instructions for, an imaginary antivirus product purported to remove unknown infections from the computer. Infection cannot occur until the attached worm is renamed and opened, but once running it can spread to system folders in a matter of seconds. It is known to shut down or hang Windows Vista and Windows 7 when those operating systems deny its attempts to write to the system drive. The worm also hides folders and marks them "super hidden" (the hidden and system attributes set together, so Explorer omits them even when hidden files are shown) so that the data in them is not easily accessed.
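The on-disk symptoms described above (decoy file names, an executable named after each shadowed folder, "super hidden" folders) lend themselves to a simple triage scan. The following script is an added example for this article, not a removal script from Symantec, Sophos, AhnLab or any other vendor. The file names it looks for come from the article; the autorun.inf check is an assumption drawn from the Autorun-* aliases, and the sample directory layout it builds is constructed for the demonstration. Name-based hits are leads, not proof: confirm with an AV scan or a hash before deleting anything.

```python
"""Triage scan for the on-disk symptoms this article attributes to Daprosy.

Added example; not a vendor removal script. Symptoms checked: executables
named after a sibling folder, the decoy names read1st.exe / Classified.exe /
"Do not open - secrets!.exe", folders flagged hidden+system ("super hidden",
Windows only), and an autorun.inf that launches an executable (assumption
based on the Autorun-* aliases, not stated in the article).
"""
import os
import tempfile

# Decoy/dropper names the article lists (compared case-insensitively).
KNOWN_DECOY_NAMES = {"read1st.exe", "classified.exe", "do not open - secrets!.exe"}

# Windows FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM: "super hidden" means
# both bits are set, so Explorer omits the entry even with hidden files shown.
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4
SUPER_HIDDEN = FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM


def is_super_hidden(path):
    """True when path carries both HIDDEN and SYSTEM. POSIX stat results have
    no st_file_attributes, so this is always False off Windows."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return (attrs & SUPER_HIDDEN) == SUPER_HIDDEN


def autorun_targets(inf_path):
    """Executables an autorun.inf would launch (open=, shellexecute=, shell\\...)."""
    targets = []
    with open(inf_path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            key, sep, value = line.strip().partition("=")
            key = key.strip().lower()
            if sep and (key in ("open", "shellexecute") or key.startswith("shell\\")):
                targets.append(value.strip())
    return targets


def scan_tree(root):
    """Walk root and return sorted (reason, path) findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        sibling_dirs = {d.lower() for d in dirnames}
        for name in filenames:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            stem, ext = os.path.splitext(lower)
            if lower in KNOWN_DECOY_NAMES:
                findings.append(("known decoy name", path))
            if ext == ".exe" and stem in sibling_dirs:
                # The worm's clones take the name of the folder they shadow;
                # a legitimate program rarely sits beside a same-named folder.
                findings.append(("exe named after sibling folder", path))
            if lower == "autorun.inf":
                for target in autorun_targets(path):
                    findings.append(("autorun.inf launches " + target, path))
        for d in dirnames:
            if is_super_hidden(os.path.join(dirpath, d)):
                findings.append(("super hidden folder", os.path.join(dirpath, d)))
    return sorted(findings)


def unhide(path):
    """Clear HIDDEN and SYSTEM on path, like `attrib -s -h` (Windows only;
    returns False elsewhere or if the attributes cannot be read)."""
    if os.name != "nt":
        return False
    import ctypes
    k32 = ctypes.windll.kernel32
    k32.GetFileAttributesW.restype = ctypes.c_uint32
    attrs = k32.GetFileAttributesW(path)
    if attrs == 0xFFFFFFFF:  # INVALID_FILE_ATTRIBUTES
        return False
    return bool(k32.SetFileAttributesW(path, attrs & ~SUPER_HIDDEN))


def build_sample_tree(base):
    """Constructed layout mimicking an infected USB stick (sample data, not a
    real capture): one shadowed folder, the decoys, and an autorun.inf."""
    os.makedirs(os.path.join(base, "Photos"))
    os.makedirs(os.path.join(base, "Work"))
    for name in ("Photos.exe", "Classified.exe", "read1st.exe"):
        with open(os.path.join(base, name), "wb") as fh:
            fh.write(b"MZ")  # placeholder bytes, not a real executable
    with open(os.path.join(base, "Work", "report.txt"), "w") as fh:
        fh.write("benign\n")
    with open(os.path.join(base, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\nopen=read1st.exe\nicon=read1st.exe\n")
    return base


def demo_scan():
    """Build the sample tree in a temp dir, scan it, and return findings with
    paths relative to the tree root so the result is stable across runs."""
    with tempfile.TemporaryDirectory() as tmp:
        base = build_sample_tree(tmp)
        return [(reason, os.path.relpath(path, base))
                for reason, path in scan_tree(base)]


if __name__ == "__main__":
    for reason, rel in demo_scan():
        print(f"{reason}: {rel}")
```

On a Windows machine, point `scan_tree` at the drive root (for example `scan_tree(r"E:\")`), review the hits, and only then call `unhide` on the flagged folders; on other platforms the attribute checks are inert and only the name-based and autorun.inf checks apply.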
Precision key logging is the main threat associated with a Daprosy infection. Logged keystrokes containing sensitive data can be sent to the author using the worm's improvised mailing system. Early strains are known to destabilize, corrupt and even stall the operating system because of programming bugs. Those strains appear incomplete and were probably created by students or amateur Visual Basic programmers, as the output of VB decompilers suggests. Final or later releases of Daprosy are prolific online-game password stealers, and they also pose a serious threat to banking and other e-commerce sites.
Daprosy is rampant in public Internet cafés with LAN connections and exposed USB mass storage drives. As of October 2009, special scripts are available to remove it from infected computers. Many Windows systems stalled on November 13, 2009; an initial investigation pointed to older versions of Daprosy, viz. Sophos Autorun-AMS and Autorun-AMW, which appear to be "Friday the Thirteenth" malware.
More recent and persistent variants of Daprosy are still in circulation. A notable variant, Win32/Kashu.B as identified by AhnLab, can be removed only by booting from a live CD. Such variants are usually themselves infected by Sality viruses; Daprosy now appears to be a natural host for file-infecting viruses, since it is well distributed across all drives. Virus-infected Daprosy exists in many variants, which again require special scripts to remove. Manual removal of worms that are themselves infected with viruses requires knowledge usually found only at AV companies.
Daprosy is active even in Safe Mode, which makes it difficult to remove manually. Its key-logging mechanism is precise enough to capture almost everything typed on the keyboard. This ranks Daprosy as one of the most dangerous worms of the last decade.