Inane Shenanigans with Worm-Shiv

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

It’s been a long time since I’ve worked on a malware file as singularly obnoxious as Worm-Shiv, a new worm we defined a few weeks ago. There isn’t anything especially technically avant-garde or advanced about the worm, nor was it especially difficult to detect or remove. It just exhibits behavior that, to be blunt, is about as annoying as it possibly can be.

The infection process starts with a small self-extracting RAR archive executable. When run, it drops and executes another .exe file, which in turn drops and executes yet another .exe file. Sounds pretty unobtrusive so far, right?

Well, even though the worm might have snuck by unnoticed, it would be hard to characterize its operational behavior as “staying below the radar.” The worm puts a copy of a file named wsock32.dll into every single folder on the hard drive. Every. Single. One. On my test system there were more than 200 copies left behind.

Then the fun begins.

The worm’s code is designed to prevent certain applications from working properly. For example, the brilliant freeware tool Process Explorer is automatically shut down the moment the mouse crosses the border into the program’s window. In some cases, the worm also modifies some registry settings that turn off certain columns in the Process Explorer window — important ones, like the one that shows the program’s name.

But even worse, the worm has been engineered to mess with the application window of many antivirus products, including ours. Take a look at the next video, where our product has detected the worm during a sweep. Not only does the worm make the Quarantine button disappear, but then the real shenanigans begin: When you move the mouse pointer anywhere within the program’s active window, it immediately snaps the Title Bar over the mouse pointer, which then sticks to the pointer. If you move the mouse too quickly when it’s “stuck” like that, the mouse pointer just slips off the title bar, leaving the window half off the screen.

Fortunately for you (and for our dedicated, patient technical support folks), there’s a keyboard shortcut for the Quarantine feature, so you can just hit the Alt-Q keys instead of trying in vain, over and over, to click the button.

I’ve never been happier to get rid of a piece of malware than I was when I came across Worm-Shiv. Maybe the evil genius drooling idiot who came up with this one will think of something even more annoying in the future, but for now, we can all breathe a little easier knowing this Sisyphean nonsense is contained — at least, for the moment.

2 thoughts on “Inane Shenanigans with Worm-Shiv

  1. I once came across a virus that wouldn’t even let me execute process explorer. Nothing happened when double clicking on the exe. Fortunately there was an easy work around. All I had to do was rename the exe file and then it worked like a charm.

Join the Conversation

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s