Xnet
OS Protector is an intelligent circuit card that protects the PC system configuration and the data on the hard disk in a simple and fast way. Installation and operation are simple and can be done in minutes without involving technical staff. The form factor is a small PCI card.
The concept is simple. Instead of blacklisting (i.e. keeping track of all the new viruses and their signatures), OS Protector uses whitelisting: it keeps track of what is good. All it needs to do is know which files are clean, and it protects only those.
How does it do this? Using parity bits, protection is offered at the hardware level (hence the title: hardware anti-virus). It kicks in before Windows boots, so Windows viruses cannot attack it. This way it is even able to protect the BIOS from being changed.
Labels: bits protection, Hardware, Virus, Worm
Skype worm leaps onto MSN
IM in peril
By John Leyden
Published Thursday 24th May 2007 17:51 GMT
Malware miscreants have created the first worm targeting Skype that's also capable of spreading over other instant messaging networks, such as MSN and ICQ.
The unnamed worm poses as a chat message linking to a website, as with other examples of Skype-spreading malware before it. This malicious website contains a .pif file that poses as "photos". Users tricked by this simple ruse will find themselves infected by the Stration worm, a mass mailer that also attempts to foil attempts to remove it by blocking access to security-related websites, and other items of malware.
Skype contacts of users infected by the worm get sent a message pointing to the hacker-controlled website. This is all fairly standard.
The twist comes via an attempt by VXers to hedge their bets. One of the files dropped onto infected PCs checks to see if a number of different instant messaging programs are installed.
Although the main vector for infection is Skype, the malware also attempts to spread by punting messages across MSN and ICQ, according to an analysis of the malware by researchers at IM security firm FaceTime Communications.
"The infection checks the registry for evidence of programs like AIM, Trillian, Yahoo Messenger, Miranda and ICQ - however, so far we've only seen it fire a message to an ICQ and an MSN Messenger Client," writes Chris Boyd, director of malware research at FaceTime. "The main target appears to be Skype with regards a delivery mechanism for the messages sent, but the potential for the infection to leap across various networks is obviously there."
FaceTime speculates that the cross-network IM worm is probably the work of the same VXers who created the earlier Skype worm. The latest IM malware menace once again emphasises the importance for users to think before they click. ®
Labels: Worm
Name: Email-Worm:W32/Zhelatin.CQ
Alias: Email-Worm.Win32.Zhelatin.cq
Type: E-Mail Worm, Rootkit
Category: Malware
Platform: Microsoft Windows Win32
Date of Discovery: April 08, 2007
Radar Alert Level 2
Summary
The Zhelatin.CQ worm started to spread very late on April 8th, 2007. The worm spreads in e-mails with war-related subjects as an attachment named 'video.exe', 'movie.exe', 'click me.exe' and so on. The worm creates its own peer-to-peer network.
Detailed Description
After the worm's file is started by a user, it drops a randomly named file into the same folder it was started from and runs it. This file installs a rootkit and p2p (peer-to-peer) component into the Windows System folder. The file name is wincom32.sys. The following startup key is created in the Registry for the dropped file:
[HKLM\System\ControlSet001\Services\wincom32]
@ = "%WinSysDir%\wincom32.sys"
The installed component has rootkit features: it hides its Registry keys and active process so that an anti-rootkit engine is needed to reveal them. In addition this component drops a text file named wincom32.ini into the Windows System folder. This file contains a list of clients for the worm's peer-to-peer network. The peer names and access ports are encoded. Here's an example of the file's contents:
[counter]
Counter=0
[peers]
003964D3640550573F800125725481EF=5326859A123900
004982069E5DB75721B54CFF33A26170=5955FC93123900
00A1836AE91D076BC265F9735204714F=451AAE831EBF00
The dropped file also has a blacklist area, but it's empty at the moment. The worm decodes the clients' addresses and access ports and connects itself to the peer-to-peer network. A significant number of UDP connections can be observed when the worm is trying to connect to its p2p network.
At the same time, the worm's copy that stays in memory starts its spreading cycle. It creates a mutex named klllekkdkkd and scans files on local hard disks for victims' e-mail addresses. The worm ignores e-mail addresses that contain any of the following substrings:
microsoft
.gov
.mil
Then the worm starts to spread in e-mails. It sends messages with the following subjects to all found e-mail addresses:
USA Declares War on Iran
USA Missle Strike: Iran War just have started
Missle Strike: The USA kills more then 20000 Iranian citizens
Missle Strike: The USA kills more then 1000 Iranian citizens
Missle Strike: The USA kills more then 10000 Iranian citizens
Israel Just Have Started World War III
USA Just Have Started World War III
Iran Just Have Started World War III
As you see, the subjects are war-related, so it's a good social engineering trick. The worm always attaches itself to the e-mails that it sends out. The attachment names can be any of the following:
More.exe
Read More.exe
Click Here.exe
Click Me.exe
Read Me.exe
Movie.exe
News.exe
Video.exe
When a recipient of such e-mail opens the attachment, his/her computer becomes infected and the worm continues its spreading cycle.
The worm has a payload. It kills processes if they have the following substrings in their names:
mcafee
taskmgr
hijack
f-pro
lockdown
msconfig
firewall
blackice
avg
vsmon
zonea
spybot
nod32
reged
rav
nav
avp
troja
viru
anti
Labels: Email, Microsoft, Worm
W32/Poebot-KN
Type: Spyware Worm
How it spreads: Network shares
Affected operating systems: Windows
Side effects: Allows others to access the computer; Steals information; Downloads code from the internet; Installs itself in the Registry; Exploits system or software vulnerabilities
W32/Poebot-KN is a worm for the Windows platform.
W32/Poebot-KN spreads through network shares protected by weak passwords and by exploiting common vulnerabilities including:
LSASS (MS04-011)
SRVSVC (MS06-040)
RPC-DCOM (MS04-012)
WKS (MS03-049)
Dameware (CAN-2003-1030)
PNP (MS05-039)
W32/Poebot-KN runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
When first run, W32/Poebot-KN copies itself to
\spooIsv.exe.
The following registry entry is created to run spooIsv.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Spooler SubSystem App
\spooIsv.exe
Labels: Microsoft, Virus, Worm
Size: 11 kbytes (packed)
Discovered: 2007 Feb 14
SYMPTOMS:
- The presence of the following file: %WINDIR%\sqhos32.wmf
- The presence of the following registry key:
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run: "lre"="%path_to_trojan%"
- A process named 'module.exe' running
TECHNICAL DESCRIPTION:
The trojan creates a file named sqhos32.wmf in the %WINDIR% folder; this file contains data the trojan uses. It then creates the following registry key in order to execute itself at each system startup:
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run: "lre"="%path_to_trojan%"
The trojan tries to download a file named 'module.exe' from http://eased{...}.com/et.exe.
When the link becomes available, it will execute the downloaded file, delete the startup registry key and mark itself for deletion at the next system startup.
ANALYZED BY:
Marius Botis, virus researcher
Labels: Microsoft, Trojan, Worm
W32.Zhosu@mm
Risk Level 1: Very Low
Discovered: March 20, 2007
Updated: March 21, 2007 4:02:06 AM
Type: Worm
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
W32.Zhosu@mm is a worm that spreads by sending itself to email addresses that it finds in the Windows Address Book.
Symantec Security Response is currently investigating this threat and will post more information as it becomes available.
Threat Assessment
Wild Level: Low
Number of Infections: 0 - 49
Number of Sites: 0 - 2
Geographical Distribution: Low
Threat Containment: Easy
Removal: Easy
Damage
Damage Level: Low
Distribution
Distribution Level: Low
Writeup By: Chen Yu
Labels: Microsoft, Virus, Worm
W32.Fujacks.BH W32/Catcher-A
Discovered: March 14, 2007
Also Known As: W32/Fujacks.z [McAfee], W32/Fujacks.dll [McAfee]
Type: Virus, Worm
Infection Length: 80,384 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Once executed, the worm copies itself as the following files:
%System%\[RANDOM].dll
%System%\[RANDOM].exe
The worm creates the following registry entry so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{21LYYSYS-9421-2126-L2Y1-L2Y1Y1S3Y1S4}\"StubPath" = "%System%\[RANDOM].exe"
The worm injects itself into the following processes:
Explorer.exe
Services.exe
Winlogon.exe
The worm attempts to download a file from the following URL:
[http://]www.lovesa.info/logo[REMOVED]
Note: At the time of writing, the file was unavailable.
The worm scans the compromised computer and prepends itself to .exe and .scr files. It avoids infecting files located in the following folders:
ComPlus Applications
Common Files
Delphi
Internet Explorer
Messenger
Microsoft Frontpage
Movie Maker
NetMeeting
Online Services
Outlook Express
RECYCLER
System Volume Information
System32
Temp
WINNT
WIndows Media Player
WIndows NT
WinRAR
Windows
Note: Executable files increase in size by 80,384 bytes.
The worm also appends a reference to the domain www.lovesa.info into all files it finds with the following extensions:
.asa
.asp
.aspx
.bat
.cdx
.cer
.css
.htm
.html
.inc
.jsp
.php
The worm uses the following list of passwords in an attempt to copy itself to available network shares:
000000
00000000
1
110
111
111111
11111111
12
120
121212
123
123123
123321
1234
12345
123456
1234567
12345678
123456789
1234qwer
123abc
123asd
123qwe
2000
2004
2005
2006
2007
2008
2k
321
4321
5021314
520
5201314
520520
54321
654321
88888
88888888
999999
Admin
Administrator
Password
Root
abc
abc123
abcd
abcd123
admin
admin123
administrator
adsl
asdf
asdf123
bye
byebye
cctv
china
computer
data
database
date
enable
foobar
fuck
fuckyou
ghost
god
godblessyou
goodbye
guest
guest123
guest321
hao123
happy
home
ihavenopass
iloveyou
internet
japan
kaonima
live
login
love
loveyou
mylove
mypass
mypass123
no
oracle
pass
passwd
password
pwd
qq
qwer
root
sa
server
sex
super
sybase
temp
temp123
test
test123
user
users
wangba
window
windows
windows2000
windows2003
windowsxp.
xp
xxx
yxcv
zxcv
The worm then attempts to copy itself as one of the following filenames:
FuckJacks.exe
Logo1_.exe
Logo_1.exe
Rundl132.exe
c0nime.exe
iexpl0re.exe
nvscv32.exe
spoclsv.exe
svch0st.exe
Threat Assessment
Wild Level: Low
Number of Infections: 0 - 49
Number of Sites: 0 - 2
Geographical Distribution: Low
Threat Containment: Easy
Removal: Moderate
Damage
Damage Level: Medium
Payload: Infects various files.
Distribution
Distribution Level: Medium
Shared Drives: Copies itself to network shares.
Writeup By: Jeong Mun
Labels: Anti-Virus, Microsoft, Worm
Win32/Nirbot Family
Threat Assessment
Overall Risk: Low
Wild: Low
Destructiveness: Medium
Pervasiveness: Medium
Characteristics
Type: Worm
Category: Win32
Also known as
W32/Delbot (Sophos),
W32.Rinbot (Symantec), Backdoor.Win32.VanBot (Kaspersky)
Description
Win32/Nirbot is a family of IRC-controlled backdoors that can be used to gain unauthorized access to a victim's machine. They can also exhibit worm-like functionality by exploiting many different software vulnerabilities, including SYM06-010 and MS06-040.
Method of Infection
When executed, Win32/Nirbot copies itself to the %System% directory using filenames such as:
arman.exe
atievx.exe
crcss.exe
lemsrv.exe
msync.exe
navscnr.exe
netadp.exe
prevx.exe
rinsv.exe
symmec.exe
It then makes the following registry modification to ensure this copy is executed at each Windows start:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
= ""
where differs depending on the variant, for example:
ATI Active Graphics Card Monitor
JW Manager
LEMSRV
Network Bridge
Random Interface Network Manager
Symmetrical Network
Syncronization
Nirbot continuously checks for and sets the above registry entry.
The worm also creates a mutex to avoid running multiple instances of itself.
Note: '%System%' is a variable location. The malware determines the location of the current System folder by querying the operating system. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95,98 and ME is C:\Windows\System; and for XP is C:\Windows\System32.
Method of Distribution
Via Exploit
Win32/Nirbot spreads by exploiting a number of vulnerabilities in Windows operating systems and third party applications. Nirbot's spreading routine starts with scanning for vulnerable target machines. The worm can generate random values for all or part of each IP address it targets.
Nirbot variants can spread by exploiting the following vulnerabilities:
Symantec Client Security and Symantec AntiVirus Elevation of Privilege (SYM06-010)
The worm opens a configurable port on the compromised machine and runs a TFTP server. The worm probes remote machines on port 2967 to determine if they are prone to the SYM06-010 vulnerability. If successful, the worm executes a small amount of code on the target machine that instructs it to connect back to the running TFTP server and retrieve a copy of the worm.
For more information on this vulnerability, please visit the following:
http://www.symantec.com/avcenter/security/Content/2006.05.25.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2630
Microsoft Windows Server service buffer overflow vulnerability (TCP port 139)
The worm creates an HTTP server on the system on a random port. The worm also checks if the IP address of the local machine partially matches a list of IPs contained in its code, for example:
192.168.*.*
10.*.*.*
111.*.*.*
15.*.*.*
16.*.*.*
101.*.*.*
110.*.*.*
112.*.*.*
170.65.*.*
If the IP does not match, the worm instructs the machine vulnerable to this exploit to connect back to the HTTP server running on the system and retrieve a copy of the worm. If the IPs do match, the worm executes a small amount of code on the targeted machine that instructs it to download a copy of the worm from a specific domain. The following is a list of domains and IPs that Nirbot variants have been observed to download from:
For more information on this vulnerability, please visit the following:
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34486
http://www.microsoft.com/technet/security/Bulletin/MS06-040.mspx
Microsoft Windows RPCSS malformed DCOM message buffer overflow vulnerabilities (TCP port 135)
If the worm finds a machine vulnerable to this exploit, it executes a small amount of code on the targeted machine that instructs it to retrieve a copy of the worm. This is also done through a TFTP server the worm creates on the compromised system on a configurable port.
For more information on this vulnerability, please visit the following:
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=25975
http://www.microsoft.com/technet/security/bulletin/MS03-039.mspx
Exploiting weak passwords on MS SQL servers, including the Microsoft SQL Server Desktop Engine blank 'sa' password vulnerability (TCP port 1433)
If Win32/Nirbot finds an exploitable machine, it attempts to log into SQL server accounts 'sa', 'root' and 'admin'. It attempts to authenticate these accounts using several passwords stored in its code. If the worm successfully logs into an account, it sends code to the remote machine instructing it to retrieve a copy of itself.
For more information on this vulnerability, please visit the following:
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=5705
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q321081
Payload: Backdoor Functionality
Nirbot is an IRC-controlled backdoor. Variants of the worm usually attempt to connect to between two and four IRC servers before joining a specific channel. The following is a list of some known IRC servers Nirbot variants have attempted to connect to (generally on port 8080, although this differs between variants):
When the worm connects to one of these servers and joins a channel, the attacker controlling that channel gains control of the compromised machine. Once the victim's computer is under control, the overseer is able to instruct Nirbot to attempt malicious operations such as spreading.
Via its backdoor, the trojan can also be instructed to:
- Retrieve system information such as operating system details
- Download and execute files from the Internet
- Run a SOCKS proxy on the affected host
- Perform a Denial of Service attack
- Execute commands on the affected host
- Update itself
- Remove itself
- Steal CD keys
Downloads and Executes Arbitrary Files
When first run, some Nirbot variants download and execute a file. The file is downloaded from a specific domain and is usually executed from the C:\ directory. Downloaded files are usually Win32/Amahkey trojan variants - for example, Win32/Amahkey.F.
Analysis by Amir Fouda
Labels: Anti-Virus, Microsoft, Virus, Worm
W32.Messmulti
Risk Level 1: Very Low
Discovered: March 12, 2007
Type: Worm
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
W32.Messmulti is a worm that sends a link to itself through multiple instant messengers or chat programs.
Threat Assessment
Wild
Wild Level: Low
Number of Infections: 0 - 49
Number of Sites: 0 - 2
Geographical Distribution: Low
Threat Containment: Easy
Removal: Easy
Damage
Damage Level: Low
Payload: Sends a link to itself through multiple instant messengers or chat programs.
Distribution
Distribution Level: Low
Writeup By: Masaki Suenaga
Labels: Microsoft, Worm
Name: Backdoor:W32/PcClient.YW
Alias: DR/PcClient.Gen, Trojan.Dropper.CI
Size: varies
Type: Backdoor
Category: Malware
Platform: W32
Date of Discovery: March 08, 2007
Summary
Backdoor:W32/PcClient.YW attempts to hide processes, files, and registry data. It allows the attacker to perform arbitrary actions on the infected machine. Backdoor:W32/PcClient.YW has rootkit functionality and steals sensitive information from an infected computer.
Disinfection
If the rootkit is not detected or it is hidden and FSAV cannot detect its file, it is still possible to detect the malicious activity by scanning the system with a generic rootkit scanner, such as F-Secure BlackLight. More information about F-Secure BlackLight Rootkit Elimination Technology can be found here:
http://www.f-secure.com/blacklight/
Detailed Description
Once Backdoor:W32/PcClient.YW has been executed, it drops its components at the following paths and filenames:
%programfiles%\internet explorer\connection wizard\zhyrikwo.dll - backdoor
%programfiles%\internet explorer\connection wizard\zhyrikwo.drv - keylogger
Note: the file size of zhyrikwo.dll might vary due to garbage code appended at the end of the file.
It will also drop the following driver that will communicate with the .dll files in order to hide the malware processes, registry entries and files:
%programfiles%\internet explorer\connection wizard\zhyrikwo.sys - rootkit
It modifies the following known registry entry as its autostart technique:
Data before:
[HKLM\SYSTEM\CurrentControlSet\Services\sens\Parameters]
ServiceDll = %sysdir%\sens.dll
Data after:
[HKLM\SYSTEM\CurrentControlSet\Services\sens\Parameters]
ServiceDll = %programfiles%\internet explorer\connection wizard\zhyrikwo.dll
The file zhyrikwo.dll intercepts any access to the original file, sens.dll, as a stealth mechanism, and after executing its malicious routines passes the correct parameters on to sens.dll.
It also adds the following autostart registry entry for the driver:
[HKLM\System\ControlSet001\Services\zhyrikwo]
ImagePath= %programfiles%\internet explorer\connection wizard\zhyrikwo.sys
Note: This rootkit can be detected by F-Secure's BlackLight.
Part of its payload is a keylogger: it logs all keystrokes made by the user and sends the log file to a remote attacker.
The other part of the payload is a backdoor component. The backdoor routine is injected into svchost.exe and is capable of the following:
updating itself, remote execution
This malware connects to the following site:
http://dynsev5299.2mydns.com/i[BLOCKED]x.asp
Detection
F-Secure Anti-Virus detects this malware with the following updates:
[FSAV_Database_Version] Version = 2007-03-07_10.
Labels: Anti-Virus, Backdoor, Microsoft, Worm
SymbOS.Feakks
Writeup By: Masaki Suenaga
Risk Level 1: Very Low
SUMMARY
Discovered: March 7, 2007
Updated: March 8, 2007 5:13:54 AM
Type: Worm
Infection Length: 3,276 bytes
Systems Affected: Symbian OS
SymbOS.Feakks is a proof of concept worm that spreads through SMS messages.
Threat Assessment: Wild
Wild Level: Low
Number of Infections: 0 - 49
Number of Sites: 0 - 2
Geographical Distribution: Low
Threat Containment: Easy
Removal: Easy
Damage
Damage Level: Low
Payload: Spreads through SMS messages.
Distribution
Distribution Level: Low
Technical Details
Infection Length: 3,276 bytes
Systems Affected: Symbian OS
Once executed, the worm creates the following files:
%System%/apps/feakk.exe
%System%/recogs/feakk.mdl
The worm then searches the contact list for "HACKME" and terminates itself if it is not found.
The worm sends a link that contains a copy of the worm to all the contacts found.
Removal
Install a file manager program on the device.
Enable the option to view the files in the system folder.
Delete the following files:
%System%/apps/feakk.exe
%System%/recogs/feakk.mdl
Exit the file manager.
Labels: Advisory, Symbian, Worm
Why does anyone still have telnetd running? Should be off by default.
Slashdot discussion
Info Week article
Turkey Worm
===============================
Sun Solaris Telnet Worm
Original release date: February 28, 2007
Last revised: --
Source: US-CERT
Systems Affected
Sun Solaris 10 (SunOS 5.10)
Sun "Nevada" (SunOS 5.11)
Both SPARC and Intel (x86) architectures are affected.
Overview
A worm is exploiting a vulnerability (VU#881872) in the Sun Solaris telnet daemon (in.telnetd).
I. Description
A worm is exploiting a vulnerability in the telnet daemon (in.telnetd) on unpatched Sun Solaris systems. The vulnerability allows the worm (or any attacker) to log in via telnet (23/tcp) with elevated privileges. Further details about the vulnerability are available in Vulnerability Note VU#881872 (CVE-2007-0882).
Because VU#881872 is trivial to exploit and sufficient technical detail is publicly available, any attacker, not just this worm, could exploit vulnerable systems.
Characteristics of the worm include, but are not limited to:
Exploiting VU#881872 to log in via telnet as the users adm or lp
Changing permissions on /var/adm/wtmpx to -rw-r--rw-
Creating the directory .adm in /var/adm/sa/
Adding .profile files to /var/adm/ and /var/spool/lp/
Installing an authenticated backdoor shell on port 32982/tcp
Modifying crontab entries for the users adm and lp
Scanning for other hosts running telnet (23/tcp)
Sun has published information about the worm in the Security Sun Alert Feed including an inoculation script that disables the telnet daemon and reverses known changes made by the worm.
II. Impact
VU#881872 allows a remote attacker to log on to a vulnerable system via telnet and gain elevated privileges. The worm exploits this vulnerability to compromise systems as described above. Since the worm installs a backdoor shell, an attacker who knows the authentication tokens can access a compromised system and take any action with the privileges of the backdoor shell process, likely adm or lp.
III. Solution
Apply a patch
To address VU#881872, apply the appropriate patches referenced in Sun Alert Notification 102802.
Run inoculation script
To recover compromised systems, Sun has provided an inoculation script that disables the telnet daemon and reverses known changes made by the worm.
Note that the inoculation script only recovers from this particular worm. Running the inoculation script does not guarantee system integrity. A vulnerable system may be compromised in different ways by attackers exploiting VU#881872 or using the backdoor installed by the worm. To fully recover, it may be necessary to rebuild a compromised system using trusted software sources. For more information, see Recovering from an Incident.
IV. Workarounds
Until the appropriate patches can be applied, consider the following workarounds.
Disable telnet
Telnet can be disabled by issuing the following command as root:
# /usr/sbin/svcadm disable telnet
Restrict telnet access
Restrict access to telnet (23/tcp) from untrusted networks such as the Internet.
Use SSH instead of telnet
SSH provides a comparatively more secure method for remotely logging into a system than telnet. As general advice, we recommend using SSH rather than telnet.
V. References
US-CERT Vulnerability Note VU#881872 -
Recovering from an Incident -
Sun Alert Notification 102802 -
Solaris in.telnetd worm seen in the wild + inoculation script -
inoculate.local -
CVE-2007-0882 -
Produced 2007 by US-CERT, a government organization
Labels: Advisory, SUN, UNIX, Vulnerability, Worm
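As an added example (not Sun's inoculation script or anything from US-CERT), the Python check below looks for the worm characteristics the advisory lists: the wtmpx permission change, the .adm directory under /var/adm/sa/, the .profile files dropped for adm and lp, crontab entries for those users that differ from a known-good baseline, and a listener on 32982/tcp in a netstat -an capture. It takes a filesystem root so it can be pointed at a mounted image; the sample tree, baseline crontab lines and netstat output are constructed.

```python
"""Host check for the Solaris in.telnetd worm indicators in the US-CERT
advisory above. Added example, not Sun's inoculation script; the sample
tree, baseline crontab lines and netstat capture are constructed."""
import os
import re
import stat
import tempfile

BACKDOOR_PORT = 32982        # authenticated backdoor shell listed in the advisory
WORM_USERS = ("adm", "lp")    # accounts the worm logs in as and whose crontabs it edits

# Constructed 'netstat -an' TCP section in Solaris layout (local address as host.port).
SAMPLE_NETSTAT = """TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.22                 *.*                0      0 49152      0 LISTEN
      *.32982              *.*                0      0 49152      0 LISTEN
10.0.0.5.22          10.0.0.9.50412     49640      0 49640      0 ESTABLISHED
"""

# Constructed known-good crontab lines per user (take these from a trusted host).
CRON_BASELINE = {
    "adm": {"0 * * * 0-6 /usr/lib/sa/sa1"},
    "lp": {"13 3 * * 0 /usr/lib/lp/cleanlp"},
}

_LISTEN_RE = re.compile(r"^\s*\S+\.(\d+)\s+\S+.*\sLISTEN\s*$")


def listening_ports(netstat_text):
    """Local TCP ports in LISTEN state from netstat -an output."""
    ports = set()
    for line in netstat_text.splitlines():
        m = _LISTEN_RE.match(line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def check_tree(root, cron_baseline):
    """Return [(indicator, path)] for the worm's filesystem changes under root."""
    findings = []
    wtmpx = os.path.join(root, "var/adm/wtmpx")
    if os.path.exists(wtmpx):
        mode = stat.S_IMODE(os.stat(wtmpx).st_mode)
        # The worm leaves wtmpx as -rw-r--rw- (0646); it should never be world-writable.
        if mode & stat.S_IWOTH:
            findings.append(("world-writable wtmpx (mode %04o)" % mode, wtmpx))
    adm_dir = os.path.join(root, "var/adm/sa/.adm")
    if os.path.isdir(adm_dir):
        findings.append(("worm directory .adm present", adm_dir))
    for home in ("var/adm", "var/spool/lp"):
        profile = os.path.join(root, home, ".profile")
        if os.path.exists(profile):
            findings.append(("dropped .profile", profile))
    for user in WORM_USERS:
        crontab = os.path.join(root, "var/spool/cron/crontabs", user)
        if not os.path.exists(crontab):
            continue
        with open(crontab) as fh:
            for line in fh:
                entry = line.strip()
                if entry and not entry.startswith("#") and entry not in cron_baseline.get(user, set()):
                    findings.append(("crontab entry for %s not in baseline: %s" % (user, entry), crontab))
    return findings


def build_sample_tree():
    """Constructed tree showing every indicator at once (a compromised host)."""
    root = tempfile.mkdtemp()
    for d in ("var/adm/sa/.adm", "var/spool/lp", "var/spool/cron/crontabs"):
        os.makedirs(os.path.join(root, d))
    wtmpx = os.path.join(root, "var/adm/wtmpx")
    open(wtmpx, "w").close()
    os.chmod(wtmpx, 0o646)
    for home in ("var/adm", "var/spool/lp"):
        open(os.path.join(root, home, ".profile"), "w").close()
    with open(os.path.join(root, "var/spool/cron/crontabs/adm"), "w") as fh:
        # Baseline line plus one constructed entry outside the baseline.
        fh.write("0 * * * 0-6 /usr/lib/sa/sa1\n* * * * * /var/adm/sa/.adm/x\n")
    with open(os.path.join(root, "var/spool/cron/crontabs/lp"), "w") as fh:
        fh.write("13 3 * * 0 /usr/lib/lp/cleanlp\n")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for indicator, path in check_tree(root, CRON_BASELINE):
        print("%-45s %s" % (indicator, path))
    if BACKDOOR_PORT in listening_ports(SAMPLE_NETSTAT):
        print("backdoor port %d is listening" % BACKDOOR_PORT)
```

A clean finding list from this check does not prove integrity, for the reason the advisory gives: an attacker who used VU#881872 directly may have left none of the worm's traces.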
W32.Spybot.ANDM
Discovered: January 3, 2007
Updated: February 13, 2007 1:03:06 PM
Type: Worm
Infection Length: 168,960 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
When W32.Spybot.ANDM is executed, it performs the following actions:
Copies itself as any of the following files:
%System%\wnuserv.exe
%System%\ctfmom.exe
%System%\napi32.exe
%System%\soundman.exe
Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Creates a temporary batch file named c:\a.bat, which in turn creates a registry file in the temporary folder named 1.reg.
Adds the values:
"Windows System Service" = "wnuserv.exe"
"Windows System Service" = "wnuserv.exe"
"Windows Update Firewall System" = "ctfmom.exe"
"Windows Update Firewall System" = "ctfmom.exe"
"Windows Logon Service" = "napi32.exe"
"Windows Logon Service" = "napi32.exe"
"Microsoft Sounds" = "soundman.exe"
"Microsoft Sounds" = "soundman.exe"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
so that it runs every time Windows starts.
Adds the value:
"Windows System Service" = "wnuserv.exe"
to the registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\OLE\Windows
Modifies the value:
"TransportBindName" = ""
in the registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
Modifies the value:
"Start" = "4"
in the registry subkeys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc
Modifies the values:
"EnableDCOM" = "N"
"EnableRemoteConnect" = "N"
in the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
Modifies the value:
"restrictanonymous" = "1"
in the registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
to prevent NULL session enumeration of the host.
Modifies the value:
"Enabled" = "0"
in the registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT1.0\Server
Modifies the values:
"AutoShareWks" = "0"
"AutoShareServer" = "0"
in the registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
Modifies the values:
"NameServer" = ""
"ForwardBroadcasts" = "0"
"IPEnableRouter" = "0"
"Domain" = ""
"SearchList" = ""
"UseDomainNameDevolution" = "1"
"EnableICMPRedirect" = "0"
"DeadGWDetectDefault" = "1"
"DontAddDefaultGatewayDefault" = "0"
"EnableSecurityFilters" = "1"
"AllowUnqualifiedQuery" = "0"
"PrioritizeRecordData" = "1"
"TCP1320Opts" = "3"
"KeepAliveTime" = "23280"
"BcastQueryTimeout" = "002ee"
"BcastNameQueryCount" = "1"
"CacheTimeout" = "0ea60"
"Size/Small/Medium/Large" = "3"
"LargeBufferSize" = "01000"
"SynAckProtect" = "2"
"PerformRouterDiscovery" = "0"
"EnablePMTUBHDetect" = "0"
"FastSendDatagramThreshold " = "400"
"StandardAddressLength " = "18"
"DefaultReceiveWindow " = "4000"
"DefaultSendWindow" = "4000"
"BufferMultiplier" = "200"
"PriorityBoost" = "2"
"IrpStackSize" = "4"
"IgnorePushBitOnReceives" = "0"
"DisableAddressSharing" = "0"
"AllowUserRawAccess" = "0"
"DisableRawSecurity" = "0"
"DynamicBacklogGrowthDelta" = "32"
"FastCopyReceiveThreshold" = "400"
"LargeBufferListDepth" = "a"
"MaxActiveTransmitFileCount" = "2"
"MaxFastTransmit" = "40"
"OverheadChargeGranularity" = "1"
"SmallBufferListDepth" = "20"
"SmallerBufferSize" = "80"
"TransmitWorker" = "20"
"DNSQueryTimeouts" = "31,00,00,00,32,00,00,00,32,00,00,00,34,00,00,00,38,00,00,00,30,00,00,00,00,00"
"DefaultRegistrationTTL" = "14"
"DisableReplaceAddressesInConflicts" = "0"
"DisableReverseAddressRegistrations" = "1"
"UpdateSecurityLevel " = "0"
"DisjointNameSpace" = "1"
"QueryIpMatching" = "0"
"NoNameReleaseOnDemand" = "1"
"EnableDeadGWDetect" = "0"
"EnableFastRouteLookup" = "1"
"MaxFreeTcbs" = "7d0"
"MaxHashTableSize" = "800"
"SackOpts" = "1"
"Tcp1323Opts" = "3"
"TcpMaxDupAcks" = "1"
"TcpRecvSegmentSize" = "585"
"TcpSendSegmentSize" = "585"
"TcpWindowSize" = "7d200"
"DefaultTTL" = "30"
"TcpMaxHalfOpen" = "4b"
"TcpMaxHalfOpenRetried" = "50"
"TcpTimedWaitDelay" = "0"
"MaxNormLookupMemory" = "30d40"
"FFPControlFlags" = "1"
"FFPFastForwardingCacheSize" = "30d40"
"MaxForwardBufferMemory" = "19df7"
"MaxFreeTWTcbs" = "7d0"
"GlobalMaxTcpWindowSize" = "7d200"
"EnablePMTUDiscovery" = "1"
"ForwardBufferMemory" = "19df7"
in the registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Modifies the values:
"MaxConnectionsPer1_0Server" = "50"
"MaxConnectionsPerServer" = "50"
in the registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Starts to log keystrokes whenever the user attempts to access sites that contain the following strings:
e-gold
PayPal
StormPay
Vodafone
Poste Italiane
eBay
Yahoo!
Banca Sella
Email
Bank of America
exploit
Benvenuto a gmail
Msn
pagamento paga
Opens a back door and connects to an IRC server at any of the following hosts:
The attacker may perform the following actions on the compromised computer:
Copy or delete files
Upload and download files
Steal CD keys from various games
Log keystrokes and capture webcam
Show status
Show IP address
Portscan the network for vulnerable computers
Scan vulnerabilities
Start ftp and tftp
Start Internet Explorer
End processes
Stop other worms
Stop security-related services
List processes
Use a network sniffer
Spreads by exploiting the following vulnerabilities:
The Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS03-026).
The Microsoft ASN.1 Library Multiple Stack-Based Buffer Overflow vulnerabilities (as described in Microsoft Security Bulletin MS04-007).
The Microsoft Windows Local Security Authority Service Remote Buffer Overflow (as described in Microsoft Security Bulletin MS04-011).
The RealVNC Remote Authentication Bypass Vulnerability (as described in CVE-2006-2369).
Symantec Client Security and Symantec AntiVirus Elevation of Privilege (as described in Symantec Advisory SYM06-010).
The Microsoft SQL Server 2000 or MSDE 2000 audit (as described in Microsoft Security Bulletin MS02-061) using UDP port 1433.
Attempts to spread through mIRC and to network shares protected by weak passwords.
This worm attempts to exploit a previously addressed vulnerability in Symantec Client Security and Symantec Antivirus, SYM06-010; patches for the particular Symantec product vulnerability have been available since Thursday, May 25th, 2006. As a result, customers who have applied the patch in their environment are unaffected by the worm's attempt to leverage the Symantec vulnerability for an attack. Customers running Symantec Client Security or Symantec intrusion prevention (IPS) capable products are protected against all known and unknown exploits of SYM06-010 via IPS signatures released on May 26th, 2006.
Labels: Anti-Virus, Microsoft, Worm
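The PcClient.YW ServiceDll hijack of the sens service and the Spybot.ANDM Run/RunServices entries and Start=4 service changes described above are all visible in a registry export. The following Python script is an added example (not F-Secure's or Symantec's tooling) that parses a constructed .reg export and flags those indicators; the sample data and the accepted parent folders for the legitimate sens.dll are assumptions.

```python
"""Registry-export IOC scan for the PcClient.YW ServiceDll hijack and the
Spybot.ANDM autostart / service-disabling changes described above.
Added example with constructed data; not F-Secure's or Symantec's tooling."""
import ntpath
import re

# Constructed .reg export (regedit "Export" format) from a host showing
# both families' indicators next to one legitimate Run entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Windows System Service"="wnuserv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft Sounds"="soundman.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sens\Parameters]
"ServiceDll"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\zhyrikwo.dll"
'''

RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
# File names Spybot.ANDM copies itself to and registers for autostart.
SPYBOT_NAMES = {"wnuserv.exe", "ctfmom.exe", "napi32.exe", "soundman.exe"}
# Services Spybot.ANDM sets to Start=4 (disabled): firewall/ICS,
# Windows Update and Security Center.
DISABLED_SERVICES = {"sharedaccess", "wuauserv", "wscsvc"}

_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')
_SERVICE_RE = re.compile(
    r'^hkey_local_machine\\system\\(?:currentcontrolset|controlset\d+)'
    r'\\services\\([^\\]+)(\\parameters)?$')


def _unescape(s):
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg(text):
    """Return {key_path_lowercased: {value_name: data}} from .reg text.
    Strings and dword data are decoded (dword -> int); other types are
    kept as their raw text, which is enough for these indicators."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = "@" if m.group(2) else _unescape(m.group(1))
        data = m.group(3)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            data = int(data[6:], 16)
        keys[current][name] = data
    return keys


def _get(values, wanted):
    """Case-insensitive value lookup (registry value names are not case-sensitive)."""
    for name, data in values.items():
        if name.lower() == wanted.lower():
            return data
    return None


def sens_dll_is_expected(path):
    """The legitimate ServiceDll for sens is sens.dll in the System folder
    (%sysdir% in the writeup, %SystemRoot%\\system32 in a real export);
    anything else is the hijack. The accepted parent names are an assumption."""
    head, tail = ntpath.split(str(path).lower())
    return tail == "sens.dll" and ntpath.basename(head) in {"system32", "system", "%sysdir%"}


def scan(keys):
    """Return [(indicator, key, value_name, data)] for every hit."""
    findings = []
    for key, values in keys.items():
        if key in RUN_KEYS:
            for name, data in values.items():
                if isinstance(data, str) and ntpath.basename(data).lower() in SPYBOT_NAMES:
                    findings.append(("Spybot.ANDM autostart", key, name, data))
        m = _SERVICE_RE.match(key)
        if not m:
            continue
        service, params = m.group(1), m.group(2)
        if not params and service in DISABLED_SERVICES and _get(values, "Start") == 4:
            findings.append(("Spybot.ANDM disabled security service", key, "Start", 4))
        if params and service == "sens":
            dll = _get(values, "ServiceDll") or ""
            if not sens_dll_is_expected(dll):
                findings.append(("PcClient.YW ServiceDll hijack", key, "ServiceDll", dll))
    return findings


if __name__ == "__main__":
    for hit in scan(parse_reg(SAMPLE_REG)):
        print("%-40s %s\\%s = %r" % hit)
```

Note that the legitimate ctfmon.exe entry is not flagged: the match is on the exact file name (ctfmom.exe with an m), which is the kind of look-alike naming these writeups rely on the analyst to notice.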