Friday, March 30, 2007

WORM_SDBOT.ABT


File type: PE
Memory resident: Yes
Size of malware: 70,059 Bytes (compressed)
Ports used: Random TCP ports
Initial samples received on: Aug 26, 2006
Compression type: Pingvin
Vulnerability used: (MS04-011) Security Update for Microsoft Windows (835732), (MS03-039) Buffer Overrun In RPCSS Service Could Allow Code Execution, (MS02-061) Elevation of Privilege in SQL Server Web Tasks (Q316333)

Payload 1: Disables services

Payload 2: Compromises system security

Payload 3: Terminates processes


Details:

Installation and Autostart Techniques

Upon execution, this worm drops a copy of itself as INTERNET.EXE in the Windows folder.

It registers itself as a service by creating the following registry key and entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Internet
DisplayName = "Windows Internet Control"
ImagePath = "%Windows%\internet.exe"

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

Other Registry Modifications

This worm disables Windows File Protection (WFP), so that the system files it replaces are not restored, and shortens the time Windows waits for services to stop at shutdown, by modifying the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
SFCDisable = "ffffff9d"

(Note: The default value for the said entry is "0". The value is a DWORD, written here in hexadecimal; 0xffffff9d is the value that switches WFP off.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
WaitToKillServiceTimeout = "7000"

(Note: The default value for the said registry entry is "20000", that is, 20 seconds expressed in milliseconds.)

This worm also creates the following registry entry, which controls whether Windows File Protection scans protected files at system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
SFCScan = "0"

Note though that "0" is the default setting (no scan of protected files at startup), so the aforementioned registry entry is non-malicious and need not be removed from the system.
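The installation and registry indicators above can be checked together on a host. The following script is an added example and not part of the original write-up; it models the registry as a dict of key path to {value name: data} and the file system as a set of paths, so it runs anywhere against a snapshot (on a live Windows host the two structures would be filled from winreg and os.listdir instead). The snapshots at the bottom are constructed for the demonstration, and the severity labels are the example's own choice.

```python
"""Host-side check for the WORM_SDBOT.ABT indicators listed above (added example)."""
import ntpath

# Indicators taken from the write-up above.
SERVICE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Internet"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
CONTROL_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control"
DROPPED_NAME = "internet.exe"
SFC_DISABLE_MAGIC = 0xFFFFFF9D
WAIT_TO_KILL_DEFAULT = 20000


def _dword(value):
    """SFCDisable is a REG_DWORD; accept an int or the hex string shown in the write-up."""
    return int(value, 16) if isinstance(value, str) else int(value)


def check_host(registry, files, windir=r"C:\Windows"):
    """Return a list of (severity, message) findings; an empty list means no indicator matched."""
    findings = []

    # 1. Persistence: the "Windows Internet" service pointing at the dropped file.
    service = registry.get(SERVICE_KEY)
    if service is not None:
        image = str(service.get("ImagePath", "")).strip('"').lower()
        if ntpath.basename(image) == DROPPED_NAME:
            findings.append(("high", f"service key present, ImagePath={image}"))
        else:
            findings.append(("medium", f"service key present with unexpected ImagePath={image!r}"))

    # 2. The dropped copy in the Windows folder (ntpath so the check works off-Windows too).
    dropped = ntpath.join(windir, DROPPED_NAME).lower()
    if any(p.lower() == dropped for p in files):
        findings.append(("high", f"dropped file present: {dropped}"))

    # 3. Windows File Protection switched off.
    winlogon = registry.get(WINLOGON_KEY, {})
    if "SFCDisable" in winlogon:
        sfc = _dword(winlogon["SFCDisable"])
        if sfc == SFC_DISABLE_MAGIC:
            findings.append(("high", "SFCDisable=0xffffff9d: Windows File Protection disabled"))
        elif sfc != 0:
            findings.append(("medium", f"SFCDisable has non-default value {sfc:#x}"))
    # SFCScan = 0 is the default and is deliberately not flagged.

    # 4. Service shutdown timeout shortened (REG_SZ holding milliseconds).
    wait = registry.get(CONTROL_KEY, {}).get("WaitToKillServiceTimeout")
    if wait is not None and int(wait) < WAIT_TO_KILL_DEFAULT:
        findings.append(("low", f"WaitToKillServiceTimeout={wait} (default {WAIT_TO_KILL_DEFAULT})"))

    return findings


# Constructed snapshots for demonstration; not captured from a real host.
INFECTED_REGISTRY = {
    SERVICE_KEY: {"DisplayName": "Windows Internet Control", "ImagePath": r"C:\Windows\internet.exe"},
    WINLOGON_KEY: {"SFCDisable": "ffffff9d", "SFCScan": 0},
    CONTROL_KEY: {"WaitToKillServiceTimeout": "7000"},
}
INFECTED_FILES = {r"C:\Windows\internet.exe", r"C:\Windows\explorer.exe"}

CLEAN_REGISTRY = {
    WINLOGON_KEY: {"SFCDisable": 0},
    CONTROL_KEY: {"WaitToKillServiceTimeout": "20000"},
}
CLEAN_FILES = {r"C:\Windows\explorer.exe"}

if __name__ == "__main__":
    for label, reg, fs in (("infected", INFECTED_REGISTRY, INFECTED_FILES),
                           ("clean", CLEAN_REGISTRY, CLEAN_FILES)):
        print(label, check_host(reg, fs) or "no indicators")
```

The service key and the dropped file are each enough on their own to call the host infected; the SFCDisable value is the one to restore first during cleanup, since with WFP off any other replaced system file will stay replaced.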

Propagation via Network Shares and Software Vulnerabilities

This worm generates IP addresses and spreads by attempting to drop a copy of itself into the following default administrative shares on the target addresses:

  • ADMIN$
  • ADMIN$\system32
  • C$\Windows\system32
  • C$\WINNT\system32
  • D$\Windows\system32
  • D$\WINNT\system32
  • IPC$
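Because the worm works through generated addresses, its share propagation looks like one host opening administrative shares on many different machines in a short time. The following detection rule is an added example, not part of the original write-up; it assumes input events of the form (time, source IP, destination IP, share name) as an SMB-aware sensor or a file-server audit log would yield for tree-connect attempts, and the threshold, window and sample log are the example's own constructed choices.

```python
"""Network-side detection of the admin-share sweep described above (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The default shares the worm targets, from the list above.
ADMIN_SHARES = {"ADMIN$", "C$", "D$", "IPC$"}


def share_sweeps(events, threshold=10, window_seconds=300):
    """Map each source that touched admin shares on >= threshold distinct hosts
    within window_seconds to the time it first crossed the threshold."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # src -> deque of (time, dst), oldest first
    flagged = {}
    for t, src, dst, share in sorted(events):
        if share.upper() not in ADMIN_SHARES:
            continue                      # ordinary user shares are not counted
        q = recent[src]
        q.append((t, dst))
        while t - q[0][0] > window:       # drop attempts that fell out of the window
            q.popleft()
        if src not in flagged and len({d for _, d in q}) >= threshold:
            flagged[src] = t
    return flagged


def sample_events():
    """Constructed log: one admin doing routine work, one infected host sweeping a /24."""
    t0 = datetime(2007, 3, 30, 9, 0, 0)
    events = []
    # Legitimate administrator: three servers, C$, spread over half an hour.
    for i, host in enumerate(("10.0.1.10", "10.0.1.11", "10.0.1.12")):
        events.append((t0 + timedelta(minutes=10 * i), "10.0.0.5", host, "C$"))
    # Infected host: ADMIN$ then IPC$ on 16 generated addresses within about 30 seconds.
    for i in range(16):
        stamp = t0 + timedelta(seconds=2 * i + 1)
        events.append((stamp, "10.0.0.7", f"192.168.3.{i + 1}", "ADMIN$"))
        events.append((stamp, "10.0.0.7", f"192.168.3.{i + 1}", "IPC$"))
    # Unrelated user-share traffic, ignored by the rule.
    events.append((t0 + timedelta(minutes=1), "10.0.0.9", "10.0.1.20", "Public"))
    return events


if __name__ == "__main__":
    for src, when in share_sweeps(sample_events()).items():
        print(f"{src} swept admin shares, threshold crossed at {when:%H:%M:%S}")
```

Counting distinct destinations rather than raw attempts keeps a repeated failed logon to one server from tripping the rule; the threshold should sit above what the site's management tooling does in the same window.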

It also takes advantage of the following Windows vulnerabilities to propagate across systems:

  • Elevation of Privilege in SQL Server Web Tasks, which is a vulnerability that allows a low-level user to run, delete, insert or update Web tasks. In turn, an attacker who is able to authenticate to a SQL server may do the same actions, and run already created Web tasks in the context of the creator of that task. More information on this vulnerability is found in Microsoft Security Bulletin MS02-061.
  • Buffer Overrun In RPCSS Service Vulnerability, which actually covers three security holes found in the Distributed Component Object Model (DCOM) interface within the RPCSS Service. Two of these vulnerabilities compromise system security by allowing the execution of arbitrary code, while the third could result in denial of service. More information on this vulnerability is found in Microsoft Security Bulletin MS03-039.
  • The Windows LSASS vulnerability, which is a buffer overrun that allows remote code execution and enables a malicious user to gain full control of the affected system. This vulnerability is discussed in detail in Microsoft Security Bulletin MS04-011.

Backdoor Capabilities

Using a random TCP port, this worm connects to an Internet Relay Chat (IRC) server and joins a specific channel, where it listens for the following commands from a remote malicious user:

  • Download and upload files
  • Perform denial of service (DoS) attacks
  • Enable and disable DCOM
  • List and terminate processes
  • Log keystrokes
  • Scan the affected system for vulnerabilities

It executes these commands locally on the affected system, effectively giving the remote user control of the machine. This routine compromises system security and opens the affected machine to further attacks.

Process Termination

This worm terminates the following processes if found running in memory. Several of the names belong to other worms (for example, MSBLAST.EXE is Blaster and BBEAGLE.EXE is Bagle), so this routine mainly removes competing malware rather than security software:

  • BBEAGLE.EXE
  • D3DUPDATE.EXE
  • I11R54N4.EXE
  • IRUN4.EXE
  • MSBLAST.EXE
  • MSCVB32.EXE
  • PENIS32.EXE
  • RATE.EXE
  • SSATE.EXE
  • SYSINFO.EXE
  • TASKMON.EXE
  • TEEKIDS.EXE
  • WINSYS.EXE

Affected Platforms

This worm runs on Windows NT, 2000, XP, and Server 2003.
