Prevent Online Threats

Archive for August, 2008

Worm.Win32.Rahak

Friday, August 29th, 2008

Details
Worm.Win32.Rahak.a
This network worm infects computers running Windows. It spreads via network resources with poor password protection. The worm itself is a Windows PE EXE file, 69KB or greater in size, packed using FSG. The unpacked file is 194KB or greater in size.
Installation
Once launched, the worm copies

Worm.Win32.Padobot.ge

Friday, August 29th, 2008

Details
Worm.Win32.Padobot.gen

Already known variants of Worm.Win32.Padobot and new variants will be detected using this definition.
Generic detection is based on the analysis of code from known variants. Similar functions will be searched for when scanning; this makes it highly likely that new variants of the worm will be detected.

Worm.Win32.Padobot

Friday, August 29th, 2008

Details
Worm.Win32.Padobot.b
This worm is identical to Worm.Win32.Padobot.a.

Worm.Win32.Padobo

Thursday, August 28th, 2008

Details
Worm.Win32.Padobot

Worm.Win32.Padobot.a (also known as Korgo) spreads throughout the Internet using a vulnerability in Microsoft Windows LSASS. A description of the vulnerability can be found in Microsoft Security Bulletin MS04-011.
The worm is written in C++ and is approximately 10KB in size, packed using UPX.
Propagation
When launching, the worm copies itself to the Windows system directory under a random name, and registers this file in the system registry auto-run key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
WinUpdate = %system%\name of file
It also creates a registry key
HKLM\SOFTWARE\Microsoft\Wireless
Server = 1
It creates the mutexes “10”, “u2” and “uterm5” to flag its presence in the system.
The worm chooses the IP-addresses of random machines to infect and attack, similar to other worms which exploit the same LSASS vulnerability.
Other
Once infected, a victim machine will display an error message that the LSASS service has failed. After this error message has been displayed, the computer may reboot.
The worm opens TCP ports 113, 3067 and 2041 to receive commands.
It attempts to connect to several IRC servers to receive commands and transmit data.

Worm.Win32.Opasoft

Thursday, August 28th, 2008

Details
Worm.Win32.Opasoft.s

This worm uses accessible network resources to spread throughout local networks.
The worm file is 17920 bytes in size and packed using ASPack. The unpacked file is approximately 25KB in size.
Symptoms of infection
If a file called srv32.exe is present in the Windows root directory, the computer is infected.
Propagation
When launching, the worm copies itself to the Windows directory as srv32.exe and registers this file in the system registry.
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Srv32 = %windir%\Srv32.exe
The worm also creates an additional registry key to flag its presence in the system.
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SRV32]
The worm attempts to copy itself to the Windows root directory on other computers in the local network. It then modifies the win.ini file to ensure that it gains control when the system is rebooted.
Payload
The worm attempts to connect to the site of a Ukrainian mobile services provider
http://sim-sim.com
and send an SMS containing the IP address of the victim machine to 8-050-196XXXX.

Worm.Win32.Opasoft

Thursday, August 28th, 2008

Details
Worm.Win32.Opasoft.a

The Opasoft network worm, also known as “Opaserv”, has a backdoor trojan routine. The worm spreads over local and wide-area networks using MS Windows NETBIOS services. The worm itself is a Windows PE EXE file with a length of about 28KB.
The Opasoft worm was first detected at the end of September 2002 - by the beginning of October 2002 it had already caused a global epidemic.
Installation
The worm installs itself to the Windows directory with the name “scrsvr.exe” and registers this file in the system registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
ScrSvr = %worm name%
Opasoft then deletes its original file (from where it was started).
Spreading
In order to find victim computers Opasoft scans subnets for port 137 (NETBIOS Name Service). IP addresses of the following networks are scanned:
the current subnet of the infected computer (aa.bb.cc.??)
the two nearest subnets of the infected computer (aa.bb.cc+1.?? and aa.bb.cc-1.??)
randomly selected subnets (excluding those where scanning is disabled)
If, while scanning, Opasoft finds a responding IP address (an actual computer), the worm then scans the two subnets nearest to that IP address.
When “reply data” is received, Opasoft checks a special field contained in it. If it shows that the given computer has the “File and Print Sharing” service open, Opasoft begins its infection procedure on that computer as a remote host.
During infection, Opasoft sends special SMB packets via port 139 (NETBIOS Session Service) that transmit the following commands:
set up a connection to the \\hostname\C resource (where “hostname” is the name of the victim computer, learned from its “reply data” during the scan)
if the resource is password protected, run through all possible one-character passwords (a brute-force attack)
If the connection is successful, Opasoft transmits its EXE file; during transmission the full name of the destination file is revealed:
WINDOWS\scrsvr.exe
Opasoft then reads the Windows\win.ini file on the victim machine and copies (saves) it to the local disk of the remote computer under the name:
C:\TMP.INI
The worm adds its auto-run command to this C:\TMP.INI file, which is then sent back to the victim computer and placed in its Windows directory.
Once the packets from the remote computer have been received, two files appear on the victim machine:
\WINDOWS\scrsvr.exe - a copy of the Opasoft worm
\WINDOWS\win.ini - a Windows INI file which contains the auto-run command for the Opasoft worm
The second file, win.ini, results in Opasoft gaining control of the victim computer upon system restart.
Password Exploit
To get passwords needed to gain access to victim machines, the worm uses the security breach “share level password exploit”. For a detailed description of this exploit please click the following address: http://www.nsfocus.com/english/homepage/sa_05.htm
The worm programmatically “suggests” a password field only one character long to the victim host. When a one-byte password is “suggested”, the host checks only the first byte of the password; if that byte is correct, authentication succeeds. As a result, it is enough for the attacker to try all one-byte passwords to exploit vulnerable Win9x machines. The patch for this vulnerability is available at: http://www.microsoft.com/technet/security/bulletin/MS00-072.asp.
Backdoor
The backdoor routine goes to the www.opasoft.com WEB-site and performs the following actions:
downloads and executes its latest version (if there is one)
downloads and processes script files placed at this site
New worm versions are downloaded to the file “scrupd.exe”. This file is then run, and replaces the existing worm copy.
While processing the backdoor it uses its data files “ScrSin.dat” and “ScrSout.dat”. These files are encrypted with a strong cryptographic algorithm.
Because the server at www.opasoft.com is down, it is not possible to get more information about this backdoor routine.
Technical Details
To avoid infecting the same machine twice the worm creates a “Windows mutex” under the name “ScrSvr31415”.
Win9x machines can be infected, while infection of WinNT machines is highly unlikely, almost impossible.
One of the worm versions writes log data about scanned and infected machines to the “ScrLog” and “ScrLog2” files.
Removal
The worm caused a global epidemic and hit many Win9x systems for the following reasons:
it spreads using the standard NETBIOS protocol
the “\\hostname\C” resource name is the default name on opening a share on C: drive
there is no request for a password on share opening
many users don’t pay enough attention to password length and security
To get rid of the worm and to avoid reinfection it is necessary to:
disable file sharing, or apply a sufficiently strong password to open shares
delete infected EXE file
remove worm’s “run” commands from WIN.INI file and system registry (see above)

Worm.Win32.Opasoft.a (a.k.a. Brasil)
Opasoft.a, also known as “Brazil”, is a new variant of the “Opasoft” worm and was found in the wild on Oct. 19-20, 2002.
The differences are:
The original “Opasoft.a” worm is not compressed. The “Brasil” variant is encrypted by the “PCPEC” PE EXE file encryption utility and then compressed by the “UPX” PE EXE files compression tool.
The text strings are patched. For example, the following strings are replaced:
“ScrSvr”, “ScrSin” -> “Brasil”
“ScrSout” -> “Brasil!”
“scrupd” -> “puta!!”
“www.opasoft.com” -> www.n3t.com.br

As a result the “Brasil” modification behaves a bit differently, however the spreading and backdoor routines are exactly the same as with the original worm variant.
Installation
The Opasoft.a worm installs itself to the Windows directory under the name “brasil.exe” or “brasil.pif” (depending on the “Brasil” patch variant) and registers this file in the auto-run registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Brasil = %worm name%
Spreading
While infecting remote computers the Opasoft.a worm uploads itself under the “brasil.exe” or “brasil.pif” name, and writes a corresponding string to a remote WIN.INI file.
Backdoor
The backdoor routine goes to the www.n3t.com.br WEB-site and performs the following actions:
it downloads and executes its new version (if there is one) from this site
it downloads and processes script files placed at this site
The new worm version is downloaded to the file puta!!.exe. This file is then run and replaces the current or existing copy of the worm.
While the backdoor is processing it employs two data files, Brasil.dat and Brasil!.dat, which are encrypted with a strong cryptographic algorithm.
Because the server at www.n3t.com.br is down (as is the original “Opasoft” server), it is not possible to obtain further information concerning the worm’s backdoor procedures.
Variants
There are several “patched” variants known. The differences are only in URL and file names, for example:
worm file name:
“Opasoft.a” (“Brazil” variant) : \WINDOWS\brazil.pif
“Opasoft.a” (“Marco” variant) : \WINDOWS\marco!.scr

Worm.Win32.Nopl

Thursday, August 28th, 2008

Details
Worm.Win32.Nople

This Win32 worm is not dangerous. It is a Windows PE EXE file about 51KB in size, written in Microsoft Visual C++. The worm copies itself to the C:\WinNT directory under the name “noplease_flash_movie.exe”, then spreads under the same name over the local network, copying itself to shared network drives. The worm is able to spread to WinNT machines only. It also starts its copies on remote machines as services, where it has permission to do so.
The worm manifests itself with a video-effect and displays the text:

Worm.Win32.Nali

Thursday, August 28th, 2008

Details
Worm.Win32.Naliv
Naliv is a silly network worm spreading over local and global networks. The worm itself is a Win32 application (PE EXE file) written in Borland C++. It has a file size of about 12K.
When the worm is run it copies itself to the Windows system directory (the worm copy name can be various) and registers this file in the system registry auto-run key:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NAV Live Update = %worm file name%

To spread, ‘naliv’, in an endless loop, generates random network IP addresses and connects to remote computers at these addresses (if there is a machine at a generated address), and if the disk is shared for full access, the worm copies itself to the victim computer’s Windows startup directory (if it exists):
\C$\Documents and Settings\All Users\Start Menu\Programs\Startup
\C\WINDOWS\Start Menu\Programs\Startup
\C$\WINNT\All Users\Start Menu\Programs\Startup

The naliv worm then copies itself using its current name (worm copies can have various names).
To run, the worm EXE file needs the borlndmm.dll library, which is a component of the Borland Delphi and Borland C++ compilers. Thus only computers with Borland compilers installed can be affected.

Worm.Win32.Lovesan

Thursday, August 28th, 2008

Details
Worm.Win32.Lovesan.a
Lovesan is an Internet Worm which exploits the DCOM RPC vulnerability in Microsoft Windows described in MS Security Bulletin MS03-026. Lovesan is written in C using the LCC compiler. The worm is a Windows PE EXE file about 6KB (compressed via UPX - 11KB when decompressed). Lovesan downloads and

Worm.Win32.Lovesan

Wednesday, August 27th, 2008

Details
Worm.Win32.Lovesan.a
Lovesan is an Internet Worm which exploits the DCOM RPC vulnerability in Microsoft Windows described in MS Security Bulletin MS03-026.
Lovesan is written in C using the LCC compiler. The worm is a Windows PE EXE file about 6KB (compressed via UPX - 11KB when decompressed).
Lovesan downloads and attempts to run a file named msblast.exe.
The worm body contains the following text:
I just want to say LOVE YOU SAN!!
billy gates why do you make this possible? Stop making money and fix your software!!
Symptoms of Infection:
MSBLAST.Exe in the Windows system32 folder.
Error message: RPC service failure. This causes the system to reboot.

How the Worm Spreads
Lovesan registers itself in the autorun key so that it is launched every time the computer reboots:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
windows auto update="msblast.exe"
The worm then scans IP addresses, attempting to connect to 20 random IP addresses and infect any vulnerable machines. Lovesan sleeps for 1.8 seconds and scans the next 20 IP addresses.
Lovesan scans IP addresses following one of the patterns below:
In 3 out of 5 cases Lovesan selects random base IP addresses (A.B.C.D) where D is equal to 0, while A, B and C are random numbers between 0 and 255.

In the remaining 2 out of 5 cases Lovesan scans the subnet and gets the local IP address of the infected machine, extracts values A and B from it and sets D to 0. Then the worm extracts the C value.
If C is less than or equal to 20, then Lovesan does not modify C. Thus, if the local IP address is 207.46.14.1, the worm will scan IP addresses starting from 207.46.14.0.
If C is greater than 20, then Lovesan selects a random value between C and C-19. Thus, if the IP address of the infected machine is 207.46.134.191, the worm will scan IP addresses 207.46.{115-134}.0.
The worm sends a buffer-overrun request to vulnerable machines via TCP port 135. The newly infected machine then initiates the command shell on TCP port 4444.
Lovesan runs a thread that opens a connection on port 4444 and waits for an FTP ‘get’ request from the victim machine. The worm then forces the victim machine to send the ‘FTP get’ request, so the victim machine downloads the worm from the infected machine and runs it. The victim machine is now also infected.
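As an added example (not code from the original description), the following Python models the base-address selection described above and turns the same behaviour (bursts of 20 connections to TCP port 135) into a detection rule run over constructed firewall-style log lines. The log line format is an assumption.

```python
"""Lovesan (MS03-026 worm) target-selection model plus a matching
firewall-log detector.  Added example; the log format is assumed."""
import random
import re
from collections import defaultdict


def local_scan_range(local_ip):
    """Inclusive range of /24 base addresses derived from the infected
    host's own address (the '2 out of 5' branch): A and B are kept,
    D is forced to 0, C is kept when C <= 20 and otherwise drawn
    from [C-19, C]."""
    a, b, c, _d = (int(x) for x in local_ip.split("."))
    lo, hi = (c, c) if c <= 20 else (c - 19, c)
    return "%d.%d.%d.0" % (a, b, lo), "%d.%d.%d.0" % (a, b, hi)


def pick_scan_base(local_ip, rng):
    """One base-address choice: 3 of 5 times a random A.B.C.0,
    2 of 5 times a base derived from the local address."""
    if rng.randrange(5) < 3:
        return "%d.%d.%d.0" % (rng.randrange(256), rng.randrange(256),
                               rng.randrange(256))
    a, b, c, _d = (int(x) for x in local_ip.split("."))
    if c > 20:
        c = rng.randint(c - 19, c)
    return "%d.%d.%d.0" % (a, b, c)


# Assumed log format: "<epoch seconds> <src> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<t>\d+(?:\.\d+)?) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")


def find_port135_sweeps(lines, burst=20, window=2.0):
    """Return the sorted sources that contact at least `burst` distinct
    hosts on TCP/135 inside any `window`-second interval; Lovesan
    scans 20 addresses, sleeps 1.8 s, and scans the next 20."""
    events = defaultdict(list)  # src -> [(time, dst)]
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m.group("dport") != "135":
            continue
        events[m.group("src")].append((float(m.group("t")), m.group("dst")))
    flagged = set()
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            if len({dst for _, dst in evs[start:end + 1]}) >= burst:
                flagged.add(src)
                break
    return sorted(flagged)


# Constructed sample: 10.0.0.5 sweeps 207.46.14.0/24 on port 135 at
# 50 ms intervals; 10.0.0.9 makes two ordinary RPC connections.
SAMPLE_LOG = ["%.2f 10.0.0.5 -> 207.46.14.%d:135" % (1060682400 + i * 0.05, i)
              for i in range(40)]
SAMPLE_LOG += ["1060682400.10 10.0.0.9 -> 10.0.0.1:135",
               "1060682401.10 10.0.0.9 -> 10.0.0.2:135"]

if __name__ == "__main__":
    print(local_scan_range("207.46.134.191"))
    print(find_port135_sweeps(SAMPLE_LOG))
```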

Other Information
Once a computer is infected the system sends an error message about RPC service failure and may reboot the machine.
As of August 16, 2003 Lovesan will launch DDoS attacks on the Windowsupdate.com server.

Worm.Win32.Liote

Wednesday, August 27th, 2008

Details
Worm.Win32.Lioten

This Win32 worm is not dangerous. It is a Windows PE EXE file about 17KB in size, written in Microsoft Visual C++. The file is compressed with UPX; the decompressed size is about 41KB.
The worm enumerates network resources and copies itself there under the name “iraq_oil.exe”. While connecting to a network resource the worm tries 16 trivial passwords.
The virus does not manifest itself in any

Worm.Win32.Lemoor

Wednesday, August 27th, 2008

Details
Worm.Win32.Lemoor.a

This worm spreads via the Internet, propagating via a vulnerability in the FTP server of Worm.Win32.Sasser.
Only computers which have already been infected by Sasser are vulnerable to Lemoor.
Lemoor is written in Assembler, and is packed using FSG. The packed file is 1985 bytes in size, and the unpacked file is approximately 20992 bytes in size.
Installation
When launching, the worm registers itself in the system registry to ensure that it is run each time the system starts:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[Ephemeral 2.4] by TreeHugger, =
Propagation
The worm sends a broadcast request and waits for responses from machines infected by Sasser.
When it receives an answer from a victim machine, it utilizes a vulnerability in the FTP server installed by Sasser to launch its command shell on a randomly chosen port. It then sends its body to the victim machine and launches it.
Other
The worm is only programmed to propagate: it does not have any other payload.

Worm.Win32.Leav

Wednesday, August 27th, 2008

Details
Worm.Win32.Leave

This is an Internet worm that spreads through vulnerable machines. The worm works under Win32 systems only. Its functionality is based on a special script language that allows a remote host to manage infected machines. Through these scripts the worm is also able to download and activate additional components (plugins); as a result, it can “upgrade” itself from Internet Web sites.
When a main worm component is run, it copies itself to the Windows directory with the REGSV.EXE name and registers that file in the auto-run registry keys. These keys depend on the Windows version (Win9x or WinNT) and appear as follows:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
regsv = %windir%\regsv.exe

HKCU\Software\Mirabilis\ICQ\Agent\Apps
icqrun = %windir%\regsv.exe
The worm then stays as a hidden (service) process in Windows memory and is active until the next Windows shutdown.
Spreading
The main worm components contain a text string that is a SubSeven backdoor master password. So, the worm may attack remote machines already infected by the SubSeven backdoor, and install itself there.
To obtain victim-machine addresses, the worm uses a sniffing (scanning) routine that follows scripts (see below) and scans the Internet for IP addresses of remote machines.
Script Language
The worm script language is quite powerful. It allows the worm to do the following:
download from Web sites and spawn other EXE files (worm plugins)
scan IP addresses by requested mask
connect to IRC servers and execute IRC commands
create, move, delete, execute files on an infected machine
etc.
The scripts are downloaded by the worm from various Web sites.
The script commands on those sites are encrypted with a 64-bit block cipher. When the worm obtains a script, it first decrypts it and then follows the script instructions.
The worm also contains in its code a default script (that is also encrypted). That script is dropped to the Windows directory with the ACI3.DLL name.
When scripts are received, the worm also stores them in encrypted form in the Registry keys:
HKLM\SOFTWARE\Classes\Scandisk\i386\i\
HKLM\SOFTWARE\Classes\Scandisk\i386\s\
DoS Attack
The worm performs a DoS attack (Denial of Service) against a hard-coded list of major Web portals and search engines.

Worm.Win32.Ladex

Wednesday, August 27th, 2008

Details
Worm.Win32.Ladex.a

Ladex is a network worm; it works only under Windows NT/2000/XP and spreads over local area networks. It is a Windows PE EXE file about 275K in size, written in Microsoft Visual C++.
Installation
Upon being launched the worm creates three copies of itself in the system directories:
%SystemRoot%\Help\DOSAPP.HLP
%SystemRoot%\Inf\CDROM.SYS
%SystemRoot%\Fonts\DOSOEM.FON

It also creates new hidden files that are components of the worm:
%SystemRoot%\SMSS.EXE
%SystemRoot%\CSRSS.EXE
%SystemRoot%\System32\LADY.EXE

Then it registers the files SMSS.EXE and CSRSS.EXE in the system registry so that they execute upon system reboot:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
@="smss.exe"
@="csrss.exe"

Next the worm registers itself as a system service with the name “TCP/IP NetBIOS Provider”.
After the first reboot or restart of the service “TCP/IP NetBIOS Provider” the worm also copies itself into the file
%SystemRoot%\System32\LMHSVC.EXE.
Spreading
The worm “touches” IP addresses on the local network and tries to connect to the network resources named IPC$ and Admin$ while logged in as “Administrator”. If possible, the worm copies itself onto the remote computer in the system directory:
“\\XXX.XXX.XXX.XXX\Admin$\System32\lmhsvc.exe”

Once this is done it registers itself on the remote computer and creates and starts the service “TCP/IP NetBIOS Provider”.
Invisibility
Using the additional components SMSS.EXE and CSRSS.EXE the worm tries to mask (hide) itself in the system. Both files ensure the functioning of the main module LMHSVC.EXE if for any reason it is unloaded from memory. Besides these components it watches for REGEDIT: if REGEDIT is open it temporarily removes its keys from the system registry and restores them when the REGEDIT application is closed. Thus the worm achieves invisibility in the system registry.
Payload
The worm starts the joke program LADY.EXE which displays a set of creeping flies which can be “killed” with the mouse cursor.

Worm.Win32.Kilonce

Wednesday, August 27th, 2008

Details
Worm.Win32.Kilonce.a

This is a Win32 network worm. It spreads over the local network through drives shared for full access.
The worm itself is a Windows PE EXE file written in Delphi. Depending on its version the worm is about 40KB (compressed version, UPX compressor used) or 82KB (original, uncompressed EXE file).
The worm was found in China in November 2002.
The worm has many bugs in its code, and often is not able to spread over the network and activate its payload routines.
Installing
While installing, the worm copies itself under the name “killonce.exe” to the Windows system directory and to the “Recycled” directory on the drive where Windows is installed. The worm then registers its copies in the system registry auto-run keys. For example, if Windows is installed in the C:\WINDOWS directory, the affected registry keys look as follows:
HKCR\exefile\shell\open\command
"C:\\WINDOWS\\KILLONCE.EXE \"%1\" %*"

HKCR\txtfile\shell\open\command
"C:\\Recycled\\KILLONCE.EXE C:\\WINDOWS\\NotePad.exe %1"

HKLM\Software\CLASSES\exefile\shell\open\command
"C:\\WINDOWS\\KILLONCE.EXE \"%1\" %*"

HKLM\Software\CLASSES\txtfile\shell\open\command
"C:\\Recycled\\KILLONCE.EXE C:\\WINDOWS\\NotePad.exe %1"

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
KillOnce = "C:\\WINDOWS\\KILLONCE.EXE"
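Several entries on this page (Opasoft, Ladex, Lovesan, Naliv, Leave, and the Kilonce keys just above) persist through Run-key values or by hijacking the exefile/txtfile shell\open\command handlers. The following Python is an added example, not code from the original page: it scans a Windows .reg export for those artefacts. The indicator names come from the descriptions above; the sample export is constructed.

```python
"""Scan a Windows .reg export for the auto-run and file-association
artefacts described in the worm entries on this page.  Added example;
the indicator list is taken from the page, the sample export is constructed."""
import re

# Value names / file names the descriptions above attribute to the worms.
AUTORUN_INDICATORS = (
    "winupdate", "srv32", "scrsvr", "brasil", "nav live update",
    "windows auto update", "msblast.exe", "regsv", "icqrun",
    "smss.exe", "csrss.exe", "killonce",
)
# Key suffixes the descriptions name as auto-run locations (lower case).
AUTORUN_KEY_SUFFIXES = (
    "\\currentversion\\run", "\\currentversion\\runservices",
    "\\mirabilis\\icq\\agent\\apps",
)
# Stock default value of HKCR\exefile\shell\open\command.
EXEFILE_DEFAULT = '"%1" %*'

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]*)"|(?P<default>@))=(?P<data>.*)$')


def unquote_reg(data):
    # .reg string data is quoted and escapes backslash and double quote:
    #   "C:\\WINDOWS\\X.EXE \"%1\" %*"  ->  C:\WINDOWS\X.EXE "%1" %*
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        data = data[1:-1]
    return data.replace('\\"', '"').replace("\\\\", "\\")


def scan_reg_export(text):
    """Return (key, value_name, data, reason) tuples for suspicious entries."""
    findings = []
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            key = sec.group(1)
            continue
        val = VALUE_RE.match(line)
        if not val:
            continue  # header, blank line, or a value type this example ignores
        name = "@" if val.group("default") else val.group("name")
        data = unquote_reg(val.group("data").strip())
        lkey = key.lower()
        hits = sorted(i for i in AUTORUN_INDICATORS if i in (name + " " + data).lower())
        if lkey.endswith(AUTORUN_KEY_SUFFIXES) and hits:
            findings.append((key, name, data, "auto-run entry matches " + ", ".join(hits)))
        elif lkey.endswith("exefile\\shell\\open\\command") and name == "@" \
                and data != EXEFILE_DEFAULT:
            findings.append((key, name, data, "EXE file association hijacked"))
        elif lkey.endswith("\\shell\\open\\command") and hits:
            findings.append((key, name, data, "file association points at " + ", ".join(hits)))
    return findings


# Constructed sample export: one Lovesan-style Run value, one benign value,
# a Kilonce-style exefile handler and an untouched txtfile handler.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"windows auto update"="msblast.exe"
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\KILLONCE.EXE \"%1\" %*"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"
'''

if __name__ == "__main__":
    for finding in scan_reg_export(SAMPLE_REG):
        print(finding)
```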

The worm then creates an “e-mail” copy of itself in the Windows temporary directory. This copy is named “KillOnce.exe.Eml” and has a genuine e-mail format: the From, To and Subject fields and the body are empty, the attached file is named “Explorer.exe” (a copy of the worm in a MIME envelope), and an IFrame tag activates that EXE attachment when the infected e-mail is opened.
Spreading
The worm looks for network drives that are open for full access and copies itself there under the name:
\Windows\rundll32.exe

if a “Windows\” directory exists there. The worm renames the original “rundll32.exe” file to “Run32.exe”.

