Details:
Arrival This .DLL worm may be downloaded from remote sites by other malware. It may be dropped by other malware. It may also arrive bundled with malware packages as a malware component. Installation This worm drops a copy of itself Windows system folder using a random file name with the .DLL extension. This technique prevents dropping of several copies of itself on already affected systems. It also locks its dropped copy to prevent users from reading, writing, and deleting it. It is capable of exporting functions used by other malware. It sets the creation time of the file similar to that of the creation time indicated in the legitimate Windows file KERNEL32.DLL, which is also located in the Windows system folder. It does this prevent itself from getting noticed as a newly added file on the affected system. It also creates the mutex Global\{random}. It then checks if the operating system version of the affected system is any of the following: - Windows 2000
- Windows XP
- Windows Server 2003
- Windows Server 2003 R2
If the system has any of the aforementioned operating systems, this worm continues with its routines. If the affected system has a different operating system, this worm checks forSERVICES.EXE in the list of running processes. If it finds the said process, it loads itself into the said process. Autostart Technique This worm registers itself as a system service to ensure its automatic execution at every system startup. It does this by creating the following registry keys and entries: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ Services\{random service name} Image Path = "%System Root%\system32\svchost.exe -k netsvcs" (Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ Services\{random service name}\Parameters ServiceDll = "{malware path and file name}" It also adds an entry in the value data list of the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ Windows NT\CurrentVersion\SvcHost
The added value data is the random service name this worm creates. Propagation Routines This worm propagates in two ways from which they are achieved by taking advantage of a vulnerability discovered in certain Microsoft operating systems that could allow remote code execution if an affected system received a specially crafted RPC request, which also contains a shellcode. More information on the said vulnerability can be found in the following link: Once this specially crafted RPC request reaches its target vulnerable system, the shellcode is decrypted, and then retrieves certain APIs capable of downloading a copy of the worm from the affected system, which is already converted into an HTTP server. The affected system then opens a random TCP port, allowing the vulnerable machine to connect to itself using the following URL: - http://{IP address of the affected machine}:{random port}/{malware file name composed of random characters}
During this exploit, a high traffic on TCP port 445 is seen since this is the port that this worm uses. When the copy of the worm is being downloaded from the affected system to the vulnerable system, the worm modifies its packet header to make itself appear as a harmless JPEG file, when in fact, it is actually an executable file. It does this to avoid detection by the network firewall or system security applications. If an unpatched system continues to receive malicious packets, the said system may eventually crash. The downloaded copy of the worm is saved as X in the Windows system folder. This worm is also capable of propagating over the Internet by attempting to send the exploit code to a random Internet address. It first broadcasts the opened random port that serves as an HTTP server so that it is accessible over the internet. It then gets the external IP address of the system to check if it has direct connection to the Internet. This worm does the routine to launch the expoit code over the Internet if the affected system has a direct connection to the Internet by checking the external IP address and the configured IP address in the ethernet or modem driver. It also attempts to connect any of the following URLs to know the IP address of the affected computer: - http://checkip.dyndns.org
- http://getmyip.co.uk
- http://www.getmyip.org
After getting the IP address of the system, this worm checks if the said IP address is valid and is not a local IP address. It also checks if the external IP address is the same with the configured IP address on the system. Note that this worm makes the random port it uses available online by broadcasting the port over the Internet via an Simple Service Discovery Protocol (SSDP) request. Download Routine This worm connects to the following Web sites to download possibly malicious files: - http://{BLOCKED}converter.biz/4vir/antispyware/loadadv.exe
It also attempts to connect to http://www.{BLOCKED}d.com/download/geoip/database/GeoIP.dat.gz to download a file that indicates the location of the affected system. As of this writing, however, the said URL is inaccessible. This worm also connects to created URLs where it can download and execute a file that is saved in the Windows system folder. It creates URLs by retrieving dates from the following Web sites: - ask.com
- baidu.com
- google.com
- msn.com
- www.w3.org
- yahoo.com
Based on the dates, it then computes for strings to generate URLs. After computing, it then appends of any of the following strings to the computed URLs: For example, if the computed sting is abcdef, the worm then appends either .biz, ,info, .org, .net, or .com to the string so the resulting URL may either be abcdef.biz, abcdef.info. abcdef.org, abcdef.net, or abcdef.com. Note that this worm can only perform its payload if either of the following criteria has been met: - System year is after 2008 of any month and any day
- System year is 2008 and before of any month and the day is not the second day of the month.
For example, this worm does not download a copy of itself if the system date is set to November 2, 2008; December 2, 2008; or March 2, 2007. Affected Platforms This worm runs on Windows 2000, XP, and Server 2003. |