WORM_DOWNAD.A

I support more than 500 users, and too bad for my entire network it was attacked by WORM_DOWNAD.A , and it messing big time. First day, all account locked, and next it randomly unlock other people account.

Our Sys Admin should done the patching earlier, and this the price well paid for not doing updating patches.

Taken from Trend Micro:

File type: PE

Size of malware: 62,976 Bytes

Ports used: Random TCP ports, TCP port 445 (Microsoft-DS)

Initial samples received on: Nov 21, 2008

Compression type: ACProtect

Vulnerability used: (MS08-067) Vulnerability in Server Service Could Allow Remote Code Execution (958644)


Payload 1: Downloads files



Details:

Arrival

This .DLL worm may be downloaded from remote sites by other malware. It may be dropped by other malware. It may also arrive bundled with malware packages as a malware component.

Installation

This worm drops a copy of itself Windows system folder using a random file name with the .DLL extension. This technique prevents dropping of several copies of itself on already affected systems. It also locks its dropped copy to prevent users from reading, writing, and deleting it.

It is capable of exporting functions used by other malware.

It sets the creation time of the file similar to that of the creation time indicated in the legitimate Windows file KERNEL32.DLL, which is also located in the Windows system folder. It does this prevent itself from getting noticed as a newly added file on the affected system. It also creates the mutex Global\{random}.

It then checks if the operating system version of the affected system is any of the following:

  • Windows 2000
  • Windows XP
  • Windows Server 2003
  • Windows Server 2003 R2

If the system has any of the aforementioned operating systems, this worm continues with its routines. If the affected system has a different operating system, this worm checks forSERVICES.EXE in the list of running processes. If it finds the said process, it loads itself into the said process.

Autostart Technique

This worm registers itself as a system service to ensure its automatic execution at every system startup. It does this by creating the following registry keys and entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{random service name}
Image Path = "%System Root%\system32\svchost.exe -k netsvcs"

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{random service name}\Parameters
ServiceDll = "{malware path and file name}"

It also adds an entry in the value data list of the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\SvcHost

The added value data is the random service name this worm creates.

Propagation Routines

This worm propagates in two ways from which they are achieved by taking advantage of a vulnerability discovered in certain Microsoft operating systems that could allow remote code execution if an affected system received a specially crafted RPC request, which also contains a shellcode. More information on the said vulnerability can be found in the following link:

Once this specially crafted RPC request reaches its target vulnerable system, the shellcode is decrypted, and then retrieves certain APIs capable of downloading a copy of the worm from the affected system, which is already converted into an HTTP server. The affected system then opens a random TCP port, allowing the vulnerable machine to connect to itself using the following URL:

  • http://{IP address of the affected machine}:{random port}/{malware file name composed of random characters}

During this exploit, a high traffic on TCP port 445 is seen since this is the port that this worm uses.

When the copy of the worm is being downloaded from the affected system to the vulnerable system, the worm modifies its packet header to make itself appear as a harmless JPEG file, when in fact, it is actually an executable file. It does this to avoid detection by the network firewall or system security applications. If an unpatched system continues to receive malicious packets, the said system may eventually crash.

The downloaded copy of the worm is saved as X in the Windows system folder.

This worm is also capable of propagating over the Internet by attempting to send the exploit code to a random Internet address. It first broadcasts the opened random port that serves as an HTTP server so that it is accessible over the internet.

It then gets the external IP address of the system to check if it has direct connection to the Internet. This worm does the routine to launch the expoit code over the Internet if the affected system has a direct connection to the Internet by checking the external IP address and the configured IP address in the ethernet or modem driver.

It also attempts to connect any of the following URLs to know the IP address of the affected computer:

  • http://checkip.dyndns.org
  • http://getmyip.co.uk
  • http://www.getmyip.org

After getting the IP address of the system, this worm checks if the said IP address is valid and is not a local IP address. It also checks if the external IP address is the same with the configured IP address on the system.

Note that this worm makes the random port it uses available online by broadcasting the port over the Internet via an Simple Service Discovery Protocol (SSDP) request.

Download Routine

This worm connects to the following Web sites to download possibly malicious files:

  • http://{BLOCKED}converter.biz/4vir/antispyware/loadadv.exe

It also attempts to connect to http://www.{BLOCKED}d.com/download/geoip/database/GeoIP.dat.gz to download a file that indicates the location of the affected system. As of this writing, however, the said URL is inaccessible.

This worm also connects to created URLs where it can download and execute a file that is saved in the Windows system folder. It creates URLs by retrieving dates from the following Web sites:

  • ask.com
  • baidu.com
  • google.com
  • msn.com
  • www.w3.org
  • yahoo.com

Based on the dates, it then computes for strings to generate URLs. After computing, it then appends of any of the following strings to the computed URLs:

  • .biz
  • .info
  • .org
  • .net
  • .com

For example, if the computed sting is abcdef, the worm then appends either .biz, ,info, .org, .net, or .com to the string so the resulting URL may either be abcdef.biz, abcdef.info. abcdef.org, abcdef.net, or abcdef.com.

Note that this worm can only perform its payload if either of the following criteria has been met:

  • System year is after 2008 of any month and any day
  • System year is 2008 and before of any month and the day is not the second day of the month.

For example, this worm does not download a copy of itself if the system date is set to November 2, 2008; December 2, 2008; or March 2, 2007.

Affected Platforms

This worm runs on Windows 2000, XP, and Server 2003.


Solutions

Solution:

TREND MICRO SOLUTION

Users of Trend Micro PC-cillin Internet Security and Network VirusWall can detect this exploit at the network layer with Network Virus Pattern (NVP) 10271, or later.

Download the latest NVW pattern file from the following site:

MANUAL REMOVAL INSTRUCTIONS

Identifying the Malware Files

  1. Scan your computer with your Trend Micro antivirus product.
  2. Note the path and file name of all files detected as WORM_DOWNAD.A.

Trend Micro customers need to download the latest virus pattern file before scanning their computer. Other users can use Housecall, the Trend Micro online threat scanner.

Important Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected computers.

Users running other Windows versions can proceed with the succeeding solution set(s).

Running Trend Micro Fixtool

Use this Trend Micro special fixtool. Download, extract, and run the said fixtool in the same folder where your latest Trend Micro pattern file is located. For more details, refer to the fixtool's incorporated text file.

Applying Patch

This malware exploits a known vulnerability in Windows. Download and install the fix patch supplied by Microsoft. Refrain from using this product until the appropriate patch has been installed. Trend Micro advises users to download critical patches upon release by vendors.

Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network, small and medium business, mobile device or home PC.
top