From: corecode (corecodecorecode.ath.cx)
Date: Sun Aug 05 2001 - 06:20:27 CDT


    hey ppl!

    i've stayed up all night to present to you, as the very first, a complete
    analysis of this new worm.

    as this is a follow up to my previous posting, i won't go into detail.

    now i've analyzed also the "backdoor" that is installed by the mainthread
    of the worm.
    this backdoor gets written to c:\explorer.exe and because of this should be
    executed when windows starts. as the worm will start windows after 24 hours
    after infection (or 48 hours if it's a chinese system), the backdoor _will_
    be executed.

    the backdoor first executes the original WindowsDir\EXPLORER.EXE and will
    then start to get into an endless loop:
    - wait a minute.
    - try to set some registry entries:
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable=0xFFFFFF9D
    this is an undocumented value and _disables_ the windows file protection
    (aka System File Checker SFC).
    for further reading check out http://www.collakesoftware.com/files/sfcinfo.txt

    then it will check out
    SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\/Scripts and
    SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\/MSADC
    and will change the permissions for these vr entries to 217.
    i don't know what this value is supposed to do, i didn't find anything on
    the net.
    but i suppose it will grant the highest possible access to these directories.

    after that it will install 2 additional virtual roots:
    /C pointing to c:\ and /D pointing to d:\
    both get created with the same permissions as stated above.

    that's it. the "backdoor" will cycle.
    this means servers that have been rebooted will give full access to both
    c:\ and d:\ and to the script directories.
    as there was cmd.exe copied to these directories by the worm before, the
    system can easily be compromised.

    now i'll write some short info on the worm if somebody missed my first mail.

    the worm won't infect one server multiple times.
    after that it spawns 300 threads (if on a chinese system it will spawn 600).
    these threads start to infect hosts on a pseudo-random number basis:
    a random ip is created (not allowing 0xff and 0x0 bytes). this ip is masked
    randomly by:
    0.0.0.0 (possibility 12.5%)
    255.0.0.0 (possibility 50.0%)
    255.255.0.0 (possibility 37.5%)

    the masked parts will be filled up with the host's ip. this means the worm
    mainly spreads in the subnet it is at the moment.

    the worm will not try to infect 127.x.x.x or 224.x.x.x nor its own ip
    (where it runs atm).

    it will connect with a 10 sec timeout, thus disabling those slow-down
    SYN+ACK fakers.
    then it will upload the whole wormcode, recv one byte and start again to
    infect.

    the mainthread is meanwhile doing other things:
    it copies WindowsDir\CMD.EXE to c,d:\inetpub\scripts\root.exe and to
    c,d:\progra~1\common~1\system\MSADC\root.exe .
    it will also install the backdoor described above at "c,d:\explorer.exe".
    after that the mainthread will sleep 24 hours (on chinese systems 48 hours)
    and will then reboot the machine.
    furthermore every thread checks the time before generating a random ip and
    will restart the computer if year >= 2002 or month >= october.

    a .zip file containing an IDA Pro project file and a plaintext disassembly
    for both worm and backdoor can be found at
    http://www.eikon.tum.de/~simons/ida_root/

    cheerz
       corecode

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
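Added example, not part of corecode's post and not code from the worm: a small checker for the registry indicators the backdoor leaves behind (SFCDisable set to 0xFFFFFF9D, the /Scripts and /MSADC virtual roots with permission 217, and the extra /C and /D virtual roots). It parses a constructed `regedit`-style .reg export so it runs offline; on a live IIS box you would feed it the output of `regedit /e` for the two keys. Assumptions: the .reg text layout as written by regedit, and that each entry under "Virtual Roots" is a string of the form "path,username,perm" (the post only names the permission value 217, the string layout is assumed here). The sample exports below are constructed for the example.

```python
import re

# Added example (not from the original post). Assumptions are marked below.

SFC_DISABLE_MAGIC = 0xFFFFFF9D   # value the backdoor writes to disable WFP/SFC
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
VROOTS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots"

# Constructed sample of what a `regedit /e` export of the two keys could look
# like on a box that ran the backdoor (sample data, not captured from a host).
SAMPLE_INFECTED_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"SFCDisable"=dword:ffffff9d

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots]
"/"="C:\\Inetpub\\wwwroot,,201"
"/Scripts"="C:\\Inetpub\\scripts,,217"
"/MSADC"="C:\\Program Files\\Common Files\\System\\msadc,,217"
"/C"="c:\\,,217"
"/D"="d:\\,,217"
"""

# Constructed clean sample for comparison (perm values are illustrative).
SAMPLE_CLEAN_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"SFCDisable"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots]
"/"="C:\\Inetpub\\wwwroot,,201"
"/Scripts"="C:\\Inetpub\\scripts,,205"
"""

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def parse_reg(text):
    """Minimal parser for regedit .reg exports: {key: {name: value}}.
    dword values become ints, quoted strings are unescaped, other types
    are kept as the raw text after '='."""
    keys, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1]
            keys.setdefault(cur, {})
            continue
        m = _VALUE_RE.match(line)
        if not m or cur is None:
            continue
        name, val = m.group(1).replace("\\\\", "\\"), m.group(2)
        if val.startswith("dword:"):
            keys[cur][name] = int(val[6:], 16)
        elif val.startswith('"') and val.endswith('"'):
            keys[cur][name] = val[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            keys[cur][name] = val
    return keys

def vroot_perm(value):
    """Split an assumed 'path,username,perm' virtual-root string into
    (path, perm); perm is None if the string does not have that shape."""
    parts = value.split(",")
    try:
        return parts[0], int(parts[2])
    except (IndexError, ValueError):
        return parts[0], None

def check_code_red_ii(keys):
    """Return a list of human-readable findings for the indicators in the post."""
    findings = []
    if keys.get(WINLOGON_KEY, {}).get("SFCDisable") == SFC_DISABLE_MAGIC:
        findings.append("SFCDisable=0xFFFFFF9D (Windows File Protection disabled)")
    vr = keys.get(VROOTS_KEY, {})
    for name in ("/C", "/D"):                 # roots the backdoor adds
        if name in vr:
            path, perm = vroot_perm(vr[name])
            findings.append(f"unexpected virtual root {name} -> {path} (perm {perm})")
    for name in ("/Scripts", "/MSADC"):       # roots whose perm it rewrites
        if name in vr and vroot_perm(vr[name])[1] == 217:
            findings.append(f"{name} virtual root perm set to 217")
    return findings

if __name__ == "__main__":
    for f in check_code_red_ii(parse_reg(SAMPLE_INFECTED_REG)):
        print("FOUND:", f)
```

Findings from the registry alone are a starting point: the post also names root.exe in the /scripts and MSADC directories and explorer.exe in the root of c: and d:, which you would check on disk at the same time.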
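Added example, not part of corecode's post and not the worm's code: a model of the target-selection scheme the post describes (random address with no 0x00/0xff octets, masked by 0.0.0.0, 255.0.0.0 or 255.255.0.0 with probabilities 1/8, 1/2 and 3/8, the masked octets replaced by the infected host's own, and 127.x.x.x, 224.x.x.x and the host itself skipped). Besides simulating draws it computes the per-draw probability that a given address is chosen, which makes the "mainly spreads in its own subnet" statement quantitative. Assumptions: when a draw is rejected the worm simply draws again, and the host address used here is invented for the example.

```python
import random

# Added example (not from the original post). Assumption: a rejected draw
# (127/224 prefix or the host's own address) is followed by a fresh draw.

# (octet-keep flags, weight in eighths) for the three masks named in the post
MASKS = [
    ((0, 0, 0, 0), 1),   # 0.0.0.0     -> 12.5%: fully random address
    ((1, 0, 0, 0), 4),   # 255.0.0.0   -> 50.0%: keep host's first octet
    ((1, 1, 0, 0), 3),   # 255.255.0.0 -> 37.5%: keep host's first two octets
]
_MASK_LIST = [m for m, _ in MASKS]
_WEIGHTS = [w for _, w in MASKS]

def parse_ip(s):
    return tuple(int(x) for x in s.split("."))

def is_excluded(target, host):
    """Addresses the post says the worm never tries."""
    return target[0] in (127, 224) or target == host

def random_octets(rng):
    # "a random ip is created (not allowing 0xff and 0x0 bytes)"
    return tuple(rng.randint(1, 254) for _ in range(4))

def pick_target(host, rng):
    """One scanning target: random address, masked octets taken from host."""
    while True:
        mask = rng.choices(_MASK_LIST, weights=_WEIGHTS)[0]
        rnd = random_octets(rng)
        target = tuple(h if keep else r for keep, h, r in zip(mask, host, rnd))
        if not is_excluded(target, host):
            return target

def hit_probability(candidate, host):
    """Probability that a single draw selects `candidate` (redraws ignored).
    Each mask contributes only if the kept octets already match the host;
    the free octets must then each hit 1-in-254."""
    if is_excluded(candidate, host):
        return 0.0
    p = 0.0
    for mask, weight in MASKS:
        if all(c == h for keep, c, h in zip(mask, candidate, host) if keep):
            free = mask.count(0)
            p += (weight / 8) * (1 / 254) ** free
    return p

def sample_targets(host, n, seed=1):
    rng = random.Random(seed)
    return [pick_target(host, rng) for _ in range(n)]

def scan_locality(host, n, seed=1):
    """Fraction of targets sharing the host's /8 and /16 over n draws."""
    targets = sample_targets(host, n, seed)
    same8 = sum(t[0] == host[0] for t in targets) / n
    same16 = sum(t[:2] == host[:2] for t in targets) / n
    return same8, same16

if __name__ == "__main__":
    host = parse_ip("10.20.30.40")           # invented host address
    print("same /8, same /16 fractions:", scan_locality(host, 10000))
    print("same /16 vs unrelated address, per-draw odds ratio:",
          hit_probability((10, 20, 1, 1), host) / hit_probability((192, 168, 1, 1), host))
```

The ratio printed at the end is 1 + 4*254 + 3*254^2, roughly 195,000: an address in the infected host's /16 is about that many times more likely to be probed per draw than an unrelated one, which is why an infected network floods itself first.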