Full Disclosure mailing list archives

Worm.Dvldr analysis report
From: "benjurry" <benjurry () szcert org>
Date: Sat, 8 Mar 2003 23:44:53 +0800

Harbin Institute of Technology & Antiy United Cert Group 
Worm.Dvldr analysis report
  
On 8 March 2003, the Harbin Institute of Technology & Antiy United CERT Group observed abnormal network
traffic at several monitoring nodes on China Telecom and the China Education and Research Network.
  
The abnormal behaviour was as follows:
1.       The monitoring nodes saw several hosts sending TCP packets to port 445 on a large number of target hosts.
2.       Each abnormal host sent these packets to consecutive IP addresses.
Tracing the sources back, we found that the scanning hosts had the following in common:
1.       The operating system is Windows NT/2000.
2.       Both TCP ports 5800 and 5900 (the AT&T VNC remote-control service) were open.
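The scan pattern the monitoring nodes noticed (one source, many TCP/445 targets, addresses walked in order) can be picked out of ordinary flow records. The following is an added example, not tooling from the report or from Antiy; the flow record layout (timestamp, source, destination, destination port, TCP flags) and the thresholds are assumptions, and the sample records are constructed.

```python
"""Flag hosts that scan consecutive IP addresses on TCP/445.

Added example, not the report's own tooling. Flow records are a constructed
simplification: (timestamp, src, dst, dport, tcp_flags).
"""
from collections import defaultdict
import ipaddress

# Constructed sample flows: 10.9.8.7 walks 192.0.2.10..192.0.2.19 in order on
# port 445 (worm-like); 10.9.8.100 is a normal client talking to two servers.
SAMPLE_FLOWS = (
    [(1000 + i, "10.9.8.7", f"192.0.2.{10 + i}", 445, "S") for i in range(10)]
    + [(1005, "10.9.8.100", "192.0.2.50", 445, "S"),
       (1006, "10.9.8.100", "192.0.2.51", 445, "S"),
       (1007, "10.9.8.100", "192.0.2.50", 445, "S"),
       (1008, "10.9.8.7", "198.51.100.5", 80, "S")]
)


def scan_stats(flows, dport=445):
    """Per source: (distinct targets on dport, number of times the next new
    target was exactly the next IP address, in first-contact order)."""
    targets = defaultdict(list)   # src -> ordered list of distinct dst addresses
    seen = defaultdict(set)
    for _ts, src, dst, port, flags in sorted(flows, key=lambda f: f[0]):
        if port != dport or "S" not in flags:   # only SYNs to the port of interest
            continue
        if dst not in seen[src]:
            seen[src].add(dst)
            targets[src].append(ipaddress.ip_address(dst))
    stats = {}
    for src, ips in targets.items():
        consecutive = sum(1 for a, b in zip(ips, ips[1:]) if int(b) - int(a) == 1)
        stats[src] = (len(ips), consecutive)
    return stats


def find_scanners(flows, min_targets=8, min_consecutive_ratio=0.8):
    """Sources with at least min_targets distinct TCP/445 targets where most
    steps between new targets are +1 (thresholds are assumptions)."""
    out = []
    for src, (n, consecutive) in scan_stats(flows).items():
        if n >= min_targets and consecutive / max(n - 1, 1) >= min_consecutive_ratio:
            out.append(src)
    return sorted(out)


if __name__ == "__main__":
    for src, (n, c) in scan_stats(SAMPLE_FLOWS).items():
        print(f"{src}: {n} distinct TCP/445 targets, {c} consecutive steps")
    print("scanners:", find_scanners(SAMPLE_FLOWS))   # prints ['10.9.8.7']
```

The consecutive-step ratio is what separates the worm's sequential sweep from a busy but legitimate SMB client that talks to a handful of servers repeatedly; the distinct-target floor keeps a two-host client from being flagged on a single +1 step.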

We then contacted the administrators of these hosts and obtained samples.
Initial findings are as follows:
In the system directory there is an executable called Dvldr32.exe; this is the process generating the abnormal
traffic, sending a large volume of packets.
In addition, there are several abnormal files and registry entries.
The abnormal files are as follows:

File name          Possible directory                                                        Size (bytes)
dvldr32.exe        %windir%\system32 (NT/2K); %windir%\system (9x)                           745,984
explorer.exe       %windir%\fonts                                                            212,992
omnithread_rt.dll  %windir%\fonts                                                            57,344
VNCHooks.dll       %windir%\fonts                                                            32,768
rundll32.exe       %windir%\fonts                                                            29,336
cygwin1.dll        %windir%\system32 (NT/2K); %windir%\system (9x)                           944,968
inst.exe           C:\Documents and Settings\All Users\Start Menu\Programs\Startup\inst.exe  684,562
                   C:\WINDOWS\Start Menu\Programs\Startup\inst.exe
                   C:\WINNT\All Users\Start Menu\Programs\Startup\inst.exe

The registry is modified as follows (REGEDIT4 export):
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskMan"="C:\\WINDOWS\\Fonts\\rundll32.exe"
"Explorer"="C:\\WINDOWS\\Fonts\\explorer.exe"
[HKEY_CURRENT_USER\Software\ORL]

[HKEY_CURRENT_USER\Software\ORL\WinVNC3]
"SocketConnect"=dword:00000001
"AutoPortSelect"=dword:00000001
"InputsEnabled"=dword:00000001
"LocalInputsDisabled"=dword:00000000
"IdleTimeout"=dword:00000000
"QuerySetting"=dword:00000002
"QueryTimeout"=dword:0000000a
"Password"=hex:[value withheld in this report]
"PollUnderCursor"=dword:00000001
"PollForeground"=dword:00000001
"PollFullScreen"=dword:00000001
"OnlyPollConsole"=dword:00000001
"OnlyPollOnEvent"=dword:00000001

[HKEY_CURRENT_USER\Software\ORL\VNCHooks]

[HKEY_CURRENT_USER\Software\ORL\VNCHooks\Application_Prefs]

[HKEY_CURRENT_USER\Software\ORL\VNCHooks\Application_Prefs\EXPLORER.EXE]
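Because the persistence and the backdoor configuration both live in this export, a small parser for the REGEDIT4 format is enough to triage a suspect host from an export alone. The following is an added example, not code from the report or from Antiy; the export text is constructed to mirror the keys above (with a legitimate Run entry added and an all-zero placeholder where the report withholds the VNC password hash), and it assumes hex values fit on one line.

```python
"""Parse a REGEDIT4 export and flag the entries this worm leaves behind.

Added example, not the report's own tool. The export text is constructed to
mirror the report's findings; the Password bytes are a placeholder.
"""
import re

# Constructed REGEDIT4 excerpt. "Scanner" is a legitimate entry added so the
# checks below have something they must NOT flag.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskMan"="C:\\WINDOWS\\Fonts\\rundll32.exe"
"Explorer"="C:\\WINDOWS\\Fonts\\explorer.exe"
"Scanner"="C:\\Program Files\\Vendor\\scan.exe"

[HKEY_CURRENT_USER\Software\ORL\WinVNC3]
"SocketConnect"=dword:00000001
"AutoPortSelect"=dword:00000001
"Password"=hex:00,00,00,00,00,00,00,00
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
VNC_KEY = r"HKEY_CURRENT_USER\Software\ORL\WinVNC3"

# "name"="string" | "name"=dword:xxxxxxxx | "name"=hex:aa,bb,...  (single line)
_VALUE = re.compile(r'^"([^"]+)"=(?:"((?:[^"\\]|\\.)*)"|dword:([0-9a-fA-F]{8})|hex:(.*))$')


def parse_regedit4(text):
    """Return {key: {name: value}}: strings unescaped, dwords as int, hex as bytes.
    Assumption: malformed lines and multi-line hex continuations are skipped."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = _VALUE.match(line)
        if current is None or not m:
            continue
        name, s, dw, hx = m.groups()
        if s is not None:
            keys[current][name] = s.replace("\\\\", "\\").replace('\\"', '"')
        elif dw is not None:
            keys[current][name] = int(dw, 16)
        else:
            keys[current][name] = bytes(int(b, 16) for b in hx.split(",") if b.strip())
    return keys


def find_indicators(keys):
    """Findings matching the report: Run values that launch binaries from the
    Fonts directory, and a WinVNC3 key configured to accept socket connections."""
    findings = []
    for name, target in keys.get(RUN_KEY, {}).items():
        if "\\fonts\\" in target.lower():
            findings.append(f"Run value {name!r} launches {target} from the Fonts directory")
    vnc = keys.get(VNC_KEY)
    if vnc is not None:
        if vnc.get("SocketConnect") == 1:
            findings.append("WinVNC3 key present with SocketConnect=1 (VNC backdoor accepts connections)")
        if "Password" in vnc:
            findings.append("WinVNC3 password value present under HKCU (check whether VNC was ever installed on purpose)")
    return findings


if __name__ == "__main__":
    for finding in find_indicators(parse_regedit4(SAMPLE_EXPORT)):
        print("-", finding)
```

The Fonts-directory test is deliberately the only thing the Run check keys on: the value names the worm uses (TaskMan, Explorer) look innocuous, but no legitimate startup program lives under %windir%\Fonts.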
Further analysis is as follows:
   Dvldr32.exe is packed with ASPack. The virus, written in Microsoft Visual C++ 6.0, sends out a large number of
packets in order to spread across the network. The file also contains three embedded executables. Two of them are
"Psexesvc" and "Remote process launcher", command-line tools published by Sysinternals; they are not written to the
file system and are invoked only by Dvldr32.exe. The third is an installation package made with an uncommon install
tool. The package contains 5 files, 3 of which (Explorer.exe, VNCHooks.dll and Omnithread_rt.dll) are components of
the VNC remote-administration tool from AT&T.
   The rundll32.exe dropped into %windir%\fonts is not the normal Windows rundll32.exe. It appears to be a Unix
program ported to Windows with Cygwin (which would explain the bundled cygwin1.dll). We are still analysing what it does.
Spreading mechanism:
   When run, the program selects two IP ranges at random and connects to TCP port 445 (SMB) on each host in them to
set up a session. If the target's Administrator password is blank or is in the list embedded in the file (reproduced
at the end of this report), the program copies itself to that system.
Backdoor:
   The virus uses the legitimate remote-administration tool VNC (version 3.3.3r9) as its backdoor and installs it on
the target system. The copy has been modified so that no tray icon appears while VNC is running. Because this VNC
cannot connect to the computer while the machine is locked, the backdoor's usefulness is limited.
What users can do:
  Users of NT/2K systems must first set a strong Administrator password, then use AntiyPorts
http://www.antiy.net/download/antiyports.exe
 or another process-management tool to kill the process named dvldr32.exe. After that, delete all the files listed in
the table above, remove the registry entries listed above (the two Run values, and the HKEY_CURRENT_USER\Software\ORL
keys unless VNC was installed on purpose), and restart the computer. Because the worm spreads by logging in as
Administrator over TCP 445, every other host reachable from an infected one that had a blank password or one from the
list at the end of this report should be checked as well.
  
Special removal tool and follow-up:
Harbin Institute of Technology & Antiy United CERT Group will keep following developments and will release an
in-depth analysis report.
We will also release Chinese and English versions of a dedicated removal tool at about 21:40 Beijing time on
8 March 2003.
On 9 March 2003 (Beijing time) the anti-virus database will be updated. After that you can download the Antiy
Ghostbusters database file here:
http://www.antiy.net/update/ex.gbl
and overwrite the file of the same name in the Antiy Ghostbusters install path (default: \Program Files\Antiy Labs\Antiy Ghostbusters).
Antiy Ghostbusters will then detect this worm.
More information on Antiy Ghostbusters:
http://www.antiy.net/ghostbusters
Password list used by this worm (from the disassembly):
.data:0040A038                 dd offset aAdmin        ; "admin"
.data:0040A03C                 dd offset aAdmin_0      ; "Admin"
.data:0040A040                 dd offset aPassword     ; "password"
.data:0040A044                 dd offset aPassword_0   ; "Password"
.data:0040A048                 dd offset a1            ; "1"
.data:0040A04C                 dd offset a12           ; "12"
.data:0040A050                 dd offset a123          ; "123"
.data:0040A054                 dd offset a1234         ; "1234"
.data:0040A058                 dd offset a12345        ; "12345"
.data:0040A05C                 dd offset a123456       ; "123456"
.data:0040A060                 dd offset a1234567      ; "1234567"
.data:0040A064                 dd offset a12345678     ; "12345678"
.data:0040A068                 dd offset a123456789    ; "123456789"
.data:0040A06C                 dd offset a654321       ; "654321"
.data:0040A070                 dd offset a54321        ; "54321"
.data:0040A074                 dd offset a111          ; "111"
.data:0040A078                 dd offset a000000       ; "000000"
.data:0040A07C                 dd offset a00000000     ; "00000000"
.data:0040A080                 dd offset a11111111     ; "11111111"
.data:0040A084                 dd offset a88888888     ; "88888888"
.data:0040A088                 dd offset aPass         ; "pass"
.data:0040A08C                 dd offset aPasswd       ; "passwd"
.data:0040A090                 dd offset aDatabase     ; "database"
.data:0040A094                 dd offset aAbcd         ; "abcd"
.data:0040A098                 dd offset aAbc123       ; "abc123"
.data:0040A09C                 dd offset aOracle       ; "oracle"
.data:0040A0A0                 dd offset aSybase       ; "sybase"
.data:0040A0A4                 dd offset a123qwe       ; "123qwe"
.data:0040A0A8                 dd offset aServer       ; "server"
.data:0040A0AC                 dd offset aComputer     ; "computer"
.data:0040A0B0                 dd offset aInternet     ; "Internet"
.data:0040A0B4                 dd offset aSuper        ; "super"
.data:0040A0B8                 dd offset a123asd       ; "123asd"
.data:0040A0BC                 dd offset aIhavenopass  ; "ihavenopass"
.data:0040A0C0                 dd offset aGodblessyou  ; "godblessyou"
.data:0040A0C4                 dd offset aEnable       ; "enable"
.data:0040A0C8                 dd offset aXp           ; "xp"
.data:0040A0CC                 dd offset a2002         ; "2002"
.data:0040A0D0                 dd offset a2003         ; "2003"
.data:0040A0D4                 dd offset a2600         ; "2600"
.data:0040A0D8                 dd offset a0            ; "0"
.data:0040A0DC                 dd offset a110          ; "110"
.data:0040A0E0                 dd offset a111111       ; "111111"
.data:0040A0E4                 dd offset a121212       ; "121212"
.data:0040A0E8                 dd offset a123123       ; "123123"
.data:0040A0EC                 dd offset a1234qwer     ; "1234qwer"
.data:0040A0F0                 dd offset a123abc       ; "123abc"
.data:0040A0F4                 dd offset a007          ; "007"
.data:0040A0F8                 dd offset aAlpha        ; "alpha"
.data:0040A0FC                 dd offset aPatrick      ; "patrick"
.data:0040A100                 dd offset aPat          ; "pat"
.data:0040A104                 dd offset aAdministrator ; "administrator"
.data:0040A108                 dd offset aRoot         ; "root"
.data:0040A10C                 dd offset aSex          ; "sex"
.data:0040A110                 dd offset aGod          ; "god"
.data:0040A114                 dd offset aFoobar       ; "foobar"
.data:0040A118                 dd offset aA            ; "a"
.data:0040A11C                 dd offset aAaa          ; "aaa"
.data:0040A120                 dd offset aAbc          ; "abc"
.data:0040A124                 dd offset aTest         ; "test"
.data:0040A128                 dd offset aTest123      ; "test123"
.data:0040A12C                 dd offset aTemp         ; "temp"
.data:0040A130                 dd offset aTemp123      ; "temp123"
.data:0040A134                 dd offset aWin          ; "win"
.data:0040A138                 dd offset aPc           ; "pc"
.data:0040A13C                 dd offset aAsdf         ; "asdf"
.data:0040A140                 dd offset aSecret       ; "secret"
.data:0040A144                 dd offset aQwer         ; "qwer"
.data:0040A148                 dd offset aYxcv         ; "yxcv"
.data:0040A14C                 dd offset aZxcv         ; "zxcv"
.data:0040A150                 dd offset aHome         ; "home"
.data:0040A154                 dd offset aXxx          ; "xxx"
.data:0040A158                 dd offset aOwner        ; "owner"
.data:0040A15C                 dd offset aLogin        ; "login"
.data:0040A160                 dd offset aLogin_0      ; "Login"
.data:0040A164                 dd offset aPwd          ; "pwd"
.data:0040A168                 dd offset aPass         ; "pass"
.data:0040A16C                 dd offset aLove         ; "love"
.data:0040A170                 dd offset aMypc         ; "mypc"
.data:0040A174                 dd offset aMypc123      ; "mypc123"
.data:0040A178                 dd offset aAdmin123     ; "admin123"
.data:0040A17C                 dd offset aPw123        ; "pw123"
.data:0040A180                 dd offset aMypass       ; "mypass"
.data:0040A184                 dd offset aMypass123    ; "mypass123"
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
