Sunday, 22 May 2005
W32.Linkbot.M is a worm that exploits the Microsoft Windows LSASS Buffer Overrun Vulnerability (Microsoft Security Bulletin MS04-011) in order to propagate. It also creates a back door on the system accessible through IRC.
Systems Affected: Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
When W32.Linkbot.M is executed, it performs the following actions:
Copies itself as one of the following:
%System%\lssas.exe
%System%\Isass.exe
%System%\csrs.exe
%System%\logon.exe
%System%\winIogon.exe
%System%\explorer.exe
%System%\winamp.exe
%System%\firewall.exe
%System%\spoolsvc.exe
%System%\spooIsv.exe
%System%\algs.exe
%System%\iexplore.exe
Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Adds one of the following values:
"Local Security Authority Service" = "%System%\lssas.exe"
"Local Security Authority Service" = "%System%\Isass.exe"
"Client Server Runtime Process" = "%System%\csrs.exe"
"Windows Logon Application" = "%System%\logon.exe"
"Windows Logon Application" = "%System%\winIogon.exe"
"Windows Explorer" = "%System%\explorer.exe"
"Winamp Agent" = "%System%\winamp.exe"
"Windows Network Firewall" = "%System%\firewall.exe"
"Spooler SubSystem App" = "%System%\spoolsvc.exe"
"Spooler SubSystem App" = "%System%\spooIsv.exe"
"Application Layer Gateway Service" = "%System%\algs.exe"
"Microsoft Internet Explorer" = "%System%\iexplore.exe"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the risk runs every time Windows starts.
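A defender-side check over the Run key, added here as an example and not part of the original write-up: it parses constructed `reg query` output, flags the value-name/file-name pairs listed above, and separately flags any file whose name imitates a genuine system binary (capital I for lowercase l, or a dropped, added or swapped letter). The sample output and the list of legitimate binaries are assumptions for illustration.

```python
import re
# Indicators transcribed from the write-up above: Run value name -> file names it may point at.
LINKBOT_RUN_VALUES = {
    "Local Security Authority Service": {"lssas.exe", "Isass.exe"},
    "Client Server Runtime Process": {"csrs.exe"}, "Windows Explorer": {"explorer.exe"},
    "Windows Logon Application": {"logon.exe", "winIogon.exe"}, "Winamp Agent": {"winamp.exe"},
    "Windows Network Firewall": {"firewall.exe"}, "Application Layer Gateway Service": {"algs.exe"},
    "Spooler SubSystem App": {"spoolsvc.exe", "spooIsv.exe"},
    "Microsoft Internet Explorer": {"iexplore.exe"},
}
# Assumed list of genuine binaries the worm's names imitate (I for l, dropped/added/swapped letter).
LEGIT_BINARIES = ("lsass.exe", "csrss.exe", "winlogon.exe", "spoolsv.exe", "alg.exe")
REG_LINE = re.compile(r"^\s+(.+?)\s+(REG_\w+)\s+(.*)$")  # "    Name    REG_SZ    Value"

def within_one_edit(a, b):
    """True if a equals b after at most one insertion, deletion, substitution or adjacent swap."""
    if a == b: return True
    if abs(len(a) - len(b)) > 1: return False
    i = 0
    while i < min(len(a), len(b)) and a[i] == b[i]: i += 1  # skip the common prefix
    return (a[i + 1:] == b[i + 1:] or a[i + 1:] == b[i:] or a[i:] == b[i + 1:]
            or (a[i:i + 2] == b[i:i + 2][::-1] and a[i + 2:] == b[i + 2:]))

def imitated_binary(filename):
    """Return the legitimate binary this file name imitates, or None."""
    lowered, normalised = filename.lower(), filename.replace("I", "l").lower()  # I passes for l
    for legit in LEGIT_BINARIES:
        if lowered != legit and within_one_edit(normalised, legit): return legit
    return None

def scan_run_values(reg_query_output):
    """Parse 'reg query ...\\Run' output; return (name, path, reason) for each suspicious value."""
    hits = []
    for line in reg_query_output.splitlines():
        if not (m := REG_LINE.match(line)): continue
        name, _type, path = m.groups()
        fname = re.split(r"[\\/]", path)[-1]
        if fname in LINKBOT_RUN_VALUES.get(name, ()):
            hits.append((name, path, "Run value matches W32.Linkbot.M indicator"))
        elif (legit := imitated_binary(fname)):
            hits.append((name, path, "file name imitates " + legit))
    return hits
# Constructed 'reg query' output: one benign entry, two Linkbot.M entries, one plain look-alike.
SAMPLE_REG_QUERY = r"""HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Local Security Authority Service    REG_SZ    C:\WINDOWS\System32\Isass.exe
    Runtime    REG_SZ    C:\WINDOWS\System32\csrs.exe
    Winamp Agent    REG_SZ    C:\WINDOWS\System32\winamp.exe
"""
```

Running `scan_run_values(SAMPLE_REG_QUERY)` reports the two Linkbot.M entries and the `csrs.exe` look-alike while leaving the benign entry alone; the look-alike rule catches renamed copies that the fixed indicator list would miss.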
Creates the following batch file:
[RandomFileName].bat
When the batch file is executed, it deletes the original worm file and then itself.
Attempts to connect to the following domain on TCP port 6667:
home.played.co.uk
Opens an Ident Daemon listening on TCP port 113.
Allows a remote attacker to perform some of the following actions on compromised systems:
Download and execute files
Manipulate the file system
Gather system information
Update or uninstall the bot
Terminate running processes
Steal passwords
Start socket server
Measure connection speed
Conduct port scans
Copy itself to network shares
================================
To delete the value from the registry
Click Start > Run.
Type regedit
Click OK.
Note: If the registry editor fails to open, the threat may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.
Navigate to the subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
In the right pane, delete the following values, if they exist:
"Local Security Authority Service" = "%System%\lssas.exe"
"Local Security Authority Service" = "%System%\Isass.exe"
"Client Server Runtime Process" = "%System%\csrs.exe"
"Windows Logon Application" = "%System%\logon.exe"
"Windows Logon Application" = "%System%\winIogon.exe"
"Windows Explorer" = "%System%\explorer.exe"
"Winamp Agent" = "%System%\winamp.exe"
"Windows Network Firewall" = "%System%\firewall.exe"
"Spooler SubSystem App" = "%System%\spoolsvc.exe"
"Spooler SubSystem App" = "%System%\spooIsv.exe"
"Application Layer Gateway Service" = "%System%\algs.exe"
"Microsoft Internet Explorer" = "%System%\iexplore.exe"
Exit the Registry Editor.
=====================================================