
W32.Spybot.HUR
Monday, 10 January 2005
W32.Spybot.HUR is a worm that has distributed denial of service and back door capabilities. The worm spreads to network shares protected by weak passwords and by exploiting system vulnerabilities.

Type: Worm
Infection Length: 83,968 bytes.

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Once W32.Spybot.HUR is executed, it performs the following actions:


Copies itself as %System%\wuaucrlt.exe.

Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).


Adds the value:

"*windows update" = "wuaucrlt.exe"

to the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\Run

so that it is executed every time Windows starts.


Creates the following service:

Service name: *windows update
Image path: %System%\wuaucrlt.exe
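The file name, registry value and service name above are the host-based indicators an incident responder would sweep for. The following script is an added example (not part of the original write-up and not Symantec's tooling): it parses a registry export in .reg syntax and flags any autorun or service entry that references the worm's image name or its "*windows update" value name. The export text embedded in the script is constructed for illustration; on a real host you would feed it the output of `reg export` for the keys listed above.

```python
import re
from typing import Dict, List, Tuple

# Indicators taken from the write-up above.
IOC_VALUE_NAME = "*windows update"
IOC_IMAGE = "wuaucrlt.exe"
AUTORUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\Run",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\Run",
}
AUTORUN_KEYS_L = {k.lower() for k in AUTORUN_KEYS}
SERVICES_KEY_L = r"hkey_local_machine\system\currentcontrolset\services"

# Constructed sample export (not a real host): one benign Run value, the worm's
# Run value, and the service it registers. Real exports store ImagePath as
# hex(2); a plain string is used here to keep the parser short.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleAgent"="C:\\Program Files\\Example\\agent.exe"
"*windows update"="wuaucrlt.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\*windows update]
"ImagePath"="C:\\Windows\\System32\\wuaucrlt.exe"
"Start"=dword:00000002
'''

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of .reg syntax used here: [key] headers and name=data lines."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                # .reg doubles backslashes inside quoted strings; undo that.
                data = data[1:-1].replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def _basename(path: str) -> str:
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_spybot_indicators(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, data) triples that match the persistence indicators."""
    hits: List[Tuple[str, str, str]] = []
    for key, values in keys.items():
        key_l = key.lower()
        # Only look at the autorun locations named in the write-up, plus any
        # service subkey (the worm registers "*windows update" as a service).
        if key_l not in AUTORUN_KEYS_L and not key_l.startswith(SERVICES_KEY_L + "\\"):
            continue
        for name, data in values.items():
            if name.lower() == IOC_VALUE_NAME or _basename(data) == IOC_IMAGE:
                hits.append((key, name, data))
    return hits


if __name__ == "__main__":
    for key, name, data in find_spybot_indicators(parse_reg_export(SAMPLE_EXPORT)):
        print(f"SUSPECT  {key}  {name} = {data}")
```

A match on either the value name or the image basename is reported, because a variant can change one without the other; the benign agent entry under the same Run key is left alone.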


Opens a back door by connecting to the IRC channel #iso through TCP port 3515, on one or more of the following hosts:

x.x1secure.com
ssl.tichrondius.com

The worm will listen for commands that allow the attacker to perform the following actions:

Download and execute files
List, stop, and start processes and threads
Launch ACK, SYN, UDP, and ICMP denial of service attacks
Perform port redirection
Send files over IRC
Send email using its own SMTP engine
Start a local HTTP, FTP, or TFTP server
Search for files on the compromised computer
Log keystrokes to file
Access network shares and copy itself to those network shares
Scan the network for vulnerable hosts by means of port scanning
Capture screenshots, clipboard data, and webcam video
Visit URLs
Flush the DNS and ARP caches
Open a command shell on the infected computer
Start a SOCKSv4 proxy server
Add and delete network shares and disable DCOM
Reboot the infected computer


Scans for vulnerable computers and tries to exploit one of the following vulnerabilities:

The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026).
The Microsoft Windows Local Security Authority Service Remote Buffer Overflow (described in Microsoft Security Bulletin MS04-011).
The Microsoft Windows SSL Library Denial of Service Vulnerability (described in Microsoft Security Bulletin MS04-011).
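Two network behaviours described above stand out in flow or firewall logs: the IRC connection to the named hosts on TCP port 3515, and one source contacting many different addresses on the ports the DCOM RPC and LSASS exploits use (135 and 445). The following detector is an added example, not part of the original write-up; the log lines it analyses are constructed in a simple key=value form, and the fan-out threshold of 20 distinct destinations is an assumed tuning value, not a figure from the page.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

C2_HOSTS = {"x.x1secure.com", "ssl.tichrondius.com"}   # from the write-up
C2_PORT = 3515                                         # from the write-up
EXPLOIT_PORTS = {135, 445}   # DCOM RPC (MS03-026) and LSASS/SMB (MS04-011) traffic
SCAN_THRESHOLD = 20          # assumed: distinct destinations before a source is flagged

# Constructed record format: "<timestamp> src=<ip> dst=<ip> dport=<port> [host=<name>]".
_LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)(?: host=(?P<host>\S+))?"
)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    m = _LINE_RE.search(line)
    if not m:
        return None
    return {
        "src": m.group("src"),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
        "host": m.group("host"),
    }


def analyse(lines: List[str]) -> Dict[str, List[str]]:
    """Return findings for C2 traffic and for worm-style scanning fan-out."""
    findings: Dict[str, List[str]] = {"c2": [], "scan": []}
    fanout: Dict[str, set] = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["dport"] == C2_PORT:
            if rec["host"] in C2_HOSTS:
                findings["c2"].append(
                    f"{rec['src']} -> {rec['host']}:{C2_PORT} (known Spybot.HUR C2 host)")
            else:
                findings["c2"].append(
                    f"{rec['src']} -> {rec['dst']}:{C2_PORT} (unlisted host on the worm's IRC port)")
        if rec["dport"] in EXPLOIT_PORTS:
            fanout[rec["src"]].add(rec["dst"])
    for src, dsts in fanout.items():
        if len(dsts) >= SCAN_THRESHOLD:
            findings["scan"].append(
                f"{src} contacted {len(dsts)} distinct hosts on ports 135/445")
    return findings


def build_sample_log() -> List[str]:
    """Constructed flow records, not real telemetry."""
    lines = [
        "2005-01-10T09:15:02 src=10.0.5.23 dst=203.0.113.7 dport=3515 host=x.x1secure.com",
        "2005-01-10T09:15:03 src=10.0.5.41 dst=10.0.1.10 dport=445",
        "2005-01-10T09:15:04 src=10.0.5.41 dst=10.0.1.11 dport=445",
        "2005-01-10T09:15:05 src=10.0.5.41 dst=203.0.113.80 dport=443 host=www.example.com",
    ]
    # One host sweeping a /24 on 135 and 445, as the worm's scanner would.
    for i in range(1, 31):
        port = 135 if i % 2 else 445
        lines.append(f"2005-01-10T09:16:{i % 60:02d} src=10.0.5.23 dst=198.51.100.{i} dport={port}")
    return lines


if __name__ == "__main__":
    for category, items in analyse(build_sample_log()).items():
        for item in items:
            print(f"[{category}] {item}")
```

The benign workstation that talks to two file servers on 445 stays under the threshold, while the infected host's sweep of 30 addresses is reported; the same host's connection to a listed C2 name on port 3515 is reported separately, so either signal alone is enough to start an investigation.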


The worm attempts to spread to randomly generated IP addresses by copying itself to network shares. The worm attempts to use the following list of passwords to access the network shares:

007
123
1234
12345
123456
1234567
12345678
123456789
1234567890
2000
2001
2002
2003
2004
access
accounting
accounts
adm
admin
administrador
administrat
administrateur
administrator
admins
asd
backup
bill
bitch
blank
bob
brian
changeme
chris
cisco
compaq
computer
control
data
database
databasepass
databasepassword
db1
db1234
db2
dba
dbpass
dbpassword
default
dell
demo
domain
domainpass
domainpassword
eric
exchange
fred
fuck
george
god
guest
hell
hello
home
homeuser
ian
ibm
internet
intranet
jen
joe
john
kate
katie
lan
lee
linux
login
loginpass
luke
mail
main
mary
mike
neil
nokia
none
null
oem
oeminstall
oemuser
office
oracle
orainstall
outlook
owner
pass
pass1234
passwd
password
password1
peter
pwd
qaz
qwe
qwerty
root
sam
server
sex
siemens
slut
sql
sqlpassoainstall
staff
student
sue
susan
system
teacher
technical
test
unix
user
web
win2000
win2k
win98
windows
winnt
winpass
winxp
www
wwwadmin
zxc
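Because the worm only gets onto a share when its password is in the list above, the practical defence is to make sure no share or account password is. The script below is an added example, not part of the original write-up: it audits a set of username/password pairs against the dictionary with case-insensitive matching and also flags blank passwords and passwords equal to the username, two conditions the list covers only indirectly. The dictionary embedded here is a subset of the list above (the rest of the entries go into the same set), and the accounts audited are constructed.

```python
from typing import Iterable, List, Tuple

# Subset of the worm's dictionary from the list above; extend with the remaining entries.
SPYBOT_HUR_DICTIONARY = {
    "007", "123", "1234", "12345", "123456", "2004", "admin", "administrator",
    "backup", "changeme", "database", "default", "guest", "none", "null",
    "oracle", "pass", "passwd", "password", "password1", "qwerty", "root",
    "server", "sql", "system", "test", "user", "windows", "winxp",
}

# Constructed accounts for the demonstration; a real audit reads these from
# the share or account configuration the administrator already holds.
SAMPLE_ACCOUNTS = [
    ("Administrator", "PASSWORD"),      # dictionary word, different case
    ("backup", "backup"),               # equals username and is in the dictionary
    ("svc_sql", ""),                    # blank
    ("jdoe", "Tr0ub4dor&3-xk"),         # not weak by these rules
]


def _normalise(value: str) -> str:
    return value.strip().lower()


def weakness_reasons(username: str, password: str) -> List[str]:
    """Return the reasons a credential would fall to the worm's share attack."""
    reasons: List[str] = []
    if password == "":
        reasons.append("blank password")
    pw = _normalise(password)
    if pw in SPYBOT_HUR_DICTIONARY:
        reasons.append("in Spybot.HUR dictionary")
    if pw and pw == _normalise(username):
        reasons.append("password equals username")
    return reasons


def audit(accounts: Iterable[Tuple[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (username, reasons) for every account with at least one weakness."""
    results: List[Tuple[str, List[str]]] = []
    for username, password in accounts:
        reasons = weakness_reasons(username, password)
        if reasons:
            results.append((username, reasons))
    return results


if __name__ == "__main__":
    for username, reasons in audit(SAMPLE_ACCOUNTS):
        print(f"WEAK  {username}: {', '.join(reasons)}")
```

Matching is done on the lower-cased password because the dictionary is all lower case and a mixed-case variant of the same word offers no real protection; a credential can collect more than one reason, which is useful when prioritising which accounts to change first.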