W32.Spybot.PEN
Saturday, 21 May 2005
W32.Spybot.PEN is a network-aware worm that has distributed denial of service and back door capabilities. The worm spreads through network shares protected by weak passwords and by exploiting vulnerabilities. The worm may be dropped by W32.Kelvir.CG.

Type: Worm
Infection Length: 86,528 bytes.

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

W32.Spybot.PEN arrives on the compromised computer as C:\tmpdata\ImSexy.exe. Once this file is executed, the worm performs the following actions:


Copies itself as %System%\msnadm32.exe

Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).


Adds the value:

"Microsoft Networking Agent For SP2" = "msnac32.exe"

to the registry subkeys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\OLE
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa

so that it is executed every time Windows starts. Only the Run and RunServices subkeys are autostart locations; the copies of the value under the OLE and Lsa subkeys do not start the worm, but they are a useful indicator of infection.


Sets the value:

"EnableDCOM" = "N"

in the registry subkey:

HKEY_LOCAL_MACHINE\Software\Microsoft\OLE

to disable DCOM.


Sets the value:

"restrictanonymous" = "1"

in the registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

which restricts anonymous (null-session) enumeration of user accounts and shares on the compromised computer. RestrictAnonymous is a DWORD value whose default on Windows 2000, XP and Server 2003 is 0.


Opens a back door by connecting to an IRC channel on the universal.dists.com domain on TCP port 8076.


Listens for commands that allow the attacker to perform the following actions:


Download and execute files
List, stop, and start processes and threads
Launch ACK, SYN, UDP, and ICMP denial of service attacks
Perform port redirection
Send files over IRC
Send email using its own SMTP engine
Start a local HTTP, FTP, or TFTP server
Search for files on the compromised computer
Log keystrokes
Access network shares and copy itself to those network shares
Scan the network for vulnerable computers by means of port scanning
Capture screenshots, data from the clipboard, and footage from webcams
Visit URLs
Flush the DNS and ARP caches
Open a command shell on the compromised computer
Start a SOCKS4 proxy server
Add and delete network shares and disable DCOM
Reboot the compromised computer
Intercept packets on the local area network
Retrieve the currently logged on user's Windows password from memory
Send net send messages
Delete registry entries for other programs and malware


Scans for computers vulnerable to one or more of the following exploits:


The Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS03-026), using TCP port 135.
The Microsoft Windows Local Security Authority Service Remote Buffer Overflow (described in Microsoft Security Bulletin MS04-011), using TCP port 445.
The Microsoft SQL Server Web Task Stored Procedure Privilege Escalation Vulnerability (described in Microsoft Security Bulletin MS02-061), using TCP port 1433, the default SQL Server listener.


Spreads through back doors opened by variants of the following threats:


W32.Beagle
W32.Sasser
W32.Mydoom
Backdoor.NetDevil
Backdoor.Subseven
Backdoor.Kuang
Backdoor.Optix


Spreads to randomly generated IP addresses by copying itself to network shares that are protected with weak passwords.
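A network-side check for the propagation behaviour described above, added here as an example; it is not part of the original write-up. It runs over constructed connection-log lines (timestamp, source, destination, destination port, TCP flag) and flags any host that fans out to many peers on the exploit and share ports the worm uses (TCP 135, 445 and 1433) or that connects to the IRC back door port 8076. The log format, the sample lines and the fan-out threshold of five targets are assumptions made for the example; adapt the parser to your own firewall or flow export.

```powershell
# Added example: detect Spybot-style propagation in a connection log.
# The log format and sample lines below are constructed for this example.
$sampleLog = @'
2005-05-21T10:00:01 10.0.0.12 10.0.0.34 445 SYN
2005-05-21T10:00:01 10.0.0.12 10.0.0.35 445 SYN
2005-05-21T10:00:01 10.0.0.12 10.0.0.36 135 SYN
2005-05-21T10:00:02 10.0.0.12 10.0.0.37 1433 SYN
2005-05-21T10:00:02 10.0.0.12 10.0.0.38 445 SYN
2005-05-21T10:00:02 10.0.0.12 10.0.0.39 445 SYN
2005-05-21T10:00:05 10.0.0.12 203.0.113.9 8076 SYN
2005-05-21T10:00:07 10.0.0.50 10.0.0.3 445 SYN
2005-05-21T10:00:09 10.0.0.50 10.0.0.3 445 SYN
2005-05-21T10:00:10 10.0.0.51 10.0.0.3 80 SYN
'@

$exploitPorts    = 135, 445, 1433   # DCOM RPC, LSASS/SMB, SQL Server (the exploit list above)
$c2Port          = 8076             # IRC back door port named in the write-up
$fanOutThreshold = 5                # assumed: distinct targets per source before alerting

function Get-SpybotAlerts {
    param([string]$LogText, [int]$Threshold = $fanOutThreshold)

    # Parse one record per line; skip blank lines.
    $records = foreach ($line in ($LogText -split "`r?`n")) {
        if (-not $line.Trim()) { continue }
        $f = $line -split '\s+'
        [pscustomobject]@{ Time = $f[0]; Src = $f[1]; Dst = $f[2]; Port = [int]$f[3]; Flag = $f[4] }
    }

    $alerts = New-Object System.Collections.Generic.List[string]
    foreach ($group in ($records | Group-Object -Property Src)) {
        $src = $group.Name
        # A spreading host touches many distinct peers on the exploit/share ports
        # in a short window; a normal client repeatedly talks to one file server.
        $targets = @($group.Group | Where-Object { $exploitPorts -contains $_.Port } |
                     Select-Object -ExpandProperty Dst -Unique)
        if ($targets.Count -ge $Threshold) {
            $alerts.Add("$src fanned out to $($targets.Count) hosts on TCP $($exploitPorts -join '/')")
        }
        # Any outbound connection to the IRC control port is worth a look on its own.
        $c2 = @($group.Group | Where-Object { $_.Port -eq $c2Port })
        if ($c2.Count -gt 0) {
            $alerts.Add("$src connected to $($c2[0].Dst):$c2Port (IRC back door port)")
        }
    }
    return $alerts
}

Get-SpybotAlerts -LogText $sampleLog
```

On the constructed sample the only host reported is 10.0.0.12, for both the fan-out (six targets on 445/135/1433) and the connection to 8076; 10.0.0.50 hits a single server twice and is not reported. In real traffic, tune the threshold and window to your environment, and treat the 8076 match as a lead rather than proof, since nothing about the port itself is malicious.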
========================================
To delete the value from the registry
Click Start > Run.
Type regedit
Click OK.

Note: If the registry editor fails to open, the threat may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.


Navigate to the subkeys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\OLE
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa


In the right pane, delete the value:

"Microsoft Networking Agent For SP2" = "msnac32.exe"


Navigate to the subkey:

HKEY_LOCAL_MACHINE\Software\Microsoft\OLE


In the right pane, reset the value to its default so that DCOM is enabled again:

"EnableDCOM" = "Y"


Navigate to the subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa


In the right pane, reset the value to its default (a DWORD of 0):

"restrictanonymous" = "0"

If your organisation deliberately sets RestrictAnonymous to 1 as a hardening measure, leave it in place.

Exit the Registry Editor.
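The manual steps above, as a PowerShell script added here as an example; it is not a tool from the original write-up. By default it only reports which of the listed artifacts are present. With -Remove it stops the worm process, deletes the persistence value from every listed subkey, restores EnableDCOM to "Y" and RestrictAnonymous to 0, and deletes the dropped executables; -WhatIf previews the changes. The file and value names are the ones given in this write-up; that "Y" and 0 are the correct defaults is an assumption that holds for Windows 2000, XP and Server 2003.

```powershell
# Added example: audit and (with -Remove) clean the W32.Spybot.PEN artifacts
# listed in this write-up. Run from an elevated prompt; use -Remove -WhatIf to preview.
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Remove)

$valueName = 'Microsoft Networking Agent For SP2'
$subkeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\Software\Microsoft\OLE',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\OLE',
    'HKCU:\SYSTEM\CurrentControlSet\Control\Lsa'
)
# Both file names appear in the write-up (the dropped copy and the autorun value).
$droppedFiles = @("$env:SystemRoot\System32\msnadm32.exe", "$env:SystemRoot\System32\msnac32.exe")
$findings = New-Object System.Collections.Generic.List[string]

# 1. Stop the running worm first; otherwise the file delete below fails with a sharing violation.
$procs = Get-Process -Name 'msnadm32', 'msnac32' -ErrorAction SilentlyContinue
foreach ($p in $procs) {
    $findings.Add("process $($p.ProcessName) (PID $($p.Id)) is running")
    if ($Remove -and $PSCmdlet.ShouldProcess("PID $($p.Id)", 'Stop-Process')) {
        Stop-Process -Id $p.Id -Force
    }
}

# 2. The persistence value under each listed subkey (HKCU\SYSTEM normally does not exist; skip silently).
foreach ($key in $subkeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }
    $findings.Add("$key\$valueName = $($item.$valueName)")
    if ($Remove -and $PSCmdlet.ShouldProcess("$key\$valueName", 'Remove-ItemProperty')) {
        Remove-ItemProperty -Path $key -Name $valueName
    }
}

# 3. Restore the two settings the worm changed (assumed defaults: EnableDCOM = "Y", RestrictAnonymous = 0).
$ole = 'HKLM:\Software\Microsoft\OLE'
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if ((Get-ItemProperty -Path $ole -Name EnableDCOM -ErrorAction SilentlyContinue).EnableDCOM -eq 'N') {
    $findings.Add('EnableDCOM = N (DCOM disabled)')
    if ($Remove -and $PSCmdlet.ShouldProcess("$ole\EnableDCOM", 'Set to Y')) {
        Set-ItemProperty -Path $ole -Name EnableDCOM -Value 'Y' -Type String
    }
}
if ((Get-ItemProperty -Path $lsa -Name RestrictAnonymous -ErrorAction SilentlyContinue).RestrictAnonymous -eq 1) {
    $findings.Add('RestrictAnonymous = 1 (anonymous enumeration restricted)')
    if ($Remove -and $PSCmdlet.ShouldProcess("$lsa\RestrictAnonymous", 'Set to 0')) {
        Set-ItemProperty -Path $lsa -Name RestrictAnonymous -Value 0 -Type DWord
    }
}

# 4. The dropped executables.
foreach ($f in $droppedFiles) {
    if (Test-Path $f) {
        $findings.Add("file $f present")
        if ($Remove -and $PSCmdlet.ShouldProcess($f, 'Remove-Item')) { Remove-Item -Path $f -Force }
    }
}

if ($findings.Count -eq 0) { 'No W32.Spybot.PEN artifacts found.' } else { $findings }
```

Run it once without -Remove and keep the output as your infection record; the value under the OLE and Lsa subkeys is the clearest marker, since nothing legitimate writes an autorun-style entry there. Resetting RestrictAnonymous to 0 only puts the Windows default back; if your baseline sets it to 1 on purpose, drop that step.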

======================================================