Details:
Arrival Details
This worm may be downloaded from remote sites by other malware. It may also arrive bundled with malware packages as a malware component.
It may be dropped by the following malware:
It may also arrive via removable drives, network shares, or through a vulnerability.
Installation
This worm drops the following files:
- %System%\{Random file name}.dll - copy of itself
- %System%\0{random number}.tmp - detected as TROJ_DOWNAD.E
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
It patches TCPIP.SYS in memory to modify the limit on concurrent half-open TCP connection attempts on systems running Windows XP Service Pack 2. It does this by loading TCPIP.SYS at a specific memory location and dropping the file %System%\0{random number}.tmp, which creates a device object named TcpIp_Perf and links it to the TCPIP.SYS image loaded in memory. It then sends a control code (the patch code) to the linked device object.
This worm checks whether its command line includes the string RUNDLL32.EXE. If it does, the worm assumes it is running as a scheduled task and injects itself into the legitimate processes SVCHOST.EXE and EXPLORER.EXE.
It is capable of exporting functions used by other malware.
It sets the creation time of its dropped file to match the creation time of the legitimate Windows file KERNEL32.DLL, which is also located in the Windows system folder. It does this to avoid standing out as a newly added file on the affected system.
Upon execution, it creates a random mutex and then elevates its privileges. It also creates a second mutex derived from the computer name of the affected system.
It then checks the operating system version of the affected system. On Windows 2000, it injects itself into SERVICES.EXE. On any of the following operating systems, it injects itself into SVCHOST.EXE:
- Windows Server 2003
- Windows Server 2003 R2
- Windows XP
If the system is running under Windows Vista, it executes the following command to disable autotuning:
netsh interface tcp set global autotuning=disabled
It also injects itself into SVCHOST.EXE to hook NetpwPathCanonicalize, which prevents reinfection of an already-affected system.
It may also drop a copy of itself in the following folders:
- %Application Data%
- Default system directory
- %Program Files%\Internet Explorer
- %Program Files%\Movie Maker
- %Temp%
(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003. %Program Files% is the default Program Files folder, usually C:\Program Files. %Temp% is the Windows Temporary folder, which is usually C:\Windows\Temp or C:\WINNT\Temp.)
This technique prevents it from dropping copies of itself on systems it has already affected. It also locks its dropped copy to prevent users from reading, writing, or deleting it.
Autostart Techniques
This worm registers itself as a system service to ensure its automatic execution at every system startup. It does this by creating the following registry key(s)/entry(ies):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{Random service name}
ImagePath = "%Windows%\System32\svchost.exe -k netsvcs"
(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{Random service name}\Parameters
ServiceDll = "{Malware path and file name}"
{Random service name} is one of the following values:
- Boot
- Center
- Config
- Driver
- Helper
- Image
- Installer
- Manager
- Microsoft
- Monitor
- Network
- Security
- Server
- Shell
- Support
- System
- Task
- Time
- Universal
- Update
- Windows
It then locks the permissions on the registry key it created.
It creates the following registry entry to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
{Random characters} = "rundll32.exe {System folder}\{Malware file name}.dll, {Parameters}"
It also adds an entry in the value data list of the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\SvcHost
The added value data is the random service name that this worm creates.
Other System Modifications
This worm modifies the following registry entries to disable certain services:
Background Intelligent Transfer Service (BITS):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\BITS
Start = "4"
(Note: The default value data for the said registry entry is 3.)
Windows Error Reporting Service:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\ERSvc
Start = "4"
(Note: The default value data for the said registry entry is 2.)
Windows Security Center Service:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\wscsvc
Start = "4"
(Note: The default value data for the said registry entry is 2.)
Windows Automatic Update Service:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\wuauserv
Start = "4"
(Note: The default value data for the said registry entry is 2.)
This worm modifies the following registry entries so that hidden files stay hidden even after the user changes the setting in Folder Options:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden = "2"
(Note: The default value data for the said registry entry is 1.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
CheckedValue = "0"
(Note: The default value data for the said registry entry is 1.)
This worm modifies the following registry entry to allow more simultaneous network connections:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
TcpNumConnections = "00FFFFFE"
(Note: The default value data for the said registry entry is user-defined.)
It creates the following registry entries as part of its installation routine:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Applets
dl = "0"
ds = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Applets
dl = "0"
ds = "0"
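The service-persistence entries and the Start/Hidden/TcpNumConnections changes above are all visible in a registry export, so a responder can check a suspect host's `reg export` output for them offline. The script below is an added example written for this page, not Trend Micro's tooling: it parses a small constructed .reg-style dump (the service name, DLL name and paths in it are made up), flags netsvcs-hosted services whose name comes from the worm's list, their ServiceDll entries, the four security services switched to Start=4, the SHOWALL override, and the TcpNumConnections change.

```python
import re
from typing import Dict, List, Tuple

# Service names the worm chooses from (the list given in the write-up above).
DOWNAD_SERVICE_NAMES = {
    "Boot", "Center", "Config", "Driver", "Helper", "Image", "Installer",
    "Manager", "Microsoft", "Monitor", "Network", "Security", "Server", "Shell",
    "Support", "System", "Task", "Time", "Universal", "Update", "Windows",
}

# Services the worm disables (Start=4), with the default Start values the write-up states.
DEFAULT_START = {"BITS": 3, "ERSvc": 2, "wscsvc": 2, "wuauserv": 2}

SERVICES = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
SHOWALL = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL"

# Constructed sample in .reg export syntax; "Helper" and xqlrtwab.dll are invented for the demo.
SAMPLE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Helper]
"ImagePath"="%SystemRoot%\\System32\\svchost.exe -k netsvcs"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Helper\Parameters]
"ServiceDll"="C:\\Windows\\System32\\xqlrtwab.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"TcpNumConnections"=dword:00fffffe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
"""


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of .reg syntax used here: [key] headers and "name"=value lines.
    String values lose their quotes and doubled backslashes; dword values stay as written."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            keys.setdefault(current, {})
            continue
        pair = re.fullmatch(r'"([^"]+)"=(.+)', line)
        if pair and current is not None:
            name, value = pair.group(1), pair.group(2)
            if value.startswith('"') and value.endswith('"'):
                value = value[1:-1].replace("\\\\", "\\")
            keys[current][name] = value
    return keys


def as_int(value: str) -> int:
    """Decode a dword:XXXXXXXX value (or a plain decimal string) to an int."""
    return int(value[6:], 16) if value.lower().startswith("dword:") else int(value)


def find_downad_indicators(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (indicator, detail) pairs for the registry changes described in the write-up."""
    findings: List[Tuple[str, str]] = []
    for key, values in keys.items():
        if key.startswith(SERVICES + "\\"):
            parts = key[len(SERVICES) + 1:].split("\\")
            svc = parts[0]
            if len(parts) == 1:
                image = values.get("ImagePath", "").lower()
                if svc in DOWNAD_SERVICE_NAMES and "-k netsvcs" in image:
                    findings.append(("netsvcs-service", svc))
                if svc in DEFAULT_START and "Start" in values and as_int(values["Start"]) == 4:
                    findings.append(("service-disabled", f"{svc} (default Start={DEFAULT_START[svc]})"))
            elif parts[1:] == ["Parameters"]:
                if svc in DOWNAD_SERVICE_NAMES and "ServiceDll" in values:
                    findings.append(("servicedll", values["ServiceDll"]))
                if svc == "Tcpip" and "TcpNumConnections" in values:
                    findings.append(("tcpnumconnections", hex(as_int(values["TcpNumConnections"]))))
        elif key == SHOWALL and as_int(values.get("CheckedValue", "dword:00000001")) == 0:
            findings.append(("hidden-files-forced", "SHOWALL CheckedValue=0"))
    return findings


if __name__ == "__main__":
    for kind, detail in find_downad_indicators(parse_reg_export(SAMPLE_REG)):
        print(f"{kind:22} {detail}")
```

The legitimate netsvcs-hosted Dhcp service in the sample is not reported, because only the name list, not the hosting model, is the discriminator; a real triage would also compare each netsvcs ServiceDll against a known-good baseline for that Windows build.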
Propagation via Software Vulnerabilities
This worm propagates in two ways, both of which take advantage of a vulnerability in certain Microsoft operating systems that could allow remote code execution if an affected system received a specially crafted RPC request containing shellcode. More information on the said vulnerability can be found in the following link:
Once the specially crafted RPC request reaches a vulnerable target system, the shellcode is decrypted and resolves the APIs it needs to download a copy of the worm from the already-affected system, which has been turned into an HTTP server. The affected system opens a random TCP port, and the vulnerable machine connects to it using the following URL:
- http://{IP address of the affected machine}:{Random port generated by this worm}/{Malware file name composed of random characters}
During this exploit, high traffic on TCP port 445 is seen, since this is the port the worm uses. When the copy of the worm is downloaded from the affected system to the vulnerable system, the worm modifies the packet header to make the download appear to be a harmless .JPEG, .BMP, .GIF, or .PNG file when it is actually an executable. It does this to avoid detection by the network firewall or system security applications. If an unpatched system continues to receive malicious packets, it may eventually crash. The downloaded copy of the worm is saved as X in the Windows system folder.
It is also capable of propagating over the Internet by sending the exploit code to random Internet addresses. It first broadcasts the opened random port that serves as its HTTP server so that it is reachable over the Internet. It then obtains the external IP address of the system to check whether it has a direct connection to the Internet: if the external IP address matches the IP address configured on the Ethernet or modem interface, it launches the exploit code over the Internet.
This worm then counts the number of times the copy of itself was downloaded from the random port. It then writes the count to the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Applets
gip = "dword:%count%"
It attempts to connect any of the following URLs to know the IP address of the affected computer:
- http://www.whatismyip.org
- http://checkip.dyndns.org
- http://www.getmyip.org
- http://www.whatsmyipaddress.com
Once the IP address is retrieved, it scans the entire address block. For example, if the IP address of the infected system is 10.10.10.1, it scans from 10.0.0.1 up to 10.255.255.255. It checks that each address is valid and is not a local IP address. It also checks whether the external IP address is the same as the IP address configured on the system.
Note that this worm makes the random port it uses available online by broadcasting the port over the Internet via a Simple Service Discovery Protocol (SSDP) request.
Propagation via Removable Drives
This worm drops a copy of itself in all available removable and network drives.
It drops a copy of itself in the {Removable Drive}\Recycler\S-%d-%d-%d-%d%d%d-%d%d%d-%d%d%d-%d folder. It also drops an AUTORUN.INF file to automatically execute the dropped copy when the drive is accessed. The said .INF file contains random characters inserted to avoid easy detection.
(Note: {Removable Drive} is the drive letter assigned to a removable drive. This worm creates the folder Recycler if the said folder does not yet exist.)
It also monitors drive access by creating a hidden window. When this event is triggered, it does the abovementioned routine.
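The removable-drive artifacts described above (a Recycler\S-… folder holding a DLL, plus an AUTORUN.INF padded with junk bytes that still carries a launch directive) can be checked for without mounting the drive on a Windows host. The following is an added example for this page, not code from the write-up's author: it builds a throwaway directory laid out like an infected drive (the SID-style folder name, DLL name and export name are invented), then scans it. The directive parser deliberately ignores anything that is not an open/shellexecute/shell\…\command line, which is what makes the inserted garbage irrelevant. Note that legitimate NTFS recycle bins also use S-… folder names, so the indicator is the DLL inside such a folder together with an AUTORUN.INF that points at it.

```python
import os
import re
import tempfile
from typing import Dict, List, Tuple

# The worm's drop folder is Recycler\S-%d-%d-%d-%d%d%d-%d%d%d-%d%d%d-%d: seven dash-separated numbers.
SID_DIR = re.compile(r"^S(?:-\d+){7}$", re.IGNORECASE)

# AUTORUN.INF directives that launch something; junk lines between them are simply not matched.
DIRECTIVE = re.compile(
    rb"(?im)^[ \t]*(open|shellexecute|shell\\[^=\r\n]*\\command)[ \t]*=[ \t]*([^\r\n]+)"
)


def autorun_directives(data: bytes) -> List[Tuple[str, str]]:
    """Pull launch directives out of an AUTORUN.INF, tolerating inserted garbage bytes."""
    return [(k.decode("ascii").lower(), v.decode("latin-1").strip())
            for k, v in DIRECTIVE.findall(data)]


def scan_drive(root: str) -> Dict[str, List[str]]:
    """Report launch directives that reference rundll32 or a Recycler path, and DLLs
    sitting inside a Recycler\\S-... folder anywhere on the drive."""
    findings: Dict[str, List[str]] = {"autorun_launch": [], "recycler_dll": []}
    for name in os.listdir(root):
        if name.lower() == "autorun.inf":
            with open(os.path.join(root, name), "rb") as fh:
                for key, value in autorun_directives(fh.read()):
                    low = value.lower()
                    if "rundll32" in low or "recycler" in low:
                        findings["autorun_launch"].append(f"{key}={value}")
    for dirpath, _dirs, files in os.walk(root):
        parent = os.path.basename(os.path.dirname(dirpath)).lower()
        if parent == "recycler" and SID_DIR.match(os.path.basename(dirpath)):
            findings["recycler_dll"].extend(
                os.path.join(dirpath, f) for f in files if f.lower().endswith(".dll"))
    return findings


def build_sample_drive() -> str:
    """Create a temporary directory laid out like an infected removable drive (constructed)."""
    root = tempfile.mkdtemp(prefix="downad_sample_")
    sid_dir = os.path.join(root, "RECYCLER", "S-5-3-42-2819952290-8240758988-879315005-3665")
    os.makedirs(sid_dir)
    with open(os.path.join(sid_dir, "ghtklqzp.dll"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 62)  # placeholder bytes, not a real binary
    autorun = (
        b"[AutoRun]\r\n"
        b";\x8f\x91\x00\x7fkTq\x03\xff junk line\r\n"
        b"Action=View files on this drive\r\n"
        b"\x05\x1b\x9a\xcc more junk without a directive\r\n"
        b"ShellExecute=RUNDLL32.EXE .\\RECYCLER\\S-5-3-42-2819952290-8240758988-879315005-3665\\ghtklqzp.dll,abcdefg\r\n"
        b"UseAutoPlay=1\r\n"
    )
    with open(os.path.join(root, "autorun.inf"), "wb") as fh:
        fh.write(autorun)
    return root


if __name__ == "__main__":
    for kind, hits in scan_drive(build_sample_drive()).items():
        for hit in hits:
            print(f"{kind:15} {hit}")
```

To run this against a real drive, pass its mount point to `scan_drive` instead of the sample directory; the scan only reads files, so it is safe to use on a write-protected image.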
Propagation via Network Shares
This worm gathers information about the affected system's configuration. It lists all servers of the specified type that are visible in the domain and, for each one found, lists the available user accounts on both the local and the server machine.
It first enumerates the available servers using the NetServerEnum API. It then uses the NetUserEnum API to gather the list of user accounts and attempts to log on to the network by brute force, using a dictionary attack with the following passwords:
- 000
- 0000
- 00000
- 0000000
- 00000000
- 0987654321
- 111
- 1111
- 11111
- 111111
- 1111111
- 11111111
- 123
- 123123
- 12321
- 123321
- 1234
- 12345
- 123456
- 1234567
- 12345678
- 123456789
- 1234567890
- 1234abcd
- 1234qwer
- 123abc
- 123asd
- 123qwe
- 1q2w3e
- 222
- 2222
- 22222
- 222222
- 2222222
- 22222222
- 321
- 333
- 3333
- 33333
- 333333
- 3333333
- 33333333
- 4321
- 444
- 4444
- 44444
- 444444
- 4444444
- 44444444
- 54321
- 555
- 5555
- 55555
- 555555
- 5555555
- 55555555
- 654321
- 666
- 6666
- 66666
- 666666
- 6666666
- 66666666
- 7654321
- 777
- 7777
- 77777
- 777777
- 7777777
- 77777777
- 87654321
- 888
- 8888
- 88888
- 888888
- 8888888
- 88888888
- 987654321
- 999
- 9999
- 99999
- 999999
- 9999999
- 99999999
- a1b2c3
- aaa
- aaaa
- aaaaa
- abc123
- academia
- access
- account
- Admin
- admin
- admin1
- admin12
- admin123
- adminadmin
- administrator
- anything
- asddsa
- asdfgh
- asdsa
- asdzxc
- backup
- boss123
- business
- campus
- changeme
- cluster
- codename
- codeword
- coffee
- computer
- controller
- cookie
- customer
- database
- default
- desktop
- domain
- example
- exchange
- explorer
- file
- files
- foo
- foobar
- foofoo
- forever
- freedom
- fuck
- games
- home
- home123
- ihavenopass
- Internet
- internet
- intranet
- job
- killer
- letitbe
- letmein
- Login
- login
- lotus
- love123
- manager
- market
- money
- monitor
- mypass
- mypassword
- mypc123
- nimda
- nobody
- nopass
- nopassword
- nothing
- office
- oracle
- owner
- pass
- pass1
- pass12
- pass123
- passwd
- password
- Password
- password1
- password12
- password123
- private
- public
- pw123
- q1w2e3
- qazwsx
- qazwsxedc
- qqq
- qqqq
- qqqqq
- qwe123
- qweasd
- qweasdzxc
- qweewq
- qwerty
- qwewq
- root
- root123
- rootroot
- sample
- secret
- secure
- security
- server
- shadow
- share
- sql
- student
- super
- superuser
- supervisor
- system
- temp
- temp123
- temporary
- temptemp
- test
- test123
- testtest
- unknown
- web
- windows
- work
- work123
- xxx
- xxxx
- xxxxx
- zxccxz
- zxcvb
- zxcvbn
- zxcxz
- zzz
- zzzz
- zzzzz
Once it gains access to a machine, it drops a randomly named copy of itself in the Admin$\System32 directory using the credentials of the compromised user. Upon successful network propagation, a scheduled task is created in the %Windows%\Tasks folder using the NetScheduleJobAdd API to execute the dropped copy. The scheduled time of execution in the created JOB file is taken from the GetLocalTime API. This scheduled task file is detected by Trend Micro as TROJ_DOWNADJOB.A.
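The propagation routine above (enumerate accounts with NetUserEnum, then try the dictionary against each one) leaves a distinctive trace on the target: one source host producing a burst of failed logons spread across many accounts, often followed by a success for one of them. The detector below is an added example for this page, not the vendor's own logic; it works over constructed authentication events in a simple `time src= user= result=` format (field names and hosts are invented) and uses a sliding window per source. Thresholds are assumptions to tune for the environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

# Constructed event format (assumption): ISO timestamp, source host, target account, outcome.
EVENT = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(FAIL|SUCCESS)$")


def parse_event(line: str) -> dict:
    m = EVENT.match(line)
    if not m:
        raise ValueError(f"unrecognised event line: {line!r}")
    return {"time": datetime.fromisoformat(m.group(1)), "src": m.group(2),
            "user": m.group(3), "result": m.group(4)}


def detect_dictionary_attack(lines: Iterable[str], min_users: int = 3, min_failures: int = 10,
                             window: timedelta = timedelta(minutes=5)) -> Dict[str, dict]:
    """Flag sources whose failed logons within `window` touch many accounts or are simply numerous.
    Also reports whether a success from the same source followed the burst (a guessed credential)."""
    by_src: Dict[str, List[dict]] = defaultdict(list)
    for e in sorted((parse_event(l) for l in lines), key=lambda ev: ev["time"]):
        by_src[e["src"]].append(e)
    alerts: Dict[str, dict] = {}
    for src, events in by_src.items():
        fails = [e for e in events if e["result"] == "FAIL"]
        start = 0
        for end in range(len(fails)):
            # advance the window start until the burst fits inside `window`
            while fails[end]["time"] - fails[start]["time"] > window:
                start += 1
            burst = fails[start:end + 1]
            users = {e["user"] for e in burst}
            if len(users) >= min_users or len(burst) >= min_failures:
                last = burst[-1]["time"]
                alerts[src] = {
                    "failures": len(burst),
                    "users": sorted(users),
                    "success_after": any(e["result"] == "SUCCESS" and e["time"] >= last
                                         for e in events),
                }
    return alerts


def build_sample_events() -> List[str]:
    """Constructed sample: one spraying host and one user who mistypes a password."""
    base = datetime(2009, 1, 15, 10, 0, 0)
    lines, t = [], base
    # spraying host: six guesses against each of four enumerated accounts, then a hit on 'dave'
    for user in ("alice", "bob", "carol", "dave"):
        for _ in range(6):
            lines.append(f"{t.isoformat()} src=10.10.10.7 user={user} result=FAIL")
            t += timedelta(seconds=3)
    lines.append(f"{t.isoformat()} src=10.10.10.7 user=dave result=SUCCESS")
    # benign host: one user fails twice and then logs on
    t2 = base + timedelta(minutes=1)
    lines.append(f"{t2.isoformat()} src=10.10.10.20 user=erin result=FAIL")
    lines.append(f"{(t2 + timedelta(seconds=20)).isoformat()} src=10.10.10.20 user=erin result=FAIL")
    lines.append(f"{(t2 + timedelta(seconds=40)).isoformat()} src=10.10.10.20 user=erin result=SUCCESS")
    return lines


if __name__ == "__main__":
    for src, info in detect_dictionary_attack(build_sample_events()).items():
        print(src, info)
```

The `success_after` flag is the part worth acting on first: a source that guessed its way in is the one that will next write a copy to Admin$ and register a scheduled task, so that host and account pair is where containment starts.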
Download Routine
This worm contains an embedded encrypted copy of the GeoIP database that determines the location of the affected system. It sends the necessary payload to the affected system depending on the OS version and language once an affected system has been located.
It has a payload that attempts to download an updated copy of itself.
It checks the system time and proceeds with the generation of random domain names if the year is 2009 or later and the month is January or later.
It connects to the following URLs to get the current date:
- http://www.aol.com
- http://www.ask.com
- http://www.baidu.com
- http://www.cnn.com
- http://www.ebay.com
- http://www.google.com
- http://www.msn.com
- http://www.myspace.com
- http://www.w3.org
- http://www.yahoo.com
Note: If the malware cannot get the date from any of the above Web sites, it uses the infected computer's date.
Based on the date, it computes strings from which it generates URLs. It then appends any of the following strings to the computed names:
- .biz
- .cc
- .cn
- .com
- .info
- .net
- .org
- .ws
It generates a set of URLs containing 250 random sites per day based on UTC time. For example, if the computed string is abcdef, the worm appends .biz, .info, .org, .net, or .com to it, so the resulting URL may be abcdef.biz, abcdef.info, abcdef.org, abcdef.net, or abcdef.com.
A list of the URLs that it generates can be found in this Trend Micro page. Note that the said page is updated frequently.
This worm also checks whether any of the generated Web sites is active. It then creates another thread to download and execute files. This routine also resolves the hostname to an IP address, which it passes as a parameter to the next thread.
That thread takes the IP address of the generated Web site as its parameter and concatenates it into the following URL:
http://%IP_ADDRESS%/search?q=0
This malware may also use two other paths for binary validation and execution that both bypass the use of the parameter.
• Patching the NETAPI32.DLL NetpwPathCanonicalize_hook function
The NetpwPathCanonicalize_hook in NETAPI32.DLL has a function which checks for a generated URL in the RPC traffic. If the URL is valid, it downloads the hosted file. This worm does some checking and if it passes calls CreateProcessA to execute the downloaded file.
• Named Pipe Backdoor
This worm creates a named pipe with the following format:
It will then connect to the pipe and, if the connection does not return an error, read from it. The data obtained from the pipe is passed to the call_create_thread_download function, which is responsible for downloading, validating, and executing the downloaded file.
Other Details
This worm hooks the following APIs to block access to antivirus-related sites on the Internet:
- DnsQuery_A
- DnsQuery_UTF8
- Query_Main
When users attempt to access antivirus-related sites, it returns a reply informing the user that the server is down.
It blocks access to Web sites whose names contain any of the following strings, which are mostly related to antivirus programs:
- ahnlab
- arcabit
- avast
- avg.
- avira
- avp.
- bit9.
- ca.
- castlecops
- Ccert.
- centralcommand
- clamav
- comodo
- computerassociates
- cpsecure
- defender
- drweb
- emsisoft
- esafe
- eset
- etrust
- ewido
- f-prot
- f-secure
- fortinet
- gdata
- grisoft
- hacksoft
- hauri
- ikarus
- jotti
- k7computing
- kaspersky
- malware
- mcafee
- microsoft
- nai.
- networkassociates
- nod32
- norman
- norton
- panda
- pctools
- prevx
- quickheal
- rising
- rootkit
- sans.
- securecomputing
- sophos
- spamhaus
- spyware
- sunbelt
- symantec
- threatexpert
- trendmicro
- vet.
- virus
- wilderssecurity
- windowsupdate
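Because the hook matches substrings rather than whole domains, the list above also blocks names that merely contain "ca.", "vet." or "rising", and it takes Microsoft and Windows Update with it, which is a useful triage signal in itself. The script below is an added example for this page, not the vendor's code: `blocked_by` reproduces the substring match for a queried name so an analyst can explain an unexpected resolution failure, and `looks_hooked` takes the results of a resolution test run on a suspect host (the sample dictionary is constructed) and reports whether the failure pattern fits this hook, i.e. every name on the list fails while every control name resolves.

```python
from typing import Dict, Optional

# Substrings the worm's DnsQuery hook looks for in queried names (the list above, lowercased).
BLOCKED_SUBSTRINGS = [
    "ahnlab", "arcabit", "avast", "avg.", "avira", "avp.", "bit9.", "ca.", "castlecops",
    "ccert.", "centralcommand", "clamav", "comodo", "computerassociates", "cpsecure",
    "defender", "drweb", "emsisoft", "esafe", "eset", "etrust", "ewido", "f-prot",
    "f-secure", "fortinet", "gdata", "grisoft", "hacksoft", "hauri", "ikarus", "jotti",
    "k7computing", "kaspersky", "malware", "mcafee", "microsoft", "nai.",
    "networkassociates", "nod32", "norman", "norton", "panda", "pctools", "prevx",
    "quickheal", "rising", "rootkit", "sans.", "securecomputing", "sophos", "spamhaus",
    "spyware", "sunbelt", "symantec", "threatexpert", "trendmicro", "vet.", "virus",
    "wilderssecurity", "windowsupdate",
]


def blocked_by(hostname: str) -> Optional[str]:
    """Return the first blocked substring found in the name (case-insensitive), or None."""
    name = hostname.lower()
    for needle in BLOCKED_SUBSTRINGS:
        if needle in name:
            return needle
    return None


def looks_hooked(resolutions: Dict[str, bool]) -> bool:
    """Given name -> 'did it resolve?' from a resolution test on a suspect host, return True
    when every name the hook would block failed while every other name resolved."""
    blocked = [ok for host, ok in resolutions.items() if blocked_by(host)]
    control = [ok for host, ok in resolutions.items() if not blocked_by(host)]
    return bool(blocked) and bool(control) and not any(blocked) and all(control)


# Constructed result of a resolution test, as it would look from an infected endpoint.
SAMPLE_RESULTS = {
    "www.trendmicro.com": False,
    "www.kaspersky.com": False,
    "download.windowsupdate.com": False,
    "www.google.com": True,
    "www.w3.org": True,
}


if __name__ == "__main__":
    for host in SAMPLE_RESULTS:
        print(f"{host:28} blocked by: {blocked_by(host)}")
    print("pattern matches the DnsQuery hook:", looks_hooked(SAMPLE_RESULTS))
```

The test set should always include a few names that are not on the list; without controls, a host that is simply offline would look identical to a hooked one.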
Affected Platforms
This worm runs on Windows 2000, XP, Server 2003, Vista 32-bit, and Vista 64-bit.
Analysis By: Jeffrey F. Bernardino