Details: Infection
Upon execution, this worm copies itself to a KERNEL32.EXE file in the Windows System directory. It then checks the process list for the presence of KERNEL32.EXE. It deletes all instances of the KERNEL32.EXE process in memory and then creates a new worm process and a new copy of KERNEL32.EXE.
Thereafter, it registers itself as a system service that is not visible in the task list on Windows 9x systems. It then retrieves the RAS account information, the user name, and the computer name of the infected system. To gather more information about the target system, it installs a keylogger on the local machine as KDLL.DLL. This DLL exports the following four (4) functions:
- "GetData"
- "KeyLogOn"
- "KeyLogOff"
- "KeyLogOpt"
It records all keystrokes, together with the date, time, user name, and the name of the application in which each keystroke was typed, in encrypted form to a CP_25389.NLS file. It then connects to an SMTP server to send this information by email to a specific email address. Because it captures everything typed, the mailed data may include sensitive information such as document contents and passwords. A sample keylogger entry is as follows:
Sun, 25 Nov 2001 06:39:49, Computer: "INFECTPC" User: "Infect PC"
Title: "Run", 06:41:04 cmd.exe
Title: "Untitled - Notepad", 06:41:13 Testing keylogging in notepad.
Trend Micro antivirus detects the KDLL.DLL file as WORM_BADTRANS.B.
To run again at the next Windows startup, it creates the following registry entry, which launches the KERNEL32.EXE file:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\kernel32 = "kernel32.exe"
To cover its traces, the worm deletes the source worm executable and leaves the copy located in the Windows System directory.
Mail Distribution Routine:
The worm distributes copies of itself in several ways. It replies to incoming messages, and it sends emails carrying itself to the email addresses it finds in "*.HT" and ".ASP" files. To do this, the worm searches for those files in the directories specified by the following registry values:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal (usually contains C:\My Documents)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Directory (contains the Temporary Internet Files directory)
Email Details:
The mail contains no message body, and the headers may contain the following bogus information:
From: (randomly selected from the following list)
" Anna" <aizzo@home.com>
"JUDY" <JUJUB271@AOL.COM>
"Rita Tulliani" <powerpuff@videotron.ca>
"Tina" <tina0828@yahoo.com>
"Kelly Andersen" <Gravity49@aol.com>
" Andy" <andy@hweb-media.com>
"Linda" <lgonzal@hotmail.com>
"Mon S" <spiderroll@hotmail.com>
"Joanna" <joanna@mail.utexas.edu>
"JESSICA BENAVIDES" <jessica@aol.com>
" Administrator" <administrator@border.net>
" Admin" <admin@gte.net>
"Support" <support@cyberramp.net>
"Monika Prado" <monika@telia.com>
"Mary L. Adams" <mary@c-com.net>
Subject: (randomly selected from the following list) "info" "docs" "Humor" "fun"
Attachment: (assembled from three parts: a basename, a first extension, and a second extension, concatenated in that order)
Basename: "Pics" "images" "README" "New_Napster_Site" "news_doc" "HAMSTER" "YOU_are_FAT!" "stuff" "SETUP" "Card" "Me_nude" "Sorry_about_yesterday"
First Extension: ".DOC." ".ZIP." ".MP3."
Second Extension: "scr" "pif"
The worm uses the default mail account and the default SMTP server of the local machine. This information is read from the following registry values:
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\0000000
SMTP Email Address
SMTP Server
Another distribution method of this worm is that it replies to unread emails. In these worm messages the Subject field is the Subject of the original message prefixed with "Re:".
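As an added defender-side example, not part of Trend Micro's writeup, the following Python triage rule is built from the mail indicators described above: the four fixed subjects, the "Re:" reply form, and the basename plus double-extension attachment names. The sample message it scores is constructed for the demonstration; sender addresses are deliberately not used, since they are spoofed.

```python
import re
from email.parser import Parser

# Indicators transcribed from the description above (constructed triage rule, not a vendor signature).
BASENAMES = {"Pics", "images", "README", "New_Napster_Site", "news_doc", "HAMSTER",
             "YOU_are_FAT!", "stuff", "SETUP", "Card", "Me_nude", "Sorry_about_yesterday"}
FIRST_EXT = {"DOC", "ZIP", "MP3"}
SECOND_EXT = {"scr", "pif"}
SUBJECTS = {"info", "docs", "Humor", "fun"}
# Attachment shape: <basename>.<first ext>.<second ext>, e.g. Pics.DOC.scr
ATTACH_RE = re.compile(r"^(?P<base>.+)\.(?P<ext1>[A-Za-z0-9]+)\.(?P<ext2>[A-Za-z0-9]+)$")

def attachment_matches(filename):
    """True when the filename is built from the worm's basename and double-extension lists."""
    m = ATTACH_RE.match(filename or "")
    return bool(m) and (m.group("base") in BASENAMES
                        and m.group("ext1").upper() in FIRST_EXT
                        and m.group("ext2").lower() in SECOND_EXT)

def subject_matches(subject):
    """One of the four fixed subjects, or a 'Re:' reply as the worm sends to unread mail."""
    s = (subject or "").strip()
    return s in SUBJECTS or s.startswith("Re:")

def score_message(raw):
    """Return the indicators matched in a raw RFC 822 message (empty list means no match)."""
    msg = Parser().parsestr(raw)
    hits = []
    if subject_matches(msg["Subject"]):
        hits.append("subject")
    for part in msg.walk():
        if attachment_matches(part.get_filename()):
            hits.append("attachment:" + part.get_filename())
    return hits

# Constructed sample message shaped like the worm's mail (no body text, double-extension attachment).
WORM_LIKE = """From: "Kelly Andersen" <Gravity49@aol.com>
Subject: fun
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="Me_nude.MP3.scr"
Content-Disposition: attachment; filename="Me_nude.MP3.scr"

AAAA
--b1--
"""

print(score_message(WORM_LIKE))  # ['subject', 'attachment:Me_nude.MP3.scr']
```

The "Re:" subject check alone fires on ordinary replies, so treat it as a weak signal and act only when it is combined with the attachment match.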