Weekly review

A new worm has been in the wild since November 2008, but it is only recently that it got our attention, because of the large number of machines it has infected.
It is reported that more than 500,000 PCs have already been compromised and the numbers are growing fast. Before we look into the technical details of this menace, however, let's take a look at two other naggers that appeared lately.
The first is a small JavaScript that exploits the Sina DLoader vulnerability in order to download and execute arbitrary code. Analysis of the most widespread script shows that the downloaded applications are online-game password stealers or sometimes other malware. Tests also show that the BitDefender antivirus heuristically detects and removes these threats.

The second one, upon execution, drops two files in the %TEMP% folder: tmp1.tmp and tmp2.tmp.

The first file is injected into spoolsv.exe under the name dll.dll and serves to communicate with a website at http://94.[removed].104. It also changes the DNS settings to a custom Domain Name Server that serves the victim fake websites in order to steal their data.

The second file is a modified version of advapi32.dll which is copied over the original version. It is used to load the dll.dll file at every system startup (it is detected as Trojan.Patched.CK).

In order to spread, it creates an autorun.inf file pointing to [drive]\resycled\boot.com on all removable drives.
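Both this sample and the worm described further down rely on an autorun.inf dropped on removable drives. The following script, an added example rather than code from the BitDefender write-up, triages such a file: it parses it tolerantly (malware often pads the file with junk bytes that break strict INI parsers), reports every launch directive that points at an executable, and carries the registry value that turns AutoRun off for all drive types. The sample autorun.inf is constructed for the demo; the path it references mirrors the one named in the article.

```python
"""Triage an autorun.inf found on a removable drive (added example)."""
import re

# Directives Explorer acts on when a drive is inserted or double-clicked.
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$")
EXECUTABLE_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".dll")

# Constructed sample: worm-style autorun.inf with junk padding before the section.
SAMPLE_AUTORUN_INF = (
    "\x00\x8f\x12junk padding the worm adds to confuse parsers\x00\n"
    "[autorun]\n"
    "open=resycled\\boot.com\n"
    "shellexecute=resycled\\boot.com\n"
    "shell\\open\\command=resycled\\boot.com\n"
    "icon=%SystemRoot%\\system32\\shell32.dll,4\n"
    "useautoplay=1\n"
)

# Mitigation: NoDriveTypeAutoRun=0xFF disables AutoRun for every drive type.
DISABLE_AUTORUN_REG = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff
"""


def parse_autorun(text):
    """Return {key: value} from the [autorun] section, ignoring garbage lines."""
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip().strip("\x00")
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_section or "=" not in line:
            continue  # junk outside the section, or not a key=value pair
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def suspicious_launches(entries):
    """List (key, value) pairs that would run a file from the drive."""
    hits = []
    for key, value in entries.items():
        if key in LAUNCH_KEYS or SHELL_CMD_RE.match(key):
            target = value.split()[0].strip('"').lower() if value else ""
            if target.endswith(EXECUTABLE_EXT):
                hits.append((key, value))
    return sorted(hits)


if __name__ == "__main__":
    for key, value in suspicious_launches(parse_autorun(SAMPLE_AUTORUN_INF)):
        print(f"launch directive {key} -> {value}")
    print(DISABLE_AUTORUN_REG)
```

A legitimate autorun.inf that only sets an icon or a label produces no findings; anything that would launch a .com/.exe/.dll from the drive is worth looking at, and importing the .reg text above removes the spread vector entirely.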

This worm spreads inside the local area network by exploiting a vulnerability in the Windows Server service (MS08-067) or by means of a dictionary attack on the administrator password while trying to access network shares.
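The share-based dictionary attack leaves a clear trace: a burst of failed network logons against the administrator account from one source host, often followed by a success once the password is guessed. The script below is an added example (not from the write-up) that counts failed network logons per source inside a sliding window and flags sources that cross a threshold, noting whether a successful network logon from the same source followed. The log lines are a constructed, simplified rendering of Windows logon events (4625/4624 on Vista and later, 529/528/540 on XP and 2003), not captured data.

```python
"""Flag hosts brute-forcing the administrator account over the network (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: timestamp, event id, target user, logon type (3 = network), source host.
SAMPLE_LOG = """\
2009-01-09 10:00:01 EventID=4625 TargetUser=Administrator LogonType=3 Source=10.0.0.23
2009-01-09 10:00:01 EventID=4625 TargetUser=Administrator LogonType=3 Source=10.0.0.23
2009-01-09 10:00:02 EventID=4625 TargetUser=Administrator LogonType=3 Source=10.0.0.23
2009-01-09 10:00:02 EventID=4625 TargetUser=Administrator LogonType=3 Source=10.0.0.23
2009-01-09 10:00:03 EventID=4625 TargetUser=Administrator LogonType=3 Source=10.0.0.23
2009-01-09 10:00:03 EventID=4624 TargetUser=Administrator LogonType=3 Source=10.0.0.23
2009-01-09 10:00:10 EventID=4625 TargetUser=jdoe LogonType=2 Source=-
2009-01-09 10:05:00 EventID=4625 TargetUser=Administrator LogonType=3 Source=10.0.0.40
2009-01-09 10:09:00 EventID=4625 TargetUser=Administrator LogonType=3 Source=10.0.0.40
"""

FAILURE_IDS = {"4625", "529"}          # logon failure (Vista+, XP/2003)
SUCCESS_IDS = {"4624", "528", "540"}   # successful logon (Vista+, XP/2003 interactive/network)
NETWORK_LOGON = "3"                    # logon type used for share access


def parse_line(line):
    """Turn one sample line into a dict of its key=value fields plus a datetime."""
    date, time, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return rec


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {source: details} for sources with >= threshold failed network
    logons inside any `window`; details record whether a success followed."""
    recent = defaultdict(deque)  # source -> timestamps of recent failures
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("LogonType") != NETWORK_LOGON:
            continue  # interactive/local logons are a different story
        src = rec["Source"]
        if rec["EventID"] in SUCCESS_IDS:
            if src in alerts:
                alerts[src]["success_after"] = True  # the guess worked
            continue
        if rec["EventID"] not in FAILURE_IDS:
            continue
        q = recent[src]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold and src not in alerts:
            alerts[src] = {"first_alert": rec["ts"], "failures": len(q), "success_after": False}
    return alerts


if __name__ == "__main__":
    for src, info in detect_bruteforce(SAMPLE_LOG).items():
        print(src, info)
```

Two slow failures from 10.0.0.40 four minutes apart stay under the threshold, while the rapid series from 10.0.0.23 is flagged and, because a network logon succeeded right after it, should be treated as a compromised host rather than a mere attempt.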
The e-threat comes wrapped in obfuscated layers of code that aim at delaying its analysis. The layer itself even comes in two flavors: either packed with UPX or not packed, but always obfuscated. To further hinder detection the code is never written to disk and does not contain any PE headers, which makes it look like an invalid executable.
Once executed on a system, the worm performs the following actions:
– hooks NtQueryInformationProcess from ntdll.dll inside the running process
– creates a mutex based on the computer name
– injects itself into explorer.exe and svchost.exe, or sometimes services.exe (we will see below why)
– changes registry values so that files with the hidden attribute stay hidden
– copies itself into one or more of the following locations:
1. %Program Files%\Internet Explorer\[Random Name].dll
2. %Program Files%\Movie Maker\[Random Name].dll
3. %Documents and Settings%\All Users\Application Data\[Random Name].dll
4. %Temp%\[Random Name].dll
5. %System32%\[Random Name].dll
– adds registry entries to ensure it starts again after a system reboot
– deletes all System Restore points
– disables the auto-tuning feature under Windows Vista
– if residing in services.exe (only on Windows 2000) it hooks the following APIs:
1. NetpwPathCanonicalize from netapi32.dll – this API is used to avoid reinfection of the local machine from other infected computers
2. sendto from ws2_32.dll – in order to block access to certain websites
– if residing in svchost.exe or explorer.exe it hooks the following APIs:
1. NetpwPathCanonicalize from netapi32.dll – this API is used to avoid reinfection of the local machine from other infected computers
2. DnsQuery_A, DnsQuery_W, DnsQuery_UTF8, Query_Main from dnsapi.dll – in order to block access to certain websites
– changes the maximum number of simultaneous connections allowed, either by patching tcpip.sys with one of its own versions or by modifying a registry entry
– disables Windows Update
– connects to the following addresses to learn the public IP address of the infected computer:
1. http://www.getmyip.org
2. http://www.whatsmyipaddress.com
3. http://getmyip.co.uk
4. http://checkip.dyndns.org
With that IP address the malware starts an HTTP server on the infected machine, from which other exploited PCs download the worm. This way the worm does not have to rely on a central location to spread from: every infected machine can act as a host as well.
– monitors remote and removable drives and writes an autorun.inf file and a copy of itself onto them to spread further
– connects to the following websites to get the current date and month:
1. w3.org
2. ask.com
3. yahoo.com
4. google.com
5. baidu.com
– using the date obtained this way, it generates a list of domain names from which it either updates itself or downloads other malware.

Examples of domains generated for the 9th of January 2009 are: opphlfoak.info, mphtfrxs.net, hcweu.org, tpiesl.info, bmqyp.com, aqnjou.info, kxxprzab.net, gjbueqbdb.com
– removes every file permission from all users except execute and directory traversal, so that its files cannot be deleted
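A date-driven domain generator only ever registers a handful of the names it produces, so an infected host resolves many names that do not exist. That makes a burst of distinct NXDOMAIN answers from one client a usable detection signal, with a lexical score on the failed names as a secondary hint. The script below is an added example, not BitDefender's code and not the worm's generator: it counts distinct NXDOMAIN names per client inside a time window and scores how random-looking each one is. The DNS log lines are constructed for the demo; the odd-looking names are the ones the article lists for 9 January 2009 and the ordinary ones are the sites the worm uses for its date check.

```python
"""Flag DNS clients that behave like a DGA-driven bot (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample resolver log: timestamp, client, query name, response code.
SAMPLE_DNS_LOG = """\
2009-01-09 12:00:00 client=10.0.0.23 qname=w3.org rcode=NOERROR
2009-01-09 12:00:01 client=10.0.0.23 qname=google.com rcode=NOERROR
2009-01-09 12:00:02 client=10.0.0.23 qname=opphlfoak.info rcode=NXDOMAIN
2009-01-09 12:00:02 client=10.0.0.23 qname=mphtfrxs.net rcode=NXDOMAIN
2009-01-09 12:00:03 client=10.0.0.23 qname=hcweu.org rcode=NOERROR
2009-01-09 12:00:03 client=10.0.0.23 qname=tpiesl.info rcode=NXDOMAIN
2009-01-09 12:00:04 client=10.0.0.23 qname=bmqyp.com rcode=NXDOMAIN
2009-01-09 12:00:04 client=10.0.0.23 qname=bmqyp.com rcode=NXDOMAIN
2009-01-09 12:00:05 client=10.0.0.23 qname=aqnjou.info rcode=NXDOMAIN
2009-01-09 12:00:05 client=10.0.0.23 qname=kxxprzab.net rcode=NXDOMAIN
2009-01-09 12:00:06 client=10.0.0.23 qname=gjbueqbdb.com rcode=NXDOMAIN
2009-01-09 12:00:07 client=10.0.0.40 qname=yahoo.com rcode=NOERROR
2009-01-09 12:00:08 client=10.0.0.40 qname=gogle.com rcode=NXDOMAIN
"""


def second_level_label(qname):
    """'opphlfoak.info' -> 'opphlfoak' (good enough for the TLDs in the sample)."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_random(label):
    """Crude lexical heuristic: few vowels or a long consonant run (y counts as a vowel)."""
    if len(label) < 5:
        return False  # too short to judge; avoids flagging names like w3 or ask
    vowels = sum(c in "aeiouy" for c in label)
    longest_run = max((len(r) for r in re.findall(r"[^aeiouy]+", label)), default=0)
    return vowels / len(label) < 0.25 or longest_run >= 4


def parse_line(line):
    """Turn one sample line into a dict of its key=value fields plus a datetime."""
    date, time, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return rec


def detect_dga_clients(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {client: {"nxdomain_names": [...], "random_looking": n}} for clients
    with >= threshold distinct NXDOMAIN names inside any `window`."""
    seen = defaultdict(deque)  # client -> (timestamp, name) of recent NXDOMAIN answers
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["rcode"] != "NXDOMAIN":
            continue
        q = seen[rec["client"]]
        q.append((rec["ts"], rec["qname"].lower()))
        while q and rec["ts"] - q[0][0] > window:
            q.popleft()
        distinct = sorted({name for _, name in q})  # repeats of one name count once
        if len(distinct) >= threshold:
            alerts[rec["client"]] = {
                "nxdomain_names": distinct,
                "random_looking": sum(looks_random(second_level_label(n)) for n in distinct),
            }
    return alerts


if __name__ == "__main__":
    for client, info in detect_dga_clients(SAMPLE_DNS_LOG).items():
        print(client, info["random_looking"], "of", len(info["nxdomain_names"]), "look random")
```

The single typo from 10.0.0.40 never reaches the threshold, while 10.0.0.23 is flagged on volume alone; the lexical score is only there to help an analyst prioritise, since short generated names such as hcweu pass it and some legitimate names fail it.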

Information in this article is available courtesy of BitDefender virus researchers: Marius Vanta, Dana Stanut, Daniel Radu and Mihai Cimpoescu