
Malware Defense History

by Dr. Nikolai Bezroukov.

Copyright: Dr. Nikolai Bezroukov 1994-2013. Unpublished notes. Version 0.80.October, 2013



Chapter 7: Network worms

Network Worm Allaple.b
(aka Rahack.W and Rahack.BB)

Introduction

The Allaple.b worm was discovered somewhere in late 2006 (late November or early December of 2006 ???) and was active for several months after that. It has several strains, and the same computer can be infected with several different strains of the worm at once, for example both B and H.

It propagates rather slowly and does not create any "avalanche epidemics", but it does propagate steadily, and at the beginning the signatures from major AV vendors for detecting and removing the worm were very weak, which definitely helped the worm to reach critical mass. In March 2007 (three months after the initial detection, if we assume December is the right date) they got slightly better, as many customers started complaining about the lousy job AV vendors were doing with this particular worm.

The accuracy of the worm descriptions on major AV vendor sites was nothing to boast about and somewhat below their usual level.

Description

Allaple.b is a polymorphic network worm that consists of a single executable. Polymorphism here means that every copy of the worm differs slightly in content from every other (probably due to a polymorphic decryptor), but paradoxically the length of all instances is constant (57856 bytes).

When the worm's executable runs it behaves like the old polymorphic file viruses: the polymorphic decryptor decodes the body, then control passes to a static part of the worm code that allocates a memory buffer and extracts the main worm code into it. Only then is control passed to the extracted worm code. While going to such lengths to encrypt the worm body, the author(s) nevertheless left the size of the worm's executable file constant, which makes the size an easy indicator (see Detection below).

Here is how F-secure describes initial stage of the infection:

After getting control, the worm creates a few threads. One thread scans for vulnerable computers (on TCP ports 139 and 445) and sends exploits there in order to infect them.

... ... ...

The other thread scans for .HTM and .HTML files on all local hard disks and infects them by prepending a reference to the worm's CLSID. The worm creates a different CLSID for every copy of itself that it creates on the hard drive. The number of these copies can be quite large. The names of the worm's files are random. For example:

One of the remaining threads performs a DoS (Denial of Service) attack on three websites located in Estonia

The worm first registers itself as a service, visible in HijackThis; if HTML files are present on the drive there are several additional registry keys used to invoke the worm besides the urdvxc.exe executable. Still, the presence of the service is probably the simplest check (it is a sufficient but not a necessary sign of infection: many AV programs delete the service entry without fully disinfecting the computer, which makes detection of the worm more difficult). You can use this HijackThis line to detect the infection:

O23 - Service: Network Windows Service (MSWindows) - Unknown owner - C:\WINNT\system32\urdvxc.exe" /service (file missing)

While scanning the drive for HTML files the worm generates and drops a lot of executables with the .EXE extension and random names of exactly eight characters. The only exception is the first executable, which in strain B (the one we are discussing) always has the name urdvxc.exe, hardwired in the worm code.

The worm scans ranges that include ports 139 and 445, but what it does with the results is less clear. I did not see any traffic on port 445 that resembles an exploit (only transfers of the worm body via SMB), but I did not investigate the worm in detail either. Some infected computers had patches installed, so brute-force password attacks might be the main propagation vector. Sites the worm targets include www.if.ee and www.starman.ee, so watching for attempts to resolve those two names via NetBIOS and DNS helps to identify infected PCs.

In the case of NetBIOS, worm activity shows up as NetBIOS name requests for these two hosts sent to the local segment broadcast address. On a slow network that might cause problems if many PCs come online at the same time in the morning: the simultaneous NetBIOS activity from many hosts amounts to a kind of DoS attack.

Traffic on Port 137

The behavior of the worm is pretty complex and any description, including this one, should be taken with a grain of salt. It looks like most of the traffic is generated on port 137 (part of it consists of attempts to resolve the names of the sites the worm attacks). That means that monitoring NetBIOS activity to destination port 137 on the site router might help to identify infected PCs and servers. The simplest implementation is to monitor for the presence of the strings

"CFPFPENFDECFCEPFHFDEFFPFPACAB" (offset 10 hex in the UDP payload)

and probably

"AAAAAAAAAAAAAAAAAAAAAAAAAAAAA" (same offset)

A caveat: both strings are tails of ordinary first-level-encoded NetBIOS names (the 32-character encoded name starts at offset 0x0D of the payload, so offset 0x10 lands three characters into it). The first decodes to the browser election name \x01\x02__MSBROWSE__\x02\x01, the second to the wildcard name "*" used by node-status (nbtstat -A style) queries. Both also appear in legitimate browser traffic, so the signal is the volume of such queries from a single source, not their mere presence.

There are also special ICMP packets generated by the worm, and they can be monitored too. I noted two: one contains the string "Hello, is anybody home" and the second the hex string "01 3A 01 B6 00 00 00 00".
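As an added example (not code from the original notes and not the worm's code), the following Python script shows where the two port 137 payload strings come from and turns the idea into a per-source detector. It builds and parses NBNS query packets using the NetBIOS first-level encoding, derives the two strings quoted above from the __MSBROWSE__ and wildcard names, and counts enumeration-style queries (wildcard node-status lookups and lookups of the two Estonian target names) per source address over constructed sample traffic. The IP addresses, the sample packets, the threshold of 20 and the assumption that the worm resolves the target names with the <20> suffix are illustrative assumptions.

```python
import struct
from collections import Counter

# Added example: NBNS (UDP 137) query builder/parser plus a per-source counter.
# Not the worm's code and not part of the original notes.
# First-level encoding (RFC 1001, section 14.1): each byte of the 16-byte NetBIOS
# name (15 name bytes plus a 1-byte suffix) becomes two letters in A..P, one per
# nibble, so the label carried in the packet is 32 characters long.
NB_QTYPE_NB = 0x0020      # ordinary name query
NB_QTYPE_NBSTAT = 0x0021  # node-status query (what "nbtstat -A" sends)
MSBROWSE = b"\x01\x02__MSBROWSE__\x02"  # browser election name, suffix 0x01
# DoS targets named in the notes above. Assumption: the worm resolves them with
# the <20> (server service) suffix, as a normal hostname lookup would.
WORM_TARGET_NAMES = {b"WWW.IF.EE", b"WWW.STARMAN.EE"}


def encode_netbios_name(name: bytes, suffix: int = 0x00, pad: bytes = b" ") -> str:
    """Pad the name to 15 bytes, append the suffix byte and first-level encode."""
    raw = (name + pad * 15)[:15] + bytes([suffix & 0xFF])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)


def decode_netbios_name(encoded: str) -> tuple:
    """Inverse of encode_netbios_name: returns (15-byte name, suffix)."""
    if len(encoded) != 32 or any(c < "A" or c > "P" for c in encoded):
        raise ValueError("not a 32-character first-level-encoded NetBIOS name")
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    return raw[:15], raw[15]


def build_nbns_query(txid: int, name: bytes, suffix: int, qtype: int,
                     pad: bytes = b" ") -> bytes:
    """Broadcast NBNS query: 12-byte header, one question, no answer records."""
    flags = 0x0110  # opcode QUERY, recursion desired, broadcast bit set
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    label = encode_netbios_name(name, suffix, pad).encode("ascii")
    return header + b"\x20" + label + b"\x00" + struct.pack(">HH", qtype, 0x0001)


def parse_nbns_query(payload: bytes) -> dict:
    """Parse the single question of an NBNS query (the UDP payload)."""
    if len(payload) < 50 or payload[12] != 0x20 or payload[45] != 0x00:
        raise ValueError("not a single-label NBNS question")
    txid, flags, qdcount = struct.unpack(">HHH", payload[:6])
    if qdcount != 1 or ((flags >> 11) & 0x0F) != 0:  # opcode must be QUERY
        raise ValueError("not a simple query")
    encoded = payload[13:45].decode("ascii")
    name, suffix = decode_netbios_name(encoded)
    qtype, _qclass = struct.unpack(">HH", payload[46:50])
    return {"txid": txid, "name": name.rstrip(b" \x00"), "suffix": suffix,
            "qtype": qtype, "encoded": encoded}


def classify(query: dict) -> str:
    """Label a parsed query according to what the notes above say to watch for."""
    name, suffix, qtype = query["name"], query["suffix"], query["qtype"]
    if name == b"*" and qtype == NB_QTYPE_NBSTAT:
        return "wildcard node-status"  # host enumeration
    if name == MSBROWSE and suffix == 0x01:
        return "browser election"      # normal browser chatter
    if name.upper() in WORM_TARGET_NAMES:
        return "worm DoS target"
    return "other"


ENUMERATION_LABELS = {"wildcard node-status", "worm DoS target"}


def suspicious_sources(records, threshold: int = 20) -> dict:
    """records: iterable of (source_ip, udp_payload). Count enumeration-style
    queries per source and return the sources at or above the threshold."""
    counts = Counter()
    for src, payload in records:
        try:
            label = classify(parse_nbns_query(payload))
        except ValueError:
            continue  # not NBNS, or malformed: skip it
        if label in ENUMERATION_LABELS:
            counts[src] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


def article_strings() -> tuple:
    """The two payload strings quoted above: payload offset 0x10 is the fourth
    character of the 32-character label (12-byte header plus the length byte)."""
    return (encode_netbios_name(MSBROWSE, 0x01)[3:],
            encode_netbios_name(b"*", 0x00, pad=b"\x00")[3:])


# Constructed sample traffic, not a real capture; addresses are placeholders.
SAMPLE_RECORDS = (
    [("10.194.1.10", build_nbns_query(0x1000 + i, MSBROWSE, 0x01, NB_QTYPE_NB))
     for i in range(5)]
    + [("10.194.1.10", build_nbns_query(0x2000, b"*", 0x00, NB_QTYPE_NBSTAT, pad=b"\x00"))]
    + [("10.201.88.197", build_nbns_query(0x3000 + i, b"*", 0x00, NB_QTYPE_NBSTAT, pad=b"\x00"))
       for i in range(40)]
    + [("10.201.88.197", build_nbns_query(0x4000 + i, b"WWW.IF.EE", 0x20, NB_QTYPE_NB))
       for i in range(3)]
    + [("10.201.88.197", build_nbns_query(0x5000, b"WWW.STARMAN.EE", 0x20, NB_QTYPE_NB))]
)

if __name__ == "__main__":
    print(article_strings())
    print(suspicious_sources(SAMPLE_RECORDS))
```

Against live traffic the records would come from a capture of UDP port 137 (source address and UDP payload). The browser election queries and the single node-status query from the normal host stay below the threshold, while the host that sweeps the segment with node-status queries and asks for the two target names is reported; tune the threshold to the size of the segment, since a few node-status queries per host per day are normal.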

Generic Snort signatures can detect attempts to access administrative shares (IPC$ in the alert below) on DHCP segments if configured properly:

Mar 1 15:48:11 mysnort snort: [ID 702911 local5.alert] [1:538:15] NETBIOS SMB IPC$ unicode share access [Classification: Generic Protocol Command Decode] [Priority: 3]: {TCP} 10.201.88.197:4874 -> 10.194.141.215:139

Along with port 139, port 445 can be used too:

NETBIOS SMB-DS IPC$ unicode share access 2007-03-07 22:36:15 10.200.210.5:3958 10.194.156.49:445 TCP

It looks like the worm does not write anything further to disk once it is active, after the first scan in which it drops dozens of randomly named (always eight-character) EXE files containing its body into the directories in which it modifies HTML files (see below). Still, it looks like instances of the worm might be able to exchange some kind of information about scanned subnets or vulnerable hosts.

Besides port 137, on which most of the traffic is generated by target discovery attempts, the worm also generates some traffic on other ports. The activity on port 427 became noticeable only after NetBIOS was shut down (see below). Here is the full list as observed:

427/udp   no description recorded in these notes
53/udp    DNS traffic
137/udp   NetBIOS name resolution requests
138/udp   NetBIOS datagram service (described as "NetBIOS reply" in the original notes)
23/udp    the initial attempt to telnet to the default router (recorded as UDP here, although telnet itself runs over TCP 23)
161/tcp   recorded as TCP here, although SNMP normally uses UDP 161
67/udp    DHCP server port
68/udp    DHCP client port

While most infections are allaple.b, which is probably the most successful strain of the worm, some allaple.d infections occur at the same time (for some reason F-secure also calls it backdoor.win32.rbot.bni). The C$ share is accessed by the worm on port 445, so it must be reachable (exported) on the target for this vector to work; the second Snort alert above shows the corresponding IPC$ access on port 445.


It looks like the propagation functionality is heavily dependent on the presence of NetBIOS, so shutting down NetBIOS (see below) looks like a simple and effective countermeasure.

The initial "drop" file

The initial file the worm uses to install itself is c:\winnt\system32\urdvxc.exe. When F-secure (or Kaspersky) AV is present with current signatures (let's say later than March 1, 2007), it looks like the AV either deletes the initial bootstrap file c:\winnt\system32\urdvxc.exe or modifies the worm's behavior so that instead of the original location this file is often found in the root directory of the drive (c:\urdvxc.exe). Also (more rarely) a truncated name (just .exe) is reported in the c:\winnt\system32\ directory instead of c:\winnt\system32\urdvxc.exe:

c:\winnt\system32\.exe

The fact that F-secure has found the worm in no way means that disinfection was completely successful. The absence of infected HTML files at least signifies a partial infection: the worm service was never fully operational, or the worm bootstrap executable was deleted from the registry and memory before it launched the hard drive scan that produces the bunch of modified HTML files and eight-character executables spread over directories that typically contain only HTML files and documents. Conversely, the presence of modified HTML files suggests that at some point the worm was fully operational on the computer (such files are usually incorrectly detected as belonging to strain A by F-secure).

Anyway, it is important to understand that the latest signatures do a better job than older ones, so keeping them up to date matters: while not always able to fully disinfect or prevent reinfection, the presence of F-secure somehow interferes with the worm's propagation mechanism in a way that slows down further propagation (constant deletion of files must be pretty annoying to the worm :-). One also benefits from using the most recent version of the AV product, which unfortunately is not the case in many large organizations. Old antivirus versions usually have deficient engines (unless they are pluggable, as in Trend Micro) and as such cannot be even remotely as effective as the most recent one.

For D strain of the worm F-secure currently detects a different file:

c:\irdvxc.exe

Infection of HTML files

This method used by the worm is pretty unique and was never used by previous worms. During the scan of the drive that follows the infection the worm creates multiple files in directories that contain HTML files. When it finds an .htm or .html file, the worm creates an executable file with a random name and modifies the HTML file to run the executable every time it is opened. In the case of the Temporary Internet Files folder this essentially guarantees reinfection even if the registry was cleaned, unless the folder is cleaned too (the setting under Tools/Internet Options/Advanced called "Empty Temporary Internet Files folder when the browser is closed" should be checked in IE). In a corporate environment such a change can be made via a uniform registry modification on all desktops.

Please note that after each reboot the scan is repeated, and if additional drives (for example backup USB drives or flash drives) are connected, all HTML files on those drives will be modified as well, and multiple (sometimes hundreds of) EXE files with eight-character random names and length 57856 are dropped into the affected folders.

It is important to stress that for this particular strain of the worm (version B) each dropped executable has a name exactly 8 characters long and a fixed size of 57856 bytes. So they are pretty easily detectable even without antivirus.

HTML files in such a directory are modified to point to this file via an <object> tag that the worm inserts just after the <html> tag.

The simplest way to detect it is to look for all EXE executables with 8-character names and the size mentioned above (57856). You can get the list of candidate EXE files on the C: drive using the following command from the root of the drive (note that cmd.exe wildcards treat ? as matching zero or one character, so this also lists shorter names; filter the result by name length and by the size 57856):

dir ????????.exe /S > potentially_infected_exe.lst

Another simple detection method that does not require antivirus is to check HTML files for the presence of the additional header line that the worm inserts. Infected HTML files are usually modified by inserting the line just after the <html> tag. The inserted line consists of an <object> tag that references the executable (the CLSID is generated and differs for each instance):

<html>
<OBJECT type="application/x-oleobject"CLASSID="CLSID:12742644-30F8-2195-13BE-5F6F491177B1"></OBJECT>

<head>
<title>Adobe Web Buy</title>
</head>

You can use the Windows find command to detect this change. For example, the following command can help (find does not recurse into subdirectories, so run it per directory or from a for /R loop):

find /N "application/x-oleobject" *.htm? > potentially_infected_html_files.lst

Here is the result of a test run (the /N switch of the Windows find utility prints the line number; the line should generally be the second line, or at least follow the <html> tag. In all examples below it is the second line, but I do not know how consistent this behavior is, for example if the file starts with several empty lines or a comment block):

---------- TEMPLATE1.HTML
[2]<OBJECT type="application/x-oleobject"CLASSID="CLSID:12742644-30F8-219
5-13BE-5F6F491177B1"></OBJECT>

---------- TEMPLATE2.HTML
[2]<OBJECT type="application/x-oleobject"CLASSID="CLSID:C4C4ADF1-497C-412
2-CBD0-2BE8C832F6E7"></OBJECT>

---------- TEMPLATE5.HTML
[2]<OBJECT type="application/x-oleobject"CLASSID="CLSID:850FAFF3-980C-F31
3-A9B3-ED3A6F4449BC"></OBJECT>

Detection

You cannot base detection on the presence or absence of urdvxc.exe on the hard drive or of the corresponding registry entries. The worm creates several registry keys, and the key pointing to urdvxc.exe is only one of them. Also, the worm is designed to be launched from the Temporary Internet Files folder if it is not cleaned after browser shutdown (there is a special setting in IE that controls this, and by default the folder is not cleaned).

In a large corporate environment you can use Netware login scripts or similar methods to collect the list of executables with the given name pattern and size and the list of HTML files with the object tag:

dir ????????.exe /S > potentially_infected_exe.lst
find /N "application/x-oleobject" *.htm? > potentially_infected_html.lst

Actually, if SFU 3.5 is installed on each client (it should be, for a decent large corporation with intelligent IT staff :-) you can use Unix utilities (find and grep in this case, with possible awk or Perl post-processing) to get just the files with size 57856 whose creation dates correlate with those of the modified HTML files. That would be a big, big improvement over the standard MS Windows utilities. I think SFU 3.5 should be considered an important corporate AV tool.

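The two commands above (the dir listing of eight-character EXE files and the find for the object tag) and the SFU-based correlation just described can be combined in one script. The following Python script is an added example, not part of the original notes or of any vendor tool: it walks a directory tree, flags *.exe files whose name is exactly eight characters and whose size is exactly 57856 bytes, finds HTML files carrying the injected <OBJECT ... CLASSID=...> tag (recording the line number and the CLSID, as find /N did), and groups both per directory, since the worm drops the executable next to the HTML files it modifies. The sample directory tree (Adobe\Templates, Oracle\doc, the file names and the zero-filled executables) is constructed for the example; the CLSID is the one from the TEMPLATE1.HTML listing above.

```python
import os
import re
import tempfile
from pathlib import Path

# Added example, not the notes' own commands or the worm's code. Indicators from
# the notes above: dropped executables have an 8-character name and a fixed size
# of 57856 bytes; infected HTML files carry an <OBJECT ... CLASSID=...> tag near
# the top (normally line 2, right after <html>).
WORM_SIZE = 57856
OBJECT_TAG = re.compile(
    r'<OBJECT\s+type="application/x-oleobject"\s*CLASSID="CLSID:([0-9A-F-]{36})"',
    re.IGNORECASE,
)
MAX_HEADER_LINES = 40  # the tag sits near the top; no need to read huge files whole


def find_dropped_executables(root) -> list:
    """Paths of *.exe files whose stem is exactly 8 characters and whose size is WORM_SIZE."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            stem, ext = os.path.splitext(fname)
            if ext.lower() != ".exe" or len(stem) != 8:
                continue
            full = Path(dirpath) / fname
            try:
                if full.stat().st_size == WORM_SIZE:
                    hits.append(full)
            except OSError:
                continue  # unreadable entry: skip, do not abort the sweep
    return hits


def find_infected_html(root) -> list:
    """(path, line_number, clsid) for HTML files carrying the injected OBJECT tag."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith((".htm", ".html")):
                continue
            full = Path(dirpath) / fname
            try:
                with open(full, "r", encoding="latin-1", errors="replace") as fh:
                    for lineno, line in enumerate(fh, start=1):
                        if lineno > MAX_HEADER_LINES:
                            break
                        m = OBJECT_TAG.search(line)
                        if m:
                            hits.append((full, lineno, m.group(1).upper()))
                            break
            except OSError:
                continue
    return hits


def correlate(root) -> dict:
    """Per directory: dropped EXEs and infected HTML files found there."""
    report = {}
    for exe in find_dropped_executables(root):
        report.setdefault(exe.parent, {"exe": [], "html": []})["exe"].append(exe.name)
    for path, lineno, clsid in find_infected_html(root):
        entry = report.setdefault(path.parent, {"exe": [], "html": []})
        entry["html"].append((path.name, lineno, clsid))
    return report


def build_sample_tree(root) -> None:
    """Constructed test data: one infected directory and one clean one."""
    infected = Path(root) / "Adobe" / "Templates"
    clean = Path(root) / "Oracle" / "doc"
    infected.mkdir(parents=True)
    clean.mkdir(parents=True)
    (infected / "TEMPLATE1.HTML").write_text(
        '<html>\n<OBJECT type="application/x-oleobject"'
        'CLASSID="CLSID:12742644-30F8-2195-13BE-5F6F491177B1"></OBJECT>\n'
        "<head><title>Adobe Web Buy</title></head>\n", encoding="latin-1")
    (infected / "kqzmxcvb.exe").write_bytes(b"\x00" * WORM_SIZE)  # looks like a drop
    (infected / "notworm1.exe").write_bytes(b"\x00" * 1024)       # 8 chars, wrong size
    (clean / "readme.html").write_text("<html><head><title>ok</title></head></html>\n")
    (clean / "setup.exe").write_bytes(b"\x00" * WORM_SIZE)        # right size, 5-char name


def scan_sample() -> dict:
    """Build the sample tree in a temporary directory, scan it and return the
    report keyed by directory relative to that root (forward slashes)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return {str(d.relative_to(tmp)).replace("\\", "/"): found
                for d, found in correlate(tmp).items()}


if __name__ == "__main__":
    for directory, found in scan_sample().items():
        print(directory, found)
```

On a real machine, point correlate() at the drive root (and at any USB or backup drive that was attached during the infection). A directory that shows only an EXE hit with no HTML hit, or an HTML hit whose directory no longer contains the EXE, is exactly the partially disinfected state described earlier, so report both halves rather than only their intersection.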

After running the script you can see where the worm puts executables and modified HTML files. Usually (without antivirus interference) executables can be found in the same directories as the modified HTML files, for example under Adobe Acrobat Reader, MS Office, the Oracle client, or whatever application is installed on the corporate PC. This greedy approach greatly simplifies detection.

If this information is stored in a per-user directory on a shared drive, the picture of the infection across the site instantly becomes more or less clear, no matter how good the antivirus you use is at detecting the worm. There is also always a problem with stale AV definitions, which is rampant in any large deployment, so you cannot fully rely on antivirus in such cases; moreover, the deployed versions are often one or two generations behind the current one (especially on remote laptops used by field personnel) and as such are mostly of historical interest ;-). Some government agencies use Tivoli Configuration Manager to propagate AV signature files instead of vendor-provided solutions; that might be a more reliable solution, but a large deployment is always a large deployment.

This method is bad for remote PCs, but it can be modified so that they send the information via SMTP instead of writing it to a network drive. In this case a package with the script, possibly a mailer, and instructions for use can be mass-mailed to all remote users. Actually this might in general be a better idea than using a shared network folder, even for regular users.

There are a lot of high quality command line SMTP mailers for Windows available. Blat is probably the most popular; it was developed by Pedro Mendes and Mark Neal at the University of Wales at Aberystwyth. There is also a command line client for Lotus Notes, see alphaWorks Lotus Notes Command Line Email Client. See Mailers.

The other method is to exploit the greedy behavior of the worm in infecting HTML files. This needs a network directory for each user. If you put a couple of fake HTML files in the user's network directory they will be infected by the worm on the next reboot. That might also be a viable method of assessing which PCs are infected, but it does not work for remote PCs, which are probably the main danger.

Disinfection

I am not a proponent of playing with disinfection of a PC from complex worms or spyware on your own. This is the domain of AV vendors, and at the beginning they usually do their job only mediocrely or worse. A better method is restoration of the most recent Ghost image after first copying all user files to a network drive or other location. See Softpanorama Strategy of Fighting Spyware for more information.

Microsoft, as a newcomer to the AV field and as an organization with a lot of IQ, might be the most competitive for such complex worms. It is also cheaper than the usual AV troika and thus might be recommended for home users. One should also remember that security related support calls to Microsoft are free. But this is just a theoretical consideration: I never used their AV product (I do use Windows Defender) or support calls.

Exploiting Weak Passwords: a Warning Shot for Inadequate Corporate Password Policies

Several vendors reported that the worm tries some kind of brute-force cracking of network share passwords using a fixed dictionary. I do not know the details, but the content of the dictionary AV vendors list for the worm is pretty instructive, and any person or organization should ensure that such passwords are never used. This is actually a nice test of corporate password policies and the level of their enforcement, more objective than any multimillion dollar SOX compliance review ;-). And the picture is not pretty: most corporations have severe problems in this area.

According to Symantec the following set of passwords is used by the worm:

0,00, 000,0000,00000,000000,0000000,00000000
1,12,123,1234,12345,123456,1234567,12345678,123456789
abc123,access,adm,Admin.alpha,anon,anonymous,asdfgh
backdoor,backup,beta,bin
coffee,computer,crew
database,debug,default,demo
go,guest
hello
install,internet
login
mail,manager,money,monitor
network,new,newpass,nick,nobody,nopass
oracle
pass,passwd,password,poiuytre,private,public
qwerty
random,real,remote,root,ruler
secret, secure, security, server, setup, shadow, shit, sql, super, sys, system
telnet, temp, test, test1, test2
visitor
windows, www
X

Here is another, also pretty instructive, set (for strain A ??? )

"123456789", "12345678", "11111111", "password", "qwertyui",
"00000000", "12341234", "87654321", "!@#$%^&*", "*&^%$#@!",
"!@#$%^&*()", "!@#$%^&*(", "(*&^%$#@!", ")(*&^%$#@!", "23456789",
"PASSWORD", "mypassword", "remoteadmin", "987654321", "0987654321",
"09876543", "PASSWORD", "5tg6yh", "MyPassword", "55555555",
"999999999", "22222222", "20022002", "20032003", "20042004",
"20052005", "windoze2k", "88888888", "1234567890", "0987654321",
"nopassword"

That means that the worm will be pretty successful in lab environments: on all kinds of test, quality and regression PCs where people often do not conform to the corporate password policy and the PC or server itself is neither configured to prevent the choice of weak passwords nor patched since installation. It can also be pretty successful on second desktops used for testing and development in organizations that use them.

That also means that changing password policies is probably the simplest and most important measure to fight this and all future network worms that use this vector of attack. This is also important for home PCs, which now regularly contain important financial data and documents. Actually, for this reason anybody in the USA who shares the PC used for preparing tax returns with children is really negligent unless a virtual machine environment is installed (for example Virtual PC 2007, which is free). This worm did not transfer or post documents from the PC anywhere, but there is no guarantee that future ones will not, and as you understand AV programs are always late to catch a successful worm; otherwise it would never be successful ;-)

Fixing broken password polices

In a large organization the "call to arms" caused by this worm definitely needs to include fixing broken password policies. The simplest measure here is not to demand over-complex passwords via some draconian policy, but simply to increase the minimum password length to, say, 10 or 12 characters and, simultaneously (and this is very important), to ask users to switch to "AOL style" passwords that consist of two concatenated words (as in "MyNew-8896"). If implemented across the board this simple measure provides adequate protection against this and all similar network worms that try brute-force password attacks, sophisticated or not. To make such passwords easier to memorize, the second word need not be secret, just unique for each user: one simple method is to use your phone extension as the second part of the password. Another is the month and day of your birthday, or your car plate number; all the classic "prohibited password" recommendations work wonders for simplifying memorization of the second word :-). Only the first part is really secret, but that is enough protection in any organization outside the military. For those who still want to make the first part stronger, the standard methods that enlarge the search space apply (against a worm with a fixed dictionary any variation defeats it outright; against a smarter attacker, mixing case in an n-letter word multiplies the number of candidates by up to 2^n, which is why it is the most effective of these tricks):

It is important to avoid excessive zeal in increasing password complexity, as forgotten passwords are also a problem, and a very real one that probably costs organizations more money than any worm epidemic. Excessive zeal in raising password complexity can do more harm than good and essentially compromise an otherwise good measure, turning it into yet another bureaucratic perversion that users resent and even try to sabotage: passwords written on monitors or stuck under the keyboard are classic examples of the effects of overcomplexity in password creation. So the key here is not to overburden users with additional complexity, but to constructively change the practice from selecting one word to selecting two, which can actually make passwords easier to memorize.

Excessive zeal in increasing the complexity of passwords usually backfire

Here are options which Microsoft provides for configuring password policies


The problem of policy enforcement

But the road to hell is paved with good intentions, and it is not enough to have a policy; it also needs to be uniformly enforced. That is the much more difficult and challenging part of the whole effort. It is really easy for most desktops that use Active Directory, but many "special" PCs do not use it. So this is really the key problem, and only by draining the swamps of semi-abandoned test, quality, regression and other PCs in each organization can one solve it. Checking a PC for compliance when it gets an IP address via DHCP (network access control) is probably the only method, but DHCP-based checks are easily defeated by hijacking a free IP address and never switching the PC off. Monitoring Active Directory usage with Tivoli (or a similar system) might be another viable measure. I do not see any royal road here, but some measures definitely need to be taken. It is actually pretty funny when worms such as Allaple.B propagate in organizations certified by external auditors for SOX compliance: the auditors might be better off returning their consulting fees to stay honest ;-).

Generic method of fighting Allaple and other network worms that use NetBIOS (ports 137-139)

As the Allaple/RAHack worm, like several others, is programmed to use NetBIOS (it heavily uses port 137), disabling this service makes it lose its ability to propagate. This is an inoculation, not a disinfection, but it can suffice. Note that disabling NetBIOS over TCP/IP leaves direct-hosted SMB on port 445 in place, so it removes the port 137 discovery and the port 139 path, not share access itself; weak share passwords still need fixing.

To do this, go to the TCP/IP properties of the network adapter you are using (this is a per-adapter setting, so on docked laptops you need to deal with two adapters, or three if we count wireless), go to Advanced, then WINS, and select the "Disable NetBIOS over TCP/IP" setting.

See the Microsoft article Direct hosting of SMB over TCP/IP (http://support.microsoft.com/support/kb/articles/Q204/2/79.ASP) for additional details (it looks like this setting can be enforced via the Microsoft DHCP server or group policy if Active Directory is used).

I got the original idea from the following email:

NetBIOS-free SMB protocol on port 445 in Windows 2000-XP

Jay Ts jay at toltec.metran.cx
Wed Aug 29 21:52:52 GMT 2001

Chris Hertel wrote:
> Yes, we know.  Have known for over a year.
> I think it was Tridge who convinced Microsoft to use port 445. 

Cool.  So can I assume that it will be no problem to add support for it?
And are plans for such in process?

- Jay Ts

------------------------------------------
> > Hi,
> > 
> > Yesterday a friend forwarded to me this URL at Microsoft:
> > 
> > http://support.microsoft.com/support/kb/articles/Q204/2/79.ASP
> > 
> > It is about support in Windows 2000/XP for running SMB for
> > file and printer sharing over port 445, with no overhead of
> > NetBIOS.
> > 
> > The question of course is, are the Samba Team aware of this,
> > and can it be supported in future versions of Samba?
> > 
> > The webpage says it is possible to set up a Win 2000/XP network to
> > only use the new protocol, and shut out SMB/NetBIOS networking on
> > ports 137-139 entirely.
> > 
> > - Jay Ts

Other common sense measures

There are also common-sense measures applicable to this and other network worms:

  1. On home and personal PCs it makes sense to use two hard drive partitions instead of one. Having just one C: partition is a very questionable practice, but with Partition Magic it is easily correctable. You need at least two: one for the system drive (probably 20G or less) and a second for your data. Of course Microsoft complicated things by placing user home directories on the C: drive, but this is a minor nuisance: you can create and use other folders, and you can link them from your C: drive directories (for example using the SFU 3.5 ln command). Actually a 4G partition is usually enough for the most critical data, and you can create it separately from the partition with all the multimedia files. It can be a FAT32 partition, as such partitions are more easily recoverable (and of course less secure, if somebody takes default NTFS security seriously). With smaller partitions manual recovery is more feasible, and going to third parties to recover a single partition might also be cheaper. Recovery tools for FAT32 are also more sophisticated (or used to be; I actually do not know the current state of the art of NTFS recovery), and there is a larger variety of free or semi-free tools for this purpose.
  2. Use Ghost to create an image of drive C: and update it periodically, burning each image onto a double layer DVD. For home users with a separate system partition (see above) a double layer DVD is optimal for storing images, and you will never need sophisticated disinfection if you have a more or less recent image; see Softpanorama Strategy of Fighting Spyware.

     No worm can survive a Ghost 2003 defense ;-). Make a habit of periodic, say weekly, creation of new Ghost images on DVD, or schedule them automatically (you might need Ghost 2005 or later for that). Ghost 2003 is almost freeware but still a very useful tool.
  3. Enable automatic updates from Microsoft. Most desktops survive Microsoft automatic updates fine, and that measure alone guarantees that you will not be taken for a ride by a worm that uses a three-year-old vulnerability, as Allaple supposedly does. If you get in trouble you can always use a recent Ghost image of the system drive to repair the damage.
  4. On a home computer use Windows Defender (if you have 512M of memory or more on XP; it might slow down older laptops). It has a pretty good process viewer that helps to detect worms and spyware. If you have less than 512M of memory, use some third-party process viewer.
  5. Think about the possibility of cracking your password when creating it, but do not overdo it, as forgotten passwords are a problem too. The "AOL scheme" described above works pretty well because passwords become reasonably long, and the longer the password, the more difficult it is to crack.
  6. If you use AV software on your PC, then periodically, say once every two weeks, check manually that the AV definitions are current (this is especially important if you are a remote user in a large corporation on a slow connection). Sometimes automatic updates stop working.
  7. Switch your desktop off when you leave the office: users who leave their computers on all the time give a network worm additional chances to discover and infect them. Even from the point of view of energy conservation it is better to switch the desktop off when you do not need it, or at least at the end of the day. Laptops are better in this respect.


Supplement

The description of W32.Rahack.W on the Symantec site was the earliest description that more or less corresponds to the observed behavior of Allaple.b, although they missed several things mentioned above. Here are some relevant quotes:

Discovered: January 15, 2007 Updated: January 28, 2007 10:34:08 AM Type: Worm Infection Length: 57.856 Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
When W32.Rahack.W is executed, it performs the following actions:
  1. Copies itself as the following file:
    %System%\urdvxc.exe

    Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  2. Creates the following registry subkeys:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSWindows
    HKEY_CLASSES_ROOT\CLSID\[RANDOM_CLSID]

    ... ... ...

  3. Searches for .htm or .html files on the compromised computer. If found, the worm creates an executable file with a random name, and modifies the .htm file to run the executable file every time an .html file is opened.
  4. Creates a service with the following properties:

    Service Name: MSWindows
    Display Name: Network Windows Service

    ... .... ....
  5. Attempts to access remote Windows shares on TCP ports 139 and 445 [note: I did not notice any attempts to use port 445 unless the password was cracked and the worm mounts the share to infect the computer -- nnb] by exploiting the above list of weak passwords and using the following standard Windows usernames:
    • ASPNET
    • Administrator
    • DHCP
    • HelpAssistants
    • HelpServicesGroup
    • ILS_[GROUP-USER]
    • IUSR_[GROUP-USER]
    • IWAM_[GROUP-USER]
    • NetShowServices
    • OWS_[GROUP-USER]
    • POP3
    • SQL
    • SQLAgentCmdExec
    • SQLDebugger
    • SQLServer
    • SUPPORT_388945a0
    • TelnectClients
    • TsInternetUser
    • VUSR
    • WEB
    • WINS
    ... ... ...
  6. Generates ICMP traffic and ping requests on the local network to seek out attackable remote machines. (really quite a lot of traffic after the startup -- NNB)
  7. Attempts to contact the following remote locations:



Copyright © 1996-2021 by Softpanorama Society. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

Last modified: March 12, 2019