code red variant ida_root now completely analyzed

From: corecode (corecodeat_private)
Date: Sun Aug 05 2001 - 04:20:27 PDT


    hey ppl!
    
    i've stayed up all night to present you as the very first a complete 
    analysis of this new worm.
    
    as this is a follow up to my previous posting, i won't go into detail.
    
    now i've analyzed also the "backdoor" that is installed by the mainthread 
    of the worm.
    this backdoor gets written to c:\explorer.exe and because of this should be 
    executed when windows starts. as the worm will start windows after 24 hours 
    after infection (or 48 hours if it's a chinese system), the backdoor _will_ 
    be executed.
    
    the backdoor first executes the original WindowsDir\EXPLORER.EXE and will 
    then start to get into an endless loop:
    - wait a minute.
    - try to set some registry entries:
    HKLM\SOFTWARE\Microsoft\Windows 
    NT\CurrentVersion\Winlogon\SFCDisable=0xFFFFFF9D
    this is a undocumented value and _disables_ the windows file protection 
    (aka System File Checker SFC).
    for further reading check out http://www.collakesoftware.com/files/sfcinfo.txt
    
    then it will check out
    SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\/Scripts  and
    SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\/MSADC
    and will change the permissions for these vr entries to 217.
    i don't know what this value is supposed to do, i didn't find anything on 
    the net.
    but i suppose it will grant the highest possible access to these directories.
    
    after that it will install 2 additional virtual roots:
    /C pointing to c:\ and /D pointing to d:\
    both get created with the same permissions as stated above.
    
    that's it. the "backdoor" will cycle.
    this means servers that have been rebooted will give full access to both 
    c:\ and d:\ and to the script directories.
    as there was cmd.exe copied to these directories by the worm before, the 
    system can easily be compromised.
    
    now i'll write some short info on the worm if somebody missed my first mail.
    
    the worm won't infect one server multiple times.
    after that it spawns 300 threads (if on a chinese system it will spawn 600).
    these threads start to infect hosts on a pseudo-random number basis:
    a random ip is created (not allowing 0xff and 0x0 bytes). this ip is masked 
    randomly by:
    0.0.0.0		(possibility 12.5%)
    255.0.0.0	(possibility 50.0%)
    255.255.0.0	(possibility 37.5%)
    
    the masked parts will be filled up with the host's ip. this means the worm 
    mainly spreads in the subnet it is at the moment.
    
    the worm will not try to infect 127.x.x.x or 224.x.x.x nor its own ip 
    (where it runs atm).
    
    it will connect with a 10 sec timeout, thus disabling these slow-down 
    SYN+ACK fakers.
    then it will upload the whole wormcode, recv one byte and start again to 
    infect.
    
    the mainthread is meanwhile doing other things:
    it copies WindowsDir\CMD.EXE to c,d:\inetpub\scripts\root.exe and to 
    c,d:\progra~1\common~1\system\MSADC\root.exe .
    it will also install the backdoor described above at "c,d:\explorer.exe".
    after that the mainthread will sleep 24 hours (on chinese systems 48 hours) 
    and will then reboot the machine.
    furthermore every thread checks the time before generating a random ip and 
    will restart the computer if year >= 2002 or month >= october.
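A defender-side check for the host changes described in the backdoor section and the mainthread section above, as an added example (my own code, not corecode's and not taken from the disassembly). It parses a Windows .reg export and a list of file paths and flags the SFCDisable value, the four virtual roots with access flags 217, and the dropped explorer.exe / root.exe copies. The sample export and file list are constructed. It assumes the two registry paths live under HKEY_LOCAL_MACHINE and that Virtual Roots value data has the layout "physical path,username,access flags"; the post does not spell that layout out.

```python
"""Indicator check for the host changes described in the post above.

Added example, not corecode's code. It parses a Windows .reg export (a
constructed sample is embedded below) and a list of file paths, and flags:
  - Winlogon\SFCDisable set to 0xFFFFFF9D
  - IIS virtual roots /Scripts, /MSADC, /C and /D carrying access flags 217
  - the dropped copies of cmd.exe (root.exe) and the backdoor (<drive>:\explorer.exe)
Assumption: Virtual Roots value data has the layout "physical path,username,flags".
"""
import re

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
VROOTS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots"
SFC_DISABLE_VALUE = 0xFFFFFF9D          # undocumented: disables Windows File Protection
SUSPECT_ACCESS = "217"                  # access flags the backdoor writes on the vroots
SUSPECT_VROOTS = {"/scripts", "/msadc", "/c", "/d"}

# Files the worm writes, per the post (drive C: and D: variants).
DROPPED_FILES = [
    drive + tail
    for drive in ("c:", "d:")
    for tail in (r"\explorer.exe",
                 r"\inetpub\scripts\root.exe",
                 r"\progra~1\common~1\system\MSADC\root.exe")
]

_VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')


def parse_reg_export(text):
    """Return {key path (lower-cased): {value name: raw data}} from .reg text."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None:
            m = _VALUE_RE.match(line)
            if m:
                keys[current][m.group(1)] = m.group(2)
    return keys


def _reg_string(data):
    """Decode a quoted REG_SZ value from .reg syntax (backslashes are doubled there)."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return data[1:-1].replace("\\\\", "\\")
    return None


def check_registry(keys):
    """Return human-readable findings for the registry changes the backdoor makes."""
    findings = []
    sfc = keys.get(WINLOGON_KEY.lower(), {}).get("SFCDisable", "")
    if sfc.lower().startswith("dword:") and int(sfc[6:], 16) == SFC_DISABLE_VALUE:
        findings.append("SFCDisable=0xFFFFFF9D: Windows File Protection disabled")

    for name, data in keys.get(VROOTS_KEY.lower(), {}).items():
        decoded = _reg_string(data)
        if decoded is None or name.lower() not in SUSPECT_VROOTS:
            continue
        parts = decoded.rsplit(",", 2)       # assumed layout: path,user,flags
        if len(parts) == 3 and parts[2].strip() == SUSPECT_ACCESS:
            findings.append(f"virtual root {name} -> {parts[0]} with access flags {parts[2]}")
    return findings


def check_files(existing_paths):
    """Return the worm-dropped paths (from DROPPED_FILES) present in existing_paths."""
    present = {p.lower() for p in existing_paths}
    return sorted(p.lower() for p in DROPPED_FILES if p.lower() in present)


def scan(reg_text, existing_paths):
    """Combine both checks; a non-empty result means the host shows the described changes."""
    return check_registry(parse_reg_export(reg_text)) + [
        f"dropped file present: {p}" for p in check_files(existing_paths)
    ]


# Constructed sample input: what a hit IIS host's export and file system might show.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"SFCDisable"=dword:ffffff9d

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots]
"/"="c:\\inetpub\\wwwroot,,201"
"/Scripts"="c:\\inetpub\\scripts,,217"
"/MSADC"="c:\\progra~1\\common~1\\system\\msadc,,217"
"/C"="c:\\,,217"
"/D"="d:\\,,217"
'''

SAMPLE_FILES = [
    r"c:\explorer.exe",                               # backdoor copy
    r"c:\winnt\explorer.exe",                         # the legitimate shell, not flagged
    r"c:\inetpub\scripts\root.exe",
    r"c:\progra~1\common~1\system\MSADC\root.exe",
]

if __name__ == "__main__":
    for line in scan(SAMPLE_REG, SAMPLE_FILES):
        print(line)
```

Run it against a real `regedit /e` export and a directory listing of the C: and D: roots and the two script directories; the default "/" root with flags 201 in the sample is deliberately left unflagged, so only the roots the backdoor rewrites show up.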
    
    a .zip file containing an IDA Pro project file and a plaintext disassembly 
    for both worm and backdoor can be found at 
    http://www.eikon.tum.de/~simons/ida_root/
    
    cheerz
       corecode
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Sun Aug 05 2001 - 09:30:41 PDT