We have executed the attachment in a controlled environment with Regmon and Filemon running to track Registry and File accesses. Regmon shows that the worm changed two registry keys:

  739 59.36779760 Userconf SetValueEx HKLM\Software\Description\Microsoft\Rpc\UuidPersistentData\ClockSequence SUCCESS 0xA2E
  740 59.36783360 Userconf SetValueEx HKLM\Software\Description\Microsoft\Rpc\UuidPersistentData\LastTimeAllocated SUCCESS 40 D3 9C 15 EB C

These don't appear to be hostile behavior--these keys seem to be changed by other programs as well.

It did access, but apparently did not attempt to write to, WIN.INI.

It created a temporary binary file at C:\WINDOWS\TEMP\~DFE855.TMP (this was a Win98 machine), which we're still looking at to see what its function is. It is not a copy of the worm, as it is significantly smaller. It contains the following text strings:

  R\0o\0o\0t\0 \0E\0n\0t\0r\0y
  rn1org

It creates the following files:

  411 0.00014800 Userconf Write C:\COMMON.EXE SUCCESS Offset: 0 Length: 10240
  428 0.00018800 Userconf Write C:\REDE.EXE SUCCESS Offset: 0 Length: 10240
  445 0.00018960 Userconf Write C:\SI.EXE SUCCESS Offset: 0 Length: 10240
  462 0.00018480 Userconf Write C:\USERCONF.EXE SUCCESS Offset: 0 Length: 10240
  479 0.00018320 Userconf Write C:\DISK.EXE SUCCESS Offset: 0 Length: 10240

The files other than DISK.EXE are already known to be possible names of email attachments. All the files are identical copies of the worm. The worm then launches Outlook and attempts to send copies of itself out.

I have forwarded copies of the worm to McAfee and CERT for further analysis.

So far, from our analysis, we have only found that the worm propagates itself. Further analysis will be necessary to determine if there are any other effects.

Markus De Shon, Ph.D., GCIA #0227 <mdeshonat_private>
Research Manager -- SecureWorks, Inc.
-- 404 327-6339x127

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Oct 17 2001 - 11:09:26 PDT
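The post above works through Regmon/Filemon output by hand: pick out the SetValueEx entries, the Write entries that drop .EXE copies at the drive root, the file that was only read (WIN.INI), and note that the dropped files all have the same length. The script below is an added example, not part of the original post or of any tool it mentions; it parses log lines in the seven-column shape quoted above (sequence, timestamp, process, operation, path, result, details) and produces that same summary for one process. The sample lines are constructed for the example and modelled on the quoted ones; the parser assumes paths contain no whitespace and that the result column is an all-caps token such as SUCCESS.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the Regmon/Filemon output quoted in
# the post: seq, timestamp, process, operation, path, result, details.
SAMPLE_LOG = """\
411 0.00014800 Userconf Write C:\\COMMON.EXE SUCCESS Offset: 0 Length: 10240
420 0.00015100 Userconf Read C:\\WINDOWS\\WIN.INI SUCCESS Offset: 0 Length: 512
428 0.00018800 Userconf Write C:\\REDE.EXE SUCCESS Offset: 0 Length: 10240
445 0.00018960 Userconf Write C:\\SI.EXE SUCCESS Offset: 0 Length: 10240
462 0.00018480 Userconf Write C:\\USERCONF.EXE SUCCESS Offset: 0 Length: 10240
479 0.00018320 Userconf Write C:\\DISK.EXE SUCCESS Offset: 0 Length: 10240
480 0.00019000 Userconf Write C:\\WINDOWS\\TEMP\\~DFE855.TMP SUCCESS Offset: 0 Length: 1536
739 59.36779760 Userconf SetValueEx HKLM\\Software\\Description\\Microsoft\\Rpc\\UuidPersistentData\\ClockSequence SUCCESS 0xA2E
800 60.00000000 Explorer Write C:\\WINDOWS\\Desktop\\notes.txt SUCCESS Offset: 0 Length: 77
"""

# Assumption: the path holds no whitespace and the result column is an
# all-caps token (SUCCESS, ...), so the non-greedy path stops at the first
# whitespace followed by such a token.
LINE_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<ts>[\d.]+)\s+(?P<process>\S+)\s+(?P<op>\S+)\s+"
    r"(?P<path>.+?)\s+(?P<result>[A-Z]+)(?:\s+(?P<details>.*))?$"
)


def parse_line(line):
    """Return the columns of one log line as a dict, or None if it does not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["details"] = d["details"] or ""
    return d


def _write_end(details):
    """End offset of a Write ("Offset: 0 Length: 10240" -> 10240); 0 if absent."""
    off = re.search(r"Offset:\s*(\d+)", details)
    ln = re.search(r"Length:\s*(\d+)", details)
    if not (off and ln):
        return 0
    return int(off.group(1)) + int(ln.group(1))


def summarize(log_text, process):
    """Summarise what one process did according to Regmon/Filemon-style lines."""
    size = {}        # path -> highest byte written (a proxy for file size)
    read = set()     # paths that were read
    reg_set = []     # registry values set via SetValueEx, in log order
    for line in log_text.splitlines():
        e = parse_line(line)
        if not e or e["process"].lower() != process.lower():
            continue
        if e["result"] != "SUCCESS":
            continue
        op, path = e["op"], e["path"]
        if op == "Write":
            size[path] = max(size.get(path, 0), _write_end(e["details"]))
        elif op == "Read":
            read.add(path)
        elif op == "SetValueEx":
            reg_set.append(path)

    exes = sorted(p for p in size if p.upper().endswith(".EXE"))
    # Executables of identical size are candidates for identical drops;
    # the post confirmed this by comparing the files themselves.
    by_size = defaultdict(list)
    for p in exes:
        by_size[size[p]].append(p)
    return {
        "registry_values_set": reg_set,
        "executables_written": exes,
        "same_size_groups": {s: ps for s, ps in by_size.items() if len(ps) > 1},
        "other_files_written": sorted(p for p in size if p not in exes),
        "read_not_written": sorted(read - set(size)),
    }


if __name__ == "__main__":
    for key, val in summarize(SAMPLE_LOG, "Userconf").items():
        print(f"{key}: {val}")
```

Same-size groups are only a lead: the sizes match because the post says the drops are copies, but the confirmation step is still a byte-for-byte or hash comparison of the files on disk, which a Filemon trace cannot give you.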