More info on DarkMachine

From: Markus De Shon (mdeshonat_private)
Date: Wed Oct 17 2001 - 10:35:57 PDT

  • Next message: dr john halewood: "Re: portscan on tcp ports 1024 to 1280"

    We have executed the attachment in a controlled environment with Regmon
    and Filemon running to track Registry and File accesses.
    
    Regmon shows that the worm changed two registry keys:
    
    739     59.36779760     Userconf        SetValueEx
    HKLM\Software\Description\Microsoft\Rpc\UuidPersistentData\ClockSequence 
    SUCCESS 0xA2E   
    
    740     59.36783360     Userconf        SetValueEx
    HKLM\Software\Description\Microsoft\Rpc\UuidPersistentData\LastTimeAllocated
    SUCCESS 40 D3 9C 15 EB C
    
    These don't appear to be hostile behavior--these keys seem to be changed
    by other programs as well.
    
    It did access, but apparently did not attempt to write to, WIN.INI.
    
    It created a temporary binary file at C:\WINDOWS\TEMP\~DFE855.TMP (this
    was a Win98 machine), which we're still looking at to see what it's
    function is.  It is not a copy of the worm, as it is significantly
    smaller.  It contains the following text strings:
    
    R\0o\0o\0t\0 \0E\0n\0t\0r\0y
    rn1org
    
    It creates the following files:
    
    411	0.00014800	Userconf	Write	C:\COMMON.EXE	SUCCESS
    Offset: 0 Length: 10240	
    
    428	0.00018800	Userconf	Write	C:\REDE.EXE	SUCCESS
    Offset: 0 Length: 10240	
    
    445	0.00018960	Userconf	Write	C:\SI.EXE	SUCCESS
    Offset: 0 Length: 10240	
    
    462	0.00018480	Userconf	Write	C:\USERCONF.EXE	SUCCESS
    Offset: 0 Length: 10240	
    
    479	0.00018320	Userconf	Write	C:\DISK.EXE	SUCCESS
    Offset: 0 Length: 10240	
    
    The files other than DISK.EXE are already known to be possible names of
    email attachments.  All the files are identical copies of the worm.
    
    The worm then launches Outlook and attempts to send copies of itself out.
    
    I have forwarded copies of the worm to McAfee and CERT for further
    analysis.  So far, from our analysis, we have only found that the worm
    propagates itself.  Further analysis will be necessary to determine if
    there are any other effects.
    
       Markus De Shon, Ph.D., GCIA #0227  <mdeshonat_private>   
       Research Manager --  SecureWorks, Inc.  -- 404 327-6339x127
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Wed Oct 17 2001 - 11:09:26 PDT