Worm.Win32.PEPEX.AB

This Worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Worm may arrive via network shares.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Worm drops and executes the following files:

• %Windows%\lsasvs.exe <- detected as BKDR_TORLOAD.A, installs and executes the Tor client (lsass.bin)

Autostart Technique

This Worm adds and runs the following services:

• ServiceName: shcservice
  DisplayName: Windows SHC Service.
  ImagePath: cmd.exe /c “net share C$=C:\”. <- This makes the C drive of the remote machine shared
• ServiceName: WUpdator
  DisplayName: Windows Updator
  ImagePath: %Windows%\svchost.exe -> This will execute its copy in the remote machine

(Note: %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.)

Propagation

This Worm uses the following file names for the copies it drops into shared networks:

• %Windows%\svchost.exe

(Note: %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.)

Dropping Routine

This Worm drops the following files:

• %Windows%\lsass.bin <- contains the Tor Client and its components

(Note: %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.)

Other Details

This Worm does the following:

• It scans the following to check for open port 445:
  • Randomly-generated IP address over the Internet or LAN
• If it finds a host either on the LAN/Internet with open port 445, it attempts to remotely create a service (via IPC$ share) and drop its copy in the remote machine by brute-forcing access in the file sharing
• Uses the following user name and passwords to gain access to password protected networks:
  • "administrator"
  • "administrador"
  • "admin"
  • "superadmin"
  • "db2admin"
  • "123456"
  • "password"
  • "12345678"
  • "qwerty"
  • "12345"
  • "123456789"
  • "football"
  • "1234"
  • "1234567"
  • "baseball"
  • "welcome"
  • "welkome"
  • "1234567890"
  • "abc123"
  • "111111"
  • "1qaz2wsx"
  • "dragon"
  • "master"
  • "monkey"
  • "letmein"
  • "login"
  • "princess"
  • "qwertyuiop"
  • "solo"
  • "passw0rd"
  • "p@ssw0rd"
  • "starwars"
  • "server"
  • "passwd"
  • "angel"
  • "admin"
  • "root"
  • "!@#$"
  • "BUMBLE"
  • "qwer"
  • "asdf"
  • "asdfg"
  • "54321"
  • "4321"
  • "!@#$%"
  • "!@#$%^"
  • "!@#$%^&"
  • "!@#$%^&*"
  • "!@#$%^&*("
  • "!@#$%^&*()"
  • "pussy"
  • "696969"
  • "mustang"
  • "michael"
  • "shadow"
  • "jennifer"
  • "2000"
  • "jordan"
  • "superman"
  • "harley"
  • "fuckme"
  • "hunter"
  • "fuckyou"
  • "trustno1"
  • "ranger"
  • "buster"
  • "thomas"
  • "tigger"
  • "robert"
  • "soccer"
  • "fuck"
  • "batman"
  • "test"
  • "pass"
  • "killer"
  • "hockey"
  • "george"
  • "charlie"
  • "andrew"
  • "michelle"
  • "love"
  • "sunshine"
  • "jessica"
  • "asshole"
  • "6969"
  • "pepper"
  • "daniel"
  • "access"
  • "654321"
  • "joshua"
  • "maggie"
  • "silver"
  • "william"
  • "dallas"
  • "yankees"
  • "123123"
  • "ashley"
  • "666666"
  • "hello"
  • "amanda"
  • "orange"
  • "biteme"
  • "freedom"
  • "computer"
  • "sexy"
  • "thunder"
  • "nicole"
  • "ginger"
  • "heather"
  • "hammer"
  • "summer"
  • "corvette"
  • "taylor"
  • "fucker"
  • "austin"
  • "1111"
  • "merlin"
  • "matthew"
  • "121212"
  • "golfer"
  • "cheese"
  • "martin"
  • "chelsea"
  • "patrick"
  • "richard"
  • "diamond"
  • "yellow"
  • "bigdog"
  • "secret"
  • "asdfgh"
  • "sparky"
  • "cowboy"