WORM_DLOADR.SMM

This worm arrives via removable drives. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system. It uses a list of passwords to gain access to password-protected shares.

It connects to certain URLs. It may do this to remotely inform a malicious user of its installation. It may also do this to download possibly malicious files onto the computer, which puts the computer at a greater risk of infection by other threats. As of this writing, the said sites are inaccessible.

Arrival Details

This worm arrives via removable drives.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following copies of itself into the affected system:

• %Windows%\system\winrsc.exe

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

It drops the following component file(s):

• %System%\drivers\sysdrv32.sys - detected by Trend Micro as RTKT_NEERIS.AH

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Windows System Monitor = "%Windows%\system\winrsc.exe"

Other System Modifications

This worm adds the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\SafeBoot\Minimal\
WINSYSMON

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\SafeBoot\Network\
WINSYSMON

It adds the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\SafeBoot\Minimal\
WINSYSMON
(Default) = "Service"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\SafeBoot\Network\
WINSYSMON
(Default) = "Service"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
%Windows%\system\winrsc.exe = "%Windows%\system\winrsc.exe:*:Microsoft Enabled"

Propagation

This worm drops copies of itself in the following shared folders:

• c$\windows\system32
• c$\winnt\system32
• d$\windows\system32
• d$\winnt\system32
• Admin$
• Admin$\system32

It drops the following copy(ies) of itself in all removable drives:

• win.com

It uses the following file names for the copies it drops into shared networks:

• eraseme_{random numbers}.exe

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

[autorun]
shellexecute=win.com
action=Open folder to view files
shell\default=Open
shell\default\command=win.com
shell=default

It uses the following list of passwords to gain access to password-protected shares:

• !@#$
• !@#$%
• 1111
• 111111
• 1234
• 12345
• 123456
• 2000
• 2001
• 2002
• 2003
• 2004
• 2005
• 2006
• 2007
• 2009
• 654321
• 9999
• abc123
• admin
• admin123
• administrador
• administrat
• administrateur
• administrator
• admins
• anonymous
• apache
• asdf
• asdfgh
• backup
• changeme
• changeme2
• cisco
• compaq
• computer
• database
• debug
• default
• ftpd
• fuck
• gateway
• guest
• hello
• home
• httpd
• internet
• kids
• login
• love
• mail
• master
• monitor
• mssql
• mypass
• mypassword
• mysql
• netadmin
• netman
• network
• none
• operator
• oracle
• owner
• pass
• passwd
• password
• password123
• private
• public
• pwpwd
• qwerty
• recovery
• root
• school
• secret
• secrets
• security
• server
• serveradmin
• service
• staff
• storage
• student
• superuser
• support
• sysadm
• system
• teacher
• tech
• temp
• test
• user
• veritas
• webadmin
• windows
• windowsxp
• work
• wwwadmin

Download Routine

This worm connects to the following malicious URLs:

• http://www.{BLOCKED}btown.com/desktopz/bb.exe

As of this writing, the said sites are inaccessible.

NOTES:

Backdoor Routine

This worm opens the following ports:

• 555

It executes the following command(s) from a remote malicious user:

• download file
• execute file

It connects to the following URL(s) to send and receive commands from a remote malicious user:

• {BLOCKED}pcord.com

Other Details

This worm does the following:

• This malware does not steal any information from the affected system.
• It uses a random nick name and user name in connecting to the server mail.vspcord.com. It then joins the channel #x#.
• It gets information about the configuration of the affected system. It then enumerates available IP addresses in the network. If found, it lists down the available user accounts and then forces its way to the network using a dictionary attack, which makes use of the above-mentioned passwords. The passwords are also used as user names in connecting to a target machine.
• Upon successful network propagation, it creates a service to execute the drop file on the target system. It then deletes the created service once it has already been executed. If it fails to create a service, it will then try to create a scheduled task in the %Windows%\Tasks folder using the NetScheduleJobAdd API function to execute its dropped copy.
• It takes advantage of the following vulnerability to propagate across networks:
• Service Service vulnerability (Microsoft Security Bulletin MS08-067)