Threat Encyclopedia

WORM_DOWNAD.E

Malware type: Worm

Aliases: W32/Confick-D(Sophos)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 98, ME, NT, 2000, XP, Server 2003

Encrypted: No

Damage potential: High

Distribution potential: High

Description: 

Trend Micro has flagged this worm as noteworthy because of its increased potential for damage, propagation, or both, specifically its ability to propagate via the Server service vulnerability.

To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.

WORM_DOWNAD.E Behavior Diagram

Malware Overview

This worm may be downloaded unknowingly by a user when visiting malicious Web sites. It may also be dropped by other malware.

This worm creates registry entries, and executes only after meeting certain trigger conditions.

This worm propagates by taking advantage of a vulnerability discovered in certain Microsoft operating systems that could allow remote code execution if an affected system receives a specially crafted RPC request carrying shellcode. More information on the said vulnerability can be found in the following link:

This worm also attempts to propagate through the internet via the same vulnerability using external IP addresses.

It creates a temporary .SYS file, detected by Trend Micro as TROJ_DOWNAD.E, and then creates a service using the said .SYS file, so that the malicious routines of that component are also exhibited on the system. After creating the service, the temporary file is deleted.

It modifies the limit on the maximum number of TCP half-open connection attempts. After doing this, the created driver service is unloaded and deleted, leaving no trace in the registry.

It creates a thread that opens a random port to communicate with a remote computer.

For additional information about this threat, see:

Description created: Apr. 8, 2009 6:23:45 AM GMT -0800


TECHNICAL DETAILS


File type: PE

Memory resident: Yes

Size of malware: 119,296 Bytes

Initial samples received on: Apr 8, 2009

Related to: TROJ_DOWNDAC.A, TROJ_DOWNAD.E

Details:

Arrival

This worm may be downloaded unknowingly by a user when visiting malicious Web sites. It may also be dropped by TROJ_DOWNDAC.A.

Installation

This worm's executable (.EXE) file turns the affected machine into an HTTP server. It then searches for vulnerable machines to exploit.

It creates the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Applets
ds = "{binary values}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Applets
ds = "{binary values}"

The said binary values are decrypted by this worm. The decrypted file is a .DLL file that is also detected as WORM_DOWNAD.E. This .DLL file is sent to target vulnerable machines via HTTP traffic.

It may drop copies of itself in the following folders:

  • %Program Files%\Internet Explorer
  • %Program Files%\Movie Maker
  • %Program Files%\Windows Media Player
  • %Program Files%\Windows NT

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files.)

It injects threads into the following normal process:

  • services.exe

Autostart Techniques

This worm registers itself as a system service to ensure its automatic execution at every system startup. It does this by creating the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{Service Name}
Image Path = "%Windows%\System32\svchost.exe -k netsvcs"

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{Service Name}\
Parameters
ServiceDll = "{Malware path and file name}"

It also inserts the same service name as a data value in the following registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\SvcHost
netsvcs = {Service name}

{Service name} is formed by combining one of the following strings:

  • App
  • Audio
  • DM
  • ER
  • Event
  • Ias
  • Ir
  • Lanman
  • Net
  • Ntms
  • Ras
  • Remote
  • SR
  • Sec
  • Tapi
  • Trk
  • W32
  • Wmdm
  • Wmi
  • help
  • win
  • wsc
  • wuau
  • xml

with any of the following strings:

  • access
  • agent
  • auto
  • logon
  • man
  • mgmt
  • mon
  • prov
  • serv
  • Server
  • Service
  • Srv
  • srv
  • svc
  • Svc
  • System
  • Time

Other System Modifications

This worm disables the following services:

  • BITS
  • ERSvc
  • WerSvc
  • WinDefend
  • wscsvc
  • wuauserv

It does this by modifying the following registry entry, where {service to be disabled} is any of the said services:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{service to be disabled}
Start = "4"

(Note: The default value data for the said registry entry is 2.)

It also deletes the following registry entry to prevent the automatic execution of Windows Defender:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Windows Defender = {any data}

It deletes the following registry key to prevent system startup in safe mode:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot

It also deletes the following registry key to deactivate Windows Security Center notifications:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
explorer\ShellServiceObjects
{FD6905CE-952F-41F1-9A6F-135D9C6622CC}
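As an added triage example (not Trend Micro's code or tooling), the following Python evaluates the autostart and system-modification indicators described above against a registry export modelled as a dictionary: a netsvcs service whose name is built from the two fragment lists and whose ServiceDll sits under one of the listed drop folders, the services set to Start=4, the deleted SafeBoot and Security Center keys, and the Applets\ds blob. The snapshot format, the sample key contents and the constructed DLL name are assumptions.

```python
import re

# Fragments the advisory lists for {Service name} = one prefix + one suffix.
PREFIXES = ["App", "Audio", "DM", "ER", "Event", "Ias", "Ir", "Lanman", "Net", "Ntms", "Ras", "Remote",
            "SR", "Sec", "Tapi", "Trk", "W32", "Wmdm", "Wmi", "help", "win", "wsc", "wuau", "xml"]
SUFFIXES = ["access", "agent", "auto", "logon", "man", "mgmt", "mon", "prov", "serv", "Server",
            "Service", "Srv", "srv", "svc", "Svc", "System", "Time"]
# The combinations include real services (wuauserv, wscsvc, ERSvc, Netman): the name alone proves nothing.
SERVICE_NAMES = {(p + s).lower() for p in PREFIXES for s in SUFFIXES}
DROP_DIRS = ["Internet Explorer", "Movie Maker", "Windows Media Player", "Windows NT"]
DISABLED = ["BITS", "ERSvc", "WerSvc", "WinDefend", "wscsvc", "wuauserv"]
SVC = r"hklm\system\currentcontrolset\services"
SVCHOST = r"hklm\software\microsoft\windows nt\currentversion\svchost"
SAFEBOOT = r"hklm\system\currentcontrolset\control\safeboot"
WSC_SSO = r"hklm\software\microsoft\windows\currentversion\explorer\shellserviceobjects\{fd6905ce-952f-41f1-9a6f-135d9c6622cc}"
APPLETS = r"\software\microsoft\windows\currentversion\applets"

def triage(snapshot):
    # snapshot: {key_path: {value_name: data}} from a complete export (assumed format); key paths
    # are compared case-insensitively and a key absent from the dict is treated as deleted.
    reg = {k.lower(): v for k, v in snapshot.items()}
    findings = []
    netsvcs = {n.lower() for n in reg.get(SVCHOST, {}).get("netsvcs", [])}
    dll_re = re.compile(r"\\program files\\(" + "|".join(re.escape(d.lower()) for d in DROP_DIRS)
                        + r")\\[^\\]+\.dll$")
    for name in sorted(netsvcs):  # only names registered in the netsvcs group are candidates
        dll = str(reg.get(f"{SVC}\\{name}\\parameters", {}).get("ServiceDll", "")).lower()
        if name in SERVICE_NAMES and dll_re.search(dll):  # the DLL location is the discriminator
            findings.append(f"netsvcs service {name} loads {dll}")
    for svc in DISABLED:  # Start is a DWORD; 4 = disabled, 2 = automatic (the default)
        if reg.get(f"{SVC}\\{svc.lower()}", {}).get("Start") == 4:
            findings.append(f"{svc} set to Start=4 (disabled)")
    if SAFEBOOT not in reg:
        findings.append("SafeBoot key deleted")
    if WSC_SSO not in reg:
        findings.append("Security Center shell service object key deleted")
    for hive in ("hkcu", "hklm"):
        if "ds" in reg.get(hive + APPLETS, {}):
            findings.append(f"{hive.upper()} Applets\\ds binary blob present")
    return findings

# Constructed sample export (not data from the page or a real host): one legitimate netsvcs
# entry, one entry matching every indicator, one disabled service and the Applets blob.
SAMPLE = {
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost": {"netsvcs": ["AudioSrv", "BITS", "Netman"]},
    r"HKLM\SYSTEM\CurrentControlSet\Services\AudioSrv\Parameters": {"ServiceDll": r"C:\WINDOWS\System32\audiosrv.dll"},
    r"HKLM\SYSTEM\CurrentControlSet\Services\Netman\Parameters": {"ServiceDll": r"C:\Program Files\Movie Maker\qwxz.dll"},
    r"HKLM\SYSTEM\CurrentControlSet\Services\BITS": {"Start": 4},
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Applets": {"ds": b"\x00\x01"},
}
```

On a live host the same checks would be fed from a full registry export; absence of the SafeBoot or Security Center key is only meaningful when the baseline for that Windows version has them.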

It also hooks the following APIs:

  • DnsQuery_A
  • DnsQuery_UTF8
  • Query_Main

The said routine allows the worm to block access to Web sites containing the following strings, which are mostly related to antivirus programs:

  • activescan
  • adware
  • agnitum
  • ahnlab
  • anti-
  • antivir
  • arcabit
  • av-sc
  • avast
  • avg.
  • avgate
  • avira
  • avp.
  • bdtools
  • bit9.
  • bothunter
  • ca.
  • castlecops
  • ccollomb
  • centralcommand
  • cert.
  • clamav
  • comodo
  • computerassociates
  • coresecur
  • cpsecure
  • cyber-ta
  • defender
  • doxpara
  • drweb
  • dslreports
  • emsisoft
  • enigma
  • esafe
  • eset
  • etrust
  • ewido
  • f-prot
  • f-secure
  • fortinet
  • free-av
  • freeav
  • fsecure
  • gdata
  • gmer.
  • grisoft
  • hackerwatch
  • hacksoft
  • hauri
  • honey
  • ikarus
  • insecure.
  • iv.cs.uni
  • jotti
  • k7computing
  • kaspersky
  • kav.
  • llnw.
  • llnwd.
  • malware
  • mcafee
  • microsoft
  • mirage
  • mitre.
  • ms-mvp
  • msdn.
  • msft.
  • msftncsi
  • msmvps
  • mtc.sri
  • nai.
  • ncircle
  • networkassociates
  • nmap.
  • nod32
  • norman
  • norton
  • onecare
  • panda
  • pctools
  • precisesecurity
  • prevx
  • ptsecurity
  • qualys
  • quickheal
  • removal
  • rising
  • rootkit
  • safety.live
  • sans.
  • secunia
  • securecomputing
  • secureworks
  • snort
  • sophos
  • spamhaus
  • spyware
  • staysafe
  • sunbelt
  • symantec
  • technet
  • tenablese
  • threat
  • threatexpert
  • trendmicro
  • trojan
  • vet.
  • virscan
  • virus
  • wilderssecurity
  • windowsupdate

This worm executes only after meeting the following trigger condition:

  • Any day before May 3, 2009

Propagation Routine

This worm propagates by taking advantage of a vulnerability discovered in certain Microsoft operating systems that could allow remote code execution if an affected system receives a specially crafted RPC request carrying shellcode. More information on the said vulnerability can be found in the following link:

Once this specially crafted RPC request reaches its target vulnerable system, the shellcode is decrypted and then resolves the APIs it needs to download a copy of the worm from the already infected system. That infected system opens a random port that serves as an HTTP server from which the copy of the malware is downloaded. It then makes the opened port reachable online by advertising the port over the Internet via a Simple Service Discovery Protocol (SSDP) request.

During analysis, however, the exploitation was not successful because the payload was missing from the packet.

This worm also attempts to propagate via the same vulnerability across the Internet using external IP addresses, after checking whether the system is directly connected to the Internet. It connects to any of the following URLs to determine the external IP address of the affected computer:

  • http://www.whatismyipaddress.com
  • http://www.ipdragon.com
  • http://www.findmyip.com
  • http://www.ipaddressworld.com
  • http://www.myipaddress.com
  • http://checkip.dyndns.com
  • http://checkip.dyndns.org

It also connects to the following URLs:

  • http://www.myspace.com
  • http://www.msn.com
  • http://www.ebay.com
  • http://www.cnn.com
  • http://www.aol.com

Other Details

This worm patches the file TCPIP.SYS in memory in order to modify the limit on the maximum number of TCP half-open connection attempts on systems running Windows XP Service Pack 2. It does this by loading TCPIP.SYS at a certain memory location. It then drops the file %System%\0{random number}.tmp, which is detected as TROJ_DOWNAD.E. This dropped driver creates a device object named TcpIp_Perf and links it to the TCPIP.SYS image loaded in memory. The worm then sends the control code (the patch code) to the linked device object.

It creates a thread that opens a random port to communicate with a remote computer. This worm also creates the following mutex to ensure that only one instance of itself is running in memory:

  • Global\{Random}

Affected Platforms

This worm runs on Windows 98, ME, NT, 2000, XP and Server 2003.

Analysis By: Erika Mendoza

Revision History:

First pattern file version: 5.960.17
First pattern file release date: Apr 10, 2009
 
Apr 13, 2009 - Modified Malware Report

SOLUTION


Minimum scan engine version needed: 8.911

Pattern file needed: 7.635.00

Pattern release date: Nov 19, 2010


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

Note: To fully remove all associated malware, perform the clean solution for TROJ_DOWNDAC.A, TROJ_DROPAD.F, and TROJ_DOWNAD.E.

AUTOMATIC REMOVAL INSTRUCTIONS

Users of Trend Micro PC-cillin Internet Security and Network VirusWall can detect this exploit at the network layer with Network Virus Pattern (NVP) 10273, or later.

Download the latest NVW pattern file from the following site:

Running Trend Micro Fixtool

Users may also opt to remove the malware from the system using this special Trend Micro fixtool. Download, extract, and run the said fixtool in the same folder where your latest Trend Micro pattern file is located. Users without Trend Micro products may also use this fixtool by following the detailed instructions inside the readme.txt file.

Applying Patch

This malware exploits a known vulnerability. Download and install the fix patch supplied by the vendor. Refrain from using this product until the appropriate patch has been installed. Trend Micro advises users to download critical patches upon release by vendors.



