Worm.Win32.DOWNAD.PIDB

This Worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It takes advantage of certain vulnerabilities.

Arrival Details

This Worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Worm drops the following files:

• {Drive}\autorun.inf

It drops the following copies of itself into the affected system:

• {Drive}\RECYCLER\{Generated string}\{Random characters}.{Random extension}
• \\{Server host name}\ADMIN$\System32\{Random characters}.{Random extension}
• %Application Data%\{Random characters}.dll
• %Program Files%\Internet Explorer\{Random characters}.dll
• %Program Files%\Movie Maker\{Random characters}.dll
• %System%\{Random characters}.dll
• %System%\{Random characters}.tmp
• %Temp%\{Random characters}.dll
• %Temp%\{Random characters}.tmp

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000(32-bit), Server 2003(32-bit), XP, Vista(64-bit), 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit) , or C:\Program Files (x86) in Windows XP(64-bit), Vista(64-bit), 7(64-bit), 8(64-bit), 8.1(64-bit), 2008(64-bit), 2012(64-bit) and 10(64-bit).. %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %Temp% is the Windows temporary folder, where it usually is C:\Windows\Temp on all Windows operating system versions.)

It adds the following processes:

• netsh interface tcp set global autotuning=disabled (Disables TCP/IP auto-tuning if the sample is running on Windows Vista)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• {Random characters}
• Global\{Random characters based on computer name}-7

It injects codes into the following process(es):

• svchost.exe
• explorer.exe
• services.exe (If the sample is running on Windows 2000)

Autostart Technique

This Worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SYSTEM\{Control set}\
services\{Random characters}
DisplayName = {Random string}

HKEY_LOCAL_MACHINE\SYSTEM\{Control set}\
services\{Random characters}
Start = 2

HKEY_LOCAL_MACHINE\SYSTEM\{Control set}\
services\{Random characters}
ImagePath = %SystemRoot%\system32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\{Control set}\
services\{Random characters}\Parameters
ServiceDll = %System%\{Random characters}.dll

HKEY_CURRENT_USERSoftware\Microsoft\Windows\
CurrentVersion\Run
{Random characters} = rundll32.exe {Malware file name and path}, {Parameter}

Other System Modifications

This Worm adds the following registry entries as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Applets
dl = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Applets
ds = 0

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Applets
dl = 0

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Applets
ds = 0

It modifies the following registry entries to hide files with Hidden attributes:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced\Folder\Hidden\
SHOWALL
CheckedValue = 0

Other Details

This Worm adds the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\{Control set}\
services\{Random characters}

It connects to the following URL(s) to get the affected system's IP address:

• http://www.getmyip.org
• http://www.whatsmyipaddress.com
• http://www.whatismyip.org
• http://checkip.dyndns.org

It connects to the following time servers to determine the current date:

• ask.com
• yahoo.com
• google.com
• baidu.com
• myspace.com
• msn.com
• ebay.com
• cnn.com
• aol.com

It takes advantage of the following vulnerabilities:

• Microsoft Security Bulletin MS08-067

NOTES:

It does the following:

• It patches %System%\drivers\tcpip.sys after loading it in the memory to spread more rapidly across a network.
• It generates a set of domains based on the returned system time. If a domain is active among the generated domains, it formats its response to http://{Address}/search?q={Number} to download files.
• It creates an HTTP server with the format http://{IP address}:{Random port} to propagate over the Internet.
• It deletes all system restore points to disable user from reverting back to a previous system restore point.
• It hooks the following API to avoid the exploitation of the used vulnerability:
  • NetpwPathCanonicalize
• It hooks the following API to block user access to certain sites:
  • DNS_Query_A
  • DNS_Query_UTF8
  • DNS_Query_W
  • Query_Main
  • sendto
• It modifies the following registry entries to execute its copy:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
  • netsvcs={Old data}, {Appended created malicious service registry entry}
• It adds the following registry entries to spread more rapidly across a network:
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
  • TcpNumConnections=0x00fffffe
• It creates a scheduled task with the following command on a remote server with brute-forced credentials to execute its copy:
  • rundll32.exe {Random characters}.{Random extension}, {Parameter}
• It creates the following named pipe to allow external hosts or local processes to connect and upload a binary:
  • \\.\pipe\System_{Computer name}7
• It blocks infected systems from visiting certain sites containing the following strings:
  • ccert
  • sans
  • bit9
  • vet
  • avg
  • avp
  • ca
  • nai
  • windowsupdate
  • wilderssecurity
  • threatexpert
  • castlecops
  • spamhaus
  • cpsecure
  • arcabit
  • emsisoft
  • sunbelt
  • securecomputing
  • rising
  • prevx
  • pctools
  • norman
  • k7computing
  • ikarus
  • hauri
  • hacksoft
  • gdata
  • fortinet
  • ewido
  • clamav
  • comodo
  • quickheal
  • avira
  • avast
  • esafe
  • ahnlab
  • centralcommand
  • drweb
  • grisoft
  • eset
  • nod32
  • f-prot
  • jotti
  • kaspersky
  • f-secure
  • computerassociates
  • networkassociates
  • etrust
  • panda
  • sophos
  • trendmicro
  • mcafee
  • norton
  • symantec
  • microsoft
  • defender
  • rootkit
  • malware
  • spyware
  • virus
  It uses the following strings to generate service registry entry name:
  • Boot
  • Center
  • Config
  • Driver
  • Helper
  • Image
  • Installer
  • Manager
  • Microsoft
  • Monitor
  • Network
  • Security
  • Server
  • Shell
  • Support
  • System
  • Task
  • Time
  • Universal
  • Update
  • Windows
• It uses the following credentials to brute-force vulnerable systems:
  • 99999999
  • 9999999
  • 999999
  • 99999
  • 9999
  • 999
  • 99
  • 9
  • 88888888
  • 8888888
  • 888888
  • 88888
  • 8888
  • 888
  • 88
  • 8
  • 77777777
  • 7777777
  • 777777
  • 77777
  • 7777
  • 777
  • 77
  • 7
  • 66666666
  • 6666666
  • 666666
  • 66666
  • 6666
  • 666
  • 66
  • 6
  • 55555555
  • 5555555
  • 555555
  • 55555
  • 5555
  • 555
  • 55
  • 5
  • 44444444
  • 4444444
  • 444444
  • 44444
  • 4444
  • 444
  • 44
  • 4
  • 33333333
  • 3333333
  • 333333
  • 33333
  • 3333
  • 333
  • 33
  • 3
  • 22222222
  • 2222222
  • 222222
  • 22222
  • 2222
  • 222
  • 22
  • 2
  • 11111111
  • 1111111
  • 111111
  • 11111
  • 1111
  • 111
  • 11
  • 1
  • 00000000
  • 0000000
  • 00000
  • 0000
  • 000
  • 00
  • 0987654321
  • 987654321
  • 87654321
  • 7654321
  • 654321
  • 54321
  • 4321
  • 321
  • 21
  • 12
  • fuck
  • zzzzz
  • zzzz
  • zzz
  • xxxxx
  • xxxx
  • xxx
  • qqqqq
  • qqqq
  • qqq
  • aaaaa
  • aaaa
  • aaa
  • sql
  • file
  • web
  • foo
  • job
  • home
  • work
  • intranet
  • controller
  • killer
  • games
  • private
  • market
  • coffee
  • cookie
  • forever
  • freedom
  • student
  • account
  • academia
  • files
  • windows
  • monitor
  • unknown
  • anything
  • letitbe
  • letmein
  • domain
  • access
  • money
  • campus
  • explorer
  • exchange
  • customer
  • cluster
  • nobody
  • codeword
  • codename
  • changeme
  • desktop
  • security
  • secure
  • public
  • system
  • shadow
  • office
  • supervisor
  • superuser
  • share
  • super
  • secret
  • server
  • computer
  • owner
  • backup
  • database
  • lotus
  • oracle
  • business
  • manager
  • temporary
  • ihavenopass
  • nothing
  • nopassword
  • nopass
  • Internet
  • internet
  • example
  • sample
  • love123
  • boss123
  • work123
  • home123
  • mypc123
  • temp123
  • test123
  • qwe123
  • abc123
  • pw123
  • root123
  • pass123
  • pass12
  • pass1
  • admin123
  • admin12
  • admin1
  • password123
  • password12
  • password1
  • default
  • foobar
  • foofoo
  • temptemp
  • temp
  • testtest
  • test
  • rootroot
  • root
  • adminadmin
  • mypassword
  • mypass
  • pass
  • Login
  • login
  • Password
  • password
  • passwd
  • zxcvbn
  • zxcvb
  • zxccxz
  • zxcxz
  • qazwsxedc
  • qazwsx
  • q1w2e3
  • qweasdzxc
  • asdfgh
  • asdzxc
  • asddsa
  • asdsa
  • qweasd
  • qwerty
  • qweewq
  • qwewq
  • nimda
  • administrator
  • Admin
  • admin
  • a1b2c3
  • 1q2w3e
  • 1234qwer
  • 1234abcd
  • 123asd
  • 123qwe
  • 123abc
  • 123321
  • 12321
  • 123123
  • 1234567890
  • 123456789
  • 12345678
  • 1234567
  • 123456
  • 12345
  • 1234
  • 123