WORM_DOWNAD.A


 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Downloaded from the Internet, Dropped by other malware, Propagates via software vulnerabilities


To get a one-glance comprehensive view of the behavior of this Worm, refer to the Threat Diagram shown below.

This worm may arrive bundled with malware packages as a malware component. It may be downloaded by other malware/grayware/spyware from remote sites. It may be dropped by other malware.

It exports functions used by other malware. It checks the operating system name of the affected computer.

  TECHNICAL DETAILS

Payload:

Connects to URLs/IPs, Downloads files

Arrival Details

This worm may arrive bundled with malware packages as a malware component.

It may be downloaded by other malware/grayware/spyware from remote sites.

It may be dropped by other malware.

Autostart Technique

This worm modifies the following registry entry(ies) to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{random service name}
Image Path = "%System Root%\system32\svchost.exe -k netsvcs"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{random service name}\Parameters
ServiceDll = "{malware path and file name}"

Download Routine

This worm connects to the following website(s) to download and execute a malicious file:

  • http://{BLOCKED}converter.biz/4vir/antispyware/loadadv.exe

Other Details

This worm exports functions used by other malware.

It connects to the following URL(s) to get the affected system's IP address:

  • http://checkip.dyndns.org
  • http://getmyip.co.uk
  • http://www.getmyip.org

It checks the operating system name of the affected computer if it is any of the following:

  • Windows 2000
  • Windows XP
  • Windows Server 2003
  • Windows Server 2003 R2

NOTES:

This worm drops a copy of itself Windows system folder using a random file name with the .DLL extension. This technique prevents dropping of several copies of itself on already affected systems. It also locks its dropped copy to prevent users from reading, writing, and deleting it.

It sets the creation time of the file similar to that of the creation time indicated in the legitimate Windows file KERNEL32.DLL, which is also located in the Windows system folder. It does this prevent itself from getting noticed as a newly added file on the affected system. It also creates the mutex Global\{random}.

If the system has any of the aforementioned operating systems, this worm continues with its routines. If the affected system has a different operating system, this worm checks for SERVICES.EXE in the list of running processes. If it finds the said process, it loads itself into the said process.

It also adds an entry in the value data list of the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\SvcHost

The added value data is the random service name this worm creates.

This worm propagates in two ways from which they are achieved by taking advantage of a vulnerability discovered in certain Microsoft operating systems that could allow remote code execution if an affected system received a specially crafted RPC request, which also contains a shellcode. More information on the said vulnerability can be found in the following link:

Once this specially crafted RPC request reaches its target vulnerable system, the shellcode is decrypted, and then retrieves certain APIs capable of downloading a copy of the worm from the affected system, which is already converted into an HTTP server. The affected system then opens a random TCP port, allowing the vulnerable machine to connect to itself using the following URL:

  • http://{IP address of the affected machine}:{random port}/{malware file name composed of random characters}

During this exploit, a high traffic on TCP port 445 is seen since this is the port that this worm uses.

When the copy of the worm is being downloaded from the affected system to the vulnerable system, the worm modifies its packet header to make itself appear as a harmless JPEG file, when in fact, it is actually an executable file.

It does this to avoid detection by the network firewall or system security applications. If an unpatched system continues to receive malicious packets, the said system may eventually crash.

The downloaded copy of the worm is saved as X in the Windows system folder.

This worm is also capable of propagating over the Internet by attempting to send the exploit code to a random Internet address. It first broadcasts the opened random port that serves as an HTTP server so that it is accessible over the internet.

It then gets the external IP address of the system to check if it has direct connection to the Internet. This worm does the routine to launch the expoit code over the Internet if the affected system has a direct connection to the Internet by checking the external IP address and the configured IP address in the ethernet or modem driver.

After getting the IP address of the system, this worm checks if the said IP address is valid and is not a local IP address.

It also checks if the external IP address is the same with the configured IP address on the system.

Note that this worm makes the random port it uses available online by broadcasting the port over the Internet via an Simple Service Discovery Protocol (SSDP) request.

It also attempts to connect to http://www.{BLOCKED}d.com/download/geoip/database/GeoIP.dat.gz to download a file that indicates the location of the affected system. As of this writing, however, the said URL is inaccessible.

This worm also connects to created URLs where it can download and execute a file that is saved in the Windows system folder. It creates URLs by retrieving dates from the following websites:

  • ask.com
  • baidu.com
  • google.com
  • msn.com
  • www.w3.org
  • yahoo.com

Based on the dates, it then computes for strings to generate URLs. After computing, it then appends of any of the following strings to the computed URLs:

  • .biz
  • .info
  • .org
  • .net
  • .com

For example, if the computed sting is abcdef, the worm then appends either .biz, ,info, .org, .net, or .com to the string so the resulting URL may either be abcdef.biz, abcdef.info. abcdef.org, abcdef.net, or abcdef.com.

Note that this worm can only perform its payload if either of the following criteria has been met:

  • System year is after 2008 of any month and any day
  • System year is 2008 and before of any month and the day is not the second day of the month.

For example, this worm does not download a copy of itself if the system date is set to November 2, 2008; December 2, 2008; or March 2, 2007.

  SOLUTION

Minimum Scan Engine:

9.200

Step 1

AUTOMATIC REMOVAL INSTRUCTIONS

To automatically remove this malware from your system, use Trend Micro's special fixtool. Download, extract, and run the said fixtool in the same folder where your latest Trend Micro pattern file is located. For more details, refer to the fixtool's incorporated text file.

MANUAL REMOVAL INSTRUCTIONS

Step 2

Scan your computer with your Trend Micro product to delete files detected as WORM_DOWNAD.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.


Did this description help? Tell us how we did.