Details:
Installation and Autostart Technique
Upon execution, this memory-resident worm drops a copy of itself in the Windows system folder as the following file:
It may add the following registry entries to enable its dropped copy to run at every Windows startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Windows Frame Works = "frmwrks32.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
Windows Frame Works = "frmwrks32.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Windows Frame Works = "frmwrks32.exe"
This worm then launches itself into memory and creates threads in order to perform its routines.
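A defender checking hosts for the autostart entries listed above would typically export the Run and RunServices keys and scan them. The following Python script is an added example, not part of the original advisory: it parses the text of a Windows `.reg` export, restricts itself to the three autostart keys named above, and flags any value whose name is "Windows Frame Works" or whose data references frmwrks32.exe. The sample export embedded in the script is constructed for illustration, not captured from an infected machine.

```python
"""Scan a Windows registry export (.reg text) for the worm's autostart entries.
Added example; the SAMPLE_EXPORT below is constructed, not a real capture."""
import re

# The autostart keys the advisory says the worm writes to.
AUTOSTART_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}
# Indicators taken from the advisory: the value name and the dropped file name.
IOC_VALUE_NAME = "windows frame works"
IOC_FILE_NAME = "frmwrks32.exe"

_KEY_RE = re.compile(r"^\[(.+)\]\s*$")
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"\s*$')


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the string values in a .reg export.
    Only REG_SZ lines ("name"="data") are parsed; hex:/dword: values are ignored."""
    keys, current = {}, None
    for line in text.splitlines():
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            # .reg files escape backslashes and quotes; undo that for the data.
            data = m.group("data").replace("\\\\", "\\").replace('\\"', '"')
            keys[current][m.group("name")] = data
    return keys


def find_suspect_autostarts(text):
    """Return (key, value_name, data) for Run/RunServices values matching the indicators."""
    hits = []
    for key, values in parse_reg_export(text).items():
        if key.lower() not in AUTOSTART_KEYS:
            continue  # only autostart locations matter here
        for name, data in values.items():
            if name.lower() == IOC_VALUE_NAME or IOC_FILE_NAME in data.lower():
                hits.append((key, name, data))
    return hits


# Constructed sample export: two benign entries, the three entries from the
# advisory, and a same-named value under a key that is NOT an autostart location.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Example\\updater.exe"
"Windows Frame Works"="frmwrks32.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Windows Frame Works"="frmwrks32.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Tray Helper"="C:\\Users\\alice\\AppData\\Local\\Example\\tray.exe /background"
"Windows Frame Works"="frmwrks32.exe"

[HKEY_CURRENT_USER\Software\Example]
"Windows Frame Works"="frmwrks32.exe"
'''

if __name__ == "__main__":
    for key, name, data in find_suspect_autostarts(SAMPLE_EXPORT):
        print(f"SUSPECT  {key}  {name} = {data}")
```

Real exports produced by `reg export` are UTF-16 with a byte-order mark, so read the file with `open(path, encoding="utf-16")` before passing its contents to `find_suspect_autostarts`. The key filter is what keeps the check precise: the same value name under an unrelated key (the last block of the sample) is deliberately not reported, because only the three autostart locations the advisory names give the dropped file persistence.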
Network Propagation and Exploits
This worm takes advantage of the Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability present on Windows XP systems, which allows an attacker to gain full access and execute any code on a target machine, leaving it compromised.
Read more on this vulnerability from the following link:
This worm also exploits the IIS5/WebDAV buffer overrun vulnerability affecting Windows NT platforms, which enables arbitrary code to execute on the server.
The following link offers more information from Microsoft about this vulnerability:
When it finds a vulnerable target machine, the worm copies and executes itself on the system. It also attempts to propagate to the following folders in the network:
If the folders are not readily accessible, this worm attempts to force its way into the system by logging on using a list of hardcoded user names and passwords.
Backdoor Capabilities
This worm has backdoor capabilities. It comes with a built-in Internet Relay Chat (IRC) client engine, which enables it to connect to an IRC channel and wait for commands from a malicious user, which it then processes locally on the system.
This IRC client grants the malicious user remote access to the machine to carry out the following commands:
- Obtain system information, such as the following:
  - CPU speed and memory
  - Size of memory
  - Windows platform, build version and product ID
  - Malware uptime
  - User name
- Change the IRC server and channel where it connects to
- Download files including malware updates from a Web site or FTP server
- Scan local network for vulnerable machines
- Scan local network for machines with weak NetBIOS passwords
- Redirect connections
- Emulate a SOCKS4 proxy
- Log off user
- Restart or shut down the machine
- List all running processes
- Terminate a specific process
- Add or remove autostart entries in the registry
- Add or remove services using Service Control Manager
- Remove network shares
- Erase DNS cache
Information Theft
This worm attempts to steal the Microsoft product ID and CD keys of the following game applications:
- Battlefield 1942
- Battlefield 1942 (Road To Rome)
- Battlefield 1942 (Secret Weapons of WWII)
- Battlefield Vietnam
- Black and White
- Chrome
- Command and Conquer: Generals
- Command and Conquer: Generals (Zero Hour)
- Command and Conquer: Red Alert
- Command and Conquer: Red Alert 2
- Command and Conquer: Tiberian Sun
- Counter-Strike (Retail)
- FIFA 2002
- FIFA 2003
- Freedom Force
- Global Operations
- Gunman Chronicles
- Half-Life
- Hidden & Dangerous 2
- IGI 2: Covert Strike
- Industry Giant 2
- James Bond 007: Nightfire
- Legends of Might and Magic
- Medal of Honor: Allied Assault
- Medal of Honor: Allied Assault: Breakthrough
- Medal of Honor: Allied Assault: Spearhead
- NHL 2002
- NHL 2003
- NOX
- Nascar Racing 2002
- Nascar Racing 2003
- Need For Speed Hot Pursuit 2
- Need For Speed: Underground
- Neverwinter Nights
- Neverwinter Nights (Hordes of the Underdark)
- Neverwinter Nights (Shadows of Undrentide)
- Rainbow Six III RavenShield
- Shogun: Total War: Warlord Edition
- Soldier of Fortune II - Double Helix
- Soldiers Of Anarchy
- The Gladiators
- Unreal Tournament 2003
- Unreal Tournament 2004
Denial of Service Attack
This worm also enables the malicious user to perform any of the following flood attacks against a target site:
- ICMP flood
- HTTP flood
- SYN flood
- UDP flood
Analysis by: Zarestel Ferrer