Installation and Autostart Technique
Upon execution, this worm drops a copy of itself as VIDEOL32.EXE in the Windows system folder.
It then adds the following registry entries, which enable this malware to run automatically at every system startup:
Videool32 = "VIDEOL32.EXE "
Videool32 = "VIDEOL32.EXE "
Network Propagation and Exploits
This worm exploits the Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability present on unpatched Windows XP systems (Microsoft Security Bulletin MS03-026), which allows a remote attacker to execute arbitrary code on the target machine with full system privileges.
Read more on this vulnerability from the following link:
This worm looks for vulnerable Windows XP machines by scanning random IP addresses on TCP port 135, the port on which the RPC endpoint mapper listens.
It also uses the RPC Locator vulnerability, which affects Windows NT systems (Microsoft Security Bulletin MS03-001), and searches for vulnerable Windows NT machines by scanning IP addresses sequentially on TCP port 445.
More information on this vulnerability is available from the following Microsoft page:
This worm also exploits the IIS 5.0 WebDAV buffer overrun affecting Windows NT-based platforms (Microsoft Security Bulletin MS03-007), which allows arbitrary code to execute on the web server.
The following link offers more information from Microsoft about this vulnerability:
When it finds a vulnerable target machine, the worm copies itself to that machine and executes the copy there.
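The two scanning behaviours described above leave a distinctive trace in outbound connection logs: one source touching many unrelated addresses on TCP/135, or walking a contiguous range one address at a time on TCP/445. The following is an added detection example, not code from the original analysis; it parses a constructed, simplified firewall export (timestamp, source, destination, destination port) that is an assumption of this example, not a format the page documents, and flags sources that scan either port, classifying each scan as random or sequential.

```python
"""Flag hosts whose outbound connections match the worm's propagation scans:
many random targets on TCP/135 and a sequential sweep of addresses on TCP/445.

Added example. The log format below is a constructed, simplified firewall
export ("HH:MM:SS src dst dport"), not a format the original page documents.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: 10.0.0.5 scans random addresses on 135, 10.0.0.9 sweeps
# 10.0.1.1-10.0.1.8 on 445, and 10.0.0.7 is a benign client of one file server.
SAMPLE_LOG = """\
12:00:01 10.0.0.5 192.168.7.33 135
12:00:01 10.0.0.5 172.16.200.9 135
12:00:02 10.0.0.5 10.31.4.250 135
12:00:02 10.0.0.5 192.168.1.2 135
12:00:03 10.0.0.5 10.8.8.8 135
12:00:03 10.0.0.5 172.20.0.77 135
12:00:04 10.0.0.5 10.0.0.1 135
12:00:04 10.0.0.5 192.168.99.1 135
12:00:05 10.0.0.9 10.0.1.1 445
12:00:05 10.0.0.9 10.0.1.2 445
12:00:06 10.0.0.9 10.0.1.3 445
12:00:06 10.0.0.9 10.0.1.4 445
12:00:07 10.0.0.9 10.0.1.5 445
12:00:07 10.0.0.9 10.0.1.6 445
12:00:08 10.0.0.9 10.0.1.7 445
12:00:08 10.0.0.9 10.0.1.8 445
12:00:09 10.0.0.7 10.0.0.1 445
12:00:10 10.0.0.7 10.0.0.1 445
12:00:11 10.0.0.7 10.0.0.1 445
"""

# Ports the worm probes for its RPC DCOM (135) and RPC Locator (445) targets.
WORM_PORTS = {135, 445}


def parse_log(text):
    """Return a list of (src, dst, dport) tuples from the constructed log format."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        _ts, src, dst, dport = parts
        records.append((src, dst, int(dport)))
    return records


def sequential_fraction(addrs):
    """Fraction of gaps between sorted distinct targets that equal exactly 1.

    A host walking a range one address at a time scores close to 1.0;
    randomly chosen targets score close to 0.0.
    """
    ints = sorted({int(ipaddress.ip_address(a)) for a in addrs})
    if len(ints) < 2:
        return 0.0
    unit_steps = sum(1 for a, b in zip(ints, ints[1:]) if b - a == 1)
    return unit_steps / (len(ints) - 1)


def find_scanners(records, min_targets=8, seq_threshold=0.8):
    """Return {src: {dport: {"targets": n, "pattern": "random"|"sequential"}}}
    for sources that contacted at least min_targets distinct hosts on a worm port.

    The thresholds are assumptions for this example; tune them to the network.
    """
    targets = defaultdict(set)
    for src, dst, dport in records:
        if dport in WORM_PORTS:
            targets[(src, dport)].add(dst)
    hits = defaultdict(dict)
    for (src, dport), dsts in targets.items():
        if len(dsts) < min_targets:
            continue  # a client talking to one or two servers is normal traffic
        pattern = "sequential" if sequential_fraction(dsts) >= seq_threshold else "random"
        hits[src][dport] = {"targets": len(dsts), "pattern": pattern}
    return dict(hits)


if __name__ == "__main__":
    for src, ports in find_scanners(parse_log(SAMPLE_LOG)).items():
        for port, info in ports.items():
            print(f"{src} -> {info['targets']} hosts on tcp/{port} ({info['pattern']} scan)")
```

Run against the sample, the random scanner on 135 and the sequential sweeper on 445 are reported while the benign client, which only ever talks to one server, is not; counting distinct destinations per source rather than raw connections is what keeps a chatty but legitimate SMB client out of the results.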
It also searches for the following network shares:
If these shares grant full access, the worm copies itself to them. If access to the shares is restricted, the worm attempts to force its way in by logging on with the following user names and passwords:
This worm steals the Windows Product ID, and also the CD keys of the following games:
- BF1942 RtR
- BF1942 SWoWWII
- Command & Conquer Generals
- FIFA 2002
- FIFA 2003
- Half-Life CDKey
- Nascar 2002
- Nascar 2003
- NHL 2002
- NHL 2003
- Project IGI 2
- Red Alert
- Red Alert 2
- The Gladiators
- Tiberian Sun
This worm terminates the following antivirus and firewall processes:
It has a built-in Internet Relay Chat (IRC) client engine that connects to an IRC channel and waits for commands from a remote user. These commands include:
- Remove network shares
- Flush DNS cache
- Download files, including malware updates from a Web site or FTP server
- Scan local network for vulnerable machines
- Scan local network for machines with weak netbios password
- Obtain system information, such as:
  - Total Windows running time
  - Windows version
  - Current user
  - CPU speed
  - Total free and allocated memory
- Act as a SOCKS4 proxy
- Log off the user
- Restart or shut down the machine
- List all running processes
- Terminate a specific process
- Add or remove autostart entries in the registry
- Add or remove services using Service Control Manager
- Send customized email messages using predefined SMTP servers
- Change the IRC server and channel it connects to
This worm also enables malicious users to launch the following types of flooding attacks against a target site:
- Ping flood
- SYN flood
- UDP flood
- ICMP flood
This worm also terminates the following processes:
Analysis by: Erwin Varona