Installation and Autostart Technique
This memory-resident worm arrives on a system as a .DLL file dropped or installed by other malware.
Upon execution, it drops any of the following copies of itself into the Windows system folder:
It sets the dropped file's attributes to Hidden and System to avoid easy detection.
It creates any of the following registry entries, corresponding to the dropped copy, to ensure its automatic execution at every Windows startup:
WinDLL (steam.dll) = "rundll32.exe %System%\steam.dll,start"
WinDLL (scvhost32.dll) = "rundll32.exe %System%\scvhost32.dll,start"
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
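The autostart routine above is a classic rundll32 Run-key persistence: a value in a `Run` key launches `rundll32.exe` with the dropped DLL and its `start` export. The script below is an added defensive example, not part of the original report, that parses a regedit-style text export of the Run keys and flags such entries. It assumes the value name is `WinDLL` (the parenthetical in the report is read as indicating which dropped copy the value points to) and uses a constructed sample export; a real investigation would feed it the output of `reg export` for the relevant keys.

```python
import re

# Constructed sample in the format regedit exports; NOT taken from an infected host.
# Only the two "WinDLL" lines reproduce the pattern described in the report.
SAMPLE_REG_EXPORT = r'''
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware Tools"="C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe"
"WinDLL"="rundll32.exe C:\\Windows\\System32\\steam.dll,start"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\Windows\\System32\\ctfmon.exe"
"WinDLL"="rundll32.exe %System%\\scvhost32.dll,start"
'''

# DLL names the report lists as dropped copies of the worm.
KNOWN_DROPPED_DLLS = {"steam.dll", "scvhost32.dll"}

# Matches "rundll32.exe <dir>\<name>.dll,<export>" (case-insensitive).
RUNDLL_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+(?P<path>.+?\\(?P<dll>[^\\,"]+\.dll)),(?P<export>\w+)',
    re.IGNORECASE,
)

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def parse_run_entries(reg_text):
    """Return (key, value_name, data) for string values under keys ending in \\Run."""
    entries = []
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            current_key = line[1:-1]
            continue
        if current_key is None or not current_key.lower().endswith('\\run'):
            continue
        m = VALUE_RE.match(line)
        if m:
            # regedit doubles backslashes inside string data; undo that.
            data = m.group('data').replace('\\\\', '\\')
            entries.append((current_key, m.group('name'), data))
    return entries


def find_suspicious_rundll_autostarts(reg_text):
    """Flag Run entries that load a DLL via rundll32 and match the report's indicators."""
    findings = []
    for key, name, data in parse_run_entries(reg_text):
        m = RUNDLL_RE.match(data)
        if not m:
            continue  # not a rundll32 launcher; out of scope for this check
        dll = m.group('dll').lower()
        reasons = []
        if dll in KNOWN_DROPPED_DLLS:
            reasons.append('DLL name matches a dropped copy named in the report')
        if name.lower() == 'windll':
            reasons.append('value name "WinDLL" matches the report')
        if reasons:
            findings.append({
                'key': key, 'value': name, 'dll': dll,
                'export': m.group('export'), 'reasons': reasons,
            })
    return findings


if __name__ == '__main__':
    for f in find_suspicious_rundll_autostarts(SAMPLE_REG_EXPORT):
        print(f"{f['key']}\\{f['value']} -> {f['dll']},{f['export']}: {'; '.join(f['reasons'])}")
```

Legitimate software rarely persists through `rundll32.exe <dll>,<export>` from a Run key, so even an entry that matches neither indicator but does match `RUNDLL_RE` is worth a look; the check is deliberately narrow so that hits on a clean machine are meaningful.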
This worm takes advantage of the Windows ASN.1 vulnerability to propagate across networks. For more information regarding the said vulnerability, refer to the following Microsoft Web page:
Using varying ports, this worm connects to the Internet Relay Chat (IRC) server, root.the-an.us or lsd2.danknugs.be, then joins a specific channel, where it listens for the following commands from a remote malicious user:
- Retrieve various network and system information
- Download files
- Perform denial of service (DoS) attacks using various flooding methods
- Perform port scanning
The said routine provides the remote malicious user virtual control over the affected system, thus compromising system security.
HOSTS File Modification
This worm also overwrites the system's HOSTS file, which contains host-name-to-IP-address mappings. It accesses the said HOSTS file in the following folder:
Note that systems running on Windows 98 and ME are unaffected by this routine since this worm only targets the HOSTS file in the %System%\drivers\etc folder.
The said routine is done so that the following Web sites, which are usually related to antivirus companies, can no longer be accessed by affected users:
This worm runs on Windows 98, ME, 2000, XP, and Server 2003.
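Because the HOSTS file is consulted before DNS, pointing a vendor's domain at 127.0.0.1 or 0.0.0.0 silently blocks signature updates and support sites. The following added example, not part of the original report, audits the text of a HOSTS file (on the affected platforms it lives at %System%\drivers\etc\hosts) for such sinkhole overrides and produces a cleaned copy. The sample content and the domain names in it are constructed placeholders; the keyword list used to mark vendor-like names is an assumption for illustration.

```python
import ipaddress

# Constructed sample HOSTS content; the domains are placeholders, not from the report.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
127.0.0.1       www.antivirus-vendor.example
127.0.0.1       update.antivirus-vendor.example   # blocks definition updates
0.0.0.0         liveupdate.security-vendor.example
192.168.1.10    fileserver.corp.example
"""

# The one mapping a stock Windows HOSTS file legitimately carries.
BENIGN = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Addresses that turn a name into a dead end.
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}

# Assumed substrings that suggest a security-vendor or update host.
VENDOR_KEYWORDS = ("antivirus", "security", "update", "liveupdate")


def parse_hosts(text):
    """Return (ip, hostname, line_no) tuples, skipping comments, blanks and malformed lines."""
    records = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first field is not an address; ignore the line
        for host in parts[1:]:
            records.append((parts[0], host.lower(), n))
    return records


def find_blocked_hosts(text, keywords=VENDOR_KEYWORDS):
    """Report every name mapped to a sinkhole address other than localhost itself."""
    findings = []
    for ip, host, n in parse_hosts(text):
        if (ip, host) in BENIGN:
            continue
        if ip in SINKHOLE_ADDRS:
            findings.append({
                'line': n, 'host': host, 'ip': ip,
                'vendor_like': any(k in host for k in keywords),
            })
    return findings


def remove_sinkhole_overrides(text):
    """Return HOSTS text with the flagged lines removed (whole line, even if it lists several names)."""
    flagged = {f['line'] for f in find_blocked_hosts(text)}
    kept = [raw for n, raw in enumerate(text.splitlines(), 1) if n not in flagged]
    return "\n".join(kept) + "\n"


if __name__ == '__main__':
    for f in find_blocked_hosts(SAMPLE_HOSTS):
        tag = 'vendor-like' if f['vendor_like'] else 'other'
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({tag})")
```

The audit reports any sinkholed name, not only vendor-like ones, because an attacker can choose arbitrary domains; the `vendor_like` flag is only a triage hint. On a live system, restore the file only after the resident worm itself has been removed, since the report states it rewrites the HOSTS file.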
Analysis By: Ricardo C. Robielos III
Updated By: Erwin Boy-Ang Balunsat
Feb 8, 2006 - Modified Virus Report