Details:
Arrival and Installation
This memory-resident worm may arrive from network shares. Upon execution, it drops a copy of itself in the Windows system folder as VGACARD6.EXE.
It creates the following registry entries to ensure its automatic execution at every Windows startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    VGA6 Startup = "vgacard6.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    VGA6 Startup = "vgacard6.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    VGA6 Startup = "vgacard6.exe"
It also modifies the following registry entries:
HKEY_LOCAL_MACHINE\Software\Microsoft\Ole
    EnableDCOM = "N"
(Note: The default value of this registry entry is "Y".)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    restrictanonymous = "dword:00000001"
(Note: The default value of this registry entry is "dword:00000000".)
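The registry changes above are what a responder would look for first. The following is an added example, not code from the original analysis or from Trend Micro: it parses a Windows registry export (a .reg file, of the kind produced by "reg export") offline and reports the autorun persistence values, the disabled DCOM setting and the changed RestrictAnonymous value. The .reg text embedded below is constructed for the example; the function and variable names are the example's own.

```python
import re

# Constructed sample .reg export (not from the original analysis) containing the
# persistence entries and the two hardening-style changes described above.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"VGA6 Startup"="vgacard6.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"VGA6 Startup"="vgacard6.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Ole]
"EnableDCOM"="N"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000001
"OtherValue"=dword:00000000
"""

# Hive-relative autorun keys the worm writes to (compared case-insensitively).
AUTORUN_KEYS = (
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runservices",
)

# Matches "name"="string" and "name"=dword:xxxxxxxx value lines.
_VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"=(?:"(?P<str>[^"]*)"|dword:(?P<dword>[0-9a-fA-F]{8}))\s*$'
)


def parse_reg_export(text):
    """Parse the subset of .reg syntax used here: [key] headers followed by
    string and dword values. Returns {key_lower: {name_lower: value}}."""
    reg = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            reg.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            if m.group("dword") is not None:
                value = int(m.group("dword"), 16)
            else:
                value = m.group("str")
            reg[current][m.group("name").lower()] = value
    return reg


def find_indicators(reg):
    """Return human-readable findings for the worm's registry footprint:
    autorun values named 'VGA6 Startup' or pointing at vgacard6.exe,
    EnableDCOM set to 'N', and restrictanonymous set to 1."""
    findings = []
    for key, values in reg.items():
        # Drop the hive name so the same check covers HKCU and HKLM.
        hive_relative = key.split("\\", 1)[1] if "\\" in key else key
        if hive_relative in AUTORUN_KEYS:
            for name, data in values.items():
                if name == "vga6 startup" or (
                    isinstance(data, str) and "vgacard6.exe" in data.lower()
                ):
                    findings.append(f"autorun persistence: [{key}] {name} = {data!r}")
        if hive_relative == r"software\microsoft\ole":
            if str(values.get("enabledcom", "Y")).upper() == "N":
                findings.append(f"DCOM disabled: [{key}] EnableDCOM = 'N' (default is 'Y')")
        if hive_relative == r"system\currentcontrolset\control\lsa":
            if values.get("restrictanonymous") == 1:
                findings.append(
                    f"anonymous enumeration restricted: [{key}] restrictanonymous = 1 (default is 0)"
                )
    return findings


if __name__ == "__main__":
    for finding in find_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(finding)
```

On a real export the same two functions apply unchanged; only the text passed to parse_reg_export differs. The DCOM and RestrictAnonymous findings are reported separately from the autorun ones because an administrator may legitimately have set those values, so they corroborate rather than confirm an infection on their own.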
Network Propagation and Exploits
This worm propagates via network shares. It uses NetBEUI functions to obtain lists of user names and passwords available on an affected system. It then enumerates the available network shares and uses the gathered user names and passwords to access them and drop copies of itself there.
It also generates IP addresses and attempts to drop copies of itself into the following default shares of target addresses:
- ADMIN$\system32
- C$\Windows\system32
- C$\WINNT\system32
- IPC$
It likewise uses the gathered user names and passwords to access these shares. It also uses the following list of strings as user names and passwords apart from those that it gathers:
- 12345
- 123456
- 1234567
- 12345678
- 123456789
- 1234567890
- access
- accounting
- accounts
- admin
- administrador
- administrat
- administrateur
- administrator
- admins
- backup
- bitch
- blank
- brian
- changeme
- chris
- cisco
- compaq
- computer
- control
- database
- databasepass
- databasepassword
- db1234
- dbpass
- dbpassword
- default
- domain
- domainpass
- domainpassword
- exchange
- george
- guest
- hello
- homeuser
- internet
- intranet
- katie
- linux
- login
- loginpass
- nokia
- oeminstall
- oemuser
- office
- oracle
- orainstall
- outlook
- owner
- pass1234
- passwd
- password
- password1
- peter
- qwerty
- server
- siemens
- sqlpassoainstall
- staff
- staff
- student
- susan
- system
- teacher
- technical
- win2000
- win2k
- win98
- windows
- winnt
- winpass
- winxp
- wwwadmin
It remotely executes every successfully dropped copy of itself as a service.
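Because the worm spreads with the fixed list of strings above, the practical defence is to make sure no account on the network can be opened with one of them. The following is an added example, not code from the original analysis or from Trend Micro: a small credential-policy check that flags an account whose password (or whose account name) appears in the worm's guessing list, is empty, or equals the user name. The dictionary constant is taken from the list above; the sample accounts and the function names are constructed for the example.

```python
# Strings the worm tries as both user names and passwords, as listed in the
# analysis above (the list's repeated "staff" entry collapses into the set).
WORM_DICTIONARY = frozenset("""
12345 123456 1234567 12345678 123456789 1234567890 access accounting accounts
admin administrador administrat administrateur administrator admins backup bitch
blank brian changeme chris cisco compaq computer control database databasepass
databasepassword db1234 dbpass dbpassword default domain domainpass domainpassword
exchange george guest hello homeuser internet intranet katie linux login loginpass
nokia oeminstall oemuser office oracle orainstall outlook owner pass1234 passwd
password password1 peter qwerty server siemens sqlpassoainstall staff student susan
system teacher technical win2000 win2k win98 windows winnt winpass winxp wwwadmin
""".split())

# Constructed sample accounts (not from the original analysis).
SAMPLE_ACCOUNTS = [
    ("Administrator", "Password1"),
    ("backup", "backup"),
    ("jdoe", "Tq8!v#L2mZr4"),
    ("svc_db", ""),
]


def check_credentials(username, password):
    """Return the list of policy violations for a user name / password pair.
    An empty list means the pair is not something this worm's fixed list
    would guess outright. Comparisons are case-insensitive because the
    worm's strings are all lower case."""
    problems = []
    user = username.strip().lower()
    pwd = password.lower()
    if not password:
        problems.append("empty password")
    if pwd in WORM_DICTIONARY:
        problems.append(f"password {password!r} is in the worm's guessing list")
    if pwd == user:
        problems.append("password equals user name")
    if user in WORM_DICTIONARY:
        problems.append(f"account name {username!r} is in the worm's guessing list")
    return problems


def audit(accounts):
    """accounts: iterable of (username, password) pairs. Returns a mapping of
    user name to its violations for every account that has at least one."""
    report = {}
    for username, password in accounts:
        problems = check_credentials(username, password)
        if problems:
            report[username] = problems
    return report


if __name__ == "__main__":
    for username, problems in audit(SAMPLE_ACCOUNTS).items():
        print(username)
        for problem in problems:
            print("  -", problem)
```

The account-name check matters as much as the password check here: the worm tries the same strings as user names, so an account called "backup" or "guest" with any weak password is reachable by it regardless of which string it chooses as the password.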
This worm also exploits the following Windows vulnerabilities to propagate across networks:
- IIS5/WebDAV vulnerability
- Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability
- LSASS vulnerability
More information on these vulnerabilities can be found on the following Web pages:
Backdoor Capabilities
This worm has backdoor capabilities. It connects to a remote IRC server and joins a specific IRC channel, where it listens for commands coming from a remote malicious user, such as the following:
- Change IRC server and channel it connects to
- Download and execute files
- Flush DNS cache
- Add or remove default network shares
- Enable DCOM protocol
- Get system information, such as CPU speed, free memory, uptime, and free disk space
- Add or remove services
- Add, remove, or view registry entries
- Delete files
- Emulate an FTP server
- List and terminate services and processes
- Scan local area network for listening ports
- Emulate a proxy server
- Redirect connections
- Log keystrokes
It executes these commands locally on the affected system, effectively giving the remote user control over it.
Denial of Service Attack
This worm allows remote malicious users to launch the following forms of denial of service attack:
- HTTP flood
- Ping flood
- SYN flood
- UDP flood
Other Details
This worm runs on Windows 2000 and XP.
Analysis By: Raymond Richard Bautista Gamboa
Revision History: