Details:
Arrival, Installation, and Autostart Techniques
Upon execution, this worm drops a copy of itself as FILESS.EXE into the Windows system folder with its attributes set to hidden, system, and read-only. It also drops the file SHOX.TXT, the log file written by the worm's keylogging feature.
It creates the following registry entries to ensure its automatic execution at every Windows startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
NTFSS MICROSOFT SYSTEM = "filess.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
NTFSS MICROSOFT SYSTEM = "filess.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NTFSS MICROSOFT SYSTEM = "filess.exe"
It also modifies the following registry values by changing:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
EnableDCOM = "Y"
to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
EnableDCOM = "N"
And:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
RestrictAnonymous = dword:00000000
to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
RestrictAnonymous = dword:00000001
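The autostart entries and the two modified values above can be checked offline against a `reg export` dump. The following is an added example for responders, not code from the original write-up; it assumes the EnableDCOM value lives under the Ole subkey and runs on a constructed sample export.

```python
import re

# Constructed sample of a `reg export` style dump from an infected host
# (not taken from the write-up); it mirrors the indicators listed above.
SAMPLE_REG = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"NTFSS MICROSOFT SYSTEM"="filess.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"NTFSS MICROSOFT SYSTEM"="filess.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000001
"""

# The three autostart locations named in the write-up.
AUTOSTART_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)

def parse_reg(text):
    """Parse [key] / "name"=value lines into {key: {name: value}}, lower-cased
    because the registry is case-insensitive."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            entries.setdefault(current, {})
        elif current and line.startswith('"'):
            m = re.match(r'"([^"]+)"=(?:"([^"]*)"|(.+))', line)
            if m:
                val = m.group(2) if m.group(2) is not None else m.group(3)
                entries[current][m.group(1).lower()] = val.lower()
    return entries

def find_indicators(text):
    """Return a list of matched indicators from the export text."""
    reg = parse_reg(text)
    hits = []
    for key in AUTOSTART_KEYS:
        val = reg.get(key.lower(), {}).get("ntfss microsoft system")
        if val and "filess.exe" in val:
            hits.append("autostart: " + key)
    if reg.get(r"hkey_local_machine\software\microsoft\ole", {}).get("enabledcom") == "n":
        hits.append("DCOM disabled (EnableDCOM=N)")
    lsa = reg.get(r"hkey_local_machine\system\currentcontrolset\control\lsa", {})
    if lsa.get("restrictanonymous") == "dword:00000001":
        hits.append("RestrictAnonymous set to 1")
    return hits
```

The two value changes are hardening settings that legitimate administration may also apply, so treat them as supporting evidence only; the FILESS.EXE autostart entries are the actionable hits.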
Network Propagation and Exploits
This worm propagates by dropping copies of itself into accessible network shares. It searches for the following network shares and attempts to drop copies of itself into them:
- C$\WINDOWS\system32
- C$\WINNT\system32
- ADMIN$\system32
- IPC$
It uses the following user names and passwords to gain access to the said shares:
- 12345
- 123456
- 1234567
- 12345678
- 123456789
- 1234567890
- access
- accounting
- accounts
- administrador
- administrat
- administrateur
- administrator
- admins
- backup
- bitch
- blank
- brian
- changeme
- chris
- cisco
- compaq
- computer
- control
- database
- databasepass
- databasepassword
- db1234
- dbpass
- dbpassword
- default
- domain
- domainpass
- domainpassword
- exchange
- george
- guest
- hello
- homeuser
- internet
- intranet
- katie
- linux
- login
- loginpass
- nokia
- oeminstall
- oemuser
- office
- oracle
- orainstall
- outlook
- owner
- pass1234
- passwd
- password
- password1
- peter
- qwerty
- server
- siemens
- sqlpassoainstall
- staff
- student
- susan
- system
- teacher
- technical
- win2000
- win2k
- win98
- windows
- winnt
- winpass
- winxp
- wwwadmin
This worm also propagates by taking advantage of the following Windows vulnerabilities:
- IIS/WebDAV vulnerability
- Remote Procedure Call (RPC)/Distributed Component Object Model (DCOM) vulnerability
- Windows LSASS vulnerability
Backdoor Capabilities
This worm acts as an Internet Relay Chat (IRC) bot that connects to an IRC server. Once connected, it listens for commands from a remote malicious user and executes them locally. This effectively gives the remote user control over the affected machine.
The bot allows a remote user to do the following:
- Download or transfer files via file transfer protocol (FTP)
- Gather email addresses and system information
- Log keystrokes made by a user
- Open or download Web pages
- Perform denial of service (DoS) attacks
- Remotely execute programs
- Sniff packets sent and received by infected users
- Terminate processes
Denial of Service
This worm performs the following denial of service (DoS) attacks:
- ICMP flood
- PING flood
- SYN flood
- UDP flood
Information Theft
This worm uses a network sniffer called Carnivore that checks for the following strings in the packets sent and received by the infected machine:
- : auth
- : login
- :!auth
- :!hashin
- :!login
- :!secure
- :!syn
- :$auth
- :$hashin
- :$login
- :$syn
- :%auth
- :%hashin
- :%login
- :%syn
- :&auth
- :&login
- :*auth
- :*login
- :,auth
- :,login
- :.auth
- :.hashin
- :.login
- :.secure
- :.syn
- :/auth
- :/login
- :?auth
- :?login
- :@auth
- :@login
- :\auth
- :\login
- :~auth
- :~login
- :%20auth
- :%20login
- :=auth
- :=login
- :'auth
- :-auth
- :'login
- :-login
- login
- login
- PASS
- paypal
- PAYPAL
- paypal.com
- USER
It also steals the Microsoft Windows product ID and CD keys of the following games:
- Battlefield 1942
- Battlefield 1942: Secret Weapons Of WWII
- Battlefield 1942: The Road To Rome
- Battlefield 1942: Vietnam
- Black and White
- Command and Conquer: Generals:
- Command and Conquer: Generals: Zero Hour
- Command and Conquer: Red Alert2
- Command and Conquer: Tiberian Sun
- Counter-Strike
- FIFA 2002
- FIFA 2003
- Freedom Force
- Global Operations
- Gunman Chronicles
- Half-Life
- Hidden and Dangerous 2
- IGI2: Covert Strike
- Industry Giant 2
- James Bond 007: Nightfire
- Medal of Honor: Allied Assault:
- Medal of Honor: Allied Assault: Breakthrough
- Medal of Honor: Allied Assault: Spearhead
- Nascar Racing 2002
- Nascar Racing 2003
- Need For Speed: Hot Pursuit 2
- Need For Speed: Underground
- Neverwinter Nights
- NHL 2002
- NHL 2003
- Ravenshield
- Shogun: Total War: Warlord Edition
- Soldier Of Fortune 2
- Soldiers Of Anarchy
- The Gladiators
- Unreal Tournament 2003
- Unreal Tournament 2004
Other Details
This worm arrives compressed using Morphine. It runs on Windows 95, 98, ME, NT, 2000, and XP.
Analysis By: Ace Portuguez