Details:
Installation and Autostart
Upon execution, this worm drops a copy of itself as a read-only and hidden system file, XDCC.EXE, in the Windows system folder. It then executes the said file and deletes itself.
It then creates the following autostart entries to ensure its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Start Upping = "xdcc.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
Start Upping = "xdcc.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Start Upping = "xdcc.exe"
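To check a host for the persistence artifacts described above, the following PowerShell script is an added example (not part of this write-up); it assumes an elevated session and that the dropped file sits in the System32 folder.

```powershell
# Added example: audit a Windows host for the persistence artifacts listed in
# this description. Assumes an elevated session and a System32 drop location.
$valueName = 'Start Upping'   # value name of the autostart entries
$expected  = 'xdcc.exe'       # data the worm writes to that value
$keys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$findings = @()

# 1. Autostart entries. Report the value whenever it exists: the name alone is
#    suspicious, and Match records whether the data is exactly xdcc.exe.
foreach ($key in $keys) {
    $item = Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue
    if ($item) {
        $findings += [pscustomobject]@{
            Type   = 'Registry'
            Where  = "$key\$valueName"
            Detail = $item.$valueName
            Match  = ($item.$valueName -ieq $expected)
        }
    }
}

# 2. Dropped file. -Force is required because the copy is hidden; Match checks
#    for the read-only + hidden + system attribute combination the worm sets.
$path = Join-Path $env:SystemRoot 'System32\xdcc.exe'
$file = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
if ($file) {
    $want = [IO.FileAttributes]'ReadOnly, Hidden, System'
    $findings += [pscustomobject]@{
        Type   = 'File'
        Where  = $file.FullName
        Detail = $file.Attributes.ToString()
        Match  = (($file.Attributes -band $want) -eq $want)
    }
}

# 3. Running copy. Get-Process takes the image name without its extension.
foreach ($p in Get-Process -Name 'xdcc' -ErrorAction SilentlyContinue) {
    $findings += [pscustomobject]@{ Type = 'Process'; Where = $p.Id; Detail = $p.Path; Match = $true }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { 'No artifacts from this description were found.' }
```

A registry value that exists but does not match xdcc.exe still deserves a look, since the value name is the more stable indicator.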
Network Propagation
This worm spreads by dropping a copy of itself in available network shares. If the said shares are inaccessible, it attempts to log in using either cached credentials or a hardcoded list of user names and passwords, such as the following:
- 12345
- 123456
- 1234567
- 12345678
- 123456789
- 1234567890
- access
- accounting
- accounts
- administrador
- administrat
- administrateur
- administrator
- admins
- backup
- bitch
- blank
- brian
- changeme
- chris
- cisco
- compaq
- computer
- control
- database
- databasepass
- databasepassword
- db1234
- dbpass
- dbpassword
- default
- domain
- domainpass
- domainpassword
- exchange
- george
- guest
- hello
- homeuser
- internet
- intranet
- katie
- linux
- login
- loginpass
- nokia
- oeminstall
- oemuser
- office
- oracle
- orainstall
- outlook
- owner
- pass1234
- passwd
- password
- password1
- peter
- qwerty
- server
- siemens
- sqlpassoainstall
- staff
- student
- susan
- system
- teacher
- technical
- win2000
- win2k
- win98
- windows
- winnt
- winpass
- winxp
- wwwadmin
Exploits
This worm may also propagate by taking advantage of systems vulnerable to the following Windows exploits:
- Buffer overflow in SQL Server 2000, a vulnerability that allows a low-privileged user to run, delete, insert, or update Web tasks. In turn, an attacker who is able to authenticate to a SQL server may perform the same actions and run already created Web tasks in the security context of the task's creator. More information on this vulnerability is found in Microsoft Security Bulletin MS02-061.
- The RPC/DCOM vulnerability, which allows an attacker to gain full access to a target machine and execute arbitrary code on it by sending a malformed packet to the DCOM service over RPC TCP port 135. More information on this vulnerability is found in Microsoft Security Bulletin MS03-026.
- The Windows LSASS vulnerability, which is a buffer overrun that allows remote code execution and enables a malicious user to gain full control of the affected system. This vulnerability is discussed in detail in Microsoft Bulletin MS04-011 and Trend Micro's Vulnerability Description for MS04-011.
Backdoor Capabilities
This worm comes with a built-in IRC client, which allows it to connect to an IRC channel. It also opens a random port and enables a remote malicious user to execute commands such as the following on the affected machine:
- Add, continue, delete, list, pause, start, and stop services
- Add, delete, and list network shares
- Check the presence of certain .DLL files
- Delete, download, execute, list, open, rename, and upload files
- Download files
- Enumerate user accounts
- Flush ARP and DNS cache
- List and terminate processes and threads
- Log keystrokes
- Perform basic IRC commands
- Perform denial of service (DoS) attacks through ICMP, PING, and SYN flooding
- Obtain cached passwords
- Obtain clipboard data
- Obtain pertinent system information
- Open a command shell
- Restart the system
- Remove and update itself
- Resolve hostnames
- Restrict and allow access to the shared folder, IPC$
- Scan ports
- Send email messages
- Send UDP packets and pings to a remote computer
- Sniff packets
Information Theft
This worm steals CD keys of the following games:
- Battlefield 1942
- Battlefield 1942 (Road To Rome)
- Battlefield 1942 (Secret Weapons of WWII)
- Battlefield Vietnam
- Black and White
- Call of Duty
- Chrome
- Command and Conquer: Generals
- Command and Conquer: Generals (Zero Hour)
- Command and Conquer: Red Alert
- Command and Conquer: Red Alert 2
- Command and Conquer: Tiberian Sun
- Counter-Strike (Retail)
- FIFA 2002
- FIFA 2003
- FarCry
- Freedom Force
- Global Operations
- Ground Control II
- Gunman Chronicles
- Half-Life
- Hidden & Dangerous 2
- IGI 2: Covert Strike
- Industry Giant 2
- James Bond 007: Nightfire
- Joint Operations
- Legends of Might and Magic
- Medal of Honor: Allied Assault
- Medal of Honor: Allied Assault (Breakthrough)
- Medal of Honor: Allied Assault (Spearhead)
- NHL 2002
- NHL 2003
- Nascar Racing 2002
- Nascar Racing 2003
- Need For Speed Hot Pursuit 2
- Need For Speed: Underground
- Neverwinter Nights
- Neverwinter Nights (Hordes of the Underdark)
- Neverwinter Nights (Shadows of Undrentide)
- Rainbow Six III RavenShield
- Shogun: Total War (Warlord Edition)
- Soldier of Fortune II - Double Helix
- Soldiers Of Anarchy
- The Gladiators
- Unreal Tournament 2003
- Unreal Tournament 2004
Other Details
This worm is compiled in Visual C++. It runs on Windows NT, 2000, and XP.
Analysis By: Michael Stephen Tonido
Revision History: