January 6, 2011

WORM_DOWNAD.AD

This is yet another worm that spreads through removable drives by dropping copies of itself on them as it propagates. It infects computers by locating vulnerabilities, propagates across networks, and leaves its copies available to other users on the network. Its main job is to hide its files, processes and registry entries on the computer it infects.

Effects:

  • It generates a set of URLs containing 250 random sites per day based on the UTC time standard.
  • It blocks access to websites that contain certain strings, which are mostly related to antivirus programs.
  • It adds registry entries to enable auto execution at start up and modifies certain registry entries to disable system services.
  • It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
  • It patches the file TCPIP.SYS in memory in order to modify the limit of maximum TCP half-connection attempts in systems running Windows XP Service Pack 2. It does this by loading TCPIP.SYS in a certain memory location. It then drops the file %System%\0{random number}.tmp, which is responsible for creating a device object named TcpIp_Perf and linking it to the loaded TCPIP.SYS in memory. It then sends the control code (patch code) to the linked device object.
  • It blocks access to certain sites.

Detection:

Its dropped files have randomly numbered names with the extensions .dll and .tmp and are found in the system folder.
In Program Files it affects Internet Explorer and Movie Maker.
It also drops files in its usual locations, the Application Data and Temp folders.
It adds the following registry entries to enable its auto execution:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random characters}
    ImagePath = %SystemRoot%\system32\svchost.exe -k
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random characters}\Parameters
    ServiceDll = %System%\{its file name}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\{random characters}
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    {file name} = rundll32.exe (to enable its auto execution)
  • It drops its file in the system32 folder under a random name, using the credentials of the compromised user once it gains access. After successfully doing so, a scheduled task is created in the %Windows%\Tasks folder using the NetScheduleJobAdd API in order to execute the dropped copy. The scheduled time of execution in the created job file is retrieved from the GetLocalTime API.
The registry entries that are modified during execution are:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    TcpNumConnections = 00FFFFFE
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS
    Start = 4 (default = 2)
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
    Start = 4 (default = 2)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
    CheckedValue = 0 (default = 1)
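As an added example (not code from the original post), the following read-only PowerShell check looks for the registry modifications listed above on the host being investigated. The Start defaults and the SHOWALL value come from the post; the assumption that a suspicious ServiceDll is a numeric-only .dll name in system32 is taken from the post's description of the dropped file names and is not a definitive signature.

```powershell
# Added example, not from the original post: read-only check for the
# WORM_DOWNAD.AD registry indicators described above. Requires admin rights
# to read HKLM service keys reliably.

function Get-DownadIndicators {
    $findings = New-Object System.Collections.Generic.List[string]

    # Compare one registry value against the modified value the post reports.
    function Test-RegValue {
        param([string]$Path, [string]$Name, $BadValue, [string]$Note)
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item -and $item.$Name -eq $BadValue) {
            $findings.Add("$Path\$Name = $($item.$Name)  <- $Note")
        }
    }

    # Services the worm disables: Start = 4 (Disabled); the post gives default 2.
    Test-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\BITS'     'Start' 4 'BITS disabled'
    Test-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\wuauserv' 'Start' 4 'Windows Update disabled'

    # Explorer "show hidden files" forced off (post: CheckedValue = 0, default 1).
    Test-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL' `
        'CheckedValue' 0 'hidden files suppressed'

    # TCP connection limit tampering (post: TcpNumConnections = 00FFFFFE).
    Test-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' `
        'TcpNumConnections' 0x00FFFFFE 'TcpNumConnections altered'

    # svchost-hosted services whose ServiceDll is a numerically named DLL in
    # system32 (assumption based on the post's "random numbers" file names).
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
        $params = Get-ItemProperty -Path "$($_.PSPath)\Parameters" -Name ServiceDll -ErrorAction SilentlyContinue
        if ($params -and $params.ServiceDll -match '(?i)\\system32\\\d+\.dll$') {
            $findings.Add("$($_.PSChildName): ServiceDll = $($params.ServiceDll)  <- random-numbered DLL in system32")
        }
    }

    return $findings
}

$hits = Get-DownadIndicators
if ($hits.Count -eq 0) {
    Write-Output 'No WORM_DOWNAD.AD registry indicators found.'
} else {
    Write-Output 'Possible WORM_DOWNAD.AD indicators:'
    $hits | ForEach-Object { Write-Output "  $_" }
}
```

A hit on the service or TCP checks alone is not proof of infection; confirm against the dropped .dll/.tmp files in the system folder and the scheduled task in %Windows%\Tasks that the post describes.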
