January 18, 2011

WORM_TDSS.TX

This is a very dangerous threat. It drops EXPL_CPLNK.SMA, a malicious shortcut file that exploits a known vulnerability to run the worm's routines on the affected system. It lowers the system's security settings and allows content from malicious sites to run automatically.

Effects:

  • It exploits a zero-day vulnerability.
  • It lowers Internet Explorer (IE) security settings, allowing sites with malicious code to run automatically.
  • To propagate, it drops copies of itself into network shares, making itself available to other users.
  • This worm may be unknowingly downloaded by a user while visiting malicious websites.
  • It executes and then deletes itself afterward.
  • It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
  • It modifies the Internet Explorer Zone Settings.
It modifies the following registry entries:
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
    CurrentLevel = 0 (default value is 69632)
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
    1601 = 0 (default value is 1)

It adds the following registry entries:
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\international
    acceptlanguage = "en-us"
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION
    svchost.exe = 8888
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    maxhttpredirects = 8888
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    enablehttp1_1 = 1

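As an added example (not part of the original post), the following PowerShell script audits the registry values listed above under HKEY_USERS\.DEFAULT and reports any that hold the values the worm writes; with -Restore it puts the two modified zone values back to the defaults the post states. The function and variable names are my own. The four added entries are only reported, since the post gives no defaults for them and enablehttp1_1 = 1 can also be present on a clean system, so treat the Zones\3 values as the strong indicators.

```powershell
# Added example: audit the HKEY_USERS\.DEFAULT IE settings the write-up lists
# for WORM_TDSS.TX. Default values (69632, 1) are those stated in the write-up.
# Run from an elevated PowerShell prompt.

$base = 'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft'

# Each indicator: key, value name, the value the worm sets, and the default the
# write-up gives ($null where the write-up lists no default).
$indicators = @(
    @{ Key = "$base\Windows\CurrentVersion\Internet Settings\Zones\3"; Name = 'CurrentLevel';     Bad = 0;       Default = 69632 }
    @{ Key = "$base\Windows\CurrentVersion\Internet Settings\Zones\3"; Name = '1601';             Bad = 0;       Default = 1 }
    @{ Key = "$base\Internet Explorer\international";                  Name = 'acceptlanguage';   Bad = 'en-us'; Default = $null }
    @{ Key = "$base\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION"; Name = 'svchost.exe'; Bad = 8888; Default = $null }
    @{ Key = "$base\Windows\CurrentVersion\Internet Settings";         Name = 'maxhttpredirects'; Bad = 8888;    Default = $null }
    @{ Key = "$base\Windows\CurrentVersion\Internet Settings";         Name = 'enablehttp1_1';    Bad = 1;       Default = $null }  # weak on its own
)

function Get-RegValueOrNull {
    # Returns the value, or $null when the key or the value name does not exist.
    param([string]$Key, [string]$Name)
    try {
        $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop
        return $item.$Name
    } catch {
        return $null
    }
}

function Test-TdssRegistryIndicators {
    # -Restore writes the stated default back for indicators that have one.
    param([switch]$Restore)
    $hits = @()
    foreach ($i in $indicators) {
        $current = Get-RegValueOrNull -Key $i.Key -Name $i.Name
        if ($null -ne $current -and "$current" -eq "$($i.Bad)") {
            $hits += [pscustomobject]@{ Key = $i.Key; Name = $i.Name; Value = $current; Default = $i.Default }
            if ($Restore -and $null -ne $i.Default) {
                Set-ItemProperty -Path $i.Key -Name $i.Name -Value $i.Default -Type DWord
            }
        }
    }
    return $hits
}

$found = @(Test-TdssRegistryIndicators)
if ($found.Count -eq 0) {
    Write-Output 'No WORM_TDSS.TX registry indicators found under HKEY_USERS\.DEFAULT.'
} else {
    $found | Format-Table -AutoSize
}
```

Note that the post places these values under HKEY_USERS\.DEFAULT rather than HKEY_CURRENT_USER, which is why the script uses the Registry:: provider path; checking HKCU would miss them.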
Mode of Attack:
This worm drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system
It drops copies of itself on network drives under the following names:
  • setup{random number}.dll
  • setup{random number}.dat
  • setup{random number}.lnk (the shortcut file detected as EXPL_CPLNK.SMA)
This worm does the following:
  • Creates a copy of itself named C:\Documents and Settings\{user name}\Local Settings\Temp\{random file name}.TMP
  • Changes that copy's file type to .DLL
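As an added example (not part of the original post), the following PowerShell functions hunt for the file indicators described in this section: the setup{random number}.dll/.dat/.lnk copies together with an AUTORUN.INF on a drive or share root, and .TMP files in the user's Temp folder that carry the MZ executable header, which is the observable trace of a temporary copy being turned into a DLL. Function names, the scan roots and the use of $env:TEMP instead of the Windows XP path quoted above are my own assumptions.

```powershell
# Added example: file-indicator hunt for WORM_TDSS.TX. All names are assumptions.

function Find-TdssDropIndicators {
    # $Roots: drive roots or share paths, e.g. 'D:\' or '\\server\share' (placeholders).
    param([string[]]$Roots)
    $findings = @()
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # Dropped copies: "setup" followed by digits, with .dll, .dat or .lnk
        $dropped = @(Get-ChildItem -LiteralPath $root -Force -File -ErrorAction SilentlyContinue |
                     Where-Object { $_.Name -match '^setup\d+\.(dll|dat|lnk)$' })
        $autorunPresent = Test-Path -LiteralPath (Join-Path $root 'AUTORUN.INF')
        # Group by the numeric stem so one .dll/.dat/.lnk set is a single finding
        foreach ($group in ($dropped | Group-Object { $_.BaseName })) {
            $findings += [pscustomobject]@{
                Root           = $root
                Stem           = $group.Name
                Extensions     = (($group.Group | ForEach-Object { $_.Extension.ToLower() }) | Sort-Object) -join ','
                AutorunPresent = $autorunPresent
            }
        }
        # AUTORUN.INF without setup* files is weak evidence on its own, but worth a look
        if ($autorunPresent -and $dropped.Count -eq 0) {
            $findings += [pscustomobject]@{ Root = $root; Stem = ''; Extensions = ''; AutorunPresent = $true }
        }
    }
    return $findings
}

function Find-TdssTempCopies {
    # A .TMP file in Temp whose first two bytes are 'MZ' is a PE image renamed
    # with a .TMP extension, matching the copy-then-change-to-DLL behaviour.
    param([string]$TempDir = $env:TEMP)
    $hits = @()
    foreach ($f in Get-ChildItem -LiteralPath $TempDir -Filter '*.tmp' -File -Force -ErrorAction SilentlyContinue) {
        $bytes = New-Object byte[] 2
        $stream = [System.IO.File]::OpenRead($f.FullName)
        try { $n = $stream.Read($bytes, 0, 2) } finally { $stream.Close() }
        if ($n -eq 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A) { $hits += $f.FullName }
    }
    return $hits
}

# Usage (placeholder roots):
Find-TdssDropIndicators -Roots @('D:\', '\\server\share') | Format-Table -AutoSize
Find-TdssTempCopies
```

Enumerate suspect shares from the console like this rather than browsing them in Explorer: the shortcut file the post names (EXPL_CPLNK.SMA) is triggered when Explorer renders the .lnk, whereas Get-ChildItem only lists the directory entries.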
