This is a dangerous threat. It exploits a known vulnerability in how Windows handles shortcut (LNK) files, CVE-2010-2568: it drops a crafted .LNK file (detected as EXPL_CPLNK.SMA) which loads the worm's main component onto the affected system. It then lowers the system's browser security settings so that sites hosting malicious code are opened without the usual prompts.
Effects:
- It exploits the LNK shortcut vulnerability, which was a zero-day at the time the worm was found.
- It lowers the Internet Explorer (IE) security settings, allowing sites hosting malicious code to run it without prompting.
- To propagate, it drops copies of itself into network shares, making itself available to other users.
- This worm may be unknowingly downloaded by a user while visiting malicious websites.
- It executes, then deletes itself afterward.
- It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
- It modifies the Internet Explorer Zone Settings (Zone 3 is the Internet zone):
- HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
CurrentLevel = 0 (default value is 69632)
- HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
1601 = 0 (default value is 1)
It adds the following registry entries:
- HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\international
acceptlanguage = "en-us"
- HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION
svchost.exe = 8888
- HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
maxhttpredirects = 8888
- HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
enablehttp1_1 = 1
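The registry changes above are the easiest host-level indicator to check during triage. The following script is an added example, not code from the original post or from any vendor write-up: it parses a .reg export of the affected keys (for instance from `reg export "HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings" out.reg`), flags every value that matches what the worm writes, and emits a .reg fragment restoring the defaults the write-up documents (CurrentLevel = 69632, 1601 = 1). The sample export embedded below is constructed for the example; the value 8888 is 0x22B8 in the export's hex notation.

```python
import re
from typing import Dict, List, Optional, Tuple, Union

RegValue = Union[int, str]
RegTree = Dict[str, Dict[str, RegValue]]

# Registry keys named in the write-up (compared case-insensitively, as Windows does).
ZONE3 = r"HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
INET = r"HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
EMUL = r"HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION"

# (key, value name, value the worm writes, default to restore or None where the write-up gives none)
INDICATORS: List[Tuple[str, str, RegValue, Optional[RegValue]]] = [
    (ZONE3, "CurrentLevel", 0, 69632),    # Internet zone security level forced to 0
    (ZONE3, "1601", 0, 1),                # "submit non-encrypted form data": 0 = enable, default 1 = prompt
    (EMUL, "svchost.exe", 8888, None),    # browser-emulation entry created for svchost.exe
    (INET, "maxhttpredirects", 8888, None),
]

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^"([^"]+)"=(.+)$')


def parse_reg_export(text: str) -> RegTree:
    """Parse a .reg export (REG_DWORD and REG_SZ values) into {key: {name: value}}, lower-cased."""
    tree: RegTree = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        key = _KEY_RE.match(line)
        if key:
            current = key.group(1).lower()
            tree.setdefault(current, {})
            continue
        val = _VAL_RE.match(line)
        if val and current is not None:
            name, data = val.groups()
            if data.startswith("dword:"):
                tree[current][name.lower()] = int(data[len("dword:"):], 16)
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                tree[current][name.lower()] = data[1:-1]
            else:
                tree[current][name.lower()] = data  # other types are kept as raw text
    return tree


def audit(tree: RegTree) -> List[Tuple[str, str, RegValue]]:
    """Return (key, value name, observed value) for each indicator present with the worm's value."""
    hits = []
    for key, name, bad, _default in INDICATORS:
        observed = tree.get(key.lower(), {}).get(name.lower())
        if observed == bad:
            hits.append((key, name, observed))
    return hits


def restore_reg(tree: RegTree) -> str:
    """Build a .reg fragment that puts the documented defaults back for tampered values."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, name, bad, default in INDICATORS:
        if default is None:
            continue
        if tree.get(key.lower(), {}).get(name.lower()) == bad:
            lines += [f"[{key}]", f'"{name}"=dword:{default:08x}', ""]
    return "\n".join(lines)


# Constructed sample export, laid out like an infected host's keys (not a real capture).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"CurrentLevel"=dword:00000000
"1601"=dword:00000000
"Flags"=dword:00000001

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"svchost.exe"=dword:000022b8

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MaxHttpRedirects"=dword:000022b8
"EnableHttp1_1"=dword:00000001
"""

if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_EXPORT)
    for key, name, observed in audit(parsed):
        print(f"tampered: {key}\\{name} = {observed}")
    print(restore_reg(parsed))
```

Only the two zone values have a documented default, so the restore fragment covers those; the `svchost.exe` emulation entry and `maxhttpredirects` are reported for manual removal. `enablehttp1_1 = 1` is a normal setting and is deliberately not used as an indicator.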
It drops copies of itself onto network drives, alongside the AUTORUN.INF file described above, under the following names:
- setup{random number}.dll
- setup{random number}.dat
- setup{random number}.lnk (the shortcut file, detected as EXPL_CPLNK.SMA)
It also creates a copy of itself as C:\Documents and Settings\{user name}\Local Settings\Temp\{random file name}.TMP and then changes that file to a .DLL.
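Because the dropped files share one random stem and always include the .LNK trigger next to the .DLL/.DAT payload, a share sweep can key on that pattern rather than on hashes. The script below is an added example (not from the original post) that walks a mounted share, groups `setup<number>.lnk/.dll/.dat` files by stem, and reports each directory where the .LNK is present together with any launch directives found in an AUTORUN.INF there. The sample share it builds in a temporary directory, including the AUTORUN.INF contents, is constructed for the example; the page does not give the real file's contents.

```python
import os
import re
import tempfile
from typing import Dict, List, Optional, Set

# Names the worm drops on shares: setup<number>.lnk / .dll / .dat sharing one random stem.
_DROP_RE = re.compile(r"^(setup\d+)\.(lnk|dll|dat)$", re.IGNORECASE)
# AUTORUN.INF directives that cause something to run when the drive is opened.
_AUTORUN_KEYS = ("open", "shellexecute", "shell\\open\\command")


def parse_autorun(path: str) -> Dict[str, str]:
    """Return the launch directives of an AUTORUN.INF, keys lower-cased."""
    directives: Dict[str, str] = {}
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for line in fh:
            line = line.strip()
            if "=" in line and not line.startswith(";"):
                key, value = line.split("=", 1)
                key = key.strip().lower()
                if key in _AUTORUN_KEYS:
                    directives[key] = value.strip()
    return directives


def scan_share(root: str) -> List[dict]:
    """Walk a mounted share and report each directory holding the dropper's file set."""
    findings: List[dict] = []
    for dirpath, _dirs, files in os.walk(root):
        stems: Dict[str, Set[str]] = {}
        autorun: Optional[str] = None
        for name in files:
            if name.lower() == "autorun.inf":
                autorun = os.path.join(dirpath, name)
            match = _DROP_RE.match(name)
            if match:
                stems.setdefault(match.group(1).lower(), set()).add(match.group(2).lower())
        for stem, exts in stems.items():
            if "lnk" in exts:  # the .lnk is the exploit trigger; .dll/.dat are its payload
                findings.append({
                    "dir": dirpath,
                    "stem": stem,
                    "exts": sorted(exts),
                    "autorun": parse_autorun(autorun) if autorun else None,
                })
    return findings


def build_sample_share() -> str:
    """Create a throwaway directory laid out like an infected share (constructed test data)."""
    root = tempfile.mkdtemp(prefix="share_")
    for ext in ("lnk", "dll", "dat"):
        open(os.path.join(root, f"setup4711.{ext}"), "wb").close()
    with open(os.path.join(root, "AUTORUN.INF"), "w") as fh:
        # Constructed directive for the example; the worm's real AUTORUN.INF is not on the page.
        fh.write("[autorun]\nshellexecute=setup4711.lnk\n")
    clean = os.path.join(root, "docs")
    os.mkdir(clean)
    open(os.path.join(clean, "setup.exe"), "wb").close()  # legitimate name that must not match
    return root


if __name__ == "__main__":
    for hit in scan_share(build_sample_share()):
        print(hit)
```

Point `scan_share` at the mount point of each share (or at a removable drive's root) and treat every hit as an infected directory: quarantine all files with the reported stem plus the AUTORUN.INF, since the .LNK alone is enough to trigger the vulnerability when the folder is merely viewed.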