The Chainsaw Worm
A new worm (a virus-like malicious program that uses the network
to spread itself) has been spreading rapidly among LBNL Windows 95
and 98 systems. It copies itself (as WINMINE.EXE) to the Windows
system directory, primarily by connecting to unprotected shares,
that is, shares that allow anyone to connect to a system without
any restrictions. In the root directory of the current drive it
installs itself as CHAINSAW.EXE. The worm then modifies the
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
key in the Registry so that it starts automatically every time
the infected system is booted.
Once an infected system is rebooted, the worm takes measures to
hide itself, then finds other unprotected shares within the
network and infects those systems in the same way. Additionally,
it posts a message to the "alt.horror" newsgroup
with "CHAINSAWED" as the subject. It may also attempt
to cause a denial of service and to overwrite part
of the contents of the victim system's hard drive.
The best protection against this nasty worm is to delete unprotected
shares altogether. Many LBNL Windows 95 and 98 users have
unprotected shares even though they have no real need to
share their computer's drives with anyone else. From a security
viewpoint, every such share makes it more likely that your
system can be easily attacked by hackers, worms, and other
sources.
The Crowt.A Worm
A new mass-mailing worm, Crowt.A, emails itself as a bogus
CNN newsletter: subject lines, message content, and attachment
names are based on real-time CNN headlines. Opening Crowt.A's
attachment not only infects Windows users' systems but also
makes them vulnerable to identity theft, as Crowt.A also installs
a keystroke logger to capture all keystrokes entered on infected
systems. Windows users, update your system's anti-virus software
every day and avoid opening any attachment that you are not
expecting.
For more information about Crowt.A and how to recover from
an infection, go here.
The Deadhat Worm
The Deadhat worm (W32.HLLW.Deadhat or Vesser)
targets Windows systems that are or have been infected with
version A or B of the Novarg (MyDoom) worm. It scans remote
systems to determine whether TCP ports 1080, 3127, and/or 3128
are open. If any of these ports is open because of a backdoor
program installed by the Novarg worm, the Deadhat worm copies
itself to %systemroot%\sms.exe,
thereby infecting the system. Once Deadhat starts running,
it may pop up a message reading “Error executing program!”
or “Corrupted File.” To ensure that it starts
every time the infected system boots, this worm modifies the
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
key in the Registry by adding the value "KernelFaultChk"="%systemroot%\sms.exe".
Deadhat also finds the shared folder used by the Soulseek
file-sharing program and then copies itself to this folder,
assigning itself a name such as Norton.All.Products.KeyMkr.exe,
F-Secure.Antivirus.Keymkr.exe,
Windows2003Keygen.exe,
WinZip.exe,
or mIRC.v6.12.Keygen.exe.
It opens TCP port 2766 so that a remote attacker can connect
to this port and upload programs, which, if the upload succeeds,
run immediately. Additionally, Deadhat tries
to kill processes belonging to antivirus and
personal firewall software, as well as processes started by Novarg.
If the system is also infected with Novarg, Deadhat keeps
Novarg from starting whenever the system boots by removing
the Registry values that the various versions of Novarg have
added, including:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Explorer
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\TaskMon
HKEY_CURRENT_USER\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32
HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32
Next it scans sequential IP address ranges to locate
systems on which ports 1080, 3127, and 3128 are open. Once
connected, it sends a copy of itself to the location within
the infected machine’s file system in which the Novarg
executable resides, effectively eradicating Novarg. Finally,
this worm connects to an Internet Relay Chat (IRC) server,
where it waits for commands to be sent to it.
Cleaning up after a Deadhat infection is not terribly difficult.
You need to do a live update of the infected system’s
anti-virus software, restart the system in Safe Mode or VGA
mode, run a virus scan on all files in the system (confirming
the deletion of each infected file that the antivirus software
identifies), and finally delete the values that Deadhat adds
to Registry keys. (NOTE: In Windows Me and XP systems the
System Restore function must be performed before the steps
described here.)
For more information about Deadhat and how to recover from
an infection, go here.
Deloder Worm
The Deloder (W32.Deloder-A) worm is proving
to be a growing threat. This worm launches a "brute force"
attack, trying one easy-to-guess password after another in
an attempt to access shares on Windows 95, 98, and Me systems
and to gain access to administrator accounts on Windows NT,
2000, and XP systems. If the worm guesses the correct password,
it installs a back door named "inst.exe" and changes the registry
of the infected machine so that Deloder starts every time
the infected system boots. Deloder also slows down the systems
it infects. Be sure to delete all unneeded shares, and if you
need to have shares, protect each with a strong (difficult-to-guess)
password. Also be sure that every account on your Windows system
has a strong password. If your system becomes infected with Deloder,
visit the Symantec Web site.
Duload Worm Strikes KaZaA Networks
A new network worm named "Duload"
is spreading through the KaZaA file-sharing network. Written
in Visual Basic, this worm is a Windows application in the
form of a "normal" executable (Worm.P2P.Duload.a)
or a compressed version (Worm.P2P.Duload.b). The former is
18432 bytes in length, whereas the latter is 7680 bytes. Duload
infects a system when an attachment containing this worm is
opened. Duload propagates itself to the Windows system directory,
giving itself the name "SystemConfig.exe." It then
changes the infected system's Registry so that Duload starts
every time the infected Windows system boots. It also creates
a directory named "Media" in the Windows directory
and then self-copies there, naming itself with one of nearly
40 different names, e.g., "Warcraft 3 Battle.net
Crack.exe," "The Sims Game Crack.exe," "Alicia
Silverstone Playboy Nude.exe," "Kama Sutra Tetris.exe,"
"Pamela Anderson And Tommy Lee Home Video.exe,"
"Soldier Of Fortune 2 Mutiplayer Serial Hack.exe,"
and others. Additionally, Duload modifies the infected system's
Registry to make the Media directory available to all KaZaA
network users. Although not a destructive worm, one variant
(Worm.P2P.Duload.a) downloads numerous Trojan horse programs
that allow an attacker to gain remote control of an infected
system.
Preventing Duload infections should be easy.
The Lab prohibits the use of KaZaA and other file sharing
programs, so if you avoid using KaZaA, you will not only conform
to Lab regulations, but you will also prevent your system
from getting infected by Duload.
The Dumaru Worm
The Dumaru (W32.Dumaru@mm) worm purports to be a Microsoft
bulletin from security@microsoft.com containing a patch (allegedly
for Internet Explorer) that, if downloaded, infects Windows
systems. The so-called patch is named "patch.exe."
The first variant, Dumaru.A, installs itself as a file with
one of the following paths: %systemroot%\dllreg.exe, %systemroot%\load32.exe,
or %Systemroot%\vxdmgr32.exe. Dumaru.A also creates a mail
engine that sends infected messages to addresses it finds
in files and plants a Trojan horse program that causes the
infected system to join an Internet Relay Chat (IRC) channel
to receive and execute commands sent by the worm's author.
In Windows NT/2000/XP systems, it modifies the Registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
by adding the following entry:
"load32" = "%Windir%\load32.exe"
This causes Dumaru.A to start when the infected system boots.
In Windows 95/98/Me systems, it instead adds
run=%Windir%\dllreg.exe
to the [windows] section of win.ini, and also adds
shell=explorer.exe %System%\vxdmgr32.exe
to the [boot] section of system.ini to ensure that it starts
during system boot time.
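The win.ini and system.ini entries above are Windows 95/98/Me autostart mechanisms that a Registry-only check would miss. The following Python script is an added example, not code from this bulletin or from Symantec: it reads both files with a minimal INI parser (configparser is avoided because these files carry duplicate and mixed-case keys) and reports any non-empty run= or load= line in [windows] and any [boot] shell= line that launches more than Explorer.exe. The INI contents it checks are constructed for the example.

```python
"""Flag Dumaru-style autostart entries in Windows 9x win.ini / system.ini.
Added example; the INI contents below are constructed, not from a real system."""
import re

_SECTION = re.compile(r"^\[(.+)\]$")


def parse_ini(text):
    """Minimal INI reader: {section (lowercased): [(key (lowercased), value), ...]}.
    Duplicate keys are kept in order, since a worm may append a second run= line."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].append((key.strip().lower(), value.strip()))
    return sections


def check_win_ini(text):
    """Any non-empty run= or load= in [windows] starts a program at logon."""
    findings = []
    for key, value in parse_ini(text).get("windows", []):
        if key in ("run", "load") and value:
            findings.append(f"win.ini [windows] {key}={value}")
    return findings


def check_system_ini(text):
    """A clean Windows 9x system.ini has shell=Explorer.exe and nothing else on
    that line; extra tokens (as with Dumaru's vxdmgr32.exe) are launched at boot."""
    findings = []
    for key, value in parse_ini(text).get("boot", []):
        if key == "shell":
            tokens = [t.lower() for t in value.split()]
            if tokens != ["explorer.exe"]:
                findings.append(f"system.ini [boot] shell={value}")
    return findings


def audit(win_ini_text, system_ini_text):
    """Combined report for one system's win.ini and system.ini contents."""
    return check_win_ini(win_ini_text) + check_system_ini(system_ini_text)


# Constructed sample files: the infected pair carries the entries described above.
CLEAN_WIN_INI = "[windows]\nload=\nrun=\nNullPort=None\n"
CLEAN_SYSTEM_INI = "[boot]\nshell=Explorer.exe\ndevice=*vmm32\n"
INFECTED_WIN_INI = r"""[windows]
load=
run=%Windir%\dllreg.exe
NullPort=None
"""
INFECTED_SYSTEM_INI = r"""[boot]
shell=explorer.exe %System%\vxdmgr32.exe
device=*vmm32
"""

if __name__ == "__main__":
    for finding in audit(INFECTED_WIN_INI, INFECTED_SYSTEM_INI):
        print("suspicious:", finding)
```

On a real system the two files live in the Windows directory; pass their contents to audit() and review every line it reports, since any run=, load= or extra shell= token is a program that starts without the user's involvement.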
Dumaru.B is very similar to Dumaru.A, except that it can
also copy itself as %systemroot%\Rundllw.exe. It also opens
up three ports, TCP 1001, TCP 2283, and TCP 10000, and listens
for any commands that are sent to these ports. Additionally,
Dumaru.B attempts to infect all .exe files on every partition,
but due to bugs in its code, it infects only files in the
root folder of each partition. Worst of all, it plants a keystroke
sniffer that picks up all keystrokes in the infected machine,
enabling it to steal passwords, files, and so forth.
If your system becomes infected, download and run Symantec's
Dumaru removal tool.
The Erkez.D Worm
The Erkez.D (w32.Erkez.D or W32/Zafi.d@MM) worm targets Windows
systems. It arrives as a message from a falsified address
with a subject line such as "Merry Christmas!,"
"bolddog karacsony...," "Feliz Navidad!,"
and "Weihnachten card." Examples of messages are
"Happy HollyDays! :) <sender_name>," "Feliz
Navidad! :) <sender_name>," and "Joyeux Noel!
:) <sender_name>," where <sender_name> is
an email address. Cute graphics are included in the message.
Attachments have a .bat, .cmd, .com, .pif, or .zip extension.
Individuals who open any of these attachments infect their
systems, causing Erkez.D to write itself into the system folder
as:
%systemroot%\Norton Update.exe
Erkez.D also creates a log file, C:\s.cm. It looks for folders
with "shar," "music," and "upload"
in their name; if successful in finding these folders, it
creates files in them with the following names:
winamp 5.7 new!.exe
ICQ 2005a new!.exe
This worm next creates a mutex, Wxp4, to keep more than one
copy of this worm from infecting a system that it has already
infected. It also changes two Registry settings. First, it
adds the value
"Wxp4" = "%System%\Norton Update.exe"
to:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
It then creates the following key to store information about
itself:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wxp4
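The Run-key entries this bulletin documents for Chainsaw, Deadhat, Dumaru.A and Erkez.D can be checked offline against a Registry export. The Python script below is an added example, not code from this page or from any antivirus vendor: it parses the string values of a Registry Editor 5.00 .reg export and flags Run-key values whose executable name matches one of the indicators above. The sample export is constructed; the value name "ChainsawStart" is a placeholder, because the page does not give the name Chainsaw uses for its HKEY_CURRENT_USER entry, and "SystemTray" stands in for a benign entry.

```python
"""Scan a Windows .reg export for the worm autostart entries described above.
Added example: the indicators come from this page; the sample export is constructed."""
import re

# (worm, value name or None if the page does not give it, executable name)
INDICATORS = [
    ("Chainsaw", None, "chainsaw.exe"),        # page: CHAINSAW.EXE in the drive root, HKCU Run entry
    ("Chainsaw", None, "winmine.exe"),         # page: WINMINE.EXE copied to the system directory
    ("Deadhat", "kernelfaultchk", "sms.exe"),  # "KernelFaultChk"="%systemroot%\sms.exe"
    ("Dumaru.A", "load32", "load32.exe"),      # "load32" = "%Windir%\load32.exe"
    ("Erkez.D", "wxp4", "norton update.exe"),  # "Wxp4" = "%System%\Norton Update.exe"
]

RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}

# Matches "name"="data" or @="data"; hex(...) and dword: values are deliberately skipped
_STRING_VALUE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    # .reg files escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the string values in a
    Registry Editor 5.00 export. Other value types are ignored."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _STRING_VALUE.match(line)
        if current is None or not m:
            continue
        name = "(Default)" if m.group(1) is None else _unescape(m.group(1))
        keys[current][name] = _unescape(m.group(2))
    return keys


def find_worm_autostarts(text):
    """Return (worm, key, value_name, data) for every Run-key value whose
    executable name (last path component, case-insensitive) matches an indicator."""
    hits = []
    for key, values in parse_reg_export(text).items():
        if key.lower() not in RUN_KEYS:
            continue
        for name, data in values.items():
            exe = data.lower().rsplit("\\", 1)[-1]  # command-line arguments are not stripped
            for worm, want_name, want_exe in INDICATORS:
                if (want_name is None or name.lower() == want_name) and exe == want_exe:
                    hits.append((worm, key, name, data))
    return hits


# Constructed sample export. "SystemTray" is a stand-in benign entry; the value name
# "ChainsawStart" is a placeholder, since the page gives no name for Chainsaw's entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"KernelFaultChk"="%systemroot%\\sms.exe"
"Wxp4"="%System%\\Norton Update.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ChainsawStart"="C:\\CHAINSAW.EXE"
'''

if __name__ == "__main__":
    for worm, key, name, data in find_worm_autostarts(SAMPLE_REG):
        print(f'{worm}: [{key}] "{name}"={data}')
```

Matching is done on the executable name rather than the value name alone, so a Chainsaw entry is caught even though its value name is unknown, while Deadhat, Dumaru.A and Erkez.D require both the documented value name and the documented executable, which keeps a legitimate program that happens to share a name from being flagged as a worm.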
Erkez.D next displays an error message that reads as follows:
Title: CRC: 04F7Bh
Message: Error in packed file!
It kills any process that has any of the following strings
in its name:
msconfig
reged
task
and opens up a port (TCP 8181) that attackers can use for
backdoor access. It also tries to find .exe files in folders
with names that contain any of the following strings:
cafee
kasper
panda
secur
sopho
syman
trend
viru
If successful in its search, it tries to kill the processes
that the executables (which run in connection with security-related
functions) have spawned. Erkez.D harvests email addresses
from the Windows Address Book as well as files in the infected
computer that have extensions such as .abd, .adb, .asp, .dbx,
.php, .tbb, and .wab.
It writes any addresses it finds in randomly named files
with a .dll extension within %systemroot%. Finally, it creates
a Simple Mail Transfer Protocol (SMTP) engine that spews messages
with infected attachments to addresses that it has found.
How to Recover from an Erkez.D Infection
If your system becomes infected by Erkez.D, you should download
and run Symantec's Erkez.D eradication tool, which is available
here.
You should also follow the procedures listed here
to remove changes to the Registry as well as other changes
that this worm makes.