Stealther Worm Exploits RPC Flaw
A new worm / trojan has been discovered that exploits the RPC flaw from MS Security Bulletin MS03-026:
Quote:
This trojan has been found to be widespread among several universities. In these cases, the recent DCOM RPC vulnerability has been exploited to copy a backdoor trojan (detected as BackDoor-TC since the 4255 DAT files), and the patch for the DCOM RPC vulnerability. Exploited systems are patched, the backdoor is installed, and the Stealther trojan conceals both the backdoor and itself.
The Stealther trojan is designed to hide running processes, files, and registry keys. When run, any file name matching CSRS*.EXE will be hidden from the user. Booting an infected system into Safe Mode, or connecting to it via a network share, are two ways to view the stealthed files.
Details of the recent attack are as follows. Compromised systems contain the following files:
%WinDir%\system32\csrsv.exe Stealther trojan
%WinDir%\system32\csrsu.exe ExeStealth packed BackDoor-TC trojan
c:\update.exe MS03-026 patch
The following registry keys are present:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CSRSPX
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CSRSWIN1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CSRSPX
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CSRSWIN1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\CSRSPX
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\CSRSWIN1
The CSRSPX key is responsible for loading the Stealther trojan, to conceal the presence of any file named CSRS*.EXE (in this case the backdoor trojan, as well as the Stealther trojan). Reports have varied as to which TCP port the backdoor trojan listens on; it is likely configured by the hacker(s) responsible for these attacks.
This one is kind of sneaky so beware and keep your eyes open.
McAfee AVERT
Trend Micro
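The write-up says the stealthed files can still be seen from Safe Mode or over a network share, which is the classic cross-view rootkit check. The following is an added Python example, not part of the original post or of the AVERT advisory: it diffs a directory listing taken on the running system against one taken over a share, flags names under the CSRS*.EXE mask, and looks for the CSRSPX and CSRSWIN1 service keys under any control set. The listings and registry keys in it are constructed sample data, not from a real host.

```python
import fnmatch
import re

# Indicators taken from the AVERT write-up quoted above.
HIDDEN_NAME_PATTERN = "CSRS*.EXE"
KNOWN_SERVICE_KEYS = {"CSRSPX", "CSRSWIN1"}
SERVICE_KEY_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})"
    r"\\Services\\([^\\]+)$", re.IGNORECASE)

def hidden_files(live_listing, reference_listing):
    """Cross-view diff: names present in a listing taken from Safe Mode or over a
    network share but missing from the listing taken on the running system."""
    live = {name.lower() for name in live_listing}
    return sorted(name for name in reference_listing if name.lower() not in live)

def matches_stealther_pattern(filename):
    """True when the name falls under the CSRS*.EXE mask the Stealther hides. The
    mask also covers the legitimate csrss.exe, so a name match alone proves
    nothing; a CSRS*.EXE name missing from the live view is the signal."""
    return fnmatch.fnmatch(filename.upper(), HIDDEN_NAME_PATTERN)

def suspicious_service_keys(registry_keys):
    """Return the Stealther service names found under any control set."""
    found = set()
    for key in registry_keys:
        match = SERVICE_KEY_RE.match(key)
        if match and match.group(1).upper() in KNOWN_SERVICE_KEYS:
            found.add(match.group(1).upper())
    return sorted(found)

def triage(live_listing, reference_listing, registry_keys):
    """Combine both checks into one report for an incident handler."""
    hidden = hidden_files(live_listing, reference_listing)
    return {
        "hidden_files": hidden,
        "stealther_named": [n for n in hidden if matches_stealther_pattern(n)],
        "service_keys": suspicious_service_keys(registry_keys),
    }

# Constructed sample data standing in for two listings of %WinDir%\system32
# (live box vs. over a share) and an export of the Services keys.
LIVE_VIEW = ["cmd.exe", "kernel32.dll", "notepad.exe"]
SHARE_VIEW = LIVE_VIEW + ["csrss.exe", "csrsu.exe", "csrsv.exe"]
REG_KEYS = [
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CSRSPX",
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CSRSWIN1",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler",
]
```

On a real host the two listings come from `dir` on the console and `dir` against the admin share from a clean machine; the real csrss.exe showing up as hidden is itself a sign the hook is active.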
Anyone recognize this virus? msblast.exe?
Found a file called msblast.exe. A friend and client both called me saying they were having the same problems. Their box would constantly reboot with a shutdown message of 1 minute right after rpc crashed on them.
Was able to get into the machines and get a command shell remotely, and tftp'ed over some files like fport, pslist, pskill.exe, strings.exe etc. Did a dir in windows\system32 by date and found a strange file.
The file is msblast.exe. It is packed with UPX, and after unpacking, strings.exe shows that it contains the following strings in the executable:
msblast.exe
I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making money and fix your software!!
MARB
MEOW
MEOW(
MEOW
~'?bB
41Qk
windowsupdate.com
start %s
tftp -i %s GET %s
%d.%d.%d.%d
%i.%i.%i.%i
BILLY
windows auto update
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
htons
ioctlsocket
inet_addr
inet_ntoa
recvfrom
select
send
sendto
setsockopt
socket
gethostbyname
bind
gethostname
closesocket
WSAStartup
WSACleanup
connect
getpeername
getsockname
WSASocketA
InternetGetConnectedState
ExitProcess
ExitThread
GetCommandLineA
GetDateFormatA
GetLastError
GetModuleFileNameA
GetModuleHandleA
CloseHandle
GetTickCount
RtlUnwind
CreateMutexA
Sleep
TerminateThread
CreateThread
RegCloseKey
RegCreateKeyExA
RegSetValueExA
__GetMainArgs
atoi
exit
fclose
fopen
fread
memcpy
memset
raise
rand
signal
sprintf
srand
strchr
strtok
WS2_32.DLL
WININET.DLL
KERNEL32.DLL
ADVAPI32.DLL
CRTDLL.DLL
It installs itself into SOFTWARE\Microsoft\Windows\CurrentVersion\Run as Windows Auto Update.
As you can see from the strings it tftp's something down to the infected computer. I did find a tftp file in the windows\system32 directory but it was 0 bytes.
That's all I have been able to figure out so far. Going to install it on a test box and see what it does :)
I have searched and couldn't find any references to this virus online. Not sure if it is a revised older virus or a new one. I think it may spread by the rpc/dcom exploit, as both servers that were compromised with this were also able to be compromised by the rpc/dcom exploit.
Anyone have any further info?
Grinler