Stealther Worm Exploits RPC Flaw
A new worm / trojan has been discovered that exploits the RPC flaw from MS Security Bulletin MS03-026:
This one is kind of sneaky so beware and keep your eyes open.
This trojan has been found to be widespread among several universities. In these cases, the recent DCOM RPC vulnerability has been exploited to copy a backdoor trojan (detected as BackDoor-TC since the 4255 DAT files) and the patch for the DCOM RPC vulnerability onto the victim. Exploited systems are patched, the backdoor is installed, and the Stealther trojan conceals both the backdoor and itself.
The Stealther trojan is designed to hide running processes, files, and registry keys. While it is running, any file whose name matches CSRS*.EXE is hidden from the user. Booting an infected system into Safe Mode, or listing its file system over a network share from another machine, are two ways to see the hidden files.
Details of the recent attack are as follows. Compromised systems contain the following files:
%WinDir%\system32\csrsv.exe Stealther trojan
%WinDir%\system32\csrsu.exe ExeStealth packed BackDoor-TC trojan
c:\update.exe MS03-026 patch
The following registry keys are present:
The CSRSPX key loads the Stealther trojan, which conceals any file named CSRS*.EXE (here the backdoor trojan as well as the Stealther trojan itself). Reports vary as to which TCP port the backdoor listens on; the port is most likely chosen by the attacker(s) responsible for these intrusions.
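The advisory's two practical checks (list the directory over a share because the local view is hooked, and look for the Run-key entry and the CSRS*.EXE file names) can be turned into a small triage script. The following is an added example, not code from the original page or from any vendor: it diffs a locally taken directory listing against one taken over the admin share from a clean host, and matches file names and Run-key values against the indicators given above. The listings and the registry export are constructed sample data; the exemption of csrss.exe is an assumption (it is the legitimate Win32 subsystem process whose name the trojan files imitate, and the CSRS*.EXE pattern would otherwise catch it).

```python
import fnmatch
import ntpath
import re

# Constructed sample data (not from the original page): a "dir /b" of
# %WinDir%\system32 taken on the infected host, and the same directory listed
# over its admin share from a clean machine. The stealther hooks only the
# local enumeration, so the two views differ.
LOCAL_LISTING = """\
csrss.exe
kernel32.dll
notepad.exe
"""
SHARE_LISTING = """\
csrss.exe
csrsu.exe
csrsv.exe
kernel32.dll
notepad.exe
"""
# Constructed "reg query" style export of the Run key with two suspect values.
RUN_KEY_EXPORT = """\
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
    CSRSPX                    REG_SZ    C:\\WINDOWS\\system32\\csrsv.exe
    windows auto update       REG_SZ    msblast.exe
    Synchronization Manager   REG_SZ    C:\\WINDOWS\\system32\\mobsync.exe /logon
"""

# Indicators from the advisory. update.exe on its own is weak (the name is
# common); it only matters together with the other hits.
FILE_PATTERNS = ["csrs*.exe", "msblast.exe", "update.exe"]
LEGITIMATE = {"csrss.exe"}  # assumption: real csrss.exe is exempt from the pattern
RUN_VALUE_NAMES = {"csrspx", "windows auto update"}

def _names(listing):
    return {line.strip().lower() for line in listing.splitlines() if line.strip()}

def cross_view_diff(local_listing, remote_listing):
    """Names the share shows that the host itself does not report: the
    signature of a user-mode stealther hooking local directory enumeration."""
    return sorted(_names(remote_listing) - _names(local_listing))

def matching_files(names):
    """Subset of names (paths allowed) matching a file indicator."""
    hits = []
    for name in sorted(names):
        base = ntpath.basename(name).lower()
        if base in LEGITIMATE:
            continue
        if any(fnmatch.fnmatch(base, pat) for pat in FILE_PATTERNS):
            hits.append(base)
    return hits

_RUN_LINE = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s+(.*)$")

def suspicious_run_values(reg_export):
    """Run-key values whose name is a known indicator or whose command starts
    with an executable matching a file indicator. Returns (name, data) pairs."""
    flagged = []
    for line in reg_export.splitlines():
        m = _RUN_LINE.match(line)
        if not m:
            continue
        name, _type, data = m.groups()
        parts = data.split()
        exe = parts[0].strip('"') if parts else ""
        if name.lower() in RUN_VALUE_NAMES or matching_files([exe]):
            flagged.append((name, data))
    return flagged

def triage(local_listing, remote_listing, reg_export):
    hidden = cross_view_diff(local_listing, remote_listing)
    return {
        "hidden_files": hidden,                      # everything the local view lost
        "hidden_ioc_files": matching_files(hidden),  # of those, the known names
        "ioc_files": matching_files(_names(remote_listing)),
        "run_values": suspicious_run_values(reg_export),
    }

if __name__ == "__main__":
    for key, value in triage(LOCAL_LISTING, SHARE_LISTING, RUN_KEY_EXPORT).items():
        print(f"{key}: {value}")
```

Any file that appears in the share view but not the local one deserves attention even when its name is not on the indicator list, since the port and file names in this campaign vary from report to report; the cross-view diff is the durable check, the name matching is the quick one.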
Anyone recognize this virus? msblast.exe?
Found a file called msblast.exe. A friend and a client both called me saying they were having the same problem: their box would constantly reboot, with a one-minute shutdown message right after RPC crashed on them.
I was able to get into the machines and get a command shell remotely, and tftp'ed over some files like fport, pslist, pskill.exe, strings.exe, etc. I did a dir of windows\system32 sorted by date and found a strange file.
The file is msblast.exe. It is packed with UPX, and after unpacking, strings.exe shows that it contains the following strings in the executable:
I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making money and fix your softw
tftp -i %s GET %s
windows auto update
It installs itself into SOFTWARE\Microsoft\Windows\CurrentVersion\Run as Windows Auto Update.
As you can see from the strings, it tftp's something down to the infected computer. I did find a tftp file in the windows\system32 directory, but it was 0 bytes.
That's all I have been able to figure out so far. Going to install it on a test box and see what it does :)
I have searched and couldn't find any references to this virus online. Not sure if it is a revised older virus or a new one. I think it may spread by the RPC/DCOM exploit, as both servers that were compromised with this were also able to be compromised by the RPC/DCOM exploit.
Anyone have any further info?
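The static triage the poster did by hand (notice the UPX packing, unpack, run strings, read off the tftp command and the Run-key name) is easy to script so that the next suspect binary gets the same treatment in seconds. The following is an added example, not the poster's code and not any real tool's: a minimal strings extractor, a name-based UPX heuristic, and a lookup of the extracted strings against the indicators quoted above. The two byte buffers are constructed stand-ins, not msblast.exe; the "packed" one only carries the UPX0/UPX1 section names so the heuristic has something to find, and the UPX check is an assumption about stock UPX builds (a packer with renamed sections evades it).

```python
import re

# Constructed byte buffers (not real malware). The packed one mimics what a
# stock UPX build leaves visible: section names and almost no readable text.
PACKED_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16 + b"PE\x00\x00"
    + b"UPX0\x00\x00\x00\x00" + b"UPX1\x00\x00\x00\x00"
    + b"\x8b\xc0" * 20
)
# The unpacked one embeds the strings the post reports, exactly as quoted
# (the "softw" truncation is the post's), with junk bytes between them.
UNPACKED_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16 + b"PE\x00\x00"
    + b".text\x00\x00\x00" + b".data\x00\x00\x00" + b"\x55\x8b\xec"
    + b"\x00I just want to say LOVE YOU SAN!!\x00"
    + b"\x12\x13billy gates why do you make this possible ? Stop making money and fix your softw\x00"
    + b"\x00tftp -i %s GET %s\x00"
    + b"\x00windows auto update\x00"
    + b"\x00SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
)

KNOWN_STRINGS = {
    "I just want to say LOVE YOU SAN!!",
    "billy gates why do you make this possible ? Stop making money and fix your softw",
    "tftp -i %s GET %s",
    "windows auto update",
}
# Substrings that reveal a capability regardless of the exact sample.
CAPABILITY_HINTS = {
    "tftp ": "fetches a file over TFTP (attacker side runs a tftp server)",
    "CurrentVersion\\Run": "persists through a Run key",
}
UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX!")

def extract_strings(data, min_len=4):
    """strings(1)-style: runs of printable ASCII of at least min_len bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]

def looks_upx_packed(data):
    """Assumption: stock UPX leaves UPX0/UPX1 section names and a 'UPX!' tag.
    Renamed sections defeat this; treat a False as 'not obviously UPX'."""
    return any(marker in data for marker in UPX_MARKERS)

def triage(data):
    """Summarise a binary: packer hint, string count, known-sample hits and
    capabilities inferred from generic substrings."""
    strings = extract_strings(data)
    capabilities = sorted({
        desc for s in strings
        for hint, desc in CAPABILITY_HINTS.items() if hint in s
    })
    return {
        "packed": looks_upx_packed(data),
        "string_count": len(strings),
        "known_hits": sorted(s for s in strings if s in KNOWN_STRINGS),
        "capabilities": capabilities,
    }

if __name__ == "__main__":
    for label, blob in (("packed", PACKED_SAMPLE), ("unpacked", UNPACKED_SAMPLE)):
        print(label, triage(blob))
```

On the packed buffer the report is short (packed, two strings, no hits), which is the point: a UPX-packed sample yields nothing useful to strings until it is unpacked, so a packer check should run first and a "clean" strings result on a packed file should not be trusted.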