
Thread: New worm Alert!Worm.Dvldr

  1. #1
    Junior Member (Join Date: Feb 2002, Posts: 7)

    New worm Alert! Worm.Dvldr

    I got the message below from a friend, please check it!

    Harbin Institute of Technology & Antiy United Cert Group

    Worm.Dvldr analysis report


    On Mar. 8th, 2003, Harbin Institute of Technology & Antiy United Cert Group found abnormal network communication on several monitoring nodes of China Telecom and the China Education and Research Network.

    The abnormal behaviour is as follows:

    1. The monitoring nodes found that several nodes were sending TCP port 445 packets to a large number of target hosts.

    2. Each abnormal node sends the packets to consecutive IP addresses.

    By checking back on the target hosts, we found what they had in common:

    1. The operating system is Windows NT/2000.

    2. The system has both port 5800 and port 5900 of the AT&T remote manager open.

    After that, we contacted the administrators of the target hosts in time and obtained samples.

    The results of the first check are as follows:

    In the system directory there is an executable program called Dvldr32.exe, which produces the abnormal communication by sending a large quantity of data packets.

    Besides, there are several abnormal files and abnormal registry key entries.

    The abnormal files are listed as follows:



    File name           Possible directory                                       Size (bytes)
    dvldr32.exe         %windir%/system32 (NT/2K) or %windir%/system (9x)        745,984
    explorer.exe        %windir%/fonts                                           212,992
    omnithread_rt.dll   %windir%/fonts                                           57,344
    VNCHooks.dll        %windir%/fonts                                           32,768
    rundll32.exe        %windir%/fonts                                           29,336
    cygwin1.dll         %windir%/system32 (NT/2K) or %windir%/system (9x)        944,968
    INST.exe            C:\Documents and Settings\All Users\Start Menu\Programs\Startup,
                        C:\WINDOWS\Start Menu\Programs\Startup\inst.exe, or
                        C:\WINNT\All Users\Start Menu\Programs\Startup\inst.exe  684,562


    The registry is modified as follows:

    REGEDIT4

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "TaskMan"="C:\\WINDOWS\\Fonts\\rundll32.exe"
    "Explorer"="C:\\WINDOWS\\Fonts\\explorer.exe"

    [HKEY_CURRENT_USER\Software\ORL]

    [HKEY_CURRENT_USER\Software\ORL\WinVNC3]
    "SocketConnect"=dword:00000001
    "AutoPortSelect"=dword:00000001
    "InputsEnabled"=dword:00000001
    "LocalInputsDisabled"=dword:00000000
    "IdleTimeout"=dword:00000000
    "QuerySetting"=dword:00000002
    "QueryTimeout"=dword:0000000a
    "Password"=hex:[here we do some shields]
    "PollUnderCursor"=dword:00000001
    "PollForeground"=dword:00000001
    "PollFullScreen"=dword:00000001
    "OnlyPollConsole"=dword:00000001
    "OnlyPollOnEvent"=dword:00000001

    [HKEY_CURRENT_USER\Software\ORL\VNCHooks]

    [HKEY_CURRENT_USER\Software\ORL\VNCHooks\Application_Prefs]

    [HKEY_CURRENT_USER\Software\ORL\VNCHooks\Application_Prefs\EXPLORER.EXE]

    The further analysis is as follows:

    Dvldr32.exe is packed with ASPack. This virus, written with MS VC 6.0, sends out a large number of packets with the aim of infecting the network. This file also includes 3 executable files. Two of them are "Psexesvc" and "Remote process launcher", command-line tools published by Sysinternals. They are not written to the file system and are called by Dvldr32.exe only. The other program is an install package made with an uncommon install tool. The package includes 5 files, 3 of which (Explorer.exe, VNCdll32.dll and Omnithread_rt.dll) are network management tools belonging to AT&T.

    Rundll32.dll is not the normal one from the Microsoft operating system. It may be a Linux program ported to Windows. We are still analysing its basic principle.

    Spread principle:

    When running, the program selects 2 IP ranges at random and connects to port 445 of the target host to get a network packet. Once the target machine's administrator password is null or is in the list included in this file, the program copies itself to that system.

    Backdoor:

    The virus uses the regular system management tool VNC (version 3.3.3.9) as its backdoor, and installs it on the target computer's operating system. Through some technical measures, the icon does not appear when VNC is running. Because VNC cannot connect to the computer when the machine is locked, this function is limited.

    What the user can do:

    Users with NT/2K must first set a strong admin password, then use AntiyPorts

    http://www.antiy.net/download/antiyports.exe

    or another process management tool to kill the process named dvldr32.exe. After doing this, the user must delete all files listed in the table above, and then restart the computer.

    The special kill tool & the further response message:

    Harbin Institute of Technology & Antiy United Cert Group will keep paying attention to the developing state of affairs, and we will release an in-depth analysis report.

    We will also release two versions (Chinese and English) of the special kill tool at about 21:40 Beijing Time (Mar. 8th, 2003).

    On Mar. 9th, 2003, Beijing Time, the anti-virus database will be updated.

    After that, you can download the Antiy Ghostbusters database file here:

    http://www.antiy.net/update/ex.gbl

    You can overwrite the same file in the Antiy Ghostbusters install path (default is :\Program Files\Antiy Labs\Antiy Ghostbusters).

    After that you can check for this worm with Antiy Ghostbusters.

    More information on Antiy Ghostbusters:

    http://www.antiy.net/ghostbusters


    password list of this worm
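    The report's network-side indicator is a single source sending TCP/445 traffic to a large number of hosts at consecutive IP addresses. The script below is an added example (not part of the forwarded report or of Antiy's tools) that applies that rule to flow records; the one-flow-per-line log format, the sample records and the thresholds are assumptions constructed for the example.

```python
"""Flag hosts that send TCP/445 traffic to many consecutive IP addresses,
the spread pattern the Dvldr32 report describes (added example)."""
import ipaddress
import re
from collections import defaultdict

# Constructed flow records in a hypothetical "one flow per line" export
# format.  10.1.2.3 behaves like the worm (40 consecutive targets on 445);
# 10.1.2.9 is a normal client talking to three file servers.
SAMPLE_FLOWS = "\n".join(
    [f"2003-03-08T10:00:{i:02d} src=10.1.2.3 dst=192.168.5.{i + 1} proto=tcp dport=445 syn=1"
     for i in range(40)]
    + [f"2003-03-08T10:01:00 src=10.1.2.9 dst=10.1.0.{d} proto=tcp dport=445 syn=1"
       for d in (5, 6, 7) for _ in range(10)]
    + ["2003-03-08T10:02:00 src=10.1.2.3 dst=10.1.0.5 proto=tcp dport=80 syn=1"]
)

FLOW_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) dport=(?P<dport>\d+)")


def longest_consecutive_run(addresses):
    """Length of the longest run of numerically adjacent IPv4 addresses."""
    ints = sorted({int(ipaddress.IPv4Address(a)) for a in addresses})
    best = run = 1 if ints else 0
    for prev, cur in zip(ints, ints[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def find_scanners(log_text, port=445, min_targets=20, min_run=10):
    """Per source: distinct targets on `port`, longest consecutive-address run,
    and whether both exceed the (assumed) thresholds for a sweep."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = FLOW_RE.search(line)
        if not m or m["proto"] != "tcp" or int(m["dport"]) != port:
            continue
        targets[m["src"]].add(m["dst"])
    report = {}
    for src, dsts in targets.items():
        run = longest_consecutive_run(dsts)
        report[src] = {
            "targets": len(dsts),
            "consecutive_run": run,
            "suspicious": len(dsts) >= min_targets and run >= min_run,
        }
    return report


if __name__ == "__main__":
    for src, info in find_scanners(SAMPLE_FLOWS).items():
        flag = "SWEEP" if info["suspicious"] else "ok"
        print(f"{src:<12} targets={info['targets']:<4} run={info['consecutive_run']:<4} {flag}")
```

    Counting distinct destinations alone would also flag a busy file-server client; requiring a long run of adjacent addresses separates a sequential sweep from ordinary SMB use, which is the distinction the monitoring nodes relied on.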

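    The host-side indicators in the report are Run entries pointing at executables under the Fonts directory and a WinVNC3 configuration key under HKEY_CURRENT_USER\Software\ORL. The following added example (not the report's or Antiy's code) parses a REGEDIT4-style export and reports those two indicators; the sample export is constructed from the keys quoted above plus one benign Run entry, and the password value is left out.

```python
"""Check a REGEDIT4 export for the registry indicators in the Dvldr32 report
(added example)."""
import re

# Constructed export: the Run and WinVNC3 keys quoted in the report, plus a
# benign "ExampleUpdater" entry so the filter has something to ignore.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskMan"="C:\\WINDOWS\\Fonts\\rundll32.exe"
"Explorer"="C:\\WINDOWS\\Fonts\\explorer.exe"
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"

[HKEY_CURRENT_USER\Software\ORL\WinVNC3]
"SocketConnect"=dword:00000001
"AutoPortSelect"=dword:00000001
"QueryTimeout"=dword:0000000a
"""

SECTION_RE = re.compile(r"^\[(.+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.+)$')

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
VNC_KEY = r"HKEY_CURRENT_USER\Software\ORL\WinVNC3"


def parse_reg_export(text):
    """Return {key_path: {value_name: raw_value}} for a REGEDIT4 export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m["name"]] = m["value"]
    return keys


def reg_string(raw):
    """Decode a quoted REG string value (doubled backslashes); None otherwise."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1].replace("\\\\", "\\")
    return None


def lookup(keys, path):
    """Case-insensitive key lookup, since registry paths are not case-sensitive."""
    for k, v in keys.items():
        if k.lower() == path.lower():
            return v
    return None


def find_indicators(keys):
    """List (indicator, name, detail) tuples for the report's registry IoCs."""
    findings = []
    for name, raw in (lookup(keys, RUN_KEY) or {}).items():
        path = reg_string(raw)
        if path and "\\fonts\\" in path.lower():
            findings.append(("run_entry_in_fonts_dir", name, path))
    vnc = lookup(keys, VNC_KEY)
    if vnc is not None and vnc.get("SocketConnect", "").lower() == "dword:00000001":
        findings.append(("winvnc3_socket_connect_enabled", VNC_KEY, ""))
    return findings


if __name__ == "__main__":
    for indicator, name, detail in find_indicators(parse_reg_export(SAMPLE_REG)):
        print(indicator, name, detail)
```

    The Fonts-directory test is the cheap discriminator here: legitimate explorer.exe and rundll32.exe live in the Windows or system directory, never under Fonts, so any autostart entry resolving there matches the file table above.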
  2. #2
    MrLinus, Just a Virtualized Geek (Join Date: Sep 2001, Location: Redondo Beach, CA, Posts: 7,323)
    http://www.net-security.org/virus_item.php?id=4433

    Ah. So this is why there was such an increase in the probes of port 445 recently at http://www.incidents.org .

    Windows people should be looking for a patch or AV updates.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  3. #3
    Senior Member (Join Date: Jan 2002, Posts: 244)

    Re: New worm Alert!Worm.Dvldr

    Thanks for the link for downloading antiyports.exe, it's a nice tool!!

    Greenies for you.
    I'm gone, thanks everyone for so much fun and good info.
    Cheers and goodbye.
