Harbin Institute of Technology & Antiy United Cert Group

Worm.Dvldr analysis report
(Download Check and Kill Tool, It's Free)



On Mar. 8th, 2003, Harbin Institute of Technology & Antiy United Cert Group found abnormal network communication on several monitor nodes of China Telecom and the China Education and Research Network.



The abnormal behavior was as follows:

1. The monitor nodes found that several nodes were sending TCP port 445 packets to a large number of target hosts.

2. Each abnormal node sent the packets to consecutive IP addresses.

Through reverse checking we found what the target hosts had in common:

1. The operating system is Windows NT/2000.

2. The operating system had both ports 5800 and 5900 of the AT&T remote manager open.



After that, we promptly contacted the administrators of the target hosts and obtained the samples.

The initial examination results are as follows:

Under the system directory, there is an executable program called Dvldr32.exe, which produces the abnormal communication by sending a large quantity of data packets.

Besides, there are several abnormal files and abnormal registry key assignments.

The abnormal files are listed below:



File name            Possible directory                                                Size
dvldr32.exe          %windir%/system32 (NT/2K)                                         745,984
                     %windir%/system (9x)
explorer.exe         %windir%/fonts                                                    212,992
omnithread_rt.dll    %windir%/fonts                                                    57,344
VNCHooks.dll         %windir%/fonts                                                    32,768
rundll32.exe         %windir%/fonts                                                    29,336
cygwin1.dll          %windir%/system32 (NT/2K)                                         944,968
                     %windir%/system (9x)
INST.exe             Cocuments and Settings\All Users\Start Menu\Programs\Startup      684,562
                     C:\WINDOWS\Start Menu\Programs\Startup\inst.exe
                     C:\WINNT\All Users\Start Menu\Programs\Startup\inst.exe


The registry is modified as follows:

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskMan"="C:\\WINDOWS\\Fonts\\rundll32.exe"
"Explorer"="C:\\WINDOWS\\Fonts\\explorer.exe"

[HKEY_CURRENT_USER\Software\ORL]

[HKEY_CURRENT_USER\Software\ORL\WinVNC3]
"SocketConnect"=dword:00000001
"AutoPortSelect"=dword:00000001
"InputsEnabled"=dword:00000001
"LocalInputsDisabled"=dword:00000000
"IdleTimeout"=dword:00000000
"QuerySetting"=dword:00000002
"QueryTimeout"=dword:0000000a
"Password"=hex:[here we do some shields]
"PollUnderCursor"=dword:00000001
"PollForeground"=dword:00000001
"PollFullScreen"=dword:00000001
"OnlyPollConsole"=dword:00000001
"OnlyPollOnEvent"=dword:00000001

[HKEY_CURRENT_USER\Software\ORL\VNCHooks]

[HKEY_CURRENT_USER\Software\ORL\VNCHooks\Application_Prefs]

[HKEY_CURRENT_USER\Software\ORL\VNCHooks\Application_Prefs\EXPLORER.EXE]
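A check for the registry changes listed above, added here as an example and not part of the original report or of any Antiy tool: it parses a REGEDIT4 export and flags Run-key values whose executable lives under a Fonts directory, plus the presence of the WinVNC3 settings key. The function names, the hit labels and the benign "SystemTray" entry in the sample are assumptions made for the illustration.

```python
import re

# Constructed sample: the Run values from the listing above plus one benign
# entry ("SystemTray" is an assumption, added only for contrast).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskMan"="C:\\WINDOWS\\Fonts\\rundll32.exe"
"Explorer"="C:\\WINDOWS\\Fonts\\explorer.exe"
"SystemTray"="SysTray.Exe"

[HKEY_CURRENT_USER\Software\ORL\WinVNC3]
"SocketConnect"=dword:00000001
'''

RUN_KEY = r"\software\microsoft\windows\currentversion\run"
VNC_KEY = r"hkey_current_user\software\orl\winvnc3"

def parse_reg(text):
    """Return {key_path: {value_name: raw_data}} from a REGEDIT4 export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                current[m.group(1)] = m.group(2)
    return keys

def find_indicators(text):
    """Return a list of (label, name, path) hits for the changes in the report."""
    hits = []
    for key, values in parse_reg(text).items():
        k = key.lower()
        if k.endswith(RUN_KEY):
            for name, data in values.items():
                # String data is quoted and has its backslashes doubled.
                path = data.strip('"').replace("\\\\", "\\").lower()
                if "\\fonts\\" in path and path.endswith(".exe"):
                    hits.append(("run-from-fonts", name, path))
        elif k == VNC_KEY:
            # A genuine WinVNC 3.x install also creates this key: review, not proof.
            hits.append(("winvnc3-settings", key, None))
    return hits
```
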

Further analysis is as follows:

Dvldr32.exe is packed with ASPack. This virus, written with MS VC 6.0, sends out a large number of packets with the aim of infecting the network. The file also contains 3 executable files. Two of them are "Psexesvc" and "Remote process launcher". They are command-line tools published by Sysinternals Corporation. They are not written to the file system and are called only by Dvldr32.exe. The other program is an installation package made with an uncommon install tool. The package includes 5 files, 3 of which (Explorer.exe, VNCdll32.dll and Omnithread_rt.dll) are network management tools belonging to AT&T.

Rundll32.dll is not the normal one from the Microsoft operating system. It may be a Linux program ported to Windows. We are still analyzing how it works.

Spread principle:

When running, the program selects 2 IP ranges at random and connects to port 445 of each target host to obtain network packets. If the target machine's administrator password is empty or is in the list embedded in this file, the program copies itself to that system.
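The scanning pattern described here and seen on the monitor nodes (one source sending TCP 445 traffic to many consecutive addresses) can be detected from flow records. The following is an added example, not code from the original report; the record layout, function names and thresholds are assumptions, and the sample flows are constructed from documentation address ranges.

```python
from collections import defaultdict
from ipaddress import IPv4Address

def longest_run(addrs):
    """Length of the longest run of numerically consecutive IPv4 addresses."""
    nums = sorted({int(IPv4Address(a)) for a in addrs})
    best = run = 1 if nums else 0
    for prev, cur in zip(nums, nums[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def sequential_smb_scanners(flows, min_targets=20, min_run=10):
    """flows: iterable of (src_ip, dst_ip, dst_port).

    Flags sources that contact at least min_targets distinct hosts on TCP 445
    with at least min_run of them consecutive. Both thresholds are assumptions
    to tune against the baseline of the monitored network.
    """
    targets = defaultdict(set)
    for src, dst, port in flows:
        if port == 445:
            targets[src].add(dst)
    return sorted(
        src for src, dsts in targets.items()
        if len(dsts) >= min_targets and longest_run(dsts) >= min_run
    )

def sample_flows():
    """Constructed flow records, not real traffic."""
    # Sweep of 60 consecutive addresses on port 445: should be flagged.
    flows = [("192.0.2.10", f"198.51.100.{i}", 445) for i in range(1, 61)]
    # Client talking repeatedly to one file server: one target only.
    flows += [("192.0.2.20", "198.51.100.5", 445)] * 40
    # Sequential sweep on another port: ignored.
    flows += [("192.0.2.30", f"203.0.113.{i}", 80) for i in range(1, 61)]
    # Many port 445 targets, none adjacent: not flagged by this rule.
    flows += [("192.0.2.40", f"203.0.113.{i * 7 % 250}", 445) for i in range(30)]
    return flows
```
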

Backdoor:

The virus uses a regular system management tool, VNC (version 3.3.3.9), as its backdoor and installs it on the target computer's operating system. Through some technical measures, the icon does not appear when VNC is running. Because VNC cannot connect to the computer when the machine is locked, this function is limited.

What users can do:

Users with an NT/2K OS must first set a strong admin password, then use AntiyPort

http://www.antiy.net/download/antiyports.exe

or another process management tool to kill the process named dvldr32.exe. After doing this, delete all the files that appear in the table above, and then restart the computer.



The dedicated kill tool and follow-up response information:

Harbin Institute of Technology & Antiy United Cert Group will continue to follow developments, and we will release an in-depth analysis report.

Free Kill Tool

http://www.antiy.net/download/killdvldr.exe

On Mar. 9th, 2003, Beijing time, the anti-virus database of Antiy Ghostbusters will be updated.

After that, you can download the Antiy Ghostbusters database file here:

http://www.antiy.net/update/ex.gbl

You can overwrite the same file in the Antiy Ghostbusters install path (default is :\Program Files\Antiy Labs\Antiy Ghostbusters).

After that, you can check for this worm with Antiy Ghostbusters.

More information on Antiy Ghostbusters:

http://www.antiy.net/ghostbusters


Password list of this worm:

.data:0040A038 dd offset aAdmin ; "admin"
.data:0040A03C dd offset aAdmin_0 ; "Admin"
.data:0040A040 dd offset aPassword ; "password"
.data:0040A044 dd offset aPassword_0 ; "Password"
.data:0040A048 dd offset a1 ; "1"
.data:0040A04C dd offset a12 ; "12"
.data:0040A050 dd offset a123 ; "123"
.data:0040A054 dd offset a1234 ; "1234"
.data:0040A058 dd offset a12345 ; "12345"
.data:0040A05C dd offset a123456 ; "123456"
.data:0040A060 dd offset a1234567 ; "1234567"
.data:0040A064 dd offset a12345678 ; "12345678"
.data:0040A068 dd offset a123456789 ; "123456789"
.data:0040A06C dd offset a654321 ; "654321"
.data:0040A070 dd offset a54321 ; "54321"
.data:0040A074 dd offset a111 ; "111"
.data:0040A078 dd offset a000000 ; "000000"
.data:0040A07C dd offset a00000000 ; "00000000"
.data:0040A080 dd offset a11111111 ; "11111111"
.data:0040A084 dd offset a88888888 ; "88888888"
.data:0040A088 dd offset aPass ; "pass"
.data:0040A08C dd offset aPasswd ; "passwd"
.data:0040A090 dd offset aDatabase ; "database"
.data:0040A094 dd offset aAbcd ; "abcd"
.data:0040A098 dd offset aAbc123 ; "abc123"
.data:0040A09C dd offset aOracle ; "oracle"
.data:0040A0A0 dd offset aSybase ; "sybase"
.data:0040A0A4 dd offset a123qwe ; "123qwe"
.data:0040A0A8 dd offset aServer ; "server"
.data:0040A0AC dd offset aComputer ; "computer"
.data:0040A0B0 dd offset aInternet ; "Internet"
.data:0040A0B4 dd offset aSuper ; "super"
.data:0040A0B8 dd offset a123asd ; "123asd"
.data:0040A0BC dd offset aIhavenopass ; "ihavenopass"
.data:0040A0C0 dd offset aGodblessyou ; "godblessyou"
.data:0040A0C4 dd offset aEnable ; "enable"
.data:0040A0C8 dd offset aXp ; "xp"
.data:0040A0CC dd offset a2002 ; "2002"
.data:0040A0D0 dd offset a2003 ; "2003"
.data:0040A0D4 dd offset a2600 ; "2600"
.data:0040A0D8 dd offset a0 ; "0"
.data:0040A0DC dd offset a110 ; "110"
.data:0040A0E0 dd offset a111111 ; "111111"
.data:0040A0E4 dd offset a121212 ; "121212"
.data:0040A0E8 dd offset a123123 ; "123123"
.data:0040A0EC dd offset a1234qwer ; "1234qwer"
.data:0040A0F0 dd offset a123abc ; "123abc"
.data:0040A0F4 dd offset a007 ; "007"
.data:0040A0F8 dd offset aAlpha ; "alpha"
.data:0040A0FC dd offset aPatrick ; "patrick"
.data:0040A100 dd offset aPat ; "pat"
.data:0040A104 dd offset aAdministrator ; "administrator"
.data:0040A108 dd offset aRoot ; "root"
.data:0040A10C dd offset aSex ; "sex"
.data:0040A110 dd offset aGod ; "god"
.data:0040A114 dd offset aFoobar ; "foobar"
.data:0040A118 dd offset aA ; "a"
.data:0040A11C dd offset aAaa ; "aaa"
.data:0040A120 dd offset aAbc ; "abc"
.data:0040A124 dd offset aTest ; "test"
.data:0040A128 dd offset aTest123 ; "test123"
.data:0040A12C dd offset aTemp ; "temp"
.data:0040A130 dd offset aTemp123 ; "temp123"
.data:0040A134 dd offset aWin ; "win"
.data:0040A138 dd offset aPc ; "pc"
.data:0040A13C dd offset aAsdf ; "asdf"
.data:0040A140 dd offset aSecret ; "secret"
.data:0040A144 dd offset aQwer ; "qwer"
.data:0040A148 dd offset aYxcv ; "yxcv"
.data:0040A14C dd offset aZxcv ; "zxcv"
.data:0040A150 dd offset aHome ; "home"
.data:0040A154 dd offset aXxx ; "xxx"
.data:0040A158 dd offset aOwner ; "owner"
.data:0040A15C dd offset aLogin ; "login"
.data:0040A160 dd offset aLogin_0 ; "Login"
.data:0040A164 dd offset aPwd ; "pwd"
.data:0040A168 dd offset aPass ; "pass"
.data:0040A16C dd offset aLove ; "love"
.data:0040A170 dd offset aMypc ; "mypc"
.data:0040A174 dd offset aMypc123 ; "mypc123"
.data:0040A178 dd offset aAdmin123 ; "admin123"
.data:0040A17C dd offset aPw123 ; "pw123"
.data:0040A180 dd offset aMypass ; "mypass"
.data:0040A184 dd offset aMypass123 ; "mypass123"