Saturday, February 25, 2012

Worm:Win32/Rorpian


Encyclopedia entry
Updated: May 19, 2011  |  Published: Mar 19, 2011

Aliases
Not available

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.121.332.0
Released: Feb 24, 2012
Detection initially created:
Definition: 1.99.1548.0
Released: Mar 19, 2011



Summary

Worm:Win32/Rorpian is a family of worms capable of spreading through network shares and by exploiting vulnerabilities such as the Domain Name System (DNS) Server Service vulnerability. The worm usually downloads additional malware onto the affected computer.



Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • The presence of the following files:

    %TEMP%\srv950.tmp
    %TEMP%\srv864.tmp
    %TEMP%\srv950.ini
    %TEMP%\srv864.ini
    setup.fon
    setup.lnk
    myporno.avi.lnk
    pornmovs.lnk
    autorun.inf
  • The presence of the following registry modifications:

    In subkey: HKLM\system\currentcontrolset\services\srv\parameters
    Sets value: "servicedll"
    With data: "\\?\globalroot\device\harddiskvolume1\%TEMP%\srv.tmp"
    In subkey: HKLM\software\microsoft\windows nt\currentversion\svchost
    Sets value: "netsvcs"
    With data: "srv"

    In subkey: HKLM\system\currentcontrolset\services\srv
    Sets value: "imagepath"
    With data: "%systemroot%\system32\svchost.exe -k netsvcs"

    In subkey: HKLM\system\currentcontrolset\control\safeboot\minimal\srv
    Sets value: "(default)"
    With data: "service"



Technical Information (Analysis)

Worm:Win32/Rorpian is a family of worms capable of spreading through network shares and by exploiting vulnerabilities such as the Domain Name System (DNS) Server Service vulnerability. The worm usually downloads additional malware onto the affected computer.
Installation
Upon execution, Worm:Win32/Rorpian copies itself to the %TEMP% folder using a file name in the format “srv<random number>.tmp”. For example:
  • %TEMP%\srv950.tmp
  • %TEMP%\srv864.tmp
It also creates a text file in the %TEMP% folder with the same name as its dropped copy, but with a “.ini” extension. For example:
  • %TEMP%\srv950.ini
  • %TEMP%\srv864.ini
The worm then creates the following registry entries to ensure its copy executes at each Windows start:
In subkey: HKLM\system\currentcontrolset\services\srv\parameters
Sets value: "servicedll"
With data: "\\?\globalroot\device\harddiskvolume1\%TEMP%\srv<random number>.tmp"
In subkey: HKLM\software\microsoft\windows nt\currentversion\svchost
Sets value: "netsvcs"
With data: "srv<random number>"
In subkey: HKLM\system\currentcontrolset\services\srv<random number>
Sets value: "imagepath"
With data: "%systemroot%\system32\svchost.exe -k netsvcs"
In subkey: HKLM\system\currentcontrolset\control\safeboot\minimal\srv<random number>
Sets value: "(default)"
With data: "service"
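The persistence chain above (a service DLL hidden behind a \\?\globalroot\ path, a srv<random number> entry in the netsvcs svchost group, and a matching SafeBoot\Minimal key) can be checked from the defender's side without touching anything. The following read-only PowerShell script is an added example written for this page; it is not part of the original encyclopedia entry or Microsoft's own tooling. It assumes the "srv<random number>" naming the entry describes, treats a ServiceDll that ends in ".tmp" or sits under \\?\globalroot\ as suspicious because the entry quotes both traits, and uses only the registry paths and file locations quoted above. The function name Find-RorpianArtifacts is the author's own.

```powershell
# Added example: read-only check for the Worm:Win32/Rorpian persistence
# artifacts quoted in the entry. Not part of the original analysis.
# Assumptions: service keys follow the "srv<random number>" pattern; a
# ServiceDll ending in ".tmp" or under \\?\globalroot\ is suspicious.

function Find-RorpianArtifacts {
    $findings = New-Object System.Collections.Generic.List[object]

    function Add-Finding($Artifact, $Location, $Value) {
        $findings.Add([pscustomobject]@{
            Artifact = $Artifact; Location = $Location; Value = $Value
        })
    }

    # 1. Service keys named srv or srv<number> whose ServiceDll points at a
    #    .tmp file or a \\?\globalroot\ path (the entry quotes both traits).
    $svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($svc in (Get-ChildItem -Path $svcRoot -ErrorAction SilentlyContinue)) {
        if ($svc.PSChildName -notmatch '^srv\d*$') { continue }
        $paramsKey = Join-Path -Path $svc.PSPath -ChildPath 'Parameters'
        $dll = (Get-ItemProperty -Path $paramsKey -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if ($dll -and ($dll -match '\.tmp$' -or $dll -match '\\globalroot\\')) {
            Add-Finding 'ServiceDll' "$svcRoot\$($svc.PSChildName)\Parameters" $dll
            $image = (Get-ItemProperty -Path $svc.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
            if ($image) { Add-Finding 'ImagePath' "$svcRoot\$($svc.PSChildName)" $image }
        }
    }

    # 2. The netsvcs svchost group (REG_MULTI_SZ): a srv<number> entry here is
    #    what makes "svchost.exe -k netsvcs" load the worm's DLL.
    $svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
    $groups = (Get-ItemProperty -Path $svchostKey -Name netsvcs -ErrorAction SilentlyContinue).netsvcs
    foreach ($entry in @($groups)) {
        if ($entry -match '^srv\d+$') { Add-Finding 'netsvcs group entry' $svchostKey $entry }
    }

    # 3. SafeBoot\Minimal\srv<number>: keeps the service starting in Safe Mode.
    $safeBoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal'
    foreach ($key in (Get-ChildItem -Path $safeBoot -ErrorAction SilentlyContinue)) {
        if ($key.PSChildName -match '^srv\d+$') {
            $default = (Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue).'(default)'
            Add-Finding 'SafeBoot entry' "$safeBoot\$($key.PSChildName)" $default
        }
    }

    # 4. Dropped copies (srv<number>.tmp) and their .ini companions in %TEMP%.
    foreach ($file in (Get-ChildItem -Path $env:TEMP -File -Filter 'srv*' -ErrorAction SilentlyContinue)) {
        if ($file.Name -match '^srv\d+\.(tmp|ini)$') {
            Add-Finding 'Dropped file' $file.FullName ('{0} bytes' -f $file.Length)
        }
    }

    return $findings
}

$results = @(Find-RorpianArtifacts)
if ($results.Count -eq 0) {
    Write-Output 'No Rorpian-style persistence artifacts found.'
} else {
    $results | Format-Table -AutoSize
}
```

The script only reads the registry and the current user's %TEMP%, so it is safe to run on a suspect machine before any cleanup; the ServiceDll check is the strongest signal, because a DLL-hosted service whose DLL lives in a temp directory behind a \\?\globalroot\ path is exactly the layout the entry describes, while a lone srv<number>.tmp in %TEMP% is weaker on its own. Any hit should be followed by a full scan with current definitions rather than manual key deletion, since the worm also drops copies on network shares.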
Spreads via...
Network shares
Worm:Win32/Rorpian spreads by enumerating all network shares and copying itself to each share, along with a number of other files. It also creates an autorun.inf file that launches the worm executable when the share is accessed, as well as a shortcut (.LNK) file that exploits the vulnerability described in Microsoft Security Bulletin MS10-046.
The files it creates in discovered shares are listed below:
Via exploits
Some variants of Worm:Win32/Rorpian can also spread by exploiting a vulnerability in the Domain Name System (DNS) Server Service. The worm scans the network for exploitable computers and copies itself to any computer found to be vulnerable. More information about this vulnerability can be found in Microsoft Security Bulletin MS07-029.
Payload
Downloads and executes arbitrary files
Worm:Win32/Rorpian is also capable of downloading and executing additional malware on the compromised computer. It contacts a particular IP address and downloads files to the %Windows%\temp folder using file names such as "e.tmp", "f.tmp", and "10.tmp". It may contact a number of URLs of the formats shown below:
  • hxxp://<domain>//srv
  • hxxp://<domain>/service/listerner.php?affid=<number>
  • hxxp://<domain>//dll
  • hxxp://<domain>/service/scripts/files/aff_<number>.dll
  • hxxp://<domain>/soft/installer_m_<number>.exe
At the time of writing, variants of this worm have been observed downloading Win32/Alureon onto the affected computer. Later variants have also been observed downloading and installing Rogue:Win32/FakeRean.
Analysis by Amir Fouda
