Detection added	Jan 07 2009
Update released	Jan 08 2009 05:44 GMT
Description added	Feb 20 2009

• Technical details
• Payload
• Removal instructions

This network worm spreads via local networks and removable storage media. When it copies itself to remote computers, the worm creates a temporary file with a random extension. The program itself is a Windows PE DLL file. The worm components vary in size from 155KB to 165KB. It is packed using UPX.

Installation

The worm copies its executable file with random names as shown below:

%System%\<rnd>dir.dll
%Program Files%\Internet Explorer\<rnd>.dll 
%Program Files%\Movie Maker\<rnd>.dll 
%All Users Application Data%\<rnd>.dll 
%Temp%\<rnd>.dll 
%System%\<rnd>tmp 
%Temp%\<rnd>.tmp

<rnd> is a random string of symbols.

In order to ensure that the worm is launched next time the system is started, it creates a system service which launches the worm’s executable file each time Windows is booted. The following registry key will be created:

[HKLM\SYSTEM\CurrentControlSet\Services\netsvcs]

The worm also modifies the following system registry key value:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"netsvcs" = "<original value> %System%\<rnd>.dll"

Propagation

The worm then launches an HTTP server on a random TCP port; this is then used to download the worm's executable file to other computers.

The worm gets the IP addresses of computers in the same network as the victim machine and attacks them via a buffer overrun vulnerability (MS08-067) in the Server service. The worm sends a specially crafted RPC request to remote machines. This causes a buffer overrun when the wcscpy_s function is called in netapi32.dll; this launches code that downloads the worm's executable file to the victim machine and launches it. The worm is then installed on the new victim machine.

In order to exploit the vulnerability described above, the worm attempts to connect to the Administrator account on the remote machine. The worm uses the passwords shown below to brute force the account:

Spreading via removable storage media

The worm copies its executable file to all removable media under the following name:

<X>:\RECYCLER\S-<%d%>-<%d%>-%d%>-%d%>-%d%>-%d%>-%d%>\<rnd>.vmx,

In addition to its executable file, the worm also places the file shown below in the root of every disk:

<X>:\autorun.inf

This file will launch the worm's executable file each time Explorer is used to open the infected disk.

When launched, the worm injects its code in the address space of one of the active “svchost.exe” system processes. This code delivers the worm's main malicious payload and:

• disables the following services:

  wuauserv
  BITS

• blocks access to addresses which contain any of the strings listed below:

  indowsupdate
  wilderssecurity
  threatexpert
  castlecops
  spamhaus
  cpsecure
  arcabit
  emsisoft
  sunbelt
  securecomputing
  rising
  prevx
  pctools
  norman
  k7computing
  ikarus
  hauri
  hacksoft
  gdata
  fortinet
  ewido
  clamav
  comodo
  quickheal
  avira
  avast
  esafe
  ahnlab
  centralcommand
  drweb
  grisoft
  eset
  nod32
  f-prot
  jotti
  kaspersky
  f-secure
  computerassociates
  networkassociates
  etrust
  panda
  sophos
  trendmicro
  mcafee
  norton
  symantec
  microsoft
  defender
  rootkit
  malware
  spyware
  virus

The worm may also download files from links of the type shown below:

http://<URL>/search?q=<%rnd2%> 

rnd2 is a random number; URL is a link generated by a special algorithm which uses the current date. The worm gets the current date from one of the sites shown below:

http://www.w3.org
http://www.ask.com
http://www.msn.com
http://www.yahoo.com
http://www.google.com
http://www.baidu.com

Downloaded files are saved to the Windows system directory under their original names.

If your computer does not have an up-to-date antivirus solution, or does not have an antivirus solution at all, you can either use a special removal tool (which can be found here or follow the instructions below:

1. Delete the following system registry key:

   [HKLM\SYSTEM\CurrentControlSet\Services\netsvcs] 

2. Delete “%System%\<rnd>.dll” from the system registry key value shown below:

   [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
   "netsvcs"

3. Reboot the computer.
4. Delete the original worm file (the location will depend on how the program originally penetrated the victim machine).
5. Delete copies of the worm:

   %System%\<rnd>dir.dll
   %Program Files%\Internet Explorer\<rnd>.dll 
   %Program Files%\Movie Maker\<rnd>.dll 
   %All Users Application Data%\<rnd>.dll 
   %Temp%\<rnd>.dll 
   %System%\<rnd>tmp 
   %Temp%\<rnd>.tmp

   <rnd> is a random string of symbols.

6. Delete the files shown below from all removable storage media:

   <X>:\autorun.inf
   <X>:\RECYCLER\S-<%d%>-<%d%>-%d%>-%d%>-%d%>-%d%>-%d%>\<rnd>.vmx,
   

7. Download and install updates for the operating system:

    http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

   Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).