[Dshield] anti-mydoom worm

David Vincent david.vincent at mightyoaks.com
Thu Feb 12 17:33:23 GMT 2004


> Just noticed it on the register site. 
> 
> http://www.theregister.co.uk/content/56/35524.html
> 
> "A new variant of the Nachi worm which attempts to cleanse computers
> infected by MyDoom and download Microsoft security patches to unprotected
> computers has careened onto the Net this morning. "
> 
> sophos http://www.sophos.com/virusinfo/analyses/w32nachib.html
> 
> 
> it's all going mad I tell you.
> 
> ~Andy


from the packet-ninjas mailing list:

daniel, hope you don't mind.

-d


-----Original Message-----
From: daniel uriah clemens
[mailto:daniel_clemens at autism.birmingham-infragard.org]
Sent: Wednesday February 11, 2004 5:28 PM
To: birmingham-infragard at birmingham-infragard.org
Cc: packet-ninjas at birmingham-infragard.org
Subject: [Packet-ninjas-syn-k1ck] nachi.b is out.



Arrival and Installation

This worm creates a MUTEX, Wkspatch_mutex, to check if it is already
memory-resident. It drops a copy of itself as the file SVCHOST.EXE in the
Windows system folder.

It adds the following registry key so that it executes as a service every
Windows startup:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WksPatch

Network Propagation and Exploits

This Nachi variant takes advantage of the following vulnerabilities:

    * Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability
    * WebDAV vulnerability
    * IIS5/WEBDAV Buffer Overrun vulnerability

For more information about these Windows vulnerabilities, please refer to
the following Microsoft Web pages:

    * Microsoft Security Bulletin MS03-026
    * Microsoft Security Bulletin MS03-007
    * Microsoft Security Bulletin MS03-049

Downloading Patches

This malware also patches the system against the RPC DCOM Buffer Overflow
vulnerability.

First, it scans the operating system version and locale information. Next,
it checks for Internet connectivity by connecting to the following sites:

    * google.com
    * intel.com
    * microsoft.com

It then downloads the appropriate patch from a designated Microsoft Web
site. After executing the said patch, it restarts the system.

Some of the patches that it uploads to the system are as follows:

    * http://download.microsoft.com/download/4/d/3/4d375d48-04c7-411f-959b-3467c5ef1e9a/WindowsXP-KB828035-x86-CHS.exe
    * http://download.microsoft.com/download/a/4/3/a43ea017-9abd-4d28-a736-2c17dd4d7e59/WindowsXP-KB828035-x86-KOR.exe
    * http://download.microsoft.com/download/e/a/e/eaea4109-0870-4dd3-88e0-a34035dc181a/WindowsXP-KB828035-x86-ENU.exe
    * http://download.microsoft.com/download/9/c/5/9c579720-63e9-478a-bdcb-70087ccad56c/Windows2000-KB828749-x86-CHS.exe
    * http://download.microsoft.com/download/0/8/4/084be8b7-e000-4847-979c-c26de0929513/Windows2000-KB828749-x86-KOR.exe
    * http://download.microsoft.com/download/3/c/6/3c6d56ff-ff8e-4322-84cb-3bf9a915e6d9/Windows2000-KB828749-x86-ENU.exe

Other Details

The following text can be found in the body of this malware:

LET HISTORY TELL FUTURE !

1931.9.18
1937.7.7
1937.12.13 300,000 !

1941.12.7
1945.8.6 Little boy
1945.8.9 Fatso

1945.8.15
Let history tell future !


Analysis by: Alejandro Mendoza III



Description created: 4 hours, 22 minutes ago
(Feb. 11, 2004 5:37:57 PM GMT -0800)
Description updated: 4 hours, 22 minutes ago
(Feb. 11, 2004 5:37:55 PM GMT -0800)



-Daniel Uriah Clemens

Esse quam videra
    (to be, rather than to appear)
    -Moments of Sorrow are Moments of Sobriety
    { o)2059686335   c)2055676850 }

_______________________________________________
Packet-ninjas mailing list
Packet-ninjas at birmingham-infragard.org
http://birmingham-infragard.org/mailman/listinfo/packet-ninjas
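The forwarded write-up names the artefacts Nachi.B leaves on a host: a service called WksPatch under HKLM\System\CurrentControlSet\Services, a mutex named Wkspatch_mutex, and a dropped copy named SVCHOST.EXE. The following read-only PowerShell check is an added example, not part of the DShield post or of the vendor description it forwards. The service and mutex names come from the description; the list of locations where a stock Windows install legitimately keeps svchost.exe (System32, SysWOW64 and the WinSxS servicing store) is an assumption and should be adjusted for the build being checked.

```powershell
# Added example (not from the DShield post or the forwarded vendor write-up): a read-only
# check of one Windows host for the Nachi.B artefacts the description names.
# Known from the description: service name WksPatch, mutex Wkspatch_mutex, dropped file
# name SVCHOST.EXE. Assumed: the legitimate svchost.exe locations listed in $legit.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Persistence: the service key the worm registers so it runs at every startup.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\WksPatch'
if (Test-Path -Path $svcKey) {
    $image = (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).ImagePath
    $findings.Add("Service registry key present: $svcKey (ImagePath: $image)")
}

# 2. The same indicator as seen through the Service Control Manager.
$svc = Get-Service -Name 'WksPatch' -ErrorAction SilentlyContinue
if ($svc) {
    $findings.Add("Service 'WksPatch' is registered, status: $($svc.Status)")
}

# 3. Memory-resident marker: the mutex the worm creates to avoid running twice.
#    OpenExisting only sees the current session's namespace, so a miss is not proof
#    of absence; 'access denied' means the mutex exists but another account owns it.
try {
    $m = [System.Threading.Mutex]::OpenExisting('Wkspatch_mutex')
    $m.Dispose()
    $findings.Add('Mutex Wkspatch_mutex is currently held by a running process')
} catch [System.Threading.WaitHandleCannotBeOpenedException] {
    # mutex not present in this session: nothing to report
} catch [System.UnauthorizedAccessException] {
    $findings.Add('Mutex Wkspatch_mutex exists (access denied when opening it)')
}

# 4. Dropped file: svchost.exe anywhere under the Windows directory except the
#    locations a stock install uses (assumption; adjust for your build).
$legit = @(
    (Join-Path $env:SystemRoot 'System32\svchost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')
)
Get-ChildItem -Path $env:SystemRoot -Filter 'svchost.exe' -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $legit -notcontains $_.FullName -and $_.FullName -notlike "$env:SystemRoot\WinSxS\*" } |
    ForEach-Object { $findings.Add("svchost.exe outside its stock location: $($_.FullName)") }

if ($findings.Count -eq 0) {
    'No Nachi.B host indicators found'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Run it from an elevated PowerShell session so the service key and the whole Windows directory are readable. The service key and the service object are the most reliable of the four checks; the mutex probe is session-scoped, and the file search only flags copies outside the assumed stock locations, so a clean result there says nothing about a copy dropped elsewhere on the disk.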