Wednesday, February 25, 2009

Net-Worm.Win32.Kido


Details


This malicious program exploits the MS08-067 vulnerability to spread via network resources and removable storage media.

This modification of the worm is a Windows PE DLL file. The file is 158110 bytes in size. It is packed using UPX.

Infection

The worm copies its executable file with random names to the following directories:

%System%\dir.dll
%Program Files%\Internet Explorer\.dll
%Program Files%\Movie Maker\.dll
%All Users Application Data%\.dll
%Temp%\.dll
%System%\tmp
%Temp%\.tmp

is a random string of symbols.

In order to ensure that the worm is launched next time the system is started, it creates a system service which launches the worm’s executable file each time Windows is booted. The following registry key will be created:

[HKLM\SYSTEM\CurrentControlSet\Services\netsvcs]

The name of the service will be created from combining words from the list below:

Boot
Center
Config
Driver
Helper
Image
Installer
Manager
Microsoft
Monitor
Network
Security
Server
Shell
Support
System
Task
Time
Universal
Update
Windows

The worm also modifies the following system registry key value:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost] "netsvcs" = " %System%\.dll"

The worm hides its files in Explorer by modifying the registry key value shown below:

[HKCR\ Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "dword: 0x00000002"
"SuperHidden" = "dword: 0x00000000"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue" = "dword: 0x00000000"

The worm flags its presence in the system by creating the unique identifier shown below:

Global\%rnd%-%rnd%

Propagation

In order to spread quickly via networks, the worm uses tcpip.sys functions to increase the number of potential network connections.

The worm connects to the servers shown below in order to determine the external IP address of the victim machine:

http://www.getmyip.org
http://www.whatsmyipaddress.com
http://www.whatismyip.org
http://checkip.dyndns.org

The worm then launches an HTTP server on a random TCP port; this is then used to download the worm's executable file to other computers.

Copies of the worm have the extensions listed below:
.bmp
.gif
.jpeg
.png

The worm gets the IP addresses of computers in the same network as the victim machine and attacks them via a buffer overrun vulnerability (MS08-067) in the Server service. The worm sends a specially crafted RPC request to TCP ports 139 (NetBIOS) and 445 (Direct hosted SMB) remote machines on remote machines. This causes a buffer overrun when the wcscpy_s function is called in netapi32.dll, which launches code that downloads the worm's executable file to the victim machine and launches it. The worm is then installed on the new victim machine.

The worm then hooks the NetpwPathCanonicalize API call (netapi.dll) to prevent buffer overruns caused by the absence of a check on the size of outgoing strings. By doing this, the worm makes repeat exploitation of the vulnerability impossible.

In order to speed up propagation, the worm modifies the following registry value:

[HKLM\ SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"TcpNumConnections" = "dword:0x00FFFFFE"

In order to exploit the vulnerability described above, the worm attempts to connect to the Administrator account on the remote machine. It searches the network for an appropriate machine and gets a list of users.

In order to gain administrator access, the worm copies itself to the following shared folders:

\\*\ADMIN$\System32\.
\\\IPC$\.

The worm can then be launched remotely or scheduled for remote launch using the following commands:

rundll32.exe ,

Spreading via removable storage media

The worm copies its executable file to all removable media under the following name:
:\RECYCLER\S-<%d%>-<%d%>-%d%>-%d%>-%d%>-
%d%>-%d%>\.vmx, rnd is a string of random lower case letters; d is a random number; X
is the disk

In addition to its executable file, the worm also places the file shown below in the root of every disk:
:\autorun.inf

This file will launch the worm's executable file each time Explorer is used to open the infected disk.

When launching, the worm injects its code into the address space of one of the “svchost.exe” system processes. (The worm may also write its code to the “explorer.exe” and “services.exe” processes.) This code delivers the worm's main malicious payload and:

1. disables the following services:
2. Windows Automatic Update Service (wuauserv)
3. Background Intelligent Transfer Service (BITS)
4. Windows Security Center Service (wscsvc)
5. Windows Defender Service (WinDefend, WinDefender)
6. Windows Error Reporting Service (ERSvc)
Windows Error Reporting Service (WerSvc)
7. blocks access to addresses which contain any of the strings listed below:
8. nai
9. ca
10. avp
11. avg
12. vet
13. bit9
14. sans
15. cert
16. windowsupdate
17. wilderssecurity
18. threatexpert
19. castlecops
20. spamhaus
21. cpsecure
22. arcabit
23. emsisoft
24. sunbelt
25. securecomputing
26. rising
27. prevx
28. pctools
29. norman
30. k7computing
31. ikarus
32. hauri
33. hacksoft
34. gdata
35. fortinet
36. ewido
37. clamav
38. comodo
39. quickheal
40. avira
41. avast
42. esafe
43. ahnlab
44. centralcommand
45. drweb
46. grisoft
47. eset
48. nod32
49. f-prot
50. jotti
51. kaspersky
52. f-secure
53. computerassociates
54. networkassociates
55. etrust
56. panda
57. sophos
58. trendmicro
59. mcafee
60. norton
61. symantec
62. microsoft
63. defender
64. rootkit
65. malware
66. spyware
virus

In Windows Vista, the worm will disable autoconfiguration of the TCP/IP stack in order to speed up propagation via network channels by using a fixed window size for TCP packets:

netsh interface tcp set global autotuning=disabled
The worm also hooks the following API calls (dnsrslvr.dll) in order to block access to the list of user domains:

DNS_Query_A
DNS_Query_UTF8
DNS_Query_W
Query_Main
sendto

The worm may also download files from links of the type shown below:
http:///search?q=<%rnd2%>

rnd2 is a random number; URL is a link generated by a special algorithm which uses the current date. The worm gets the current date from one of the sites shown below:

http://www.w3.org
http://www.ask.com
http://www.msn.com
http://www.yahoo.com
http://www.google.com
http://www.baidu.com
http://www.myspace.com
http://www.msn.com
http://www.ebay.com
http://www.cnn.com
http://www.aol.com

Downloaded files are saved to the Windows system directory under their original names.

Removal Guide

If your computer does not have an up-to-date antivirus solution, or does not have an antivirus solution at all, you can either use a special removal tool (which can be found here or follow the instructions below:
More details about the vulnerability can be found here:
http://www.kaspersky.ru/support/wks6mp3/error?qid=208636215
Or follow the instructions below:

1. Delete the following system registrykey:
[HKLM\SYSTEM\CurrentControlSet\Services\netsvcs]

2. Delete “%System%\.dll” from the system registry key value shown below:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"netsvcs"

3. Revert the following registry key values:
[HKCR\ Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "dword: 0x00000002"
"SuperHidden" = "dword: 0x00000000"
to
[HKCR\ Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "dword: 0x00000001"
"SuperHidden" = "dword: 0x00000001"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue" = "dword: 0x00000000"
to
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue" = "dword: 0x00000001"

4. Reboot the computer.

5. Delete the original worm file (the location will depend on how the program originally penetrated the victim machine).

6. Delete copies of the worm:

7. %System%\dir.dll

8. %Program Files%\Internet Explorer\.dll

9. %Program Files%\Movie Maker\.dll

10. %All Users Application Data%\.dll

11. %Temp%\.dll

12. %System%\tmp
%Temp%\.tmp
is a random string of symbols.

13. Delete the files shown below from all removable storage media:

:\autorun.inf
:\RECYCLER\S-<%d%>-<%d%>-%d%>-%d%>-%d%>-%d%>-
%d%>\.vmx,