Worm.Kibuv.A (Exploit.DCom.Gen, Exploit.LSASS.Gen)
SYMPTOMS:
Presence of the registry entry:
Vote For Kerry = KillBush.exe
in the HKLM\Software\Microsoft\Windows\CurrentVersion\Run registry key.

TECHNICAL DESCRIPTION:
The worm spreads using the RPC and LSASS vulnerabilities (addressed in Microsoft Security Bulletins MS03-026 and MS04-011, respectively). Upon execution, it does the following:
- Tries to create a mutex named BushDie (to prevent itself from infecting a computer more than once);
- Starts two threads used later to transfer itself to other computers being infected:
  - one thread listens on TCP port 420 for various control commands;
  - the other thread opens an FTP server on port 9604 used for the actual transfer of the file;
- Starts another two threads used for infecting other computers: one tries to infect computers vulnerable to the RPC vulnerability and the other those vulnerable to the LSASS vulnerability.

Each of these last two threads continuously generates random IP addresses and scans the computer at each generated address (the remote computer) for the RPC / LSASS vulnerability. If that remote computer is vulnerable, the worm on the infected computer sends it specially crafted IP packets containing a small piece of code which will be executed on that remote computer with full administrator rights. This code opens a shell on a TCP port and listens for commands. Then, the infected computer sends commands to that shell, causing it to download the entire worm's code (from the FTP server previously opened by the worm on the infected computer) and execute it on the remote computer, thereby finishing the infection process for that IP address.

The worm contains the following unused string in its file:
"Hello, LURHQ, Network Associates, F-Secure Corp, and anyone else I left out. I prefer you call this 'Bushkiller' or 'KillBush', and not something lame. Also, I'd like to introduce you to the new 'Team Spaz'. F**k NetSky and the like. Bush must go! Kerry 2004! :-)"

Removal instructions:
Let BitDefender delete this worm's files.

ANALYZED BY: Adrian Gostin, BitDefender Antivirus Researcher
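The indicators above (the Run-key value, and the worm's two listening TCP ports) are enough for a quick host-side triage check. The following is an added example, not BitDefender's code or anything from the worm's author: it matches those indicators against text an administrator would collect from a host. The sample inputs are constructed for the example, and their line formats (mimicking `reg query` and `netstat -ano` output) are assumptions, not captured data.

```python
"""Host triage check for the Worm.Kibuv.A indicators named in the write-up.

Added example (not BitDefender's code). Indicators used:
  - Run-key value "Vote For Kerry" with data KillBush.exe
  - TCP listeners on port 420 (control) and 9604 (FTP transfer)
The mutex name BushDie is not checkable from text and is not used here.
"""
import re

RUN_VALUE = "Vote For Kerry"          # Run-key value name from the write-up
RUN_DATA = "killbush.exe"             # Run-key data (compared case-insensitively)
WORM_PORTS = {                        # listening ports opened by the worm
    420: "control shell (TCP 420)",
    9604: "FTP transfer server (TCP 9604)",
}

# Constructed sample in a `reg query`-like layout (assumed format).
SAMPLE_REG = """
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
    SecurityHealth    REG_SZ    C:\\Windows\\system32\\SecurityHealthSystray.exe
    Vote For Kerry    REG_SZ    KillBush.exe
"""

# Constructed sample in a `netstat -ano`-like layout (assumed format).
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:420            0.0.0.0:0              LISTENING       1844
  TCP    0.0.0.0:9604           0.0.0.0:0              LISTENING       1844
  TCP    192.168.1.10:49731     10.0.0.5:443           ESTABLISHED     2210
"""

# One "<name>  REG_TYPE  <data>" line; name and data separated by 2+ spaces.
_REG_LINE = re.compile(r"\s*(.+?)\s{2,}REG_\w+\s+(.+?)\s*$")


def check_run_key(reg_text):
    """Return findings for Run-key entries matching the worm's value name or file."""
    findings = []
    for line in reg_text.splitlines():
        m = _REG_LINE.match(line)
        if not m:
            continue
        name, data = m.group(1), m.group(2)
        if name == RUN_VALUE or data.lower().endswith(RUN_DATA):
            findings.append(f"Run value '{name}' = {data}")
    return findings


def check_listeners(netstat_text):
    """Return findings for LISTENING TCP sockets on the worm's ports, with owning PID."""
    findings = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "TCP" or parts[3] != "LISTENING":
            continue
        port = int(parts[1].rsplit(":", 1)[1])   # works for 0.0.0.0:420 and [::]:420
        if port in WORM_PORTS:
            findings.append(f"{WORM_PORTS[port]} listening, PID {parts[4]}")
    return findings


def assess(reg_text, netstat_text):
    """Combine both checks. The Run-key symptom alone is the write-up's stated
    indicator; both worm ports listening is treated as equally strong evidence."""
    run_hits = check_run_key(reg_text)
    port_hits = check_listeners(netstat_text)
    likely = bool(run_hits) or len(port_hits) == len(WORM_PORTS)
    return {"infected_likely": likely, "findings": run_hits + port_hits}


if __name__ == "__main__":
    result = assess(SAMPLE_REG, SAMPLE_NETSTAT)
    print("infected_likely:", result["infected_likely"])
    for f in result["findings"]:
        print(" -", f)
```

On a real host, feed the function the output of `reg query` for the Run key and of `netstat -ano`; a PID shared by both port findings is the process to isolate and let the product remove.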