When breaking into a remote computer, W32.Dalbug.Worm attempts to open the computer's Service Control Manager. If successful, it will install itself on the remote computer as a service. The service will have the following attributes:
- Service name: NtLmHosts
- Display name: TCP/IP NetBIOS Provider
- Description: Provides NetBIOS over TCP/IP (NetBT) service support for NetBIOS name resolution.
- Path: %windir%\System32\lmhsvc.exe
W32.Dalbug.Worm then copies itself as %windir%\System32\lmhsvc.exe, so that the worm is run each time that you restart the computer.
Once it is running, W32.Dalbug.Worm inserts and executes these files:
%windir% is a variable. It is the folder where Windows is installed. By default, this is C:\Winnt on Windows NT/2000 systems or C:\Windows on Windows XP systems.
It also inserts the file %windir%\System32\Lady.exe. This is a non-malicious joke program that is executed by Smss.exe and Csrss.exe once they are running.
The files Smss.exe and Csrss.exe have the same file names as two system files that reside in the %windir%\System32 folder. If you delete these files manually, make sure that you delete the copies that are in the home folder and not the ones in the System32 folder.
During execution, the Smss.exe and Csrss.exe files keep the service running, and checking every three seconds to make sure that it is still running. If you attempt to change or disable the service, it will immediately reinstall it. After 5 minutes of execution time, they activate the Lady.exe program , which will display a few flies crawling across the screen.
During its execution W32.Dalbug.Worm will periodically (every 10 seconds) also add the following registry values:
to the registry key
In addition, it tries to kill the Regedit.exe process if it is activated.
Smss.exe and Csrss.exe also try to create the these registry values, however if they detect that Regedit.exe is running, they will delete them (instead of creating them).
Finally, Smss.exe and Csrss.exe will also copy the worm to the following files:
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":