W32.Tkbot.Worm

W32.Tkbot.Worm is a worm that scans and attacks random Web sites using the Unicode directory traversal vulnerability in Microsoft IIS to gain access to vulnerable computers.

If W32.Tkbot.Worm gains access to a vulnerable computer, the following events occur:

1. The IRC client, which is part of W32.Tkbot.Worm, directs the computer to open an FTP connection to a specified remote host on the Internet.
2. The files, Httpodbc.dll and Tk1.exe, are downloaded form the remote host to the vulnerable computer and executed. This action infects the vulnerable computer with the worm.
3. Once the computer is infected, the IRC client that is part of the worm is run.
4. The IRC client uses port 1297 to connect to an IRC server, which is specified in a configuration file. Once the IRC client connects to the server, it joins a specific channel and repeats the process.

All the infected computers are connected to the IRC channel on the IRC server, which is defined in one of the worm's configuration files. Each one is given a unique name when it joins the channel. Then, the attacker can log into the IRC server, join the appropriate channel, and see all the compromised computers.

The attacker can also log into the IRC client that resides on a given infected computer, allowing the attacker full administrator access to the infected computer. The worm loads a script that contains the scripting commands. Then, the attacker can execute the script.

Microsoft has a patch for the vulnerability, available at: http://www.microsoft.com/technet/security/bulletin/ms00-078.asp.

Other actions
W32.Tkbot.Worm also performs these actions:

1. Creates the following folders and sets their attributes to Hidden and System attributes:
   • C:\Progra~1\Microsoft\Update
   • C:\Progra~1\Microsoft\Update\DLL
   • C:\Progra~1\Microsoft\Update\DLL\TK
   • C:\Winnt\System32\Shellext\System
   • C:\Winnt\System32\Shellext\System\tk
     
2. Creates the following files in the C:\Progra~1\Microsoft\Update\DLL\TK folder:
   • Crk.vxd
   • D.exe*
   • Firedaemon.exe*
   • Fport.exe*
   • Hit.lst
   • Httpodbc.dll
   • I.p
   • J.dll*
   • Jn.cnf
   • K.exe*
   • Libeay32.dll*
   • Ms.vxd
   • Mstaskmgr.exe
   • P.ub
   • Q269862_w2k_sp2_x86_en.exe*
   • R.dll*
   • Reg.bat*
   • Remote.ini*
   • Rs.exe
   • Rundll.exe
   • Servucert.crt*
   • Servucert.key*
   • Servudaemon.ini
   • Servustartuplog.txt
   • Srv.cnf
   • Ssleay32.dll*
   • Su.txt
   • Suw.txt
   • Task.cnf
   • Tk.conf
   • Tk00.tmp
   • Tk1.exe
   • Tzolibr.dll*
   • Wait.com*
   • Xcacls.exe*
     
     NOTES:
     • Some variants may also infect the system with Backdoor.Vmz.
     • W32.Tkbot.Worm may also create the C:\Winnt\System32\P.ub file.
     • The files marked with * (an asterisk) are commercial or publicly available programs. They are not infected, and as such, Symantec antivirus products do not detect them.
       
3. Creates the registry key:
   
   HKEY_CURRENT_USER\Software\mIRC\License
   
   with the value:
   
   @ 8557-785634
   
4. Creates the registry key:
   
   HKEY_CURRENT_USER\Software\mIRC\UserName
   
   with the value:
   
   @ Double A Ron
   
5. Creates the registry key:
   
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSTaskMgr
   
   with the values:
   
   DisplayName MSTaskMgr
   Description Microsoft task manager monitor
   
6. Creates the registry key:
   
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rundll
   
   with the values:
   
   DisplayName rundll
   Description Rundll system process
   
7. Registers MSTaskmgr.exe and Rundll.exe as services with the following names:
   • Firedaemon Service: MSTaskMgr
   • Firedaemon Service: Rundll
     
     NOTE: Some variants may modify these names as:
     • MSTaskMgr
     • Rundll
       
8. Uses Net Start to start the two services on the infected computer.
9. Deletes the files:
   • C:\Winnt\System32\Ftp.exe
   • C:\Winnt\System32\Tftp.exe
     
     Some variants may also delete all the files from C:\Inetpub\Scripts.
     
10. Stops the service, "World Wide Web Publishing Service."
11. Deletes the folder structure C:\Winnt\System32\LogFiles.
12. Restarts the service, "World Wide Web Publishing Service."
13. Removes all user access to the folders created by the worm.

Additional information

• If the worm is restarted for the eleventh time, it attempts to execute a Denial of Service (DoS) on specified Web sites.
• If the date is greater than or equal to November 10, 2002, 12:00:00, and less than or equal to November 10, 2002, 12:01:40, the worm attempts a DoS attack on a Web site specified in its configuration files.
• The worm can scan for the IP addresses of other vulnerable hosts and can create a configuration file to be used for port scan attacks.
• Upon joining an IRC channel, the worm provides detailed system information from the infected computer. Then, a hacker can access the worm, if it is configured to allow this.
• When the worm is disconnected from the server, it will try to connect to a new IRC server.
• If you are able to access the worm after it runs on your computer, and you input commands, the worm creates the batch file, D.bat. The D.bat file contains a line that directs it to delete the worm's folder, execute the D.bat file, and then exit.
• Upon receiving a text command on any of the channels that the worm has joined, the worm performs various actions, such as:
  • Querying your computer for system information
  • Sending packets to be used in a DoS attack
  • Reconfiguring access to the worm
  • Reporting the statistics
  • Exploiting the previously described Unicode directory traversal vulnerability on a remote system
    
    NOTE: To use these commands, the remote attacker must first log on to the worm using a password.
    
• W32.Tkbot.Worm can scan for the IP addresses of other vulnerable hosts and create a configuration file for port scanning attacks.
• W32.Tkbot.Worm can send encrypted FTP traffic between an attacker's system and the infected system. The FTP server, which is part of this exploit, listens on port 65,130 and port 43,958.

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

• Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
• Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
• Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
• Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
• Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
• Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have less avenues of attack.
• If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
• Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
• Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
• Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
• Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
• If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
• For further information on the terms used in this document, please refer to the Security Response glossary.

Summary