W32.HLLW.Anig

Discovered: January 28, 2004
Updated: January 30, 2004 5:11:43 PM
Systems Affected: Windows

W32.HLLW.Anig is a worm that propagates over network shares. The worm also contains a keylogger and backdoor component.

W32.HLLW.Anig is a worm that propagates over open "ADMIN$" network shares. When the worm is executed, it creates the following files:
%System%\NTOSA32.EXE
%System%\NTGINA.DLL

The following registry entry is then created in order to hook system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"Osa32" = "NTOSA32.exe"

The following registry entries are then created:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dfcsvc\"DependOnGroup"="0x0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dfcsvc\"DependOnService"="RpcSS"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dfcsvc\"DisplayName"="Distributed File Controller"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dfcsvc\"Error Control"="0x0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dfcsvc\"ImagePath"="NTOSA32.exe /dfcsvc"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dfcsvc\"ObjectName"="LocalSystem"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dfcsvc\"Start"="0x2"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dfcsvc\"Type"="0x110"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Ram32Data"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Ram32ID"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Ram32Group"

The keylogging component is then injected into Winlogon.exe via the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"GinaDll"="ntgina.dll"

The keylogging component is also injected into other processes.

Winlogon keylogging routines will begin once the system is restarted. All keystrokes that are logged are recorded in the following file:
%System%\NTKBH32.DLL

The worm then monitors the registry for modifications; if the "GinaDll" hook into WINLOGON.EXE is removed at any point, the worm restores it. The monitoring process checks the registry entry every 10 seconds.

The worm opens TCP port 5190 and listens for commands from the attacker.
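The registry entries, dropped file names and listening port listed above are the host artifacts a responder would look for. The following is an added triage example, not Symantec's tooling or code from the worm: it parses text in the format produced by `reg export` and a `netstat -ano` listing, and reports which of the documented indicators are present. The embedded registry export and netstat output are constructed samples; the `Ram32ID` data value "0001" and the PID 1348 are invented for the sample and are not indicators from the write-up.

```python
"""Triage helper for the W32.HLLW.Anig indicators described in the write-up.

Added example (not from Symantec or the worm). Input is text in the
format of `reg export` and `netstat -ano`; constructed samples are embedded.
"""

# Indicators taken from the write-up. Windows paths and file names are
# case-insensitive, so all comparisons are lower-cased.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
SERVICE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dfcsvc"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
WINLOGON_VALUES = ("Ram32Data", "Ram32ID", "Ram32Group")
DROPPED_FILES = {"ntosa32.exe", "ntgina.dll", "ntkbh32.dll"}
BACKDOOR_PORT = 5190

# Constructed sample: what `reg export` of the affected keys might look like on
# an infected host. The Ram32ID data "0001" is invented for the sample.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Osa32"="NTOSA32.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dfcsvc]
"DisplayName"="Distributed File Controller"
"ImagePath"="NTOSA32.exe /dfcsvc"
"ObjectName"="LocalSystem"
"Start"=dword:00000002
"Type"=dword:00000110

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"GinaDll"="ntgina.dll"
"Ram32ID"="0001"
'''

# Constructed sample: `netstat -ano` output; PID 1348 is invented.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       776
  TCP    0.0.0.0:5190           0.0.0.0:0              LISTENING       1348
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING       4
"""


def parse_reg_export(text):
    """Parse `reg export` text into {key_path: {value_name: data}}.

    Only REG_SZ ("...") and REG_DWORD (dword:xxxxxxxx) are decoded; that is
    all the indicators above need. Other types are kept as raw strings.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")  # .reg escapes backslashes
            elif data.lower().startswith("dword:"):
                data = int(data[6:], 16)
            keys[current][name] = data
    return keys


def check_registry(keys):
    """Return human-readable findings for the persistence and GINA indicators."""
    findings = []
    lower = {k.lower(): v for k, v in keys.items()}
    # Run-key persistence launching the dropped executable.
    for name, data in lower.get(RUN_KEY.lower(), {}).items():
        if isinstance(data, str) and "ntosa32.exe" in data.lower():
            findings.append(f"Run entry {name!r} launches {data}")
    # Service persistence: the write-up says the key itself is created by the worm.
    svc = lower.get(SERVICE_KEY.lower())
    if svc is not None:
        findings.append(f"service dfcsvc present, ImagePath={svc.get('ImagePath')!r}")
    # GinaDll override: Windows' default GINA is msgina.dll, so any other
    # value (here ntgina.dll) means a replacement logon DLL is loaded by Winlogon.
    wl = lower.get(WINLOGON_KEY.lower(), {})
    gina = wl.get("GinaDll")
    if isinstance(gina, str) and gina.lower() != "msgina.dll":
        findings.append(f"non-default GinaDll {gina!r}")
    for name in WINLOGON_VALUES:
        if name in wl:
            findings.append(f"Winlogon value {name} present")
    return findings


def check_netstat(text):
    """Return `netstat -ano` lines with a TCP socket LISTENING on the backdoor port."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "TCP" and parts[3] == "LISTENING":
            port = int(parts[1].rsplit(":", 1)[1])
            if port == BACKDOOR_PORT:
                hits.append(line.strip())
    return hits


def check_files(names):
    """Return the dropped-file names (from the write-up) found in a %System% listing."""
    return sorted(n for n in names if n.lower() in DROPPED_FILES)


if __name__ == "__main__":
    for f in check_registry(parse_reg_export(SAMPLE_REG)):
        print("registry:", f)
    for h in check_netstat(SAMPLE_NETSTAT):
        print("netstat:", h)
    print("files:", check_files(["kernel32.dll", "NTOSA32.EXE", "ntkbh32.dll"]))
```

Two points when running this against a real host rather than the samples: the `GinaDll` value is normally absent (Winlogon falls back to msgina.dll), so its mere presence with any value other than msgina.dll is worth reviewing; and TCP 5190 is also the port the AOL Instant Messenger client used for outbound connections, so what matters here is a socket in the LISTENING state whose owning PID resolves to NTOSA32.exe, not any traffic on the port. Because the worm re-creates the `GinaDll` entry every 10 seconds, removal should be verified after the process and service have been stopped, not before.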

Finally, the worm enumerates the network resources of remote hosts and attempts to log in to the ADMIN$ share on each remote machine.

The worm will copy itself to the remote system as follows:
\\<remote machine>\ADMIN$\SYSTEM32\NTOSA32.exe
\\<remote machine>\ADMIN$\SYSTEM32\NTGina.dll