Discovered: May 10, 2004
Updated: May 10, 2004 10:32:59 PM
Systems Affected: Windows

W32.HLLW.Donk.Q is a worm that propagates through open network shares. The worm can also function as a backdoor server program.

This variant also attempts to exploit the Microsoft DCOM RPC vulnerability (BID 8205) to propagate.

W32.HLLW.Donk.Q is a worm that also has backdoor properties. This worm attempts to propagate through open network shares and exploit the Microsoft DCOM RPC vulnerability (BID 8205).

When this worm is executed, it creates copies of itself as:
%System%\wnetmgr.exe
%System%\cool.exe

Next, the worm will create the following registry entries so that it will be executed every time a compromised system is booted:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"Microsoft System Checkup"="wnetmgr.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\"Microsoft System Checkup"="wnetmgr.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"NT Logging Service"="syslog32.exe"

Note: The worm never drops the Syslog32.exe file.

The worm generates random IP addresses and sends data to each of them on TCP port 135 in an attempt to exploit the DCOM RPC vulnerability (BID 8205).

If the worm finds a vulnerable system, it will create a hidden remote shell process that will listen on TCP port 4444. This allows an attacker to issue remote commands on an infected system. It may send itself to the vulnerable system.
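As an added triage example (not part of the original write-up), the following Python checks a `reg export` of the Run/RunServices keys for the autorun values listed above and a `netstat -an` listing for a listener on TCP 4444, the port the remote shell binds. The file names, value names and port are the ones this write-up gives; the sample registry and netstat text is constructed.

```python
import re
# Indicators taken from the W32.HLLW.Donk.Q write-up above (lower-cased for matching).
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
# Value name -> executable; "NT Logging Service" is flagged even though syslog32.exe is never dropped.
RUN_VALUES = {"microsoft system checkup": "wnetmgr.exe",
              "nt logging service": "syslog32.exe"}
SHELL_PORT = "4444"  # TCP port of the worm's hidden remote shell

def scan_reg_export(reg_text):
    """Return (key, name, value) triples in a .reg export that match the autorun entries."""
    hits, current_key = [], ""
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]          # e.g. [HKEY_LOCAL_MACHINE\...\Run]
            continue
        m = re.match(r'"([^"]+)"="([^"]*)"$', line)
        if not m or current_key.lower() not in RUN_KEYS:
            continue
        name, value = m.group(1), m.group(2)
        expected = RUN_VALUES.get(name.lower())
        if expected and value.lower().endswith(expected):
            hits.append((current_key, name, value))
    return hits

def scan_netstat(netstat_text):
    """Return local endpoints from `netstat -an` output that listen on TCP 4444."""
    found = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if (len(parts) >= 4 and parts[0] == "TCP" and parts[3] == "LISTENING"
                and parts[1].rsplit(":", 1)[-1] == SHELL_PORT):
            found.append(parts[1])
    return found

# Constructed sample input (not real captures) so the script runs stand-alone.
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft System Checkup"="wnetmgr.exe"
"NT Logging Service"="syslog32.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft System Checkup"="wnetmgr.exe"
"""
SAMPLE_NETSTAT = """  TCP    0.0.0.0:135     0.0.0.0:0    LISTENING
  TCP    0.0.0.0:4444    0.0.0.0:0    LISTENING
"""
print(scan_reg_export(SAMPLE_REG), scan_netstat(SAMPLE_NETSTAT))
```

On a live host the same functions can be fed the output of `reg export HKLM\Software\Microsoft\Windows\CurrentVersion run.reg` and `netstat -an`; a hit on either is a reason to check %System% for wnetmgr.exe and cool.exe.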

The worm terminates the following processes if it finds them running on the compromised host:

ACKWIN32.EXE
ANTI-TROJAN.EXE
ANTS.EXE
APVXDWIN.EXE
ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AVCONSOL.EXE
AVE32.EXE
AVGCTRL.EXE
AVKSERV.EXE
AVLTMAIN.EXE
AVNT.EXE
AVP.EXE
AVP32.EXE
AVPCC.EXE
AVPM.EXE
AVPTC32.EXE
AVPUPD.EXE
AVSCHED32.EXE
AVWUPD32.EXE
AVXQUAR.EXE
BLACKD.EXE
BLACKICE.EXE
CCAPP.EXE
CFGWIZ.EXE
CFIADMIN.EXE
CFIAUDIT.EXE
CFINET.EXE
CLEANER.EXE
CLEANER3.EXE
DRWEBUPW.EXE
DVP95.EXE
F-AGNT95.EXE
F-PROT.EXE
FINDVIRU.EXE
FP-WIN.EXE
FRW.EXE
IAMAPP.EXE
IAMSERV.EXE
IBMASN.EXE
ICLOAD95.EXE
ICLOADNT.EXE
ICMON.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
ICSUPPNT.EXE
IFACE.EXE
LOCKDOWN2000.EXE
LUALL.EXE
MCUPDATE.EXE
MOOLIVE.EXE
MPFTRAY.EXE
MSBLAST.EXE
N32SCANW.EXE
NAVAPSVC.EXE
NAVAPW32.EXE
NAVW32.EXE
NAVWNT.EXE
NETLOGIN32.EXE
NISUM.EXE
NUPGRADE.EXE
OUTPOST.EXE
PANDA
PAVCL.EXE
PAVSCHED.EXE
PAVW.EXE
QCONSOLE.EXE
RAV7
SCAN32.EXE
SCANPM.EXE
SCRSCAN.EXE
SERV95.EXE
SPHINX.EXE
TCA.EXE
VSCAN40.EXE
VSECOMR.EXE
VSHWIN32.EXE
VSMON.EXE
VSSTAT.EXE
WEBSCANX.EXE
WFINDV32.EXE
WRADMIN.EXE
WRCTRL.EXE
WUPDMGR.EXE
ZONEALARM.EXE
_AVP32.EXE
_AVPM.EXE
dllhost.exe
mspatch.exe
penis32.exe
tftpd.exe
winppr32.exe
Then, the worm attempts to spread by copying itself to administrative shares using the following user name and password combinations:

User name:
Administrateur
Administrator
Default
Guest
Root
SST
User
Verwalter
admin
administrator
bot started.
database
home
sql

Password:
007
101
111
1111
123
1234
12345
123456
1234567
12345678
123456789
123abc
123asd
123qwe
2002
2003
54321
557
654321
6969
7777
Admin
Internet
Login
Password
aaa
abc
abc123
abcd
admin123
alpha
asd#321
asdf
computer
enable
god
letmein
login
love
mypass
mypc
oracle
owner
pass
passwd
password
pw123
pwd
qwer
qwerty
root
secret
server
sex
super
sybase
temp
temp123
test
test123
win
xxx
yxcv
zxcv

If successful, the worm will copy itself into the following directories on the remote systems:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\WINDOWS\Start Menu\Programs\Startup
C:\WINNT\Profiles\All Users\Start Menu\Programs\Startup
\WINNT\Profiles\All Users\Start Menu\Programs\Startup
\WINDOWS\Start Menu\Programs\Startup
\Documents and Settings\All Users\Start Menu\Programs\Startup

The worm attempts to download and execute a file from one of the following hard-coded URLs:
http://www.hclub.go.ro/sago.exe
http://angeldome.front.ru/sd.exe
http://www.dpitag.3x.ro/aa.exe
http://www.dpitag.dap.ro/t.exe
http://www.cosa.nostra.go.ro/index4.txt
The backdoor provides the following functions:
Floods a specified host
Downloads a file from the author of the worm
Executes a file