1. Symantec/
  2. Security Response/
  3. Attack Signatures/
  4. SMB Critical File Tamper Activity

SMB Critical File Tamper Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects attempts to tamper with critical files over network shares. This type of activity is typically associated with worms like W32.Sality.AE and W32.Blackmal.E@mm.

Additional Information

When W32.Blackmal.E@mm is executed, it performs the following actions:

1. Copies itself as one of the following files:

* %Windir%\Rundll16.exe
* %System%\WINZIP_TMP.EXE
* %System%\SAMPLE.ZIP
* %System%\New WinZip File.exe
* movies.exe
* Zipped Files.exe

Note:
* %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
* %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

2. Copies itself as one of the following files:

* %System%\scanregw.exe
* %System%\Winzip.exe
* %System%\Update.exe

Note: The worm monitors the above files and will recreate them if they are deleted.

3. Creates an empty .zip file using the same file name as the worm itself in the %System% folder. It then opens this file in order to hide its functionality.

4. Drops the file %System%\MSWINSCK.OCX which is a clean Microsoft control used for network connectivity.

5. Adds the value:

"ScanRegistry" = "scanregw.exe /scan"

to the following registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that it runs every time Windows starts.

Note: The worm monitors the above registry entry and recreates it if it is deleted.

6. Modifies the values:

"WebView" = "0"
"ShowSuperHidden" = "0"

in the registry subkey:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
Explorer\Advanced

Note: The worm monitors the above registry entries and recreates them if they are deleted.

7. Modifies the value:

"FullPath" = "1"

in the registry subkey:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
Explorer\CabinetState

Note: The worm monitors the above registry entry and recreates it if it is deleted.

8. Adds the values:

"5f54e750-ce26-11cf-8e43-00a0c911005a" = "mnlnnimimnoiuilnvjkinnkitjwjnimntntm"
"F4FC596D-DFFE-11CF-9551-00AA00A3DC45" = "mbmabptebkjcdlgtjmskjwtsdhjbmkmwtrak"
"190B7910-992A-11cf-8AFA-00AA00C00905" = "gclclcejjcmjdcccoikjlcecoioijjcjnhng"
"72E67120-5959-11cf-91F6-C2863C385E30" = "ibcbbbebqbdbciebmcobmbhifcmciibblgmf"
"096EFC40-6ABF-11cf-850C-08002B30345D" = "knsgigmnmngnmnigthmgpninrmumhgkgrlrk"
"556C75F1-EFBC-11CF-B9F3-00A0247033C4" = "xybiedobrqsprbijaegcbislrsiucfjdhisl"
"4D553650-6ABE-11cf-8ADB-00AA00C00905" = "gfjmrfkfifkmkfffrlmmgmhmnlulkmfmqkqj"
"57CBF9E0-6AA7-11cf-8ADB-00AA00C00905" = "aahakhchghkhfhaamghhbhbhkbpgfhahlfle"
"9E799BF1-8817-11cf-958F-0020AFC28C3B" = "uqpqnqkjujkjjjjqwktjrjkjtkupsjnjtoun"
"78E1BDD1-9941-11cf-9756-00AA00C00908" = "yjrjvqkjlqqjnqkjvprqsjnjvkuknjpjtoun"
"DC4D7920-6AC8-11cf-8ADB-00AA00C00905" = "iokouhloohrojhhhtnooiokomiwnmohosmsl"
"7C35CA30-D112-11cf-8E72-00A0C90F26F8" = "whmhmhohmhiorhkouimhihihwiwinhlosmsl"
"2c49f800-c2dd-11cf-9ad6-0080c7e7b78d" = "mlrljgrlhltlngjlthrligklpkrhllglqlrk"
"899B3E80-6AC6-11cf-8ADB-00AA00C00905" = "wjsjjjlqmjpjrjjjvpqqkqmqukypoqjquoun"
"B1EFCCF0-6AC1-11cf-8ADB-00AA00C00905" = "qqkjvqpqmqjjpqjjvpqqkqmqvkypoqjquoun"
"6FB38640-6AC7-11cf-8ADB-00AA00C00905" = "gdjkokgdldikhdddpjkkekgknesjikdkoioh"
"E32E2733-1BC5-11d0-B8C3-00A0C90DCA10" = "kmhfimlflmmfpffmsgfmhmimngtghmoflhsg"
"4250E830-6AC2-11cf-8ADB-00AA00C00905" = "kjljvjjjoquqmjjjvpqqkqmqykypoqjquoun"
"BC96F860-9928-11cf-8AFA-00AA00C00905" = "mmimfflflmqmlfffrlnmofhfkgrlmmfmqkqj"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Licenses

which enables the %System%\MSWINSCK.OCX file to function.

9. May modify values in the following registry subkeys:

HKEY_CURRENT_USER\Control Panel\BMale
HKEY_CURRENT_USER\Control Panel\DNS

10. Disables the mouse and keyboard functionality the first time the worm is executed on the compromised computer.

11. Displays the following icon in the Windows Task Bar when it detects the presence of antivirus software:



Note: The text "Update Please wait" is displayed when a user hovers over the icon.

12. Monitors the titles of active windows. If the user is browsing with Windows Explorer, the window title is the path to the current folder. The worm uses this information to search the current folder for the file desktop.ini. If this file exists the worm copies itself to the current folder as WinZip_Tmp.exe and creates the file temp.htt.

13. Deletes the following files:

* %ProgramFiles%\DAP\*.dll
* %ProgramFiles%\BearShare\*.dll
* %ProgramFiles%\Symantec\LiveUpdate\*.*
* %ProgramFiles%\Symantec\Common Files\Symantec Shared\*.*
* %ProgramFiles%\Norton AntiVirus\*.exe
* %ProgramFiles%\Alwil Software\Avast4\*.exe
* %ProgramFiles%\McAfee.com\VSO\*.exe
* %ProgramFiles%\McAfee.com\Agent\*.*
* %ProgramFiles%\McAfee.com\shared\*.*
* %ProgramFiles%\Trend Micro\PC-cillin 2002\*.exe
* %ProgramFiles%\Trend Micro\PC-cillin 2003\*.exe
* %ProgramFiles%\Trend Micro\Internet Security\*.exe
* %ProgramFiles%\NavNT\*.exe
* %ProgramFiles%\Morpheus\*.dll
* %ProgramFiles%\Kaspersky Lab\Kaspersky Anti-Virus Personal\*.ppl
* %ProgramFiles%\Kaspersky Lab\Kaspersky Anti-Virus Personal\*.exe
* %ProgramFiles%\Grisoft\AVG7\*.dll
* %ProgramFiles%\TREND MICRO\OfficeScan\*.dll
* %ProgramFiles%\Trend Micro\OfficeScan Client\*.exe
* %ProgramFiles%\LimeWire\LimeWire 4.2.6\LimeWire.jar

Note: %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.

14. Queries the following values:

"Home Directory"
"NAV"
"Folder"
"InstallLocation"

under the following registry subkeys:

HKEY_LOCAL_MACHINE\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps
HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\101
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
Uninstall\Panda Antivirus 6.0 Platinum

and deletes all .exe files found in the folders it locates.

15. Queries the value:

"Folder"

in the following registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\InstalledProducts\Kaspersky Anti-Virus Personal

and deletes all files found in the folder it locates.

16. Queries the value:

"Path"

in the following registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Iface.exe

and deletes all *.exe and *.ppl files in the folder it locates.

17. Closes windows whose title contains any of the following strings:

* SYMANTEC
* SCAN
* KASPERSKY
* VIRUS
* MCAFEE
* TREND MICRO
* NORTON
* REMOVAL
* FIX

18. Deletes the values:

PCCIOMON.exe
pccguide.exe
Pop3trap.exe
PccPfw
Tmproxy
McAfeeVirusScanService
NAVAgent
PCCClient.exe
SSDPSRV
rtvscn95
defwatch
vptray
ScanInicio
APVXDWIN
KAVPersonal50
kaspersky
TMOutbreakAgent
AVG7_Run
AVG_CC
Avgserv9.exe
AVGW
AVG7_CC
AVG7_EMC
VetAlert
VetTray
OfficeScanNTMonitor
avast!
DownloadAccelerator
BearShare

from the following registry subkeys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
RunServices

19. Gathers email addresses from files with the following extensions:

.htm
.dbx
.eml
.msg
.oft
.nws
.vcf
.mbx
.imh
.txt
.msf

The worm also gathers email addresses from files with one of the following strings in the full name :

* CONTENT.
* TEMPORARY

20. Attempts to send itself as an email to the addresses it gathers using its own SMTP engine. The email will have the following characteristics:

Subject:
One of the following:

* *Hot Movie*
* A Great Video
* Fw:
* Fw: DSC-00465.jpg
* Fw: Funny :)
* Fw: Picturs
* Fw: Real show
* Fw: SeX.mpg
* Fw: Sexy
* Fwd: Crazy illegal Sex!
* Fwd: image.jpg
* Fwd: Photo
* give me a kiss
* Miss Lebanon 2006
* My photos
* Part 1 of 6 Video clipe
* Photos
* Re:
* School girl fantasies gone bad

Message body:
One of the following:

* Note: forwarded message attached. You Must View This Videoclip!
* forwarded message
* Re: Sex Video
* i just any one see my photos.
* It's Free :)
* The Best Videoclip Ever
* Hot XXX Yahoo Groups
* Fuckin Kama Sutra pics
* ready to be FUCKED ;)
* forwarded message attached.
* VIDEOS! FREE! (US$ 0,00)
* What?
* i send the file.
* Helloi attached the details.
* Thank you
* the file i send the details
* hello,
* Please see the file.
* how are you?
* i send the details.

Attachment:
One of the following:

* 007.pif
* 392315089702606E-02,.scR
* 677.pif
* Adults_9,zip.sCR
* Arab sex DSC-00465.jpg
* ATT01.zip.sCR
* Attachments[001],B64.sCr
* Clipe,zip.sCr
* document.pif
* DSC-00465.Pif
* DSC-00465.pIf
* eBook.pdf
* eBook.PIF
* image04.pif
* New Video,zip
* New_Document_file.pif
* photo.pif
* Photos,zip.sCR
* School.pif
* SeX,zip.scR
* Sex.mim
* Video_part.mim
* WinZip,zip.scR
* WinZip.BHX
* WinZip.zip.sCR
* Word XP.zip.sCR
* Word.zip.sCR
* 04.pif
* DSC-00465.Pif
* DSC-00465.pIf
* image04.pif

The attachment may be an executable file or a MIME file that contains an executable file. Those attachments that are MIME files may have the following file names:

* 3.92315089702606E02.UUE
* Attachments[001].B64
* Attachments00.HQX
* Attachments001.BHX
* eBook.Uu
* Original Message.B64
* Sex.mim
* SeX.mim
* Video_part.mim
* WinZip.BHX
* Word_Document.hqx
* Word_Document.uu

These files may also have one the following file names:

* 392315089702606E-02
* Clipe
* Miss
* Photos
* Sweet_09

These file names will be combined with one of the following extensions:

* .b64
* .BHx
* .HQX
* .mim
* .uu
* .UUE
* .XxE

If the attachment is a MIME file, it may contain a file with one of the following file names:

* 392315089702606E-02,UUE[BLANK SPACES].scr
* Adults_9,zip[BLANK SPACES].scr
* ATT01.zip[BLANK SPACES].scr
* Atta[001],zip[BLANK SPACES].scr
* Attachments,zip[BLANK SPACES].scr
* Attachments[001],B64[BLANK SPACES].scr
* Clipe,zip[BLANK SPACES].scr
* New Video,zip[BLANK SPACES].scr
* Photos,zip[BLANK SPACES].scr
* SeX,zip[BLANK SPACES].scr
* WinZip,zip[BLANK SPACES].scr
* WinZip.zip[BLANK SPACES].scr
* Word XP.zip[BLANK SPACES].scr
* Word.zip[BLANK SPACES].scr

The attachment may use the following icon:



21. Searches the network for the following shared folders, where it copies itself as WINZIP_TMP.EXE:

* ADMIN$
* C$

Note: The worm also copies itself using the same file name to network shares protected by weak passwords.

22. Copies itself to network shares as the following:

C$\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.exe

23. Deletes the following file from network shares:

C$\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk

24. Attempts to access the following URL:

[http://]webstats.web.rcn.net/[REMOVED]/Count.cgi?df=765247

25. Enumerates the computers in the same domain as the host computer by using WNetOpenEnum.

26. Executes the command "net use \\[COMPUTER NAME] /user:administrator" to connect to that computer.

Note:
* If the user on the compromised computer is already connected to some other network computer, the worm will be able to use that connection.
* [COMPUTER NAME] is a remote computer name and "" is a blank password.

27. Attempts to delete the following folders on the computer it connects to:

* \C$\Program Files\Norton AntiVirus
* \C$\Program Files\Common Files\symantec shared
* \C$\Program Files\Symantec\LiveUpdate
* \C$\Program Files\McAfee.com\VSO
* \C$\Program Files\McAfee.com\Agent
* \C$\Program Files\McAfee.com\shared
* \C$\Program Files\Trend Micro\PC-cillin 2002
* \C$\Program Files\Trend Micro\PC-cillin 2003
* \C$\Program Files\Trend Micro\Internet Security
* \C$\Program Files\NavNT
* \C$\Program Files\Panda Software\Panda Antivirus Platinum
* \C$\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal
* \C$\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro
* \C$\Program Files\Panda Software\Panda Antivirus 6.0
* \C$\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus

28. Attempts to execute the following command on the compromised computer to execute its copy at the end of the hour:

at [COMPUTER NAME] [HOUR]:59 /interactive \\[COMPUTER NAME]\Admin$\WINZIP_TMP.exe
at [COMPUTER NAME] [HOUR]:59 /interactive \\[COMPUTER NAME]\C$\WINZIP_TMP.exe

Note: [COMPUTER NAME] is a remote computer name and [HOUR] represents the hour when propagation begins.

29. 30 minutes after the worm file UPDATE.EXE is loaded into memory (which could be when a compromised computer is started up or when the worm is executed on a computer), the worm checks if the date is the 3rd of the month. If it is the 3rd of the month the worm will attempt to overwrite files with the following extensions in available drives from A to Z:

* *.doc
* *.xls
* *.mdb
* *.mde
* *.ppt
* *.pps
* *.zip
* *.rar
* *.pdf
* *.psd
* *.dmp

Note:
* The worm will not overwrite files in the first available drive. For example if the first available drive is the C drive, the worm will overwrite files in available drives from D to Z.
* The files are overwritten with the following text:

DATA Error [47 0F 94 93 F4 F5]

Affected

  • Windows 2000
  • Windows 95
  • Windows 98
  • Windows Me
  • Windows NT
  • Windows Server 2003
  • Windows XP

Response

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan and delete all the files detected.
4. Delete any values added to the registry.
  • Twitter
  • Facebook
  • LinkedIn
  • Google+
  • YouTube