The worm sends its code as an HTTP request. The HTTP request exploits a known buffer-overflow vulnerability, which allows the worm to run on your computer. The malicious code is not saved as a file, but is inserted into and then run directly from memory.
Once run, the worm checks for the file, C:\Notworm. If this file exists, the worm does not run and the thread goes into an infinite sleep state.
If the C:\Notworm file does not exist, then new threads are created. If the date is before the 20th of the month, the next 99 threads attempt to exploit more computers by targeting random IP addresses. To avoid looping back to infect the source computer, the worm will not make HTTP requests to the IP addresses 127.*.*.* .
If the default language of the computer is American English, further threads cause Web pages to appear defaced. First, the thread sleeps for two hours, and then hooks a function, which responds to the HTTP requests. Instead of returning the correct Web page, the worm returns its own HTML code.
The HTML displays:
Welcome to http:// www.worm.com !
Hacked By Chinese!
This hook lasts for 10 hours and is then removed. However, re-infection or other threads can rehook the function.
Two versions of this worm have been in the wild. The second version does not cause the Web pages to be defaced.
Also, if the date is between the 20th and 28th of the month, the active threads then attempt a Denial of Service (DoS) attack on a particular IP address, by sending large amounts of junk data to port 80 (Web service) of 220.127.116.11, which was www.whitehouse.gov. This IP address has been changed and is no longer active.
Finally, if the date is later than the 28th of the month, the worm's threads are not run, but are directed into an infinite sleep state. This multiple-thread creation can cause computer instability.
- If you are running Microsoft FrontPage or a similar program used to design Web pages, IIS may be installed on your computer.
- For additional information, including the string that is added to the IIS log files, go to the CERT Coordination Center page at:
- Hewlett-Packard Jet Direct cards listening on port 80 may also suffer a DoS.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":