Terror from the grave

Carl cwsiv_2nd at HOTPOP.COM
Tue Jan 11 15:00:22 MST 2005


Arafat is now a computer virus.

Subject: [virusinfo] Trend Micro Weekly Virus Report - November 19, 2004
Date: Fri, 19 Nov 2004

2. Arafat Worm - WORM_GOLTEN.A (Low Risk)

is a memory-resident network worm. It has no mass-mailing capabilities, but
may have been mass-mailed to specific email addresses instead. The email
message contains two .EMF file attachments: one shows the burial of
Palestinian leader Yasser Arafat and the other contains code that exploits
a Microsoft XP vulnerability. The worm propagates via network shares and
attempts to connect to network shared folders. It uses a list of user names
and passwords to gain access to machines, to establish a network
connection and execute a copy of itself in the accessed network share. This
worm runs on Windows 2000 and XP, and is currently spreading in the wild.


Upon execution, this worm drops the following files in the Windows system
folder:
ALERTER.EXE - main component and installer
COMWSOCK.DLL
DMSOCK.DLL
IETCOM.DLL
SPTRES.DLL
SCARDSER.EXE - installs .DLL (Dynamic Link Library) files that inject this
worm into LSASS.EXE and IEXPLORE.EXE

It also adds a registry entry that allows it to automatically execute at
every system startup, and installs the following .DLL files:
COMWSCOK.DLL
DMSOCK.DLL
IETCOM.DLL
SPTRES.DLL

These .DLL files inject this worm into the following processes:
LSASS.EXE
EXPLORER.EXE

The .DLL files download other components from a remote location, and are
responsible for the propagation of this worm.

The worm also adds a registry entry that initiates the download of a remote
file, which is saved as DMSTI.EXE.

WORM_GOLTEN.A propagates through network shares and attempts to connect and
execute a copy of itself in the following default network folders:
ADMIN$
IPC$

It also installs a service named NETLOG.

This worm uses the following user names and passwords to gain access to
machines connected on the same network:

!@#$
!@#$%
!@#$%
~!@#
000000
00000000
111
111111
11111111
12
123
123!@#
1234
1234!@#$
12345
12345!@#$%
123456
1234567
12345678
54321
654321
888888
88888888
admin
fan@ing*
oracle
pass
passwd
password
root
secret
security
stgzs
super
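The share-hopping behaviour described above (a burst of failed logons to ADMIN$ or IPC$ from one host using a short dictionary of accounts, followed by a success and a copied file) leaves a recognisable pattern in SMB or security audit logs. The following is an added detection example, not part of the Trend Micro report or the mailing-list post; the log line format, the timestamps, the 10.0.0.x hosts and the account names are all constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines (not real logs). Host 10.0.0.7 behaves like the
# worm: rapid failures against the default admin shares, then one success.
SAMPLE_LOG = """\
2004-11-19T10:00:01 src=10.0.0.7 share=ADMIN$ user=administrator result=FAIL
2004-11-19T10:00:02 src=10.0.0.7 share=ADMIN$ user=administrator result=FAIL
2004-11-19T10:00:04 src=10.0.0.7 share=IPC$ user=admin result=FAIL
2004-11-19T10:00:05 src=10.0.0.7 share=IPC$ user=root result=FAIL
2004-11-19T10:00:07 src=10.0.0.7 share=ADMIN$ user=oracle result=FAIL
2004-11-19T10:00:09 src=10.0.0.7 share=ADMIN$ user=administrator result=OK
2004-11-19T10:03:00 src=10.0.0.9 share=IPC$ user=jsmith result=FAIL
2004-11-19T10:00:00 src=10.0.0.12 share=ADMIN$ user=backup result=FAIL
2004-11-19T10:05:00 src=10.0.0.12 share=ADMIN$ user=backup result=FAIL
"""

LINE_RE = re.compile(r"(?P<ts>\S+) src=(?P<src>\S+) share=(?P<share>\S+) "
                     r"user=(?P<user>\S+) result=(?P<result>OK|FAIL)")
ADMIN_SHARES = {"ADMIN$", "IPC$"}  # default shares named in the report

def parse(text):
    """Yield one dict per well-formed line; silently skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            yield rec

def find_share_spray(text, threshold=5, window=timedelta(seconds=60)):
    """Map each source with >= threshold failed admin-share logons inside `window`
    to 'spray', or 'spray+success' if a successful logon follows the burst."""
    by_src = defaultdict(list)
    for rec in parse(text):
        if rec["share"] in ADMIN_SHARES:
            by_src[rec["src"]].append(rec)
    verdicts = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        fails = [r for r in recs if r["result"] == "FAIL"]
        for i in range(len(fails) - threshold + 1):
            burst = fails[i:i + threshold]
            if burst[-1]["ts"] - burst[0]["ts"] <= window:
                ok_after = any(r["result"] == "OK" and r["ts"] >= burst[-1]["ts"] for r in recs)
                verdicts[src] = "spray+success" if ok_after else "spray"
                break
    return verdicts
```

A 'spray+success' verdict is the one to act on first: it marks the host that the worm was able to copy itself to, so that host's Windows system folder and service list should be checked for the files and the NETLOG service named above.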

The worm may have been mass-mailed to specific email addresses.
The email arrives with the following:

Subject: Latest News about Arafat!!!
Message body:
Hello guys!
Latest news about Arafat!
Unimaginable!!!!!

The email also contains two .EMF file attachments: ARAFAT_1.EMF is a .JPG
file showing the burial of Palestinian leader Yasser Arafat, and
ARAFAT_2.EMF contains exploit code that uses the Microsoft Windows XP
Metafile Heap Overflow vulnerability. When opened, the file drops this worm
into a system. Read on this vulnerability.

If you would like to scan your computer for WORM_GOLTEN.A or thousands
of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend
Micro's free, online virus scanner at:

WORM_GOLTEN.A is detected and cleaned by Trend Micro pattern file 2.247.03
and above.


*********** MIKE"S REPLY SEPARATOR  ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request at freelists.org?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request at freelists.org?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member



--
 ___ _ _ _ ____ _ _  _
|    | | | [__  | |  |
|___ |_|_| ___] |  \/