Worm - Win32 - Surubat
1. Summary:
Suburat is a 48 kB worm that spreads through email messages and mapped network drives. It includes an IRC backdoor that waits for remote commands.
2. Detailed description:
After its execution, the worm copies itself into the following locations:
%PROGRAMFILES%\MICROSOFT OFFICE\OFFICE\MSOHEV.EXE
%WINDOWS%\DATABASE.TXT
%WINDOWS%\documents.exe
%WINDOWS%\mmsgs\systema.exe
%WINDOWS%\safemode.exe
%WINDOWS%\taskmanager.exe
%WINDOWS%\Restore\scvhost.exe
%WINDOWS%\Restore\systems.exe
%WINDOWS%\Restore\winamps.exe
%WINDOWS%\Restore\winzip.exe
Afterwards it renames the file "MSVBVM60.DLL" in the %SYSTEM% directory to "_MSVBVM60.DLL".
It modifies the following registry keys:
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Update" = "C:\%WINDOWS%\Restore\systems.exe"
[HKLM\SYSTEM\CurrentControlSet\Services\srservice]
"ImagePath" = "%Windir%\Restore\scvhost.exe"
To prevent the user from being warned when it sends email, it also modifies this key:
[HKCU\Identities\[uniq id of currently logged in user]\Software\Microsoft\Outlook Express\5.0\Mail]
"Warn on Mapi Send" = "0"
Suburat tries to copy its body into these network shares:
$ADMIN
$IPC
$PRINTER
Afterwards it installs the IRC backdoor, which connects to "irc.librenet.net" on port 6667 (IRC).
It joins a private channel and waits for commands from the author.
It is capable of downloading, uploading and executing files; moreover, it allows the author to run arbitrary command-prompt commands.
3. Infection by email:
Suburat harvests email addresses from the registry keys:
[HKCU\Software\Microsoft\Internet Account Manager\Accounts]
[HKCU\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts]
The sent email always has the sender's address (From:) set to "Administrator".
The email also has a constant recipient's address (To:) "System Administrator".
The subject of the email is usually: "System Administrator, This is out report of naked isue".
The body of the email looks like:
Please read attachment bellow, and please reply to me..!!!
hope we dont have miss understanding
thanks...!!!
The email includes an attachment named "Peta_Instalasi_Nuklir_Israel.zip". This is the body of the worm.
4. Cleaning:
- Reboot the PC into safe mode.
- Kill the process "systems.exe" if it is running.
- Erase the following files if they exist:
%PROGRAMFILES%\MICROSOFT OFFICE\OFFICE\MSOHEV.EXE
%WINDOWS%\DATABASE.TXT
%WINDOWS%\documents.exe
%WINDOWS%\mmsgs\systema.exe
%WINDOWS%\safemode.exe
%WINDOWS%\taskmanager.exe
%WINDOWS%\Restore\scvhost.exe
%WINDOWS%\Restore\systems.exe
%WINDOWS%\Restore\winamps.exe
%WINDOWS%\Restore\winzip.exe
- In the %SYSTEM% directory rename the file "_MSVBVM60.DLL" back to its default name "MSVBVM60.DLL".
- Delete the following registry entries:
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Update" = "%Windir%\Restore\systems.exe"
[HKLM\SYSTEM\CurrentControlSet\Services\srservice]
"ImagePath" = "%Windir%\Restore\scvhost.exe"
- Restore this key to its original value:
[HKCU\Identities\[uniq id of currently logged in user]\Software\Microsoft\Outlook Express\5.0\Mail]
"Warn on Mapi Send" = "0"
to
"Warn on Mapi Send" = "1"
- Reboot back into normal mode.
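As an added example (not part of the original description), the following read-only PowerShell audit checks a host for the file, registry and process indicators listed in sections 2 and 4 before the manual cleaning is carried out. It assumes %WINDOWS% corresponds to $env:windir, %PROGRAMFILES% to $env:ProgramFiles and %SYSTEM% to $env:SystemRoot\System32; it changes nothing on the machine.

```powershell
# Added example: audit a host for the Surubat indicators described above.
# Read-only; assumes %WINDOWS% = $env:windir, %PROGRAMFILES% = $env:ProgramFiles,
# %SYSTEM% = $env:SystemRoot\System32.
$win  = $env:windir
$prog = $env:ProgramFiles
$files = @(
    "$prog\Microsoft Office\Office\MSOHEV.EXE",
    "$win\DATABASE.TXT", "$win\documents.exe", "$win\mmsgs\systema.exe",
    "$win\safemode.exe", "$win\taskmanager.exe",
    "$win\Restore\scvhost.exe", "$win\Restore\systems.exe",
    "$win\Restore\winamps.exe", "$win\Restore\winzip.exe",
    "$env:SystemRoot\System32\_MSVBVM60.DLL"   # the renamed runtime DLL
)
$findings = @()
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}

# Persistence: the Run value and the hijacked srservice ImagePath.
$run = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run.Update -match 'Restore\\systems\.exe') { $findings += "Run value 'Update' = $($run.Update)" }
$svc = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\srservice' -ErrorAction SilentlyContinue
if ($svc.ImagePath -match 'Restore\\scvhost\.exe') { $findings += "srservice ImagePath = $($svc.ImagePath)" }

# Outlook Express MAPI send warning disabled under any identity.
foreach ($id in (Get-ChildItem 'HKCU:\Identities' -ErrorAction SilentlyContinue)) {
    $mail = Join-Path $id.PSPath 'Software\Microsoft\Outlook Express\5.0\Mail'
    $v = (Get-ItemProperty $mail -ErrorAction SilentlyContinue).'Warn on Mapi Send'
    if ($v -eq 0) { $findings += "'Warn on Mapi Send' = 0 under identity $($id.PSChildName)" }
}

# The worm's running process.
if (Get-Process -Name systems -ErrorAction SilentlyContinue) { $findings += 'Process systems.exe is running' }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No Surubat indicators found.' }
```

Run it from an elevated prompt so the HKLM service key is readable; any warning it prints corresponds to one of the cleaning steps in section 4.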
0 writebacks [09/30/2007 22:00]