W32/Nachi.H!worm
Analysis
Specifics
This virus is 32-bit, with a packed file size of 12,800 bytes, and is a minor variant of W32/Nachi.F-net. It is capable of compromising systems that contain an RPC DCOM buffer overflow vulnerability or a WebDAV vulnerability. After compromising a system, the virus attempts to download the associated patches to it, to prevent a future compromise in the same manner.
Loading At Windows Startup
If the virus is run, it creates a mutex named "WksPatch_Mutex" and runs as a process in memory. The virus copies itself to the local system's drivers folder as "svchost.exe" and sets registry entries that load it as a service at each Windows startup
-
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WksPatch\
"Description" = Coordinates transactions that are distributed across two or more databases, message queues, file systems, or other transaction protected resource managers.
"DisplayName" = Network Logging Messaging
"ErrorControl" = 00, 00, 00, 00
"ImagePath" = C:\WINNT\System32\drivers\svchost.exe
"ObjectName" = LocalSystem
"Start" = 02, 00, 00, 00
"Type" = 10, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WksPatch\Security\
"Security" = [hex values]
The "DisplayName" value created above varies from infection to infection: a randomizing routine in the virus builds it from a hard-coded table of names.
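The service entries above are what an incident responder has to look for on a suspect host. As an added example (this is not Fortinet's code), the following script parses a constructed `reg export`-style dump of the Services key and flags any service matching the page's indicators: the service name WksPatch, an ImagePath pointing at svchost.exe inside the drivers folder (the genuine svchost.exe lives directly in System32), and the MSDTC description text reused on a service that is not MSDTC. The sample dump, including its MSDTC entry, is constructed for the example.

```python
"""Triage check for the WksPatch service persistence described above.

Added example; this is not Fortinet's code. The sample dump below is
constructed: one legitimate-looking service and one matching the
indicators on this page.
"""
import re
from typing import Dict, List

SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSDTC]
"DisplayName"="Distributed Transaction Coordinator"
"ImagePath"="C:\\WINNT\\System32\\msdtc.exe"
"ObjectName"="NetworkService"
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WksPatch]
"Description"="Coordinates transactions that are distributed across two or more databases, message queues, file systems, or other transaction protected resource managers."
"DisplayName"="Network Logging Messaging"
"ImagePath"="C:\\WINNT\\System32\\drivers\\svchost.exe"
"ObjectName"="LocalSystem"
"Start"=dword:00000002
"Type"=dword:00000010
"""

KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')

# Opening words of the MSDTC service description that the page says the virus reuses.
MSDTC_DESCRIPTION = "Coordinates transactions that are distributed across two or more databases"


def parse_services(reg_text: str) -> Dict[str, Dict[str, str]]:
    """Return {service_name: {value_name: value}} from a .reg-style dump.

    String values have their .reg backslash escaping undone; REG_DWORD
    values are returned as decimal strings.
    """
    services: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            services[current] = {}
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            name, text, dword = val.groups()
            services[current][name] = (
                text.replace("\\\\", "\\") if text is not None else str(int(dword, 16))
            )
    return services


def service_indicators(name: str, values: Dict[str, str]) -> List[str]:
    """List the page's persistence indicators that one service matches."""
    hits: List[str] = []
    if name.lower() == "wkspatch":
        hits.append("service name WksPatch")
    if values.get("ImagePath", "").lower().endswith("\\drivers\\svchost.exe"):
        hits.append("svchost.exe launched from the drivers folder")
    if values.get("Description", "").startswith(MSDTC_DESCRIPTION) and name.lower() != "msdtc":
        hits.append("MSDTC description text on a non-MSDTC service")
    # Start=2 is automatic start; only worth noting once something else matched.
    if hits and values.get("Start") == "2":
        hits.append("configured to auto-start (Start=2)")
    return hits


def triage(reg_text: str) -> Dict[str, List[str]]:
    """Map each suspicious service name to the indicators it matched."""
    return {
        name: hits
        for name, values in parse_services(reg_text).items()
        if (hits := service_indicators(name, values))
    }


if __name__ == "__main__":
    for name, hits in triage(SAMPLE_REG_EXPORT).items():
        print(f"{name}: {', '.join(hits)}")
```

On a live host the dump would come from `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg` (saved as UTF-8 for this parser), and because the "DisplayName" is randomized it is deliberately not used as an indicator; the ImagePath and the reused description are the stable signals.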
RPC Infection Method
The virus may scan for other machines on the network and attempt to penetrate them using a known RPC DCOM buffer overflow exploit; it may also use a known RPC Locator exploit. If the virus gains access to a system, it copies itself to that system and executes the copy on the target host.
The transfer occurs over a random TCP port: the virus acts as an HTTP web server and instructs the target system to download the infectious binary from a URL of this form -
http://%s:%d/WksPatch.exe
where %s is the IP address of the infected system and %d is the port on which the virus hosts itself.
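That URL form is a useful network indicator: a bare IP address, a non-standard port, and the fixed file name. As an added example (not Fortinet's code), the following script runs over constructed proxy-style log lines (epoch, client IP, method, URL, status; real proxies and firewalls use other layouts, so `parse_line()` would be adjusted) and reports which hosts fetched the worm, which hosts served it (a host serving WksPatch.exe is itself running the worm's HTTP listener), and which of the page's six patch packages were fetched by the same client afterwards. The `download.example` host in the sample is a placeholder, not a Microsoft URL.

```python
"""Detect the worm's HTTP transfer and follow-up patch fetch in proxy logs.

Added example, not Fortinet's code. The log format and every line in
SAMPLE_LOG are constructed for this example.
"""
import re
from typing import Dict, List, NamedTuple, Optional

# Form of the URL the page gives: http://%s:%d/WksPatch.exe with a bare IP and random port.
WKSPATCH_RE = re.compile(r"^https?://(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})/WksPatch\.exe$", re.I)
# The six package names the page lists as the worm's patch downloads.
PATCH_RE = re.compile(r"/(Windows(?:XP|2000)-KB(?:828035|828749)-x86-(?:CHS|KOR|ENU)\.exe)$", re.I)

SAMPLE_LOG = """\
1075000001 10.0.0.5 GET http://10.0.0.9:3178/WksPatch.exe 200
1075000003 10.0.0.5 GET http://download.example/WindowsXP-KB828035-x86-ENU.exe 200
1075000005 10.0.0.7 GET http://www.example.com/index.html 200
1075000009 10.0.0.12 GET http://10.0.0.5:41230/WksPatch.exe 200
1075000011 10.0.0.7 GET http://www.example.com/WksPatch.exe 404
"""


class Entry(NamedTuple):
    ts: int
    client: str
    method: str
    url: str
    status: int


def parse_line(line: str) -> Optional[Entry]:
    """Split one constructed-format log line; None for anything malformed."""
    parts = line.split()
    if len(parts) != 5 or not parts[0].isdigit() or not parts[4].isdigit():
        return None
    return Entry(int(parts[0]), parts[1], parts[2], parts[3], int(parts[4]))


def analyse(log_text: str) -> Dict[str, List]:
    """Return worm transfers, the hosts on each side of them, and later patch fetches."""
    fetched: set = set()
    served: set = set()
    transfers: List[tuple] = []
    patches: List[tuple] = []
    for raw in log_text.splitlines():
        e = parse_line(raw)
        if e is None or e.method.upper() != "GET":
            continue
        m = WKSPATCH_RE.match(e.url)
        if m and e.status == 200:
            server, port = m.group(1), int(m.group(2))
            transfers.append((e.client, server, port))
            fetched.add(e.client)
            served.add(server)  # the serving host is running the worm's HTTP listener
            continue
        p = PATCH_RE.search(e.url)
        if p:
            patches.append((e.client, p.group(1)))
    return {
        "transfers": transfers,
        "fetched_worm": sorted(fetched),
        "served_worm": sorted(served),
        "patch_fetches": patches,
        # A patch fetch by a host that just pulled WksPatch.exe is the page's patching payload.
        "fetched_then_patched": sorted(c for c, _ in patches if c in fetched),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The 404 line from a hostname rather than an IP is left unflagged on purpose: the worm only ever serves the file from an infected host's own address, so requiring a dotted IP and a 200 status keeps the match specific.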
System Patching Payload
Once running, the virus assumes the host requires an RPC patch from Microsoft and proceeds to download it from a hard-coded URL. Before downloading, the virus checks for an Internet connection by testing whether it can reach any of the sites 'google.com', 'intel.com' or 'microsoft.com'. It then attempts to retrieve one of these packages from one of six Microsoft download web servers.
WindowsXP-KB828035-x86-CHS.exe
WindowsXP-KB828035-x86-KOR.exe
WindowsXP-KB828035-x86-ENU.exe
Windows2000-KB828749-x86-CHS.exe
Windows2000-KB828749-x86-KOR.exe
Windows2000-KB828749-x86-ENU.exe
The virus instructs the downloaded installer to run silently and not to reboot, so that the user is not alerted to the behind-the-scenes installation. The downloaded package is a patch against the RPC DCOM buffer overflow and RPC Locator exploits, and is related to Microsoft Knowledge Base articles KB828035 and KB828749.
W32/Mydoom Removal Payload
The virus also seeks four files associated with the Mydoom.A and Mydoom.B viruses and deletes them, and if the related registry keys exist, the virus tries to remove those as well -
ctfmon.dll
Explorer.exe
shimgapi.dll
TaskMon.exe
The virus overwrites the existing HOSTS file with a
single entry -
127.0.0.1 localhost
Web File Overwrite Payload
The virus may search for files with the extensions .shtml, .shtm, .stm, .cgi, .php, .html, .htm or .asp and overwrite their contents with simple HTML code. The code refers to dates related to World Wars I and II -
LET HISTORY
TELL FUTURE !
1931.9.18
1937.7.7
1937.12.13 300,000 !
1941.12.7
1945.8.6 Little boy
1945.8.9 Fatso
1945.8.15
Let history tell future !
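The defacement is easy to spot once a web server has been hit, but on a large site a scan is quicker than browsing. As an added example (not Fortinet's code), the following script walks a web root, looks only at the extensions the page lists, and reports files whose content carries the "LET HISTORY TELL FUTURE" marker; `demo()` builds a constructed web root in a temporary directory so the scan runs offline. The marker text and extension list are taken from this page; the sample files and directory layout are constructed.

```python
"""Scan a web root for files overwritten with the defacement text above.

Added example, not Fortinet's code. demo() writes constructed sample
files into a temporary directory and returns what the scan flags.
"""
import os
import re
import tempfile
from typing import List

# Extensions the page says the virus targets.
WEB_EXTENSIONS = {".shtml", ".shtm", ".stm", ".cgi", ".php", ".html", ".htm", ".asp"}
# The banner appears in caps at the top and in mixed case at the bottom; match either.
MARKER_RE = re.compile(r"let\s+history\s+tell\s+future", re.I)
MAX_BYTES = 64 * 1024  # the overwrite is a short page; no need to read large files fully


def is_defaced(path: str) -> bool:
    """True if path has a targeted extension and contains the marker."""
    _, ext = os.path.splitext(path)
    if ext.lower() not in WEB_EXTENSIONS:
        return False
    try:
        with open(path, "rb") as fh:
            head = fh.read(MAX_BYTES)
    except OSError:  # unreadable or missing file: report nothing rather than crash the scan
        return False
    return bool(MARKER_RE.search(head.decode("utf-8", errors="ignore")))


def scan_webroot(root: str) -> List[str]:
    """Sorted relative paths (forward slashes) of defaced files under root."""
    hits: List[str] = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if is_defaced(full):
                hits.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(hits)


# Constructed stand-in for the overwritten page content.
DEFACEMENT = (
    "<html><body>LET HISTORY\nTELL FUTURE !\n1931.9.18\n1937.7.7\n"
    "Let history tell future !</body></html>"
)


def demo() -> List[str]:
    """Build a constructed web root and return the files the scan flags."""
    root = tempfile.mkdtemp(prefix="nachi_demo_")
    os.makedirs(os.path.join(root, "docs"))
    samples = {
        "index.html": DEFACEMENT,
        "docs/about.asp": DEFACEMENT,
        "docs/intact.php": "<?php echo 'hello'; ?>",
        "notes.txt": DEFACEMENT,  # not a targeted extension, so not reported
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return scan_webroot(root)


if __name__ == "__main__":
    print(demo())  # run against a real site with scan_webroot("/path/to/webroot")
```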
Recommended Action
- Check the main screen of the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.
- Using the FortiGate manager, block external-to-internal access on TCP port 445.