W32/Nachi.H!worm

Analysis


Specifics
This virus is 32-bit with a packed file size of 12,800 bytes, and is a minor variant of W32/Nachi.F-net. It is capable of compromising systems that contain an RPC DCOM buffer overflow vulnerability or a WebDAV vulnerability. The virus then attempts to download the associated patches to that system to prevent a future compromise in the same manner.


Loading At Windows Startup
If the virus is run, it will create a mutex named "WksPatch_Mutex" and run as a process in memory. The virus will copy itself to the local system into the drivers folder as "svchost.exe" and set a registry entry to load the virus as a service at each Windows startup -

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WksPatch\
"Description" = Coordinates transactions that are distributed across two or more databases, message queues, file systems, or other transaction protected resource managers.
"DisplayName" = Network Logging Messaging
"ErrorControl" = 00, 00, 00, 00
"ImagePath" = C:\WINNT\System32\drivers\svchost.exe
"ObjectName" = LocalSystem
"Start" = 02, 00, 00, 00
"Type" = 10, 00, 00, 00

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WksPatch\Security\
"Security" = [hex values]

The registry value created above named "DisplayName" has variable data: a randomizing routine constructs the text from a table of names hard-coded in the virus.
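As an added illustration (not part of the Fortinet analysis), the following Python check evaluates a service registry entry against the persistence indicators listed above: a service named WksPatch, or an svchost.exe image that lives anywhere other than the System32 directory (Windows' own svchost.exe is never installed under drivers\). The page's own values are embedded as a constructed sample record; the legitimate entry used for comparison is an assumption, as is the record-as-dict format, which stands in for whatever registry reader a responder actually uses.

```python
import ntpath

# Service name taken from the analysis above.
SUSPECT_SERVICE_NAMES = {"wkspatch"}

# The genuine svchost.exe is installed directly in System32 (WINNT or WINDOWS
# depending on the Windows version); a copy under drivers\ is not legitimate.
LEGIT_SVCHOST_DIRS = {r"c:\winnt\system32", r"c:\windows\system32"}

# Values from the registry listing above, as a constructed sample record.
PAGE_ENTRY = {
    "Description": "Coordinates transactions that are distributed across two "
                   "or more databases, message queues, file systems, or other "
                   "transaction protected resource managers.",
    "DisplayName": "Network Logging Messaging",
    "ErrorControl": 0,
    "ImagePath": r"C:\WINNT\System32\drivers\svchost.exe",
    "ObjectName": "LocalSystem",
    "Start": 2,
    "Type": 0x10,
}

# Constructed example of a normal service entry (assumed, not from the page).
LEGIT_ENTRY = {
    "DisplayName": "Remote Procedure Call (RPC)",
    "ImagePath": r"C:\WINDOWS\System32\svchost.exe -k rpcss",
    "ObjectName": "NT AUTHORITY\\NetworkService",
    "Start": 2,
    "Type": 0x20,
}


def executable_from_image_path(image_path):
    """Strip arguments (and surrounding quotes) from a service ImagePath."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def svchost_anomalies(service_name, values):
    """Return the indicator names that match the persistence entry described
    above. `values` maps the value names under
    HKLM\\SYSTEM\\CurrentControlSet\\Services\\<service_name> to their data."""
    reasons = []
    if service_name.lower() in SUSPECT_SERVICE_NAMES:
        reasons.append("known-service-name")
    exe = executable_from_image_path(values.get("ImagePath", ""))
    directory, base = ntpath.split(exe)
    directory = directory.lower()
    if base.lower() == "svchost.exe" and directory not in LEGIT_SVCHOST_DIRS:
        reasons.append("svchost-outside-system32")
    if directory.endswith("\\drivers"):
        reasons.append("binary-in-drivers-folder")
    return reasons


def audit_services(services):
    """services: {name: values}. Returns {name: reasons} for hits only."""
    hits = {}
    for name, values in services.items():
        reasons = svchost_anomalies(name, values)
        if reasons:
            hits[name] = reasons
    return hits


if __name__ == "__main__":
    sample = {"WksPatch": PAGE_ENTRY, "RpcSs": LEGIT_ENTRY}
    for name, reasons in audit_services(sample).items():
        print(name, "->", ", ".join(reasons))
```

The check deliberately ignores DisplayName, since the analysis states that value is randomized; the ImagePath location and the service name are the stable indicators.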


RPC Infection Method
The virus may scan for other machines on the network and attempt to penetrate them using a known RPC DCOM buffer overflow exploit; it could also use a known RPC Locator exploit. If the virus gains access to a system, it could copy itself to that system and execute that copy on the target host.
The transfer occurs via a random TCP port: the virus acts as an HTTP web server and instructs the target system to download the virus using a URL to the infectious binary, in this format -

http://%s:%d/WksPatch.exe

Where %s is the IP address of the infected system, and %d is the port used by the virus to host itself.


System Patching Payload
Once the virus is running, it assumes the host requires an RPC patch from Microsoft and proceeds to download it from a hard-coded URL. Before downloading, the virus checks for Internet connectivity by testing whether it can reach any of the sites 'google.com', 'intel.com' or 'microsoft.com'. Next, the virus attempts to retrieve one of the following packages from one of six Microsoft download web servers.

WindowsXP-KB828035-x86-CHS.exe
WindowsXP-KB828035-x86-KOR.exe
WindowsXP-KB828035-x86-ENU.exe
Windows2000-KB828749-x86-CHS.exe
Windows2000-KB828749-x86-KOR.exe
Windows2000-KB828749-x86-ENU.exe
The virus instructs the downloaded application to run silently and not to reboot, so as not to alert the user to the behind-the-scenes installation. The downloaded installer is a patch against the RPC DCOM buffer overflow and RPC Locator exploits, and corresponds to Microsoft Knowledge Base articles KB828035 and KB828749.
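The two network behaviours described above (the http://%s:%d/WksPatch.exe transfer from an infected host, and the subsequent fetch of one of the six patch packages) leave a recognisable trail in web proxy or firewall logs. The following Python script, added here and not part of the Fortinet analysis, scans constructed log lines for both and reports which clients fetched the worm binary, which internal hosts served it (those are already infected), and which clients also pulled one of the patch packages. The log format ('timestamp client_ip method url') and the patch-server hostname are assumptions; the page does not give the real download URLs.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# File name the worm serves from its ad-hoc HTTP listener (from the analysis).
WORM_BINARY = "wkspatch.exe"

# The six patch packages the worm tries to fetch after infecting a host.
PATCH_PACKAGES = {
    "windowsxp-kb828035-x86-chs.exe",
    "windowsxp-kb828035-x86-kor.exe",
    "windowsxp-kb828035-x86-enu.exe",
    "windows2000-kb828749-x86-chs.exe",
    "windows2000-kb828749-x86-kor.exe",
    "windows2000-kb828749-x86-enu.exe",
}

# Constructed sample log lines; hosts, ports and the patch-server name are
# invented for the example.
SAMPLE_LOG = [
    "2004-02-11T10:15:02 10.0.0.5 GET http://10.0.0.17:1134/WksPatch.exe",
    "2004-02-11T10:15:40 10.0.0.5 GET http://patch-server.example/dl/WindowsXP-KB828035-x86-ENU.exe",
    "2004-02-11T10:16:11 10.0.0.9 GET http://patch-server.example/dl/Windows2000-KB828749-x86-ENU.exe",
    "2004-02-11T10:16:30 10.0.0.9 GET http://www.example.com/index.html",
    "2004-02-11T10:17:05 10.0.0.21 GET http://10.0.0.5:4022/WksPatch.exe",
]


def classify_url(url):
    """Label a requested URL as 'worm-transfer', 'patch-download' or None."""
    name = urlsplit(url).path.rsplit("/", 1)[-1].lower()
    if name == WORM_BINARY:
        return "worm-transfer"
    if name in PATCH_PACKAGES:
        return "patch-download"
    return None


def worm_listener(url):
    """Return 'ip:port' of the serving host when the URL matches the pattern
    above (a private IP literal on a port other than 80/443), else None."""
    parts = urlsplit(url)
    try:
        host, port = parts.hostname, parts.port
        if host is None or port in (None, 80, 443):
            return None
        if not ipaddress.ip_address(host).is_private:
            return None
    except ValueError:  # non-numeric host or malformed port
        return None
    return f"{host}:{port}"


def summarize(lines):
    """Return {'clients': {client_ip: sorted labels}, 'listeners': [...]}."""
    clients = defaultdict(set)
    listeners = set()
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        client, url = fields[1], fields[3]
        label = classify_url(url)
        if label is None:
            continue
        clients[client].add(label)
        if label == "worm-transfer":
            peer = worm_listener(url)
            if peer:
                listeners.add(peer)
    return {"clients": {c: sorted(l) for c, l in clients.items()},
            "listeners": sorted(listeners)}


def likely_infected(summary):
    """Hosts that fetched the worm binary plus hosts that served it."""
    hosts = {c for c, labels in summary["clients"].items()
             if "worm-transfer" in labels}
    hosts.update(peer.rsplit(":", 1)[0] for peer in summary["listeners"])
    return sorted(hosts)


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print("clients:", result["clients"])
    print("listeners:", result["listeners"])
    print("likely infected:", likely_infected(result))
```

A patch download on its own is not evidence of infection (an administrator may fetch the same package), which is why the script only treats the WksPatch.exe transfer as the infection signal and reports the patch fetch as corroboration for the same client.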


W32/Mydoom Removal Payload
The virus will also seek four files associated with the Mydoom.A and Mydoom.B viruses and delete them; if the related registry keys exist, the virus will try to remove those as well -

ctfmon.dll
Explorer.exe
shimgapi.dll
TaskMon.exe
The virus overwrites the existing HOSTS file with a single entry -

127.0.0.1 localhost


Web File Overwrite Payload
The virus may search for files with the extensions .shtml, .shtm, .stm, .cgi, .php, .html, .htm or .asp and overwrite the contents with simple HTML code. The code makes reference to dates related to World Wars I and II -

LET HISTORY TELL FUTURE !
1931.9.18
1937.7.7
1937.12.13 300,000 !
1941.12.7
1945.8.6 Little boy
1945.8.9 Fatso
1945.8.15
Let history tell future !
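Because the overwrite replaces page content rather than adding a file, the quickest way to scope this payload on a web server is a content scan of the targeted extensions for the defacement text. The following Python scanner is an added example, not part of the Fortinet analysis; it builds a small constructed web root in a temporary directory (two overwritten pages, one intact page, and a .txt file the payload would not touch) and reports the overwritten files. The directory layout and file contents are constructed for the example.

```python
import os
import tempfile

# Extensions the payload targets (from the analysis above).
TARGET_EXTENSIONS = {".shtml", ".shtm", ".stm", ".cgi", ".php",
                     ".html", ".htm", ".asp"}

# Fragment of the text the payload writes, used as the content signature.
# Compared case-insensitively, since the page shows it in both cases.
SIGNATURE = b"LET HISTORY TELL FUTURE"


def is_defaced(data):
    """True when the file contents carry the overwrite payload's text."""
    return SIGNATURE in data.upper()


def find_defaced(root):
    """Walk root and return sorted, slash-separated relative paths of files
    with a targeted extension whose contents match the signature."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if os.path.splitext(fn)[1].lower() not in TARGET_EXTENSIONS:
                continue
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as f:
                if is_defaced(f.read()):
                    rel = os.path.relpath(path, root)
                    hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def build_sample_webroot():
    """Create a temporary directory with constructed files: two overwritten
    pages, one intact page, and a non-target file containing the text."""
    root = tempfile.mkdtemp(prefix="webroot-")
    files = {
        "index.html": b"<html>LET HISTORY TELL FUTURE !<br>1931.9.18<br></html>",
        "blog/post.php": b"Let history tell future !",
        "about.htm": b"<html><body>Welcome to our site</body></html>",
        "notes.txt": b"LET HISTORY TELL FUTURE !",
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    root = build_sample_webroot()
    for hit in find_defaced(root):
        print("overwritten:", hit)
```

On a real server, point find_defaced at the document root; the list it returns is the set of files to restore from a known-good backup, since the original content is gone once overwritten.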


Recommended Action

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
  • Using the FortiGate manager, block external to internal access on TCP port 445

Telemetry

Detection Availability

FortiGate - Extreme
FortiClient - Extended
FortiMail - Extended
FortiSandbox - Extended
FortiWeb - Extended
Web Application Firewall - Extended
FortiIsolator - Extended
FortiDeceptor - Extended
FortiEDR