execution. windnsd.exe WINDNSD.EXE-356BCE04.pf

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: W32.Spybot.Worm
File: C:\WINDOWS\system32\windnsd.exe
Location: C:\WINDOWS\system32
Computer: GWR
User: a
Action taken: Clean failed : Quarantine failed : Access denied
Date found: Wednesday, March 01, 2006 10:56:11 AM

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: W32.Spybot.Worm
File: C:\WINDOWS\system32\windnsd.exe
Location: C:\WINDOWS\system32
Computer: GWR
User: a
Action taken: Clean failed : Quarantine failed : Access denied
Date found: Wednesday, March 01, 2006 11:00:04 AM
WORM_WOOTBOT.AS
Size of malware: 90,112 Bytes
Initial samples received on: Oct 6, 2004

Payload 1: Compromises system security
Trigger condition 1: Upon execution

Details:
Installation and Autostart
Upon execution, this memory-resident worm drops a copy of itself as WINDNSD.EXE in the Windows system folder. The originally executed file then deletes itself.
It creates the following autostart entries to ensure its automatic execution at every system startup:
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
Windows DNS Daemon = "windnsd.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Windows DNS Daemon = "windnsd.exe"

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce
Windows DNS Daemon = "windnsd.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
Windows DNS Daemon = "windnsd.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
Windows DNS Daemon = "windnsd.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
Windows DNS Daemon = "windnsd.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Windows DNS Daemon = "windnsd.exe"

It also registers itself as a service by creating the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wdnsd
Network Propagation and Exploits
This worm spreads via network shares. It uses NetBEUI functions to enumerate available user names and passwords. It then searches for the IPC$ shared folder and, using the gathered credentials, drops a copy of itself there.
It may also take advantage of the following Windows vulnerabilities to propagate:
Buffer Overflow in SQL Server 2000, a vulnerability that allows a low-privileged user to run, delete, insert or update Web tasks. An attacker who is able to authenticate to a SQL server can do the same, and can run already created Web tasks in the context of the task's creator. More information on this vulnerability is found in Microsoft Security Bulletin MS02-061.
The RPC/DCOM vulnerability, which allows an attacker to gain full access and execute arbitrary code on a target machine by sending a malformed packet to the DCOM service. The attack uses RPC over TCP port 135. More information on this vulnerability is found in Microsoft Security Bulletin MS03-026.
The IIS/WebDAV vulnerability, which enables arbitrary code execution on the WebDAV server, again by sending a malformed request packet. The vulnerable service is IIS over HTTP on port 80. More information about this vulnerability is found in Microsoft Security Bulletin MS03-007.
The Windows LSASS vulnerability, a buffer overrun that allows remote code execution and enables a malicious user to gain full control of the affected system. This vulnerability is discussed in detail in Microsoft Bulletin MS04-011 and Trend Micro's Vulnerability Description for MS04-011. The worm also turns the affected system into a TFTP server so that it can transfer itself to other systems as BLING.EXE.
Backdoor Capabilities
This worm has backdoor capabilities. It attempts to connect to the Internet Relay Chat (IRC) server irc.t3musso.net, which allows a remote
user to access affected systems.
The said routine allows the malicious user to perform the following actions:
Update malware from HTTP and FTP URL
Execute a file
Download from HTTP and FTP URL
Open a command shell
Open files
Display the driver list
Get screen capture
Capture pictures and video clips
Display network information such as the following:
    connection type
    local IP address
Make the bot join a channel
Stop and start a thread
List all running processes
Rename a file
Generate a random nickname
Perform different kinds of DDoS attacks
Retrieve and clear log files
Terminate the bot
Disconnect the bot from IRC
Send a message to the IRC server
Let the bot perform a mode change
Change bot ID
Log the user on and off
Issue a ping attack against a target computer
Display system information such as the following:
    Amount of memory
    CPU speed
    Malware uptime
    User name
    Windows platform, build version and product ID
Log keystrokes
Create several threads for packet sniffing

Denial of Service
This worm performs a denial of service (DoS) attack through the following flood attacks on random IP addresses:
ICMP
HTTP
SYN
UDP

Information Theft
This worm steals the CD keys of the following games:
Battlefield 1942
Battlefield 1942 (Road To Rome)
Battlefield 1942 (Secret Weapons of WWII)
Battlefield Vietnam
Black and White
Chrome
Command and Conquer: Generals
Command and Conquer: Generals (Zero Hour)
Command and Conquer: Red Alert
Command and Conquer: Red Alert 2
Command and Conquer: Tiberian Sun
Counter-Strike (Retail)
FIFA 2002
FIFA 2003
Freedom Force
Global Operations
Gunman Chronicles
Half-Life
Hidden & Dangerous 2
IGI 2: Covert Strike
Industry Giant 2
James Bond 007: Nightfire
Legends of Might and Magic
Medal of Honor: Allied Assault
Medal of Honor: Allied Assault: Breakthrough
Medal of Honor: Allied Assault: Spearhead
Microsoft Windows Product ID
Nascar Racing 2002
Nascar Racing 2003
Need For Speed Hot Pursuit 2
Need For Speed: Underground
Neverwinter Nights (Hordes of the Underdark)
Neverwinter Nights (Shadows of Undrentide)
NHL 2002
NHL 2003
Rainbow Six III RavenShield
Shogun: Total War: Warlord Edition
Soldier of Fortune II - Double Helix
Soldiers Of Anarchy
The Gladiators
Unreal Tournament 2003
Unreal Tournament 2004
Removing Autostart Entries from the Registry
Removing autostart entries from the registry prevents the malware from executing at startup.
1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
2. In the left panel, double-click the following: HKEY_USERS>.DEFAULT>Software>Microsoft>Windows>CurrentVersion>Run
3. In the right panel, locate and delete the entry: Windows DNS Daemon = "windnsd.exe"
4. In the left panel, double-click the following: HKEY_USERS>.DEFAULT>Software>Microsoft>Windows>CurrentVersion>RunOnce
5. In the right panel, locate and delete the entry: Windows DNS Daemon = "windnsd.exe"
6. In the left panel, double-click the following: HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Run
7. In the right panel, locate and delete the entry: Windows DNS Daemon = "windnsd.exe"
8. In the left panel, double-click the following: HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>RunOnce
9. In the right panel, locate and delete the entry: Windows DNS Daemon = "windnsd.exe"
10. In the left panel, double-click the following: HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
11. In the right panel, locate and delete the entry: Windows DNS Daemon = "windnsd.exe"
12. In the left panel, double-click the following: HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>RunServices
13. In the right panel, locate and delete the entry: Windows DNS Daemon = "windnsd.exe"
14. In the left panel, double-click the following: HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>RunOnce
15. In the right panel, locate and delete the entry: Windows DNS Daemon = "windnsd.exe"
16. In the left panel, double-click the following: HKEY_LOCAL_MACHINE>System>CurrentControlSet>Services
17. Still in the left panel, locate and delete the following: wdnsd
18. Close Registry Editor.
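A PowerShell audit of the autostart locations, service key and dropped file named in this write-up, added here as an example and not part of the Trend Micro description; it only reports unless -Remove is given, and assumes an elevated PowerShell 5 or later session on a system where the key paths are as listed above.

```powershell
# Added example: report (and optionally remove) the WORM_WOOTBOT.AS autostart
# entries listed in the write-up. Report-only by default; -Remove deletes them.
param([switch]$Remove)

$valueName  = 'Windows DNS Daemon'
$runKeys = @(
    'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run',
    'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
)
$serviceKey = 'HKLM:\System\CurrentControlSet\Services\wdnsd'
$dropped    = Join-Path $env:SystemRoot 'system32\windnsd.exe'

$findings = @()

# Each autostart key: look only for the value name the worm uses.
foreach ($key in $runKeys) {
    $item = Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        $findings += [pscustomobject]@{ Location = $key; Value = $item.$valueName }
        if ($Remove) { Remove-ItemProperty -Path $key -Name $valueName }
    }
}

# Service registration created by the worm.
if (Test-Path $serviceKey) {
    $findings += [pscustomobject]@{ Location = $serviceKey; Value = '(service key present)' }
    if ($Remove) { Remove-Item -Path $serviceKey -Recurse }
}

# Dropped copy in the system folder (left in place; scan with antivirus as the write-up says).
if (Test-Path $dropped) {
    $findings += [pscustomobject]@{ Location = $dropped; Value = '(dropped file present)' }
}

# A running windnsd process means the worm is still active and registry cleanup may be undone.
Get-Process -Name windnsd -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += [pscustomobject]@{ Location = "PID $($_.Id)"; Value = '(process running)' }
}

if ($findings.Count -eq 0) { 'No WORM_WOOTBOT.AS autostart artefacts found.' }
else { $findings | Format-Table -AutoSize }
```

If the process is still running, terminate it (or reboot, as the NOTE below says) before running with -Remove, otherwise the worm can recreate the entries.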
NOTE: If you were not able to terminate the malware process as described in the previous procedure, restart your system.

Additional Windows ME/XP Cleaning Instructions
Users running Windows ME and XP must disable System Restore to allow full scanning of infected systems.
Users running other Windows versions can proceed with the succeeding procedure sets.
Running Trend Micro Antivirus
Scan your system with Trend Micro antivirus and delete all files detected as WORM_WOOTBOT.AS. To do this, Trend Micro customers must download
the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro’s free online virus scanner.
Applying Patches
This malware exploits known vulnerabilities affecting the Windows NT platforms. Refer to the following Microsoft pages to download and install the files needed to patch your system.
Microsoft Security Bulletin MS03-026
Microsoft Security Bulletin MS02-061
Microsoft Security Bulletin MS03-007
Microsoft Security Bulletin MS04-011

Refrain from using the affected software until the appropriate patch has been installed.