[NEWS] A new Mass-Mailing and Backdoor Capable Worm Found in the Wild
From: support@securiteam.com
Date: 02/26/03
From: support@securiteam.com To: list@securiteam.com Date: 26 Feb 2003 22:14:07 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
A new Mass-Mailing and Backdoor Capable Worm Found in the Wild
------------------------------------------------------------------------
SUMMARY
This new worm, named "W32.HLLW.Lovgate.C@mm" (or simply Worm_Lovegate.c),
is malicious code intended to infect Windows-based computers via e-mail.
The worm abuses the familiar auto-reply pattern: from an infected client it
sends replies to users who have mailed that client in the past. Those users
are goaded into opening the e-mail with the worm attachment because the
bogus messages arrive as replies to familiar messages.
The worm also sends mail to various accounts in order to alert the hackers
to successful infections.
The title of the e-mail reads: "I'll try to reply as soon as possible.
Take a look to the attachment and send me your opinion! ".
DETAILS
How this worm operates:
1. The worm copies files into the %System% directory of the infected
computer.
This directory varies with each version of Windows:
(Assuming local drive for Windows is C:\)
Windows 95/98/Me: C:\Windows\System\
Windows NT/2000: C:\WinNt\System32\
Windows XP: C:\Windows\System32\
Those files might be:
* Winrpc.exe
* RPCsrv.exe
* SYShelp.exe
* WinRpcsrv.exe
* WinGate.exe
2. It also adds registry entries such as:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
syshelp = "%System%\syshelp.exe"
WinGate initialize = "%System%\WinGate.exe -remoteshell"
3. For computers that run Windows 95/98/Me it also adds:
run=rpcsrv.exe
to WIN.INI under [Windows].
4. In Windows NT/2000/XP it copies these files to the %System% folder and
then runs them:
* ily.dll
* Task.dll
* Reg.dll
* 1.dll
The worm creates a service named "Windows Management Extension" by using
the command
"Rundll32.exe Task.dll ondll_server".
Then, it invokes the command "Rundll32.exe ily.dll ondll_install"
and "Rundll32.exe ily.dll ondll_reg" to install and register itself.
It creates this registry entry to load the DLL file during startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Module Call initialize = "RUNDLL32.EXE reg.dll ondll_reg"
5. Modifies
HKEY_CLASSES_ROOT\txtfile\shell\open\command
Default = "winrpc.exe %1"
6. Adds these values:
syshelp %system%\syshelp.exe
WinGate initialize %system%\WinGate.exe -remoteshell
Module Call initialize RUNDLL32.EXE reg.dll ondll_reg
to:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
7. Copies itself to any network shared folder as a file with names such
as:
* joke.exe
* midsong.exe
* news_doc.exe
* fun.exe
* hamster.exe
* pics.exe
* PsPGame.exe
* s3msong.exe
* humor.exe
* images.exe
* billgt.exe
* card.exe
* docs.exe
* searchURL.exe
* setup.exe
* tamagotxi.exe
8. Typical reply mails sent from the infected client:
Subject: Documents
Message Body: Send me your comments
Attachment: Docs.exe
Subject: Roms
Message Body:Test this ROM! IT ROCKS!
Attachment:Roms.exe
Subject: Pr0n!
Message Body: Adult content!!! Use with parental advisory.
Attachment: Sex.exe
Subject: Evaluation copy
Message Body: Test it 30 days for free.
Attachment: Setup.exe
Subject: Help
Message Body: I'm going crazy... please try to find the bug!
Attachment:Source.exe
Subject: Beta
Message Body: Send reply if you want to be official beta tester.
Attachment: _SetupB.exe
Subject: Do not release
Message Body: This is the pack ;)
Attachment: Pack.exe
Subject: Last Update
Message Body: This is the last cumulative update.
Attachment: LUPdate.exe
Subject: The patch
Message Body: I think all will work fine.
Attachment: Patch.exe
Subject: Cracks!
Message Body: Check our list and mail your requests!
Attachment: CrkList.exe
--Begin Example---
To: @
From: @
Subject:
-----------------------------------
Message:
-----------------------------------
--End Example----
The worm attempts to send the following e-mail:
--Begin Example---
From: @
To: SMTP:@
Subject: Re:
Message:
'' wrote:
===
>
===
account auto-reply:
' I'll try to reply as soon as possible.
Take a look to the attachment and send me your opinion! '
>
--End Example----
9. The worm searches the following folders:
* .\ (current directory; the worm runs from here)
* path\to\Windows\
* My Documents
* The folder listed in the registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
Explorer\Shell Folders\Personal
It searches for any files with .ht* extensions (HTML files) and then uses
them to find targets by collecting the mail addresses that follow a
"mailto:" string.
It then mails the recipients, for example:
--Begin Example----
Subject: Documents
Message Body: Send me your comments
Attachment: Docs.exe
Subject: Roms
Message Body:Test this ROM! IT ROCKS!
Attachment:Roms.exe
Subject: Pr0n!
Message Body: Adult content!!! Use with parental advisory.
Attachment: Sex.exe
--End Example---
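The subject/attachment pairs listed in steps 8 and 9, together with the fake auto-reply text quoted in the summary, are enough to recognise this worm's messages at a mail gateway. The following Python script is an added example for this advisory, not code from SecuriTeam or from the vendors linked below. It uses only the standard library: classify_message() parses a raw message and returns the reasons it matches the worm's lures, and build_sample() constructs a few made-up test messages so the script runs offline. The function names, the sample addresses and the sample bodies are this example's own assumptions.

```python
"""Mail-gateway check for the Lovgate.C lures described in steps 8 and 9."""
import email
from email import policy
from email.message import EmailMessage

# Subject -> attachment pairs copied from the advisory's examples (lower-cased).
LOVGATE_LURES = {
    "documents": "docs.exe",
    "roms": "roms.exe",
    "pr0n!": "sex.exe",
    "evaluation copy": "setup.exe",
    "help": "source.exe",
    "beta": "_setupb.exe",
    "do not release": "pack.exe",
    "last update": "lupdate.exe",
    "the patch": "patch.exe",
    "cracks!": "crklist.exe",
}
# Fragment of the fake auto-reply quoted in the advisory summary.
AUTO_REPLY_TEXT = "take a look to the attachment and send me your opinion"


def attachment_names(msg):
    """Lower-cased file names of all attachment parts of a parsed message."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name:
            names.append(name.lower())
    return names


def classify_message(raw):
    """Return the reasons a raw RFC 822 message matches Lovgate.C (empty = no match)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg.get("Subject") or "").strip().lower()
    names = attachment_names(msg)
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part else ""
    reasons = []
    # Exact lure: one of the listed subjects carrying its matching .exe.
    lure = LOVGATE_LURES.get(subject)
    if lure and lure in names:
        reasons.append(f"known lure: subject {subject!r} with {lure}")
    # Reply-style lure: the bogus auto-reply text plus any executable attachment.
    if AUTO_REPLY_TEXT in body and any(n.endswith(".exe") for n in names):
        reasons.append("fake auto-reply text with executable attachment")
    return reasons


def build_sample(subject, body, attachment_name=None):
    """Construct a sample message (test data made up for this example, not a capture)."""
    msg = EmailMessage()
    msg["From"] = "alice@example.test"
    msg["To"] = "bob@example.test"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        # A few bytes stand in for the attachment; the filter never looks at them.
        msg.add_attachment(b"MZ\x90\x00", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = [
        build_sample("Roms", "Test this ROM! IT ROCKS!", "Roms.exe"),
        build_sample("Re: meeting", "'' wrote:\n> see you at 10\n"
                     "account auto-reply:\n' I'll try to reply as soon as possible.\n"
                     "Take a look to the attachment and send me your opinion! '",
                     "notes.exe"),
        build_sample("Help", "Agenda attached", "agenda.txt"),
    ]
    for raw in samples:
        print(email.message_from_bytes(raw, policy=policy.default)["Subject"],
              "->", classify_message(raw) or "clean")
```

Matching is deliberately two-sided: a listed subject alone is not enough (a genuine "Help" mail with a .txt attachment passes), and the auto-reply text only counts when an executable rides along with it, which is the combination the advisory describes.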
10. The worm allows remote users to access the system via port 10168.
11. It mails the hackers at these accounts:
* 54love@fescomail.net
* hacker117@163.com
* hello_dll@163.com
The SMTP server 163.com is heavily used by this worm.
12. On a Windows NT/2000/XP based computer:
It copies itself as %System%\Ssrv.exe
and creates the registry key:
HKEY_LOCAL_MACHINE\Software\KittyXP.sql\Install
It adds the value:
run = rpcsrv.exe
to:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
If a process called LSASS.EXE is found on the system the worm will try to
inject itself into it.
13. The worm might try to connect to other computers over the network as
administrator, using various passwords:
* 123
* 321
* 123456
* 654321
* guest
* administrator
* admin
and other similar passwords.
If it can log in, it copies itself as
\attacked.computer.address\admin\system32\stg.exe
and then attempts to start the file on the remote computer as the service
"Microsoft NetWork Services FireWall".
If HKEY_LOCAL_MACHINE\Software\KittyXP.sql\Install is present it drops a
copy of the worm in %System%\Ssrv.exe.
Recommended solution:
Update your antivirus software and scan your system.
Workaround:
First press CTRL+ALT+DEL to reboot (in Windows 95/98/Me) or to open Task
Manager (NT/2000/XP).
In Task Manager, kill any process whose name matches a process name on the
list above, using the End Program / End Process button.
Cleaning the Registry:
This is extremely dangerous and must be done with extreme care (as it may
cause irreversible damage to the Windows operating system and/or installed
programs).
It is recommended to back up the registry before making any changes to it.
See <http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/199762382617>
for more details.
First use Start->Run and type "regedit" and ENTER.
Use this tool to find and (carefully) delete all the registry entries
introduced by the worm:
* Find HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
In the right pane remove:
syshelp = "%System%\syshelp.exe"
WinGate initialize = "%System%\WinGate.exe -remoteshell"
Module Call initialize = "RUNDLL32.EXE reg.dll ondll_reg"
or similar entries.
* Find HKEY_CLASSES_ROOT\txtfile\shell\open\command
In the right pane modify:
Default to be: %System%\NOTEPAD.EXE %1 if it's not already that.
(it might be "winrpc.exe %1" for example).
* Find HKEY_CURRENT_USER\Software\Microsoft\Windows
NT\CurrentVersion\Windows (if this is on Windows NT/2000/XP)
Delete the value run in the right pane.
* Find and delete HKEY_LOCAL_MACHINE\Software\KittyXP.sql
Close the registry editor.
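Before touching the registry by hand it helps to know which of the indicators above are actually present on a host. The following Python script is an added example, not part of this advisory and not one of the vendor tools referenced below. audit_snapshot() is a read-only check over a dictionary describing a host (the HKLM Run values, the txtfile open command, the "run" value under Windows NT\CurrentVersion\Windows, whether the KittyXP.sql key exists and whether TCP 10168 accepts a local connection), so it can be run offline against constructed data; collect_from_windows() fills that dictionary on a live Windows host using the standard winreg module. The function names and the snapshot layout are assumptions of this example. It reports and deletes nothing, so the regedit steps above remain the cleanup.

```python
"""Read-only audit of the Lovgate.C host indicators listed in this advisory.

audit_snapshot() works on a plain dict so it can be exercised offline;
collect_from_windows() fills that dict from a live host (assumed layout).
"""
import socket
import sys

# File names the advisory says the worm drops (steps 1, 4 and 12).
WORM_FILES = {"winrpc.exe", "rpcsrv.exe", "syshelp.exe", "winrpcsrv.exe",
              "wingate.exe", "ssrv.exe", "ily.dll", "task.dll", "reg.dll", "1.dll"}
# Value names the worm writes under HKLM\...\CurrentVersion\Run (steps 2 and 6).
RUN_VALUE_NAMES = {"syshelp", "wingate initialize", "module call initialize"}
BACKDOOR_PORT = 10168  # step 10


def mentions_worm_file(command):
    """True if a whole path component or argument of a command line is a worm file."""
    tokens = command.lower().replace("\\", " ").replace('"', " ").split()
    return any(t in WORM_FILES for t in tokens) or "-remoteshell" in tokens


def audit_snapshot(snap):
    """Return a list of findings for a snapshot dict; an empty list means no indicator.

    Keys (all optional): run_values, txtfile_command, winnt_windows_values,
    kittyxp_present, port_open.
    """
    findings = []
    for name, data in snap.get("run_values", {}).items():
        if name.lower() in RUN_VALUE_NAMES or mentions_worm_file(data):
            findings.append(f"Run value {name!r} = {data!r}")
    cmd = snap.get("txtfile_command", "")
    if cmd and "notepad.exe" not in cmd.lower():
        findings.append(f"txtfile open command changed: {cmd!r}")
    for name, data in snap.get("winnt_windows_values", {}).items():
        if name.lower() == "run" and mentions_worm_file(data):
            findings.append(f"Windows NT 'run' value: {data!r}")
    if snap.get("kittyxp_present"):
        findings.append("HKLM\\Software\\KittyXP.sql\\Install exists")
    if snap.get("port_open"):
        findings.append(f"something is listening on TCP {BACKDOOR_PORT}")
    return findings


def collect_from_windows():
    """Build the snapshot from a live Windows host using winreg (Windows only)."""
    import winreg  # only importable on Windows

    def values_of(root, path):
        found = {}
        try:
            with winreg.OpenKey(root, path) as key:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:  # no more values
                        break
                    found[name] = str(data)
                    index += 1
        except OSError:  # key absent or not readable
            pass
        return found

    def key_exists(root, path):
        try:
            winreg.CloseKey(winreg.OpenKey(root, path))
            return True
        except OSError:
            return False

    try:  # unnamed (Default) value of the txtfile open command
        txt_cmd = winreg.QueryValue(winreg.HKEY_CLASSES_ROOT, r"txtfile\shell\open\command")
    except OSError:
        txt_cmd = ""
    try:  # a successful local connect means some process listens on the port
        socket.create_connection(("127.0.0.1", BACKDOOR_PORT), timeout=1).close()
        port_open = True
    except OSError:
        port_open = False
    return {
        "run_values": values_of(winreg.HKEY_LOCAL_MACHINE,
                                r"Software\Microsoft\Windows\CurrentVersion\Run"),
        "txtfile_command": txt_cmd,
        "winnt_windows_values": values_of(
            winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Windows NT\CurrentVersion\Windows"),
        "kittyxp_present": key_exists(winreg.HKEY_LOCAL_MACHINE, r"Software\KittyXP.sql\Install"),
        "port_open": port_open,
    }


if __name__ == "__main__":
    if sys.platform == "win32":
        snap = collect_from_windows()
    else:  # constructed sample resembling an infected host, for demonstration only
        snap = {"run_values": {"syshelp": r"%System%\syshelp.exe"},
                "txtfile_command": "winrpc.exe %1", "kittyxp_present": True}
    for line in audit_snapshot(snap) or ["no Lovgate.C indicators found"]:
        print(line)
```

Matching on whole tokens rather than substrings matters for the short name 1.dll, which would otherwise match any legitimate file ending in "1.dll"; the txtfile check flags any handler that is not Notepad, which is what the advisory tells you to restore.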
ADDITIONAL INFORMATION
For more information, see:
<http://www.trendmicro.com/en/security/advisories/win_me_clean.htm> for
complete Win Me/XP removal.
Additional links:
<http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.lovgate.c@mm.html> Symantec Security Response
<http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_LOVGATE.C> Trend Micro
For your convenience, free scanners can be found at:
<http://www.trendmicro.com/download/tsc.asp> Trend Micro System Cleaner
<http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.lovgate.removal.tool.html> Symantec