SV: More info on DarkMachine

From: Peter Kruse (peter.kruse@it.dk)
Date: 10/17/01


From: "Peter Kruse" <peter.kruse@it.dk>
To: "Markus De Shon" <mdeshon@secureworks.net>, <incidents@securityfocus.com>
Subject: SV: More info on DarkMachine
Date: Wed, 17 Oct 2001 23:52:40 +0200
Message-ID: <HHEJKDFPCOJENDFCKJFJEEAKCAAA.peter.kruse@it.dk>

Hi,

It appears that McAfee has already posted an analysis of this virus at their
website. The analysis can be found at this url:
http://vil.mcafee.com/dispVirus.asp?virus_k=99225&

They have apparently entitled the virus/worm "W32/Ucon@MM" and have rated it
a low risk.

Kind regards
Peter Kruse
Security and Virus Analyst
Telia Telecom

-----Original Message-----
From: Markus De Shon [mailto:mdeshon@secureworks.net]
Sent: 17 October 2001 19:36
To: incidents@securityfocus.com
Subject: More info on DarkMachine

We have executed the attachment in a controlled environment with Regmon
and Filemon running to track Registry and File accesses.

Regmon shows that the worm changed two registry keys:

739 59.36779760 Userconf SetValueEx
HKLM\Software\Description\Microsoft\Rpc\UuidPersistentData\ClockSequence
SUCCESS 0xA2E

740 59.36783360 Userconf SetValueEx
HKLM\Software\Description\Microsoft\Rpc\UuidPersistentData\LastTimeAllocated
SUCCESS 40 D3 9C 15 EB C

These don't appear to be hostile behavior--these keys seem to be changed
by other programs as well.

It did access, but apparently did not attempt to write to, WIN.INI.

It created a temporary binary file at C:\WINDOWS\TEMP\~DFE855.TMP (this
was a Win98 machine), which we're still looking at to see what its
function is. It is not a copy of the worm, as it is significantly
smaller. It contains the following text strings:

R\0o\0o\0t\0 \0E\0n\0t\0r\0y
rn1org

It creates the following files:

411 0.00014800 Userconf Write C:\COMMON.EXE SUCCESS
Offset: 0 Length: 10240

428 0.00018800 Userconf Write C:\REDE.EXE SUCCESS
Offset: 0 Length: 10240

445 0.00018960 Userconf Write C:\SI.EXE SUCCESS
Offset: 0 Length: 10240

462 0.00018480 Userconf Write C:\USERCONF.EXE SUCCESS
Offset: 0 Length: 10240

479 0.00018320 Userconf Write C:\DISK.EXE SUCCESS
Offset: 0 Length: 10240

The files other than DISK.EXE are already known to be possible names of
email attachments. All the files are identical copies of the worm.

The worm then launches Outlook and attempts to send copies of itself out.

I have forwarded copies of the worm to McAfee and CERT for further
analysis. So far, from our analysis, we have only found that the worm
propagates itself. Further analysis will be necessary to determine if
there are any other effects.

   Markus De Shon, Ph.D., GCIA #0227 <mdeshon@secureworks.net>
   Research Manager -- SecureWorks, Inc. -- 404 327-6339x127
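The Filemon trace quoted above shows the dropper pattern in a compact form: one process writing several same-sized executables into the root of C:\. The following script is an added example, not code from either poster or from SecureWorks; it parses Filemon-style records (modelled on the lines in the report, with each record on a single line as Filemon itself writes it) and flags that pattern. The sample log, the 512-byte size given to the .TMP file and the Explorer line are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the Filemon records quoted in the report.
# Sizes other than the five 10240-byte copies are made up for this example.
FILEMON_LOG = """\
405 0.00012100 Userconf Read C:\\WINDOWS\\WIN.INI SUCCESS Offset: 0 Length: 4096
411 0.00014800 Userconf Write C:\\COMMON.EXE SUCCESS Offset: 0 Length: 10240
428 0.00018800 Userconf Write C:\\REDE.EXE SUCCESS Offset: 0 Length: 10240
445 0.00018960 Userconf Write C:\\SI.EXE SUCCESS Offset: 0 Length: 10240
462 0.00018480 Userconf Write C:\\USERCONF.EXE SUCCESS Offset: 0 Length: 10240
479 0.00018320 Userconf Write C:\\DISK.EXE SUCCESS Offset: 0 Length: 10240
502 0.00021000 Userconf Write C:\\WINDOWS\\TEMP\\~DFE855.TMP SUCCESS Offset: 0 Length: 512
600 0.00030000 Explorer Write C:\\WINDOWS\\Desktop\\notes.txt SUCCESS Offset: 0 Length: 120
"""

# seq, relative time, process, operation, path, result, optional Offset/Length
LINE_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>[\d.]+)\s+(?P<proc>\S+)\s+(?P<op>\S+)\s+"
    r"(?P<path>.+?)\s+(?P<result>SUCCESS|NOT FOUND|ACCESS DENIED|\S+)"
    r"(?:\s+Offset:\s*(?P<off>\d+)\s+Length:\s*(?P<len>\d+))?\s*$"
)
# An executable written directly into a drive root, e.g. C:\COMMON.EXE
ROOT_EXE_RE = re.compile(r"^[A-Za-z]:\\[^\\]+\.exe$", re.IGNORECASE)

def parse_filemon(text):
    """Turn Filemon text output into a list of record dicts; skips unparseable lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        records.append({"seq": int(d["seq"]), "proc": d["proc"], "op": d["op"],
                        "path": d["path"], "result": d["result"],
                        "length": int(d["len"]) if d["len"] else None})
    return records

def find_mass_droppers(records, min_copies=3):
    """Flag processes that successfully write >= min_copies same-sized .EXE files
    into a drive root: the self-copying behaviour the report describes."""
    by_proc = defaultdict(list)
    for r in records:
        if r["op"] == "Write" and r["result"] == "SUCCESS" and r["length"]:
            if ROOT_EXE_RE.match(r["path"]):
                by_proc[r["proc"]].append(r)
    findings = []
    for proc, writes in by_proc.items():
        by_len = defaultdict(list)
        for w in writes:
            by_len[w["length"]].append(w["path"])
        for length, paths in by_len.items():
            if len(paths) >= min_copies:
                findings.append((proc, length, sorted(paths)))
    return findings

if __name__ == "__main__":
    for proc, size, paths in find_mass_droppers(parse_filemon(FILEMON_LOG)):
        print(f"{proc}: {len(paths)} identical {size}-byte executables -> {paths}")
```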

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
