Source: http://securityresponse.symantec.com/avcenter/venc/data/W32.DB_KEL.kir.worm.html
Quote: "
W32.DB_KEL.kir.worm
Category 3
Discovered on: March 31, 2005
Last Updated on: April 01, 2005 04:06:40 PM
W32.DB_KEL.kir.worm is a worm that spreads through security defects inside of lower-end development tools. It infiltrates Binary hooks on the main Windows command set, enabling it to infect any compiled EXE/OCX/DLL file. This infection also drops a variant of W32.Spybot.Worm.
Type: Worm
Infection Length: 151,013 bytes
Systems Affected:
Windows 2000,
Windows 95,
Windows 98,
Windows Me,
Windows NT,
Windows Server 2003,
Windows XP
Affected compilation tools:
'BlitzBasic'
'Torque'
'A5/a6 gamestudio'
'DJGCCP'
'DevC++'
'DarkBasic'
'Dark Basic Professional'
'QBasic'
Wild
* Number of infections: 0 - 649
* Number of sites: 0 - 251
* Geographical distribution: High
* Threat containment: Difficult
* Removal: Moderate
Damage:
High
Distribution:
High
Damage
* Payload Trigger: n/a
* Payload: Attempts to drop and execute a variant of W32.Spybot.Worm.
o Infects Windows Binary and compiled executables
o Deletes files: n/a
o Modifies files: n/a
o Degrades performance: n/a
o Causes system instability: n/a
o Releases confidential info: n/a
o Compromises security settings: n/a
Distribution
* Subject of email: n/a
* Name of attachment: n/a
* Size of attachment: n/a
* Time stamp of attachment: n/a
* Ports: n/a
* Shared drives: n/a
* Target of infection: Attempts to spread via Compiled binaries
Technical Details
When W32.DB_KEL.kir.worm is executed, it performs the following actions:
1. Adds the following link to all compiled programs on the compromised computer:
[domain removed]/bigjump.com
2. Drops the following files:
* %ProgramFiles%\MSS\sex.exe
* %ProgramFiles%\MSS\own.exe
Note:
o %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
o sex.exe - a worm component that sends the above mentioned link to all the MSN Messenger contacts on the compromised computer.
o own.exe - a variant of W32.Spybot.Worm
4. Adds the value:
"Microsoft System Services" = "msnmgsr.exe"
to the registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
so that W32.DB_KEL.kir.worm runs every time Windows starts.
5. Modifies the value:
"N"
to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\EnableDCOM
6. Modifies the value:
"0x1"
to the registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Lsa\restrictanonymous
7. Attempts to spread itself by exploiting the following vulnerabilities:
* The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135, 445, 1025.
* The Microsoft Windows Local Security Authority Service Remote Buffer Overflow (described in Microsoft Security Bulletin MS04-011) using ports 139, 445.
* The Workstation Service Buffer Overrun vulnerability (described in Microsoft Security Bulletin MS03-049) using TCP port 445. Windows XP users are protected against this vulnerability if Microsoft Security Bulletin MS03-043 has been applied. Windows 2000 users must apply MS03-049.
8. Attempts to enumerate users in order to copy itself to network shares.
9. Can perform any of the following actions:
* Open a back door on the compromised computer allowing a remote attacker to have unauthorized access
* Steal CD activation keys for many games
* Attempt to end processes and services
* Install keylogger
* Use the compromised computer as a traffic relay or proxy
* Perform flooding
"
My sig is too big! It must be below 600x120... thanks!
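Added example, not part of the quoted advisory or of any Symantec tooling: a PowerShell check for the host-level indicators the writeup lists (the "Microsoft System Services" = "msnmgsr.exe" Run/RunServices values, the two dropped files, and the EnableDCOM / restrictanonymous changes). It assumes the advisory's `Ole\EnableDCOM` and `Lsa\restrictanonymous` lines name a value under the `Ole` key and under the standard `Control\Lsa` key respectively, and reads the dropped-file paths as `%ProgramFiles%\MSS\sex.exe` and `%ProgramFiles%\MSS\own.exe`. The function name and the severity labels are this example's own.

```powershell
# Added example (not from the advisory): scan a Windows host for the indicators
# listed in the W32.DB_KEL.kir.worm writeup. Run from an elevated prompt so the
# HKLM keys and %ProgramFiles% are readable.

$RunValueName = 'Microsoft System Services'   # value name from the advisory
$RunValueData = 'msnmgsr.exe'                 # value data from the advisory
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
# Assumption: the advisory's "%ProgramFiles%MSSsex.exe" lost its backslashes
# in extraction and means a MSS folder under Program Files.
$DroppedFiles = @(
    (Join-Path $env:ProgramFiles 'MSS\sex.exe'),
    (Join-Path $env:ProgramFiles 'MSS\own.exe')
)

function Get-RegistryValueSafe {
    param([string]$Key, [string]$Name)
    # Returns $null when the key or the value does not exist instead of throwing.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-AdvisoryIndicators {
    $findings = @()

    # 1. Persistence: the named Run value in any of the three keys.
    foreach ($key in $RunKeys) {
        $data = Get-RegistryValueSafe -Key $key -Name $RunValueName
        if ($null -ne $data) {
            # The value name alone is suspicious; data matching msnmgsr.exe is the advisory's indicator.
            $severity = if ($data -like "*$RunValueData*") { 'High' } else { 'Medium' }
            $findings += [pscustomobject]@{
                Indicator = 'Run value'; Location = "$key\$RunValueName"; Value = $data; Severity = $severity
            }
        }
    }

    # 2. Dropped components: record a SHA-256 so the sample can be submitted or matched later.
    foreach ($path in $DroppedFiles) {
        if (Test-Path -LiteralPath $path) {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $findings += [pscustomobject]@{
                Indicator = 'Dropped file'; Location = $path; Value = $hash; Severity = 'High'
            }
        }
    }

    # 3. Registry changes the advisory attributes to the worm. Both settings are also
    #    legitimate hardening choices (DCOM off, anonymous enumeration restricted), so on
    #    their own they are corroborating evidence only, hence the Low severity.
    $dcom = Get-RegistryValueSafe -Key 'HKLM:\SOFTWARE\Microsoft\Ole' -Name 'EnableDCOM'
    if ($dcom -eq 'N') {
        $findings += [pscustomobject]@{
            Indicator = 'EnableDCOM'; Location = 'HKLM:\SOFTWARE\Microsoft\Ole'; Value = $dcom; Severity = 'Low'
        }
    }
    $ra = Get-RegistryValueSafe -Key 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'restrictanonymous'
    if ($ra -eq 1) {
        $findings += [pscustomobject]@{
            Indicator = 'restrictanonymous'; Location = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Value = $ra; Severity = 'Low'
        }
    }

    return $findings
}

$results = Test-AdvisoryIndicators
if (-not $results) {
    Write-Output 'No indicators from the advisory were found on this host.'
} else {
    $results | Sort-Object Severity | Format-Table -AutoSize
}
```

A hit on the Run value or on either file is the actionable result; the two Lsa/Ole settings only add weight when one of those is present. Since the writeup says the worm spreads over TCP 135, 139, 445 and 1025 using MS03-026, MS04-011 and MS03-049, the next check on a positive host is whether those patches are installed and whether those ports are reachable from the rest of the network.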