**Blaster worm clone is back**

28-08-03, 17:24
W32.HLLW.Raleka is a worm that, like W32.Blaster.Worm, exploits the Microsoft DCOM RPC vulnerability, as described in Microsoft Security Bulletin MS03-026.

When executed, this worm will attempt to download files from a predefined location, and connect to an IRC server.

The worm is 14 Kb in size, and it is packed using the runtime compression utility UPX. Unpacked, the size of the worm is close to 100 Kb.

When W32.HLLW.Raleka is executed, it will perform the following actions:

Attempt to download NTrootkit.exe and NTRootkit.reg from a predefined location. If successful, it will execute NTrootkit.exe.

NOTE: Symantec products using the latest virus definitions will detect the NTrootkit.exe file as Hacktool.

Launches individual threads, each of which attempts to connect to one of the following IRC servers on port 6667:


NOTE: The worm may also retrieve additional IRC servers from client.hopto.org.

If the worm successfully connects to one of the servers, it will join a predefined chat channel. The nickname used to connect to the chat channel will be the first four characters of the computer name, followed by random numbers.

Submits the IP address of the infected system to the chat channel.

May also receive various commands from the chat channel.

Launches 200 infection threads that attempt to infect other computers, using the Microsoft DCOM RPC vulnerability in one of two ways:

The first 100 threads will attack IP addresses similar to the IP address of the infected computer. The worm will keep the first two octets of the IP address on the system, and randomize the last two octets.

For example, if the IP address of the system is, these 100 threads of the worm will attempt to infect IP addresses beginning with 192.168.x.x.

The remaining 100 threads will randomize the first three octets of the IP address, and then try all values between 0 and 255 for the last octet.

For example, if the random value for the first three octets is 192.168.0.x, the worm will attempt to infect IP addresses - Once the worm has attempted to infect all computers in this range, it will again randomize the first three octets and try the new range.

If the worm successfully infects a system, it will open a remote shell on port 36286.

Copies files to the newly infected system, using this remote shell, and executes them.

Attempts to overwrite Svchost.exe with a viral file. If the worm is unable to overwrite the original Svchost.exe, it will try to copy it to several different locations on the system.

Creates two logfiles, named Rpcss.ini and Svchost.ini and logs all IP addresses it attempts to infect. These files are used by the worm so that it doesn't attempt to infect the same IP range more than once.

Transfers viral files between infected systems using encrypted code that, using its own decrypter, will be written out to a file called down.com.

NOTE: The worm launches over 205 threads, out of which 200 threads will attempt to contact remote systems. This may cause the system to become unstable.

Dangerous..

No jokes..

You badly need the Microsoft hot fix.

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan and delete all the files detected as W32.HLLW.Raleka.
4. Obtain the Microsoft HotFix to correct the DCOM RPC vulnerability.

Well, another clone is out and it's real... nasty this time... please.. read
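
The network behaviour in the write-up above (IRC on port 6667, a remote shell on port 36286, and the two scanning patterns) can be checked for in flow or firewall logs. This is an added example, not part of the original post; the flow records are constructed, and TCP 135 as the DCOM RPC port and both thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample flow records: (source IP, destination IP, destination TCP port)
SAMPLE_FLOWS = (
    [("10.1.5.20", f"10.1.{i * 7 % 256}.{i * 13 % 256}", 135) for i in range(40)]
    + [("10.1.5.21", f"172.16.9.{i}", 135) for i in range(256)]
    + [("10.1.5.20", "203.0.113.10", 6667),   # IRC check-in
       ("10.1.5.20", "10.1.77.3", 36286),     # remote shell on a newly infected host
       ("10.1.5.30", "10.1.5.1", 135),        # single ordinary RPC call
       ("10.1.5.30", "10.1.5.2", 445)]
)

RPC_PORT = 135      # assumption: DCOM RPC endpoint mapper port, not named on the page
IRC_PORT = 6667
SHELL_PORT = 36286
SPRAY_MIN = 25      # assumed threshold: distinct RPC targets inside the source's own /16
SWEEP_MIN = 200     # assumed threshold: distinct last octets hit inside one /24


def raleka_findings(flows):
    """Return {source_ip: sorted finding tags} for behaviour matching the write-up."""
    per16 = defaultdict(set)   # (src, /16 prefix) -> distinct targets
    per24 = defaultdict(set)   # (src, /24 prefix) -> distinct last octets
    tags = defaultdict(set)
    for src, dst, port in flows:
        octets = dst.split(".")
        if port == RPC_PORT:
            per16[(src, ".".join(octets[:2]))].add(dst)
            per24[(src, ".".join(octets[:3]))].add(octets[3])
        elif port == IRC_PORT:
            tags[src].add("irc-6667")
        elif port == SHELL_PORT:
            tags[src].add("shell-36286")
    for (src, prefix), targets in per16.items():
        # First 100 threads: source's first two octets kept, last two randomized.
        own16 = src.startswith(prefix + ".")
        if own16 and len(targets) >= SPRAY_MIN and len({t.rsplit(".", 1)[0] for t in targets}) > 1:
            tags[src].add(f"rpc-spray {prefix}.x.x")
    for (src, prefix), hosts in per24.items():
        # Remaining 100 threads: every last octet of one randomly chosen /24.
        if len(hosts) >= SWEEP_MIN:
            tags[src].add(f"rpc-sweep {prefix}.x")
    return {src: sorted(found) for src, found in tags.items()}
```
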