Troj/Graybird-A is a backdoor Trojan. When run on a victim's computer, that computer will become vulnerable to unauthorized access attacks. Troj/Graybird-A copies itself to the Windows system folder with the filename spoolsv.exe and sets the following registry entries so that the Trojan is run when Windows starts up:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SPOOLSV
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\SPOOLSV
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SPOOLSV

A 'Run' entry will be added to the file win.ini which will also cause the Trojan to be run when Windows starts up. The Trojan may be distributed in an email with certain characteristics that can be viewed at this Sophos page.

Blaster Variant Also Uses Profanity Against Microsoft

WORM_MSBLAST.C is a variant of WORM_MSBLAST.A and similarly exploits the RPC DCOM Buffer Overflow, a known vulnerability that compromises network security by allowing a remote attacker to gain unauthorized access and execute any code on a target machine. This worm is similar to WORM_MSBLAST.A except for the following:

  • It uses the file name TEEKIDS.EXE.
  • Its autostart registry entry is "Microsoft Inet Xp".
  • It contains a different set of text strings in its body, stating profanity against Microsoft and antivirus providers.
  • This variant is compressed under FSG while the A variant is UPX-compressed.

For a general overview of the MSBLAST family of worms, please refer to the Virus Encyclopedia entry for WORM_MSBLAST.GEN here.

To find out more about the RPC DCOM Buffer Overflow, please read the corresponding Microsoft Bulletin here.

Worms Spreading Through Kazaa

Worm/Urick.D is an Internet worm that spreads through the use of the file sharing program Kazaa. Another variant, Worm/Urick.E, also spreads through the use of Kazaa.

Variant E arrives as "black_worm.exe".

If executed, Urick.D copies itself to the following locations:

C:\msdos.exe
C:\My Documents\Sex Rated.doc.EXE

So that it gets run each time a user restarts their computer, the following registry key gets added:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices @="C:\\MSDOS.EXE"

Additionally, a registry key is also added to enable spreading through Kazaa. View the key and other information at this Command Central page.
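The three write-ups above (Troj/Graybird-A, WORM_MSBLAST.C and Worm/Urick.D) all persist through the Run/RunServices keys or a win.ini Run entry. As an added example that is not from the report or from any of the vendors it quotes, the following Python checks an exported copy of those locations for the value names the report lists. The .reg-style export and the win.ini fragment are constructed sample data, and the expected value data (paths ending in spoolsv.exe, TEEKIDS.EXE and MSDOS.EXE) are assumptions, since the report gives the dropped file names rather than the exact value data.

```python
"""Check exported Windows autostart data for the persistence indicators this
report names for Troj/Graybird-A, WORM_MSBLAST.C and Worm/Urick.D.

Added example, not part of the original report. It reads text already
exported from a host (a .reg-style export of the Run/RunServices keys and a
win.ini fragment), so it runs anywhere without touching a live registry.
"""
import re

# Autostart key paths cited in the report (hive prefix stripped, lower case).
AUTOSTART_KEYS = (
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runservices",
)

# (report name, value name, substring expected in the value data).
# Value names come from the report; the data substrings are assumptions,
# since the report names the dropped file rather than the exact Run data.
# A Run value named SPOOLSV is suspicious in itself: the legitimate print
# spooler runs as a service and has no Run entry.
INDICATORS = (
    ("Troj/Graybird-A", "spoolsv", "spoolsv.exe"),
    ("WORM_MSBLAST.C", "microsoft inet xp", "teekids.exe"),
    ("Worm/Urick.D", "@", r"c:\msdos.exe"),
)

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(?:@|"([^"]*)")=(.*)$')


def parse_reg_export(text):
    """Yield (key, value_name, data) from a .reg-style export; '@' is the key's
    default value, string data loses its quotes and doubled backslashes."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VALUE_RE.match(line)
        if not m or key is None:
            continue
        name = m.group(1) if m.group(1) is not None else "@"
        data = m.group(2).strip()
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace("\\\\", "\\")
        yield key, name, data


def is_autostart_key(key):
    k = key.lower()
    return any(k.endswith(suffix) for suffix in AUTOSTART_KEYS)


def find_autostart_indicators(reg_text, win_ini_text=""):
    """Return [(malware, location, data)] for every indicator found."""
    hits = []
    for key, name, data in parse_reg_export(reg_text):
        if not is_autostart_key(key):
            continue
        for malware, want_name, want_data in INDICATORS:
            if name.lower() == want_name and want_data in data.lower():
                hits.append((malware, key + "\\" + name, data))
    # The report says Graybird-A also adds a 'Run' entry to win.ini.
    section = None
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "windows" and "=" in line:
            k, v = line.split("=", 1)
            if k.strip().lower() == "run" and "spoolsv.exe" in v.lower():
                hits.append(("Troj/Graybird-A", "win.ini [windows] run=", v.strip()))
    return hits


# Constructed sample export: the report's indicators plus one benign entry.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SPOOLSV"="C:\\WINDOWS\\System32\\spoolsv.exe"
"Microsoft Inet Xp"="C:\\WINDOWS\\System32\\TEEKIDS.EXE"
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
@="C:\\MSDOS.EXE"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SPOOLSV"="C:\\WINDOWS\\System32\\spoolsv.exe"
"""

# Constructed win.ini fragment with the Run entry the report describes.
SAMPLE_WIN_INI = r"""[windows]
load=
run=C:\WINDOWS\System32\spoolsv.exe
[Extensions]
txt=notepad.exe ^.txt
"""

if __name__ == "__main__":
    for malware, location, data in find_autostart_indicators(SAMPLE_REG, SAMPLE_WIN_INI):
        print(f"{malware:16} {location} -> {data}")
```

Run on a real export, the script reports the key path and data for each match, so an analyst can confirm the finding before cleaning the entry; the benign `ctfmon.exe` value in the sample is deliberately left unflagged to show that only the named value names trigger.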

Week in Review

This week's report looks at five worms, Blaster, Blaster.B, Blaster.C, RPCSdbot and RPCSdbot.B, which all exploit the same vulnerability in order to spread to as many computers as possible, and at the Trojan HatFiend.10.

After its appearance on Monday, Blaster rapidly infected thousands of computers and reached the highest position in the list of viruses most frequently detected by the free online scanner, Panda ActiveScan.

Blaster spreads by attacking IP addresses, generated at random, belonging both to the network of the computer on which it is running and to class B networks. At these IP addresses the worm tries to exploit the 'Buffer Overrun in RPC Interface' vulnerability in order to download a copy of itself, in a file named MSBLAST.EXE, to the compromised computer. To do this, Blaster incorporates its own TFTP server.

Blaster has the following effects:

  • Denial of service (DoS) attacks against the windowsupdate.com website whenever the system date is between August 16 and December 31, 2003. If this condition is met, the worm sends a 40-byte packet every 20 milliseconds to TCP port 80.

  • It can block (hang) and restart the attacked computer.

  • It increases network traffic on TCP ports 135 and 444 and on UDP port 69.

The Blaster.B and Blaster.C variants are very similar to the original worm (Blaster). Differences include the fact that they generate files called PENIS32.EXE (B) and TEEKIDS.EXE (C).
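The behaviours listed above leave distinct traces on the wire: many TCP/135 connection attempts from one host to random addresses, a UDP/69 (TFTP) transfer back from a freshly exploited host, and, inside the August 16 to December 31 window, a stream of 40-byte packets to windowsupdate.com on TCP port 80. As an added example that is not from the report or from Panda Software, the following Python applies those three checks to a packet log. The log format, the thresholds, the addresses and the use of 192.0.2.10 to stand in for the windowsupdate.com address are all constructed assumptions.

```python
"""Flag the Blaster (MSBLAST) network behaviours the report describes in a
packet log: mass connection attempts to TCP/135, a TFTP (UDP/69) pull-back
from a freshly exploited host, and the 40-byte TCP/80 flood aimed at
windowsupdate.com during the worm's 16 Aug - 31 Dec 2003 window.

Added example, not part of the original report. The log format, the
thresholds and the sample addresses are constructed; 192.0.2.10 stands in
for the windowsupdate.com address.
"""
from collections import defaultdict
from datetime import datetime, date, timedelta

DOS_START, DOS_END = date(2003, 8, 16), date(2003, 12, 31)


def parse_log(text):
    """Parse constructed lines of the form 'ISO-timestamp src dst proto dport bytes'."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport, size = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                        "proto": proto, "dport": int(dport), "bytes": int(size)})
    return records


def dos_trigger_active(day):
    """Blaster only floods windowsupdate.com while the system date is in window."""
    return DOS_START <= day <= DOS_END


def find_rpc_scanners(records, min_targets=20):
    """Sources that hit TCP/135 on at least min_targets distinct hosts."""
    targets = defaultdict(set)
    for r in records:
        if r["proto"] == "tcp" and r["dport"] == 135:
            targets[r["src"]].add(r["dst"])
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def find_tftp_pullbacks(records, within_seconds=60):
    """(attacker, victim) pairs where a TCP/135 hit on the victim is followed by
    the victim fetching over UDP/69 from the attacker: the MSBLAST.EXE download."""
    hits = [(r["ts"], r["src"], r["dst"]) for r in records
            if r["proto"] == "tcp" and r["dport"] == 135]
    pulls = set()
    for r in records:
        if r["proto"] != "udp" or r["dport"] != 69:
            continue
        for ts, attacker, victim in hits:
            if (r["src"], r["dst"]) == (victim, attacker) \
                    and 0 <= (r["ts"] - ts).total_seconds() <= within_seconds:
                pulls.add((attacker, victim))
    return sorted(pulls)


def find_update_floods(records, target, max_bytes=40, min_pps=40):
    """Sources sending at least min_pps packets of <= max_bytes to target:80 in
    one second. Returns {src: (peak packets per second, DoS date window active)}."""
    per_second = defaultdict(lambda: defaultdict(int))
    for r in records:
        if (r["proto"] == "tcp" and r["dport"] == 80 and r["dst"] == target
                and r["bytes"] <= max_bytes):
            per_second[r["src"]][r["ts"].replace(microsecond=0)] += 1
    floods = {}
    for src, buckets in per_second.items():
        peak_ts, peak = max(buckets.items(), key=lambda kv: kv[1])
        if peak >= min_pps:
            floods[src] = (peak, dos_trigger_active(peak_ts.date()))
    return floods


def build_sample_log():
    """Constructed traffic: one infected host scanning its /24, one victim
    pulling the payload back, then that victim flooding the update site."""
    lines = []
    t0 = datetime(2003, 8, 12, 9, 0, 0)
    for i in range(25):  # 10.0.0.5 probes 25 neighbours on TCP/135
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} 10.0.0.5 10.0.0.{100 + i} tcp 135 60")
    # 10.0.0.117 was exploited and fetches the worm body over TFTP
    lines.append(f"{(t0 + timedelta(seconds=30)).isoformat()} 10.0.0.117 10.0.0.5 udp 69 52")
    t1 = datetime(2003, 8, 16, 0, 0, 1)  # inside the DoS window
    for i in range(60):  # 40-byte packets every 20 ms
        lines.append(f"{(t1 + timedelta(milliseconds=20 * i)).isoformat()} 10.0.0.117 192.0.2.10 tcp 80 40")
    lines.append(f"{(t1 + timedelta(seconds=5)).isoformat()} 10.0.0.20 192.0.2.10 tcp 80 512")  # benign
    return "\n".join(lines)


if __name__ == "__main__":
    recs = parse_log(build_sample_log())
    print("TCP/135 scanners:", find_rpc_scanners(recs))
    print("TFTP pull-backs:", find_tftp_pullbacks(recs))
    print("windowsupdate floods:", find_update_floods(recs, "192.0.2.10"))
```

The scan check alone already isolates an infected host; the TFTP pull-back check adds the address of the host that was just compromised, which is the one to take off the network next. A packet every 20 milliseconds is 50 packets per second, so the flood detector's threshold of 40 small packets per second catches the rate the report gives while ignoring ordinary browsing to the same site.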

Due to the number of incidents caused by these worms, Panda Software has released its PQREMOVE application designed to clean and repair computers affected by these viruses. This can be downloaded from: www.pandasoftware.com/downloads/utilities

RPCSdbot and RPCSdbot.B also exploit the 'Buffer Overrun in RPC Interface' vulnerability in order to spread. They follow the same routine as Blaster: they attack IP addresses generated at random and, by doing so, download a copy of themselves to the infected computer by means of their own TFTP server.

RPCSdbot and RPCSdbot.B also drop a backdoor-type Trojan, which allows a hacker to install programs, delete and download files, and carry out DoS attacks, among other things, on the infected computer.

Since Blaster and RPCSdbot exploit the same vulnerability, which affects Windows 2003/XP/2000/NT computers, it is advisable that users of these platforms install the patches provided by Microsoft. These patches can be downloaded here.

Finally, HatFiend.10, a backdoor-type Trojan, appeared this week. HatFiend.10 allows hackers to gain remote access to other computers in order to carry out actions that can compromise user confidentiality and impede the tasks performed on the computer. This malicious code goes memory resident, opens port 1871 on the affected computer, and carries out several actions such as logging keystrokes and controlling the hard drives.

For more information about these and other viruses, visit Panda Software's Virus Encyclopedia here.

--Compiled by Esther Shein