Symantec Thursday issued an alert for W32.Welchia.K, a worm that spreads by exploiting Windows vulnerabilities. W32.Welchia.K uses the following vulnerabilities:

  • The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135. The worm specifically targets Windows XP machines using this exploit.
  • The WebDav vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP port 80. The worm specifically targets machines running Microsoft IIS 5.0 using this exploit. The worm's use of this exploit will impact Windows 2000 systems and may impact Windows NT/XP systems.
  • The Workstation service buffer overrun vulnerability (described in Microsoft Security Bulletin MS03-049) using TCP port 445.
  • The Locator service vulnerability using TCP port 445 (described in Microsoft Security Bulletin MS03-001). The worm specifically targets Windows 2000 machines using this exploit.
  • The Mydoom backdoor (port 3127).

    If the operating system of an infected computer is Chinese, Korean, or English, the worm will attempt to download and install security patches from the Microsoft Windows Update Web site to patch these vulnerabilities.

    The worm also attempts to remove the W32.Mydoom.A@mm, W32.Mydoom.B@mm, W32.HLLW.Doomjuice, and W32.HLLW.Doomjuice.B worms.

    The presence of the file %System%\drivers\svchost.exe is an indication of a possible infection; the legitimate svchost.exe resides in %System% itself, not in the drivers subdirectory.

    Technical details are at this Symantec page.

    Sasser Variant Continues to Wreak Havoc

    Trend Micro again issued an alert for Worm_Sasser.D, which exploits the Windows LSASS vulnerability, a buffer overrun that allows remote code execution and lets an attacker gain full control of the infected system. The vulnerability is discussed in detail on the following pages:

  • MS04-011_MICROSOFT_WINDOWS
  • Microsoft Security Bulletin MS04-011

    Windows Server 2003 is also vulnerable to the LSASS flaw, as Microsoft reports in that bulletin. Because of the way Sasser uses the exploit, however, the worm is unable to infect Windows Server 2003; the malware's exploit packet may contain a coding error. More often than not, remote exploit packets must be crafted for a specific OS version to work at all.

    To propagate, the worm scans for vulnerable systems on TCP port 445 and sends a specially crafted packet that overflows a buffer in LSASS.EXE. The payload starts a remote shell on the victim that listens on TCP port 9995. The worm then commands that shell to download a copy of the worm from the infecting host, which serves it over FTP on TCP port 5554.
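    The three-step sequence above (445 sweep, shell on 9995, FTP pull from 5554) is what a network-side detector should correlate rather than alerting on any single port. The following is an added example, not code from the article or from Trend Micro: it runs over a constructed connection log in an assumed "timestamp src dst dport" format, with assumed IP addresses and an assumed scan threshold, and distinguishes hosts that were fully infected from hosts that were exploited but never fetched the worm body (the LSASS crash-and-reboot case the alert mentions).

```python
"""Correlate Sasser.D-style propagation in a connection log.

Added example, not from the original article or from Trend Micro. It looks for
the chain described in the text: a sweep of TCP/445, an exploit that starts a
shell on TCP/9995 of the victim, and the victim fetching the worm body from the
attacker over FTP on TCP/5554.
"""
from collections import defaultdict

SCAN_PORT = 445      # LSASS exploit is delivered here
SHELL_PORT = 9995    # remote shell opened on the victim (Sasser.D)
FTP_PORT = 5554      # FTP server on the attacker that serves the worm body
SCAN_THRESHOLD = 16  # distinct 445 targets before a host counts as scanning (assumed)

# Constructed sample log, one record per line: "<ts> <src> <dst> <dport>" (assumed
# format). Addresses are invented for the example.
ATTACKER = "10.0.0.5"
VICTIM = "10.0.0.17"
CRASHED = "10.0.0.30"   # exploited, but LSASS crashed before the FTP fetch
SAMPLE_LOG = (
    # benign SMB traffic to a file server
    ["100 10.0.0.2 10.0.0.10 445", "101 10.0.0.3 10.0.0.10 445"]
    # the worm sweeping contiguous addresses on 445
    + [f"{200 + i} {ATTACKER} 10.0.0.{i} 445" for i in range(11, 41)]
    # exploit fired on two hosts: attacker talks to their shells
    + [f"300 {ATTACKER} {VICTIM} {SHELL_PORT}", f"301 {ATTACKER} {CRASHED} {SHELL_PORT}"]
    # only one of them pulls the worm body back over FTP
    + [f"302 {VICTIM} {ATTACKER} {FTP_PORT}"]
)


def parse(lines):
    """Yield (ts, src, dst, dport) tuples; skip blank lines and '#' comments."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        yield int(ts), src, dst, int(dport)


def find_sasser_activity(lines, scan_threshold=SCAN_THRESHOLD):
    """Return scanners, fully infected pairs, and exploited-but-not-infected pairs."""
    targets_on_445 = defaultdict(set)   # src -> distinct hosts it touched on 445
    shell_pairs = set()                 # (attacker, victim) seen on 9995
    ftp_pairs = set()                   # (attacker, victim) where victim -> attacker:5554
    for _ts, src, dst, dport in parse(lines):
        if dport == SCAN_PORT:
            targets_on_445[src].add(dst)
        elif dport == SHELL_PORT:
            shell_pairs.add((src, dst))
        elif dport == FTP_PORT:
            ftp_pairs.add((dst, src))   # reversed: the attacker is the FTP server
    scanners = sorted(h for h, t in targets_on_445.items() if len(t) >= scan_threshold)
    # Shell contact followed by the victim pulling the body is a completed infection.
    infected = sorted(shell_pairs & ftp_pairs)
    # Shell contact with no fetch: exploit fired but the host likely crashed or rebooted.
    exploited_only = sorted(shell_pairs - ftp_pairs)
    return {"scanners": scanners, "infected": infected, "exploited_only": exploited_only}


if __name__ == "__main__":
    for key, value in find_sasser_activity(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

    Hosts in the "exploited_only" set are worth a look even though they are not infected: on the constructed data 10.0.0.30 received the shell connection and nothing else, which is exactly what a patched-but-crashed or Windows Server 2003 target would look like.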

    This worm can cause LSASS to crash and force Windows to restart. In this case, certain message boxes may appear. View them and other information at this Trend Micro page.

    Lovgate Variant Has Several Characteristics

    W32/Lovgate.x@MM is a new variant of the Lovgate mass-mailing worm. It has the following characteristics:

  • Drops a backdoor component (detected by McAfee as BackDoor-AQJ with the 4339 DATs and above).
  • Attempts to copy itself to poorly secured remote shares, scanning contiguous IP ranges, seeking accessible IPC$ or ADMIN$ shares. Such copies of the worm may be enticingly named, or within ZIP or RAR archives. The worm carries a list of typical username/password combinations which it uses in attempting to get write access to remote shares
  • If it is able to access a remote share, it copies itself there as NETMANAGER.EXE, and remotely executes itself as a service on the remote machine.
  • Creates a share on the victim machine (share name "MEDIA").
  • Mails itself using its own SMTP engine. The email attachment may be a ZIP archive. Messages are sent as replies to email found on the victim machine.
  • Renames the extensions of EXE files to ZMX.
  • Terminates certain processes.
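    The share-scanning behaviour described above (a built-in list of username/password pairs tried against IPC$ and ADMIN$ across contiguous IP ranges, then a copy of NETMANAGER.EXE written to the share) leaves a recognisable trail in the target's Security log: a burst of failed network logons from one source under several different usernames, sometimes followed by a success. The following is an added example, not code from the article or from McAfee; it runs over constructed logon records in an assumed flattened format with invented addresses and usernames, and the thresholds are assumed tuning values.

```python
"""Spot Lovgate-style share brute forcing in Windows logon events.

Added example, not from the original article or from McAfee. The worm walks an IP
range trying a built-in list of username/password pairs against IPC$/ADMIN$. On the
target that is a burst of failed network logons (logon type 3) from one source under
several usernames and, if a pair works, a success followed by a write of
NETMANAGER.EXE to an administrative share.
"""
from collections import defaultdict

# Constructed sample events, one per line:
#   "<ts> <src_ip> <user> <logon_type> <result> [detail]"   (assumed format,
# flattened from the logon success/failure records a Windows Security log keeps).
SAMPLE_EVENTS = r"""
900 10.0.0.2  jsmith        3 FAILURE
905 10.0.0.2  jsmith        3 SUCCESS
910 10.0.0.9  administrator 3 FAILURE
911 10.0.0.9  administrator 3 FAILURE
912 10.0.0.9  admin         3 FAILURE
913 10.0.0.9  guest         3 FAILURE
914 10.0.0.9  root          3 FAILURE
915 10.0.0.9  test          3 FAILURE
916 10.0.0.9  administrator 3 SUCCESS
920 10.0.0.9  administrator 3 SHARE_WRITE ADMIN$\NETMANAGER.EXE
930 10.0.0.4  backup        2 FAILURE
931 10.0.0.4  backup        2 FAILURE
932 10.0.0.4  backup        2 FAILURE
933 10.0.0.4  backup        2 FAILURE
934 10.0.0.4  backup        2 FAILURE
935 10.0.0.4  backup        2 FAILURE
"""


def parse(text):
    """Yield (ts, src, user, logon_type, result, detail); skip malformed lines."""
    for line in text.splitlines():
        parts = line.split(maxsplit=5)
        if len(parts) < 5:
            continue
        ts, src, user, ltype, result = parts[:5]
        detail = parts[5] if len(parts) == 6 else ""
        yield int(ts), src, user.lower(), int(ltype), result, detail


def find_share_bruteforce(text, min_failures=5, min_users=3):
    """Return sources whose network-logon failures look like a credential list.

    A single user failing repeatedly (a mistyped password, or an interactive
    logon of type 2) is deliberately not flagged; the worm's signature is the
    spread across usernames on logon type 3.
    """
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "hit": None, "dropped": []})
    for _ts, src, user, ltype, result, detail in parse(text):
        if ltype != 3:          # only network (share) logons matter here
            continue
        s = stats[src]
        if result == "FAILURE":
            s["failures"] += 1
            s["users"].add(user)
        elif result == "SUCCESS" and s["failures"] > 0:
            s["hit"] = user     # a success after failures: one of the pairs worked
        elif result == "SHARE_WRITE":
            s["dropped"].append(detail)
    findings = []
    for src in sorted(stats):
        s = stats[src]
        if s["failures"] >= min_failures and len(s["users"]) >= min_users:
            findings.append({
                "src": src,
                "failures": s["failures"],
                "users": sorted(s["users"]),
                "compromised_as": s["hit"],
                "dropped": s["dropped"],
            })
    return findings


if __name__ == "__main__":
    for finding in find_share_bruteforce(SAMPLE_EVENTS):
        print(finding)
```

    On the constructed data only 10.0.0.9 is reported: six failures across five usernames, a success as administrator, and the NETMANAGER.EXE write that the alert names as the worm's dropped copy. The interactive failures from 10.0.0.4 are ignored because they are not share logons, and the single failure from 10.0.0.2 is below both thresholds.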

    More information is at this McAfee page.

    --Compiled by Esther Shein