W32/Slanper.worm

Type: Virus
SubType: Internet Worm
Discovery Date: 05/25/2003
Length: 32,256
Minimum DAT: 4273 (06/25/2003)
Updated DAT: 4279 (07/23/2003)
Minimum Engine: 5.1.00
Description Added: 06/27/2003
Description Modified: 01/23/2004 1:26 PM (PT)
Risk Assessment:
  Corporate User: Low
  Home User: Low

Characteristics

This is a network share propagation worm. McAfee products using the 4272 DATs detect it as a W32/Sluter.worm variant. The worm spreads by copying itself to the ADMIN$ and C$ shares of remote machines: it scans random IP addresses on TCP port 445 and tries to gain access to the share using a short list of weak administrator passwords.

When run, the worm creates the following registry key to load itself at Windows startup:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "mssyslanhelper" = %SysDir%\msmsgri32.exe
Where %SysDir% is Windows system32 directory.

The worm also creates the following file:

  • %SysDir%\payload.dat

This file is an HTTP proxy which is detected as Proxy-Slanper.

Variants of the worm differ in which IP address they contact with a short UDP packet:

  • 217.21.117.104 port 54545
  • 68.192.170.235 port 54545
Possibly this is used by the worm author to track the progress of the worm.

It generates random IP addresses, excluding certain ranges such as 192.168.0.0 - 192.168.255.255, scans port 445 on each, and tries the following administrator passwords to gain access:

  • server
  • !@#$%^&*
  • !@#$%^&
  • !@#$%^
  • !@#$%
  • asdfgh
  • asdf
  • !@#$
  • 654321
  • 123456
  • 1234
  • 123
  • 111
  • 1
  • root
  • admin
  • (blank)

Note: If the credentials of the currently logged-on user are sufficient to reach the remote share, a weak password is not required for the worm to spread.
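The password list above is worth more than a blocklist: apart from the words, every entry is a prefix of a keyboard row or a short digit string. The following is an added audit example, not code from the advisory or from McAfee. It keeps the advisory's list verbatim, and the KEYBOARD_WALKS table, the minimum length and the candidate passwords are assumptions that generalise that list, not behaviour of the worm itself.

```python
"""Audit candidate administrator passwords against the Slanper dictionary and
the patterns behind it (keyboard walks, digit-only strings, repeated chars).

Added example, not part of the original advisory. SLANPER_PASSWORDS is the
list from the advisory; KEYBOARD_WALKS and min_length are assumptions that
generalise it."""

# Password list tried by W32/Slanper.worm, as given in the advisory ("" = blank).
SLANPER_PASSWORDS = [
    "server", "!@#$%^&*", "!@#$%^&", "!@#$%^", "!@#$%", "asdfgh", "asdf",
    "!@#$", "654321", "123456", "1234", "123", "111", "1", "root", "admin", "",
]

# Assumed generalisation: every non-word entry above is a prefix of a keyboard
# row, so flag any prefix of these rows typed forward or backward.
KEYBOARD_WALKS = ["!@#$%^&*()", "1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def weak_password_reason(password, min_length=8):
    """Return a short reason the password is weak, or None if it passes.
    min_length=8 is an assumed policy value, not something from the advisory."""
    if password == "":
        return "blank"
    if password in SLANPER_PASSWORDS:
        return "in Slanper dictionary"
    low = password.lower()
    if len(set(low)) == 1:
        return "single repeated character"
    for walk in KEYBOARD_WALKS:
        if len(low) >= 3 and (walk.startswith(low) or walk[::-1].startswith(low)):
            return "keyboard walk"
    if low.isdigit():
        return "digits only"
    if len(password) < min_length:
        return "shorter than %d characters" % min_length
    return None


def audit_passwords(candidates):
    """Return {password: reason} for every candidate that fails the checks."""
    findings = {}
    for pw in candidates:
        reason = weak_password_reason(pw)
        if reason is not None:
            findings[pw] = reason
    return findings


if __name__ == "__main__":
    # Constructed candidates; in practice feed this from a password-change hook.
    sample = ["admin", "654321", "qwerty", "Aaaaaaaaa", "98765432", "c0rrect-horse-battery"]
    for pw, why in audit_passwords(sample).items():
        print("%-25r %s" % (pw, why))
```

Order matters: the dictionary match runs before the pattern checks so "111" is reported as a known worm password rather than as a repeated character, and the walk check runs before the digits-only check so a reversed number row is reported as the more specific pattern.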

Once connected, it copies itself to the machine as the following:

  • \\(machine ip)\Admin$\system32\msmsgri32.exe
  • \\(machine ip)\c$\winnt\system32\msmsgri32.exe

It then schedules a network job on the remote machine to run the copied file.

Symptoms

Existence of the registry value and the files mentioned above (msmsgri32.exe and payload.dat in the system32 directory).
Increased network traffic on port 445, in particular outbound connection attempts from one host to many random IP addresses.
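The port-445 symptom is easier to act on as "one source talking to many distinct addresses on 445 in a short window" than as raw volume. The following is an added detection example, not part of the original advisory: the log line format, the sample lines and the window and threshold values are all constructed assumptions, so adapt the parser to the real firewall or NetFlow export.

```python
"""Flag hosts that sweep many distinct addresses on TCP/445, the Slanper
symptom 'increased network traffic on port 445'.

Added example, not part of the original advisory. Assumed, simplified
firewall/NetFlow-style record:   <epoch> <src_ip> <dst_ip> <dst_port> <proto>
Window and threshold defaults are assumptions; tune them to the environment."""
from collections import defaultdict

# Constructed sample: 10.0.0.5 sweeps random public addresses on 445 (worm-like),
# 10.0.0.9 talks to one file server on 445 (normal), 10.0.0.7 reaches two.
SAMPLE_LOG = """\
1054000000 10.0.0.5 203.0.113.4 445 tcp
1054000001 10.0.0.5 198.51.100.77 445 tcp
1054000001 10.0.0.5 203.0.113.200 445 tcp
1054000002 10.0.0.5 192.0.2.18 445 tcp
1054000002 10.0.0.5 198.51.100.9 445 tcp
1054000003 10.0.0.5 203.0.113.41 445 tcp
1054000003 10.0.0.9 10.0.0.20 445 tcp
1054000004 10.0.0.9 10.0.0.20 445 tcp
1054000004 10.0.0.7 10.0.0.20 445 tcp
1054000005 10.0.0.7 10.0.0.21 445 tcp
1054000005 10.0.0.5 192.0.2.99 80 tcp
1054000900 10.0.0.5 192.0.2.7 445 tcp
"""


def parse_line(line):
    """Split one constructed log record into typed fields."""
    ts, src, dst, port, proto = line.split()
    return int(ts), src, dst, int(port), proto


def find_445_scanners(log_text, window=60, min_targets=5):
    """Return {src_ip: max_distinct_targets} for every source that contacted at
    least min_targets distinct destination IPs on TCP/445 within some sliding
    window of `window` seconds. Other ports and protocols are ignored, which
    keeps ordinary SMB traffic to a handful of file servers out of the result."""
    events = defaultdict(list)  # src -> [(ts, dst), ...]
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, src, dst, port, proto = parse_line(raw)
        if port == 445 and proto == "tcp":
            events[src].append((ts, dst))

    hits = {}
    for src, evs in events.items():
        evs.sort()
        left = 0
        in_window = defaultdict(int)  # dst -> occurrences inside the window
        best = 0
        for ts, dst in evs:
            in_window[dst] += 1
            # Drop events that fell out of the window relative to the newest one.
            while ts - evs[left][0] > window:
                old = evs[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            best = max(best, len(in_window))
        if best >= min_targets:
            hits[src] = best
    return hits


if __name__ == "__main__":
    for src, n in find_445_scanners(SAMPLE_LOG).items():
        print("%s reached %d distinct hosts on 445 within one window" % (src, n))
```

Because the worm skips 192.168.0.0/16, a sensor that only watches RFC 1918 destinations can miss the sweep entirely; the example therefore counts every destination and leaves the choice of which address space to alert on to the caller.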

Method of Infection

This worm spreads via default administrative shared folders.

Removal

All Users:
Use the specified engine and DAT files for detection and removal of the virus and trojan files related to this threat.

Many share-jumping viruses rely on weak usernames and passwords. They attempt to gain administrative rights with a dictionary-style attack, trying usernames like "admin" or "administrator" and passwords like "admin" or "123456". Beyond such weak credentials, many can also use the credentials of the logged-on user, so if a super-administrator or domain admin logs on to an infected system, or becomes infected, the virus has access to every system within that account's reach. Such worms often rely on the presence of the default administrative shares. Removing the administrative shares (C$, IPC$, ADMIN$) on all systems prevents this kind of spreading. A simple batch file containing the following commands may help, especially when run from a logon script or placed in the startup folder.
  • net share c$ /delete
  • net share d$ /delete
  • net share e$ /delete
  • net share ipc$ /delete
  • net share admin$ /delete
Note that the deletion only lasts until the next reboot: Windows recreates the default shares at startup unless the AutoShareServer (server editions) or AutoShareWks (workstation editions) DWORD value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters is set to 0, and IPC$ is recreated regardless of that setting. Removing the shares also breaks remote administration tools that depend on them, and it does nothing about the weak administrator passwords themselves, which should be changed as well.


Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • Proxy-Slanper
  • W32/Slanper-A (Sophos)
  • W32/Slanper.worm.gen
  • W32/Sluter (Panda)
  • Win32.Slanper (CA)
