McAfee > Theat Center > Virus Detail Page

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• W32/Graps.bat

Characteristics

This is a remote access trojan, and share jumping worm. It propagates via the default administrator share, admin$. When run, the worm creates a registry run key to load itself at system startup:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
  Run "Windows Management Instrumentation" = %worm path%\mwd.exe

Three batch files are created in the local directory:

• wds.bat
• wds2.bat
• wds3.bat

These batch files try to gain access to the ADMIN$ share on remote systems by trying weak username/password combinations. If this share is accessible, either because (1) the system allows for a weak user/pass or (2) the current credentials are sufficient for admin access, the worm attempts to copy 3 files to the remote system:

1. mwd.exe (a copy of the worm)
2. psexec.exe (RemoteProcessLaunch application)
3. mswinsk.ocx (innocent Microsoft Winsock Control DLL)

PSEXEC.EXE is used to execute the worm remotely and the ADMIN$ share is then deleted.

The worm scan scans the local class a subnet (#.*.*.*) for target systems. The worm creates a remote access server by listening on TCP port 45836. This server allows a remote attacker to perform the following tasks:

• Retrieve the following information
  • Uptime
  • Download speed
  • CPU information
  • RAM
  • Disk Usage
• Specify a target IP address to ICMP/HTTP flood
• Download/execute files
• Internet Relay Chat (IRC) functions
• IP Port Redirection (to create proxies)

Symptoms

Compromised system attempting to connect to the following addresses

• frozenhighlands.skiebus.com
• frozenhighlands.rock-slides.com
• jjljsmlmjo.no-ip.com
• llqrlmspmm.dyndns.org
• qplfdempqo.dyndns.org

Method of Infection

This worm spreads via the ADMIN$ share on Windows NT/2K/XP systems.

Removal

All Users:
Use specified engine and DAT files for detection and removal of virus and trojan files related to this threat.

Many share jumping viruses rely on weak usernames/passwords. They attempt to gain administrative rights by using a dictionary-style attack, trying usernames like "admin" or "administrator" and passwords like "admin" or "123456". Beyond such weak usernames/passwords many can use the credentials of the local user. Meaning that if a super-administrator, or domain-admin logs on to an infected system or becomes infected, the virus will have access to all systems within its "reach". Such worms often rely on the presence of default, admin shares. It is a good idea to remove the administrative shares (C$, IPC$, ADMIN$) on all systems to prevent such spreading. A simple batch file containing the following commands may be of help, especially when run from a logon script, or placed in the startup folder.

• net share c$ /delete
• net share d$ /delete
• net share e$ /delete
• net share ipc$ /delete
• net share admin$ /delete

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• W32/Graps.bat

Characteristics

Characteristics -

This is a remote access trojan, and share jumping worm. It propagates via the default administrator share, admin$. When run, the worm creates a registry run key to load itself at system startup:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
  Run "Windows Management Instrumentation" = %worm path%\mwd.exe

Three batch files are created in the local directory:

• wds.bat
• wds2.bat
• wds3.bat

These batch files try to gain access to the ADMIN$ share on remote systems by trying weak username/password combinations. If this share is accessible, either because (1) the system allows for a weak user/pass or (2) the current credentials are sufficient for admin access, the worm attempts to copy 3 files to the remote system:

1. mwd.exe (a copy of the worm)
2. psexec.exe (RemoteProcessLaunch application)
3. mswinsk.ocx (innocent Microsoft Winsock Control DLL)

PSEXEC.EXE is used to execute the worm remotely and the ADMIN$ share is then deleted.

The worm scan scans the local class a subnet (#.*.*.*) for target systems. The worm creates a remote access server by listening on TCP port 45836. This server allows a remote attacker to perform the following tasks:

• Retrieve the following information
  • Uptime
  • Download speed
  • CPU information
  • RAM
  • Disk Usage
• Specify a target IP address to ICMP/HTTP flood
• Download/execute files
• Internet Relay Chat (IRC) functions
• IP Port Redirection (to create proxies)

Symptoms

Symptoms -

Compromised system attempting to connect to the following addresses

• frozenhighlands.skiebus.com
• frozenhighlands.rock-slides.com
• jjljsmlmjo.no-ip.com
• llqrlmspmm.dyndns.org
• qplfdempqo.dyndns.org

Method of Infection

Method of Infection -

This worm spreads via the ADMIN$ share on Windows NT/2K/XP systems.

Removal -

Removal -

All Users:
Use specified engine and DAT files for detection and removal of virus and trojan files related to this threat.

Many share jumping viruses rely on weak usernames/passwords. They attempt to gain administrative rights by using a dictionary-style attack, trying usernames like "admin" or "administrator" and passwords like "admin" or "123456". Beyond such weak usernames/passwords many can use the credentials of the local user. Meaning that if a super-administrator, or domain-admin logs on to an infected system or becomes infected, the virus will have access to all systems within its "reach". Such worms often rely on the presence of default, admin shares. It is a good idea to remove the administrative shares (C$, IPC$, ADMIN$) on all systems to prevent such spreading. A simple batch file containing the following commands may be of help, especially when run from a logon script, or placed in the startup folder.

• net share c$ /delete
• net share d$ /delete
• net share e$ /delete
• net share ipc$ /delete
• net share admin$ /delete

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A