W32/Spybot.worm.lz

Type: Virus
SubType: Internet Worm
Discovery Date: 08/11/2003
Length: 24,064 bytes (exe); 43,520 bytes (dll)
Minimum DAT: 4285 (08/13/2003)
Updated DAT: 5345 (07/23/2008)
Minimum Engine: 5.1.00
Description Added: 08/12/2003
Description Modified: 08/13/2003 5:38 AM (PT)
Risk Assessment: Corporate User - Low; Home User - Low

Characteristics

-- Update 13th August 2003 --

An additional variant of this threat has been received by AVERT, which is detected as W32/Spybot.worm.md with the specified engine/DATs. The filenames for the executable and the DLL it drops are as follows:

  • NSTASK32.EXE (24,064 bytes)
  • WINSOCK32DRV.DLL (43,520 bytes)

--

This threat was proactively detected as New Malware.b when scanning compressed files with the 4.2.40+ scan engine, 4283 DAT files, and program heuristics enabled.

This is another worm that exploits the MS03-026 vulnerability. It works in a similar fashion to W32/Lovsan.worm in that it creates a remote shell on TCP Port 4444 and tells the compromised target system to download (TFTP) and execute the worm from the host system.

This threat differs in that it is also an IRC bot (the source code for IRC-Sdbot was used).

When run, the worm creates two files in the %WinDir%\System32 directory:

  • c:\WINNT\system32\winlogin.exe (24,064 bytes)
  • c:\WINNT\system32\yuetyutr.dll (43,520 bytes)

Several registry run keys are created to load the worm at system startup (note regedit will simply display the value as winlogin.exe):
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
    Runonce "winlogon" = winlogin.exe linuzguy unchained rage 1.1 MIRC CHAIN SCRIPT tateravo asdasd#$@#$#@ASFDASASFASFASASASDASASFASDFASDASSDA SOFTWARE\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    Run "NDplDeamon" = winlogin.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    Run "winlogon" = winlogin.exe linuzguy unchained rage 1.1 MIRC CHAIN SCRIPT tateravo asdasd#$@#$#@ASFDASASFASFASASASDASASFASDFASDASSDA SOFTWARE\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Winlogon "Shell" = explorer.exe winlogin.exe

The worm connects to the IRC server le.x.lu.tc, joins a channel and awaits further instructions from a remote attacker.

The worm injects the dropped yuetyutr.dll file into the explorer.exe process.

Symptoms

- TCP traffic on port 6667
- Presence of the files winlogin.exe (24,064 bytes) [note: winlogon.exe is a valid Windows file] and yuetyutr.dll (43,520 bytes) in the WINDOWS SYSTEM32 directory

The worm also deletes the TFTP.EXE program, which it uses to get on to a system in the first place. This will prevent future infections via the same method. Users may see a file protection warning.
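The file, registry and network indicators listed under Characteristics and Symptoms can be checked on a host with the script below. It is an added example for this page, not McAfee tooling; it only reports findings and changes nothing. It assumes an elevated PowerShell session on the host being examined and that Get-NetTCPConnection is available (Windows 8 / Server 2012 and later), and it checks the HKCU hook for the current user only.

```powershell
# Added host check for the W32/Spybot.worm.lz indicators named in this description.
# Not McAfee's tooling; report-only, nothing is deleted or modified.
# Assumptions: elevated PowerShell; Get-NetTCPConnection available (Win8/2012+).

$sys32 = Join-Path $env:WINDIR 'System32'

# Dropped files from the description, including the .md variant's names.
$droppedFiles = @(
    @{ Name = 'winlogin.exe';     Size = 24064 },
    @{ Name = 'yuetyutr.dll';     Size = 43520 },
    @{ Name = 'NSTASK32.EXE';     Size = 24064 },
    @{ Name = 'WINSOCK32DRV.DLL'; Size = 43520 }
)

# Startup hooks from the description: key, value name, and the substring the
# value data contains when the worm wrote it.
$startupHooks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce';     Name = 'winlogon';   Marker = 'winlogin.exe' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';         Name = 'NDplDeamon'; Marker = 'winlogin.exe' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';         Name = 'winlogon';   Marker = 'winlogin.exe' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell';      Marker = 'winlogin.exe' }
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped files: a hit on the name is reported; the size is compared to the description.
#    Note the spelling: winlogIN.exe is the worm, winlogON.exe is a legitimate Windows file.
foreach ($f in $droppedFiles) {
    $path = Join-Path $sys32 $f.Name
    if (Test-Path -LiteralPath $path) {
        $len = (Get-Item -LiteralPath $path).Length
        $sizeNote = if ($len -eq $f.Size) { 'size matches description' } else { "size $len differs from description" }
        $findings.Add("FILE  $path ($sizeNote)")
    }
}

# 2. Registry run keys. A clean Winlogon\Shell is just 'explorer.exe'; the worm appends
#    'winlogin.exe', so the marker is matched as a substring rather than by exact equality.
foreach ($h in $startupHooks) {
    if (Test-Path -LiteralPath $h.Path) {
        $data = (Get-ItemProperty -LiteralPath $h.Path -Name $h.Name -ErrorAction SilentlyContinue).($h.Name)
        if ($null -ne $data -and ($data -like "*$($h.Marker)*")) {
            $findings.Add("REG   $($h.Path)\$($h.Name) = $data")
        }
    }
}

# 3. IRC traffic: TCP 6667 is listed as a symptom. Each connection is mapped to its owning process.
$irc = Get-NetTCPConnection -RemotePort 6667 -ErrorAction SilentlyContinue
foreach ($c in $irc) {
    $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    $findings.Add("NET   $($c.LocalAddress):$($c.LocalPort) -> $($c.RemoteAddress):6667 ($($c.State)) pid $($c.OwningProcess) $($proc.ProcessName)")
}

# 4. The worm deletes tftp.exe after use. Its absence is only a weak secondary signal,
#    since the TFTP client is an optional feature on newer Windows versions.
if (-not (Test-Path -LiteralPath (Join-Path $sys32 'tftp.exe'))) {
    $findings.Add("NOTE  tftp.exe is missing from $sys32 (worm deletes it; may also be uninstalled by design)")
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32/Spybot.worm.lz indicators found.'
} else {
    Write-Output 'Indicators found:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Matching on the value data rather than the value name matters for the Winlogon "Shell" entry: that value legitimately exists on every system, so the indicator is the appended winlogin.exe, not the presence of the value. A process shown against a port 6667 connection that is explorer.exe is consistent with the injected yuetyutr.dll described above and is worth escalating to a memory or module inspection.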

Method of Infection

This worm spreads through a Windows exploit (MS03-026) by instructing a remote system to download and execute the worm from the already infected system. Once a system is infected, the worm contacts an IRC server, which allows a remote attacker to initiate a denial of service attack, download files, and retrieve system information (RAM, CPU, uptime, disk space, etc.).

Removal

All Users:
Use specified engine and DAT files for detection. The 4.2.40 engine can complete repair without reboot, but older engines require a reboot for repair to complete.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the current engine and DAT combination (or higher). Older engines may not be able to remove all registry keys created by this threat.

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • TrojanDropper.Win32.Small.bd (AVP)
  • W32.Randex.E (Symantec)
  • WORM_RPCSDBOT.A (Trend)
