W32/Anig.worm
- Type: Virus
- SubType: Open Share Worm
- Discovery Date: 01/28/2004
- Length: 52,224 (EXE), 26,624 (DLL)
- Minimum DAT: 4321 (01/29/2004)
- Updated DAT: 4321 (01/29/2004)
- Minimum Engine: 5.1.00
- Description Added: 01/29/2004
- Description Modified: 02/02/2004 6:33 AM (PT)
Characteristics
-- Update 02/02/2004 --
Two additional variants were discovered. They are functionally identical to the original variant and were probably modified to avoid detection. They require 4322 DATs.
--
This threat is a share-hopping worm that uses ADMIN$ and IPC$ shares to propagate.
It consists of two components:
- NTOSA32.EXE
- NTGINA.DLL
The EXE component is written in Delphi and is the share-hopping worm. The DLL is a keylogging component that is injected into WINLOGON.EXE and other running processes. The keystroke log is written to the System folder as NTKBH32.DLL, for example:
- C:\WINNT\SYSTEM32\NTKBH32.DLL
Note: this logfile will most likely contain the password (and perhaps username) used to login to the machine.
When the worm tries to copy itself to a shared system, it first checks for the existence of NTOSA32.EXE on the remote system and sends that file via NetBIOS if it is not found. It then checks for the presence of NTGINA.DLL and sends that file if it does not exist. Lastly, it checks for (and creates if necessary) the following registry entry so that the worm is started when the system is restarted:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Osa32" = NTOSA32.EXE
This checking and creation is repeated for as long as the originating system remains infected.
The EXE component also watches these registry entries on the local machine and restores the hook into WINLOGON.EXE if it is manually removed; this check runs approximately every 10 seconds.
The worm may attempt to send the contents of the keylog back to its author. When it does, outgoing TCP traffic to a remote server on destination port TCP 5190 (the port commonly used by AOL Instant Messenger) will be observed.
Symptoms
Presence of NTOSA32.EXE and NTGINA.DLL in the Windows System folder (note: the standard OS GINA component is MSGINA.DLL; NTGINA.DLL is not a legitimate system file and should not be confused with it):
- XP - WINDOWS\SYSTEM32\NTGINA.DLL
- NT - WINNT\SYSTEM32\NTGINA.DLL
- 9X - WINDOWS\SYSTEM\NTGINA.DLL
Presence of the following Registry keys:
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\dfcsvc
- HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dfcsvc
- HKEY_LOCAL_MACHINE\System\ControlSet002\Services\dfcsvc
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "GinaDll"="ntgina.dll"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Osa32" = NTOSA32.EXE
The service that the worm installs itself as has the following characteristics:
- Display name = "Distributed File Controller"
- Startup type = "Automatic"
Presence of %SysDir%\NTKBH32.DLL, which is the log of recorded keystrokes.
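As an added triage example (not McAfee's tooling), the following Python parses a registry export of the kind `reg export` produces and flags the three registry artifacts listed above: a GinaDll value other than the standard MSGINA.DLL, the Osa32 Run entry, and the dfcsvc service key under any control set. The sample exports are constructed; a host whose GinaDll still points at msgina.dll produces no finding.

```python
import re
LEGIT_GINA = "msgina.dll"  # the standard GINA; the worm replaces it with ntgina.dll
SERVICE_KEY_RE = re.compile(r"^HKEY_LOCAL_MACHINE\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Services\\dfcsvc$", re.I)
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")          # [HKEY_...] section header
VALUE_RE = re.compile(r'^(?:"([^"]+)"|@)=(.*)$')     # "name"=value or @=value
def parse_reg(text):
    """Parse .reg export text into {key_path: {value_name: value}}; string values lose their quotes."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            keys.setdefault(current, {})
            continue
        val = VALUE_RE.match(line)
        if current is not None and val:
            name = val.group(1) if val.group(1) is not None else "@"
            keys[current][name] = val.group(2).strip().strip('"')
    return keys

def find_anig_indicators(reg_text):
    """Return findings for the W32/Anig.worm registry artifacts; an empty list means none present."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        low = key.lower()
        if SERVICE_KEY_RE.match(key):
            findings.append(f"service key present: {key} (DisplayName={values.get('DisplayName')!r})")
        elif low.endswith(r"\windows nt\currentversion\winlogon"):
            # Only a GinaDll other than the standard MSGINA.DLL is suspicious; any path prefix is ignored.
            gina = values.get("GinaDll")
            if gina and gina.rsplit("\\", 1)[-1].lower() != LEGIT_GINA:
                findings.append(f"non-standard GinaDll: {gina}")
        elif low.endswith(r"\windows\currentversion\run"):
            for name, val in values.items():
                if name.lower() == "osa32" or "ntosa32.exe" in val.lower():
                    findings.append(f"Run entry {name!r} = {val}")
    return findings

# Constructed sample exports (not real captures): an infected host and a clean one.
INFECTED_REG = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"GinaDll"="ntgina.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Osa32"="NTOSA32.EXE"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\dfcsvc]
"DisplayName"="Distributed File Controller"
"""
CLEAN_REG = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"GinaDll"="C:\\WINNT\\system32\\msgina.dll"
"""
```

Run `find_anig_indicators()` over a full `reg export HKLM` of the suspect host; the file-based indicators (NTOSA32.EXE, NTGINA.DLL, NTKBH32.DLL in the System folder) still need a separate filesystem check.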
Method of Infection
The worm copies itself through ADMIN$ and IPC$ shares and installs itself on the remote machine.
Note: when successfully copied onto a remote machine, the worm is executed remotely as a service; the infected machine does not require a reboot for the worm to be running.
After the first restart NTGINA.DLL receives control as part of the WINLOGON.EXE process, and keylogging commences.
Removal
All Users:
Use specified engine and DAT files for detection.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the current engine and the specified DATs (or higher). Older engines may not be able to remove all registry keys created by this threat.
Variants
N/A
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Aliases
- W32/Dfcsvc.worm
- W32/Dfcsvc.worm.dll