Content

W32/Opanki.worm!MS06-040

Type
Virus
SubType
Internet Worm
Discovery Date
08/31/2006
Length
128,464 bytes
Minimum DAT
4843 (09/01/2006)
Updated DAT
4860 (09/26/2006)
Minimum Engine
5.1.00
Description Added
08/31/2006
Description Modified
08/31/2006 11:56 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Tab Navigation

Characteristics

W32/Opanki.worm!MS06-040 is a worm that also drops a rootkit component to hide its files and processes. This rootkit component is detected as NTRootKit-J.

The worm can spread over AIM instant messenging, opens a backdoor at TCP port 443 and tries to connect to IRC server and waits for commands. One of the ways this worm can spread is by exploiting Server Service Vulnerability (MS06-040) and older vulnerabilities including a buffer overflow in the Workstation Service (MS03-049).

W32/Opanki.worm!MS06-040 connects to a IRC server and accepts commands as described below. Upon connection, the bot immediately executes a default action set by the IRC channel operator. At the time of writing, the default action was set to scan for vulnerable SMB hosts on TCP port 139. Windows users should ensure that they have installed the latest security patches from the vendor.

On execution the worm deletes itself from its current location and copies itself in %Windir% as lsass.exe. It then registers itself as a service by creating the following registry key(s):

  • hkey_local_machine\system\currentcontrolset\services\lsass

and has the following service characteristics:

  • Display name: "Local Security Authority Subsystem Service"
  • Description:"Microsoft Path Finder Service Displays Internet Routing Paths."
  • ImagePath: "%WINDIR%\lsass.exe"

It also drops a rdriv.sys file in %SystemDir% which is detected as NTRootKit-J. rdriv.sys is also registered as a service by creating the following registry entry:

  • hkey_local_machine\system\currentcontrolset\services\rdriv

Disables the following services:

  • Telnet
  • Security Center
  • Remote Registry
  • Messenger

This worm also lowers windows security settings by performing the following registry modifications:

  • hkey_local_machine\software\microsoft\security center
    • firewalldisablenotify = "1"
    • antivirusoverride = "1"
    • updatesdisablenotify = "1"
    • firewalloverride = "1"
    • antivirusdisablenotify = "1"
  • hkey_local_machine\software\policies\microsoft\windowsfirewall\standardprofile\ enablefirewall = "0"

Prevents updates from installing Windows XP Service Pack 2 by using:

  • hkey_local_machine\software\policies\microsoft\windows\ windowsupdate\donotallowxpsp2 = "1"

Disables automatic creation of hidden shares on reboot using the following registry entry:

  • hkey_local_machine\system\currentcontrolset\services\lanmanworkstation\ parameters\autosharewks = "0"

Disables automatic updates using the follownig registry entry:

  • hkey_local_machine\software\microsoft\windows\currentversion\windowsupdate\ autoupdate\auoptions = "1"

The worm opens a backdoor at TCP port 443 and tries to connect to IRC server at:

  • bla.girlsontheblock.com

TCP port 443 is normally used for https protocol but this worm uses it for IRC.

Actions that the worm may perform on receiving appropriate commands include:

Enumerate active process and threads on infected computer

  • Start, stop and hide processes and threads
  • Modify Microsoft Internet Explorer's start page
  • Open a local web server
  • Port scan IP addresses in a specified subnet to identify possible targets for infection
  • Open backdoor at a specified port
  • Transfer files
  • Spread via MIRC
  • Update itself
  • Restart infected machine
  • Flush ARP and DNS caches
  • Sniff network traffic
  • Create, delete and try to spread via network shares
  • Spread via AOL Instant Messenger
  • Download files from a specified URL

The commands that the worm can receive include

  • login
  • threads
  • logout
  • testdlls
  • version
  • secure
  • unsecure
  • unsec
  • process
  • create
  • nickupdate
  • randnick
  • exploitftpd
  • eftpd
  • sniffer
  • sniff
  • iestart
  • encrypt
  • prefix
  • resolve
  • aimspread
  • currentip
  • stats
  • banner
  • advscan
  • scanall
  • lsascan
  • ntscan
  • wksescan
  • wksoscan
  • flusharp
  • flushdns
  • system
  • r.down
  • r.wget
  • uptime
  • private
  • status


Other characteristics of the W32/Opanki.worm threat can be found at:

 

Symptoms

  • Existence of registry keys as described.
  • Existence of one or more of the following file(s):
    • %WinDir%\lsass.exe
    • %SystemDir%\rdriv.sys
  • Security Center and Messenger unexpectedly getting disabled.
  • TCP connection at port 443 to bla.girlsontheblock.com. IRC related data on this connection.
    •

     

    Method of Infection

    This worm can spread via AOL Instant Messenger, MIRC chat client, improperly configured/protected network shares and by exploiting buffer overflow vulnerabilities in the Windows operating system such as MS06-040.

    Removal

    All Users:
    Use specified engine and DAT files for detection and removal.

    Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

    Additional Windows ME/XP removal considerations

    This threat modifies a number of system files and configurations that can include disabling the default Windows Firewall on the infected machine. These changes should be manually configured to your preferred settings.

     

    Variants

    Variants

    • W32/Spybot.worm.gen.p
    • W32/Opanki.worm.gen

    All Information

    Overview -

    W32/Opanki.worm!MS06-040 is a worm that also drops a rootkit component to hide its files and processes. This rootkit component is detected as NTRootKit-J.

    The worm can spread over AIM instant messenging, opens a backdoor at TCP port 443 and tries to connect to IRC server and waits for commands. One of the ways this worm can spread is by exploiting Server Service Vulnerability (MS06-040) and older vulnerabilities including a buffer overflow in the Workstation Service (MS03-049).

    Aliases

    • Backdoor.Win32.Rbot.ayg (Kaspersky)
    • WORM_RBOT.AEY (TrendMicro)

    Characteristics

    Characteristics -

    W32/Opanki.worm!MS06-040 is a worm that also drops a rootkit component to hide its files and processes. This rootkit component is detected as NTRootKit-J.

    The worm can spread over AIM instant messenging, opens a backdoor at TCP port 443 and tries to connect to IRC server and waits for commands. One of the ways this worm can spread is by exploiting Server Service Vulnerability (MS06-040) and older vulnerabilities including a buffer overflow in the Workstation Service (MS03-049).

    W32/Opanki.worm!MS06-040 connects to a IRC server and accepts commands as described below. Upon connection, the bot immediately executes a default action set by the IRC channel operator. At the time of writing, the default action was set to scan for vulnerable SMB hosts on TCP port 139. Windows users should ensure that they have installed the latest security patches from the vendor.

    On execution the worm deletes itself from its current location and copies itself in %Windir% as lsass.exe. It then registers itself as a service by creating the following registry key(s):

    • hkey_local_machine\system\currentcontrolset\services\lsass

    and has the following service characteristics:

    • Display name: "Local Security Authority Subsystem Service"
    • Description:"Microsoft Path Finder Service Displays Internet Routing Paths."
    • ImagePath: "%WINDIR%\lsass.exe"

    It also drops a rdriv.sys file in %SystemDir% which is detected as NTRootKit-J. rdriv.sys is also registered as a service by creating the following registry entry:

    • hkey_local_machine\system\currentcontrolset\services\rdriv

    Disables the following services:

    • Telnet
    • Security Center
    • Remote Registry
    • Messenger

    This worm also lowers windows security settings by performing the following registry modifications:

    • hkey_local_machine\software\microsoft\security center
      • firewalldisablenotify = "1"
      • antivirusoverride = "1"
      • updatesdisablenotify = "1"
      • firewalloverride = "1"
      • antivirusdisablenotify = "1"
    • hkey_local_machine\software\policies\microsoft\windowsfirewall\standardprofile\ enablefirewall = "0"

    Prevents updates from installing Windows XP Service Pack 2 by using:

    • hkey_local_machine\software\policies\microsoft\windows\ windowsupdate\donotallowxpsp2 = "1"

    Disables automatic creation of hidden shares on reboot using the following registry entry:

    • hkey_local_machine\system\currentcontrolset\services\lanmanworkstation\ parameters\autosharewks = "0"

    Disables automatic updates using the follownig registry entry:

    • hkey_local_machine\software\microsoft\windows\currentversion\windowsupdate\ autoupdate\auoptions = "1"

    The worm opens a backdoor at TCP port 443 and tries to connect to IRC server at:

    • bla.girlsontheblock.com

    TCP port 443 is normally used for https protocol but this worm uses it for IRC.

    Actions that the worm may perform on receiving appropriate commands include:

    Enumerate active process and threads on infected computer

    • Start, stop and hide processes and threads
    • Modify Microsoft Internet Explorer's start page
    • Open a local web server
    • Port scan IP addresses in a specified subnet to identify possible targets for infection
    • Open backdoor at a specified port
    • Transfer files
    • Spread via MIRC
    • Update itself
    • Restart infected machine
    • Flush ARP and DNS caches
    • Sniff network traffic
    • Create, delete and try to spread via network shares
    • Spread via AOL Instant Messenger
    • Download files from a specified URL

    The commands that the worm can receive include

    • login
    • threads
    • logout
    • testdlls
    • version
    • secure
    • unsecure
    • unsec
    • process
    • create
    • nickupdate
    • randnick
    • exploitftpd
    • eftpd
    • sniffer
    • sniff
    • iestart
    • encrypt
    • prefix
    • resolve
    • aimspread
    • currentip
    • stats
    • banner
    • advscan
    • scanall
    • lsascan
    • ntscan
    • wksescan
    • wksoscan
    • flusharp
    • flushdns
    • system
    • r.down
    • r.wget
    • uptime
    • private
    • status


    Other characteristics of the W32/Opanki.worm threat can be found at:

     

    Symptoms

    Symptoms -

  • Existence of registry keys as described.
  • Existence of one or more of the following file(s):
    • %WinDir%\lsass.exe
    • %SystemDir%\rdriv.sys
  • Security Center and Messenger unexpectedly getting disabled.
  • TCP connection at port 443 to bla.girlsontheblock.com. IRC related data on this connection.
    •

     

    Method of Infection

    Method of Infection -

    This worm can spread via AOL Instant Messenger, MIRC chat client, improperly configured/protected network shares and by exploiting buffer overflow vulnerabilities in the Windows operating system such as MS06-040.

    Removal -

    Removal -

    All Users:
    Use specified engine and DAT files for detection and removal.

    Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

    Additional Windows ME/XP removal considerations

    This threat modifies a number of system files and configurations that can include disabling the default Windows Firewall on the infected machine. These changes should be manually configured to your preferred settings.

     

    Variants

    Variants -

    • W32/Spybot.worm.gen.p
    • W32/Opanki.worm.gen