W32/Milam.worm
- Type: Virus
- SubType: Worm
- Discovery Date: 03/27/2008
- Length: 44,374 bytes
- Minimum DAT: 5262 (03/28/2008)
- Updated DAT: 5263 (03/31/2008)
- Minimum Engine: 5.1.00
- Description Added: 03/27/2008
- Description Modified: 03/27/2008 7:38 AM (PT)
Characteristics
This worm spreads via network shares and gives an attacker unauthorized remote access to the compromised machine, on which the attacker can then perform the following actions:
- Retrieve system information
- Upload/Download files via HTTP/FTP
- Execute programs remotely
- Start and stop services
- Perform DDoS attacks
Symptoms
When the W32/Milam.worm is executed, it installs itself as $sys$explorer.exe into the following folder:
- C:\Program Files\Common Files\System\
The following registry key is added so that the worm is started as a service on reboot:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Explorer
"Description" = "Microsoft Explorer"
"DisplayName" = "Explorer"
"ImagePath" = "C:\Program Files\Common Files\System\$sys$explorer.exe "
The following registry key is also modified, authorizing the worm in the Windows Firewall application list:
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
"C:\Program Files\Common Files\System\$sys$explorer.exe" = C:\Programfiles\CommonFiles\System\$sys$explorer.exe:*:Enabled:Explorer
The worm attempts to contact the following remote server:
- admin.mila[removed].com
The following TCP ports are opened on the compromised machine, which can allow a remote attacker to take control of the affected system:
- 5900
- 2967
In addition, the worm contains FTP code to upload and download files to and from a remote location.
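The symptoms above can be checked on a host in one pass. The following PowerShell script is an added example, not part of the McAfee description; it assumes a Windows host with PowerShell 3 or later (for Get-NetTCPConnection), is run as Administrator, and uses the file path, service key, firewall key and ports exactly as listed on this page.

```powershell
# Added example: host-level check for the W32/Milam.worm indicators listed above.
# Assumes an elevated PowerShell 3+ session; paths and keys are the ones from the description.
$Indicators = @{
    DropPath    = 'C:\Program Files\Common Files\System\$sys$explorer.exe'
    ServiceKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Explorer'
    FirewallKey = 'HKLM:\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
    Ports       = @(5900, 2967)
}

function Test-MilamIndicators {
    $findings = @()

    # 1. Dropped binary under Common Files\System (single quotes keep the $ signs literal)
    if (Test-Path -LiteralPath $Indicators.DropPath) {
        $findings += "File present: $($Indicators.DropPath)"
    }

    # 2. Persistence: a service named 'Explorer' whose ImagePath points at the dropper
    if (Test-Path -LiteralPath $Indicators.ServiceKey) {
        $svc = Get-ItemProperty -LiteralPath $Indicators.ServiceKey -ErrorAction SilentlyContinue
        if ($svc.ImagePath -like '*$sys$explorer.exe*') {
            $findings += "Service 'Explorer' ImagePath = $($svc.ImagePath.Trim())"
        }
    }

    # 3. Firewall exception: the value NAME is the dropper's full path, the data ends in ':Enabled:Explorer'
    if (Test-Path -LiteralPath $Indicators.FirewallKey) {
        $fw = Get-Item -LiteralPath $Indicators.FirewallKey
        foreach ($name in ($fw.GetValueNames() | Where-Object { $_ -like '*$sys$explorer.exe' })) {
            $findings += "Firewall AuthorizedApplications entry: $name = $($fw.GetValue($name))"
        }
    }

    # 4. Backdoor ports. 5900 is also the default VNC port, so report the owning process
    #    rather than treating a listener alone as proof of infection.
    foreach ($port in $Indicators.Ports) {
        $listeners = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue
        foreach ($conn in $listeners) {
            $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
            $findings += "TCP $port listening, owned by PID $($conn.OwningProcess) ($($proc.ProcessName))"
        }
    }
    return $findings
}

$result = Test-MilamIndicators
if ($result.Count -eq 0) { 'No W32/Milam.worm indicators found.' } else { $result }
```

A clean host prints the "No indicators" line; any finding is a lead to confirm with the DAT/engine versions stated at the top of this description.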
Method of Infection
This worm scans random IP addresses and tries to gain access to network shares by trying the weak administrator passwords listed below:
- asdf
- asdfgh
- love
- boobs
- porn
- pass
- high
- server
- ftp
- dell
- duck
- master
- owner
- register
- paper
- money
- cool
- kool
- kkk
- bass
- $%^&*
- ~!@#$%^&
- helpme
- tom
- bobnob
- bob
- ryan
- pimpin
- jesus
- god
- coke
- weed
- cracker
- crack
- whore
- shit
- fuck
- bitch
- 1337
- leet
- password
- admin
- root
- vnc
- cam
- comp
- computer
- change
- changeme
- test
- testing
- sex
- sexy
- pimp
- help
- monkey
- qwerty
- abcdefgh
- abcdef
- abcde
- abcd
- abc
- 321
- 4321
- 654321
- 7654321
- 87654321
- 12345678
- 1234567
- 123456
- 12345
- 1234
- 123
Removal
Detection is included in our BETA DAT files and will also be included in the next scheduled DAT release. In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used.
Variants
N/A
Overview
The W32/Milam.worm has several threat vectors: it spreads via network shares, downloads additional malware from a remote site, and opens a backdoor on the local computer.