Alias/es

Detection Availability

CVE

Visible Symptoms

• The file runs.pif  exists in the System folder.

Detailed Analysis

• Copies itself to the System folder as runs.pif.
  
  
  Autostart Mechanism
  
  
• Adds the following value:

  Microsoft Service TOols = "runs.pif"

  to the following registry subkeys:
  

  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  
  Network Propagation
  
  
• May spread by exploiting the following vulnerabilities:
  
  
  • Microsoft Remote Procedure Call (RPC) Distrubuted Component Object Model (DCOM) Vulnerability using TCP port 135
  • Microsoft Windows Local Security Authority Subsystem Service (LSASS) Vulnerability using TCP ports 135, 139 or 445
  • Vulnerabilities in the Microsoft SQL Server 2000 or MSDE 2000 audit using UDP port 1434
  • Microsoft IIS WebDAV Remote Compromise Vulnerability using TCP port 80
  • Microsoft UPnP (Universal Plug and Play) Vulnerability
  • Microsoft Windows Workstation Service Remote Buffer Overflow using TCP port 445
  • Microsoft Windows SSL Library Denial of Service Vulnerability
  • VERITAS Backup Exec Agent Browser Remote Buffer Overflow Vulnerability
  • Microsoft Windows Plug and Play Buffer Overflow Vulnerability
  
  
  Backdoor and/or Trojan Behavior
  
  
• Modifies the following registry entries:

  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
    EnableDCOM = "N"
  
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControl\Set\Control\Lsa
    restrictanonymous = 1
  
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa
    restrictanonymous = 1

• Connects to an IRC server on port 6667 and joins a channel to receive commands. The commands may include the following:
  
  
  • Scan for vulnerable computers
  • Download or upload files
  • List or end running processes
  • Steal cached passwords
  • Start a local HTTP, FTP, or TFTP server
  • Search for files on the compromised computer
  • Capture screenshots, data from the clipboard, and footage from webcams
  • Visit URLs
  • Flush the DNS and ARP caches
  • Open a command shell on the compromised computer
  • Intercept packets on the local area network
  • Send net send messages

Recommended Action

FortiGate systems:


• Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
  
  
  Patch
  
  
• Download and install the following patches:
  
  
  • Microsoft Remote Procedure Call (RPC) Distrubuted Component Object Model (DCOM) Vulnerability: http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
  • Microsoft Windows Local Security Authority Subsystem Service (LSASS) Vulnerability: http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
  • Vulnerabilities in the Microsoft SQL Server 2000 or MSDE 2000 audit: http://www.microsoft.com/technet/security/bulletin/MS02-061.mspx
  • Microsoft IIS WebDAV Remote Compromise Vulnerability: http://www.microsoft.com/technet/security/bulletin/MS03-007.mspx
  • Microsoft UPnP (Universal Plug and Play) Vulnerability: http://www.microsoft.com/technet/security/bulletin/MS01-059.mspx
  • Microsoft Windows Workstation Service Remote Buffer Overflow: http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx
  • Microsoft Windows SSL Library Denial of Service Vulnerability: http://www.microsoft.com/technet/security/Bulletin/MS04-011.mspx
  • VERITAS Backup Exec Agent Browser Remote Buffer Overflow Vulnerability: http://seer.support.veritas.com/docs/273419.htm
  • Microsoft Windows Plug and Play Buffer Overflow Vulnerability: http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx