Alias/es

Detection Availability

CVE

Visible Symptoms

• The file termsvrs.exe  exists in the Windows folder.
• The file rofl.sys  exists in the System folder.

Detailed Analysis

• Copies itself to the Windows folder as termsvrs.exe.
  
  
  Autostart Mechanism
  
  
• Registers itself as a service named P-SYS  to ensure loading during the Windows start up process.
  
  
  Network Propagation
  
  
• The virus enumerates network shares, and copies itself to the following folders:
  
  
  • d$\windows\system32
  • d$\winnt\system32
  • c$\windows\system32
  • c$\winnt\system32
  • Admin$\system32
  • Admin$
  
  If the shares are password-protected, it attempts to gain access by using the following user names and passwords:
  
  
  • admin
  • server
  • asdfgh
  • !@#$%
  • !@#$%
  • !@#$%
  • 654321
  • 123456
  • 12345
  • administrator
  
  
• This worm also takes advantage of the following Windows vulnerabilities to propagate across networks:
  
  
  • Microsoft ASN.1 Library Vulnerability
  • Microsoft Windows Local Security Authority Subsystem Service (LSASS) Vulnerability
  
  
  Backdoor and/or Trojan Behavior
  
  
• Connects to the Internet Relay Chat (IRC) server 70.84.27.34  on TCP port 6522 to await instructions and commands from a remote user.
  
  
• Modifies the following registry entries:

  HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
    DoNotAllowXPSP2 = dword:00000001
  
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger
    Start = dword:00000004
  
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry
    Start = dword:00000004
  
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
    Start = dword:00000004
  
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
    UpdatesDisableNotify = dword:00000001
    AntiVirusDisableNotify = dword:00000001
    FirewallDisableNotify = dword:00000001
    AntiVirusOverride = dword:00000001
    FirewallOverride = dword:00000001

• Drops the file rofl.sys to the System folder. This worm component is used in hiding the worm process. It is detected as W32/Aimbot.AF!tr.bdr.
  
  
• Attempts to contact scripts at the following addresses:
  
  
  • http://hpc{REMOVED}y.com/mute/c/prxjdg.cgi
  • http://www.a{REMOVED}e.jp/x/maxwell/cgi-bin/prxjdg.cgi
  • http://www2.do{REMOVED}e.jp/tomocrus/cgi-bin/check/prxjdg.cgi
  • http://cgi1{REMOVED}r.jp/little_w/prxjdg.cgi
  • http://yi{REMOVED}a.com/prxjdg.cgi

Recommended Action

FortiGate systems:


• Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
  
  
  Patch
  
  
• Download and install the following patches:
  
  
  • Microsoft ASN.1 Library Vulnerability: http://www.microsoft.com/technet/security/bulletin/MS04-007.mspx
  • Microsoft Windows Local Security Authority Subsystem Service (LSASS) Vulnerability: http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx