W32/Kelvir!worm
Analysis
- Copies itself to the Windows folder as termsvrs.exe.
Autostart Mechanism
- Registers itself as a service named P-SYS to ensure it is loaded during the Windows start-up process.
Network Propagation
- The virus enumerates network shares and copies itself to the following folders:
- d$\windows\system32
- d$\winnt\system32
- c$\windows\system32
- c$\winnt\system32
- Admin$\system32
- Admin$
If the shares are password-protected, it attempts to gain access by using the following user names and passwords:
- admin
- server
- asdfgh
- !@#$undefined
- !@#$undefined
- !@#$undefined
- 654321
- 123456
- 12345
- administrator
- This worm also takes advantage of the following Windows vulnerabilities to propagate across networks:
- Microsoft ASN.1 Library Vulnerability
- Microsoft Windows Local Security Authority Subsystem Service (LSASS) Vulnerability
Backdoor and/or Trojan Behavior
- Connects to the Internet Relay Chat (IRC) server 70.84.27.34 on TCP port 6522 to await instructions and commands from a remote user.
- Modifies the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2 = dword:00000001
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger
Start = dword:00000004
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start = dword:00000004
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
Start = dword:00000004
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
UpdatesDisableNotify = dword:00000001
AntiVirusDisableNotify = dword:00000001
FirewallDisableNotify = dword:00000001
AntiVirusOverride = dword:00000001
FirewallOverride = dword:00000001
- Drops the file rofl.sys to the System folder. This worm component is used to hide the worm process. It is detected as W32/Aimbot.AF!tr.bdr.
- Attempts to contact scripts at the following addresses:
- http://hpc{REMOVED}y.com/mute/c/prxjdg.cgi
- http://www.a{REMOVED}e.jp/x/maxwell/cgi-bin/prxjdg.cgi
- http://www2.do{REMOVED}e.jp/tomocrus/cgi-bin/check/prxjdg.cgi
- http://cgi1{REMOVED}r.jp/little_w/prxjdg.cgi
- http://yi{REMOVED}a.com/prxjdg.cgi
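The following host check, added here as an example and not part of Fortinet's analysis, looks for the indicators listed above (dropped files, the P-SYS service, the registry values and the IRC connection) and returns each hit with its source. It assumes it is run as Administrator on the host being examined and that Get-NetTCPConnection is available (Windows 8 / Server 2012 or later).

```powershell
# Added example: check a host for the W32/Kelvir!worm indicators from the analysis.
# Start=4 on the three services and the Security Center overrides can also be set by
# administrators, so each hit is reported with its source rather than treated as proof.

function Test-KelvirIndicators {
    $findings = @()

    # File drops: termsvrs.exe in the Windows folder, rofl.sys in the System folder
    foreach ($p in @("$env:windir\termsvrs.exe", "$env:windir\System32\rofl.sys")) {
        if (Test-Path -LiteralPath $p) { $findings += "file present: $p" }
    }

    # Autostart: service named P-SYS
    if (Get-Service -Name 'P-SYS' -ErrorAction SilentlyContinue) {
        $findings += 'service present: P-SYS'
    }

    # Registry values the worm sets (taken from the analysis above)
    $regChecks = @{
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' = @{ DoNotAllowXPSP2 = 1 }
        'HKLM:\SYSTEM\CurrentControlSet\Services\Messenger'      = @{ Start = 4 }
        'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteRegistry' = @{ Start = 4 }
        'HKLM:\SYSTEM\CurrentControlSet\Services\wscsvc'         = @{ Start = 4 }
        'HKLM:\SOFTWARE\Microsoft\Security Center'               = @{
            UpdatesDisableNotify = 1; AntiVirusDisableNotify = 1; FirewallDisableNotify = 1
            AntiVirusOverride = 1;    FirewallOverride = 1
        }
    }
    foreach ($key in $regChecks.Keys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($name in $regChecks[$key].Keys) {
            if ($props.$name -eq $regChecks[$key][$name]) {
                $findings += "registry: $key\$name = $($props.$name)"
            }
        }
    }

    # Command and control: established connection to the IRC server named above
    $c2 = Get-NetTCPConnection -RemoteAddress '70.84.27.34' -RemotePort 6522 -ErrorAction SilentlyContinue
    if ($c2) { $findings += 'network: connection to 70.84.27.34:6522' }

    return $findings
}

Test-KelvirIndicators
```

An empty result means none of the listed indicators were found; any file or service hit should be followed up with an AV scan, since the registry and service values alone are not conclusive.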
Recommended Action
FortiGate systems:
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
Patch
- Download and install the following patches:
- Microsoft ASN.1 Library Vulnerability: http://www.microsoft.com/technet/security/bulletin/MS04-007.mspx
- Microsoft Windows Local Security Authority Subsystem Service (LSASS) Vulnerability: http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx