
Worm:W32/Downadup.AL


First posted on 05 January 2009.
Source: SecurityHome

Aliases:

There are no other names known for Worm:W32/Downadup.AL.

Explanation:

A standalone malicious program which uses computer or network resources to make complete copies of itself. May include code or other malware to damage both the system and the network.

Creates the following mutex:

  • Global\%Random-Random%

Upon Execution, it may create one or more of the following as a copy of itself:

  • %System%\[...].dll
  • %Program Files%\Internet Explorer\[...].dll
  • %Program Files%\Movie Maker\[...].dll
  • %All Users Application Data%\[...].dll
  • %Temp%\[...].dll

Changes the file timestamp to match the timestamp of %System%\kernel32.dll.

Creates the following registry entries:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
    DisplayName = %ServiceName%
    Type = dword:00000020
    Start = dword:00000002
    ErrorControl = dword:00000000
    ImagePath = "%SystemRoot%\system32\svchost.exe -k netsvcs"
    ObjectName = "LocalSystem"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Parameters
    ServiceDll = %MalwarePath%

Note: %ServiceName% represents a two-word combination taken from the following list:

  • Boot
  • Center
  • Config
  • Driver
  • Helper
  • Image
  • Installer
  • Manager
  • Microsoft
  • Monitor
  • Network
  • Security
  • Server
  • Shell
  • Support
  • System
  • Task
  • Time
  • Universal
  • Update
  • Windows

It then modifies the following registry keys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost, netsvcs = %Previous Data% and %Random%
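The service footprint described above (svchost netsvcs host, a two-word name from the list, a randomly named DLL in one of the drop directories) can be checked from a plain `reg query` dump of the Services key. The following is an added triage example, not code from the original description; the sample dump is constructed, and the drop-directory fragments assume XP-era expansions of the %...% placeholders.

```python
r"""Triage helper for the Downadup.AL service footprint described above. Added example,
not from the original description; parses `reg query HKLM\SYSTEM\CurrentControlSet\Services /s` output."""
import re

# Two-word %ServiceName% vocabulary listed in the description.
NAME_WORDS = set("Boot Center Config Driver Helper Image Installer Manager Microsoft "
                 "Monitor Network Security Server Shell Support System Task Time "
                 "Universal Update Windows".split())
# Drop directories from the description as lower-case path fragments (XP-era expansion assumed).
DROP_DIRS = ("\\system32\\", "\\internet explorer\\", "\\movie maker\\",
             "\\all users\\application data\\", "\\temp\\")
_KEY = re.compile(r"^HKEY_\w+\\SYSTEM\\CurrentControlSet\\Services\\([^\\]+?)(?:\\(\S+))?\s*$", re.I)
_VAL = re.compile(r"^\s+(\S+)\s+REG_\w+\s+(.*?)\s*$")

def parse_reg_query(text):
    """Return {service: {value: data}}, merging the Parameters subkey (ServiceDll)."""
    services, current = {}, None
    for line in text.splitlines():
        if m := _KEY.match(line):   # service key or one of its subkeys
            wanted = m.group(2) is None or m.group(2).lower() == "parameters"
            current = services.setdefault(m.group(1), {}) if wanted else None
        elif (m := _VAL.match(line)) and current is not None:
            current[m.group(1)] = m.group(2)
    return services

def looks_like_downadup(vals):
    """Hosted by svchost -k netsvcs, two-word NAME_WORDS DisplayName, ServiceDll in a drop dir."""
    if "svchost.exe -k netsvcs" not in vals.get("ImagePath", "").lower():
        return False
    words = vals.get("DisplayName", "").split()
    if len(words) != 2 or not NAME_WORDS.issuperset(words):
        return False
    return any(frag in vals.get("ServiceDll", "").lower() for frag in DROP_DIRS)

def suspicious_services(reg_query_text):
    return sorted(n for n, v in parse_reg_query(reg_query_text).items() if looks_like_downadup(v))
# Constructed sample output (not from a real host): one benign netsvcs service, one worm-style one.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
    ImagePath    REG_EXPAND_SZ    %systemroot%\system32\svchost.exe -k netsvcs
    DisplayName    REG_SZ    Automatic Updates

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qwjlkz
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k netsvcs
    DisplayName    REG_SZ    Windows Support

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qwjlkz\Parameters
    ServiceDll    REG_EXPAND_SZ    C:\Program Files\Movie Maker\qwjlkz.dll
"""
print(suspicious_services(SAMPLE))  # ['qwjlkz']
```

A legitimate netsvcs service whose display name is two words from this list (Vista's Windows Update, for example) also scores, so treat hits as leads to compare against the host's netsvcs baseline and known ServiceDll names rather than as verdicts.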

It also creates the following autorun registry entry:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    = rundll32.exe "%MalwarePath%",
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    = rundll32.exe "%MalwarePath%",

It also deletes any System Restore points created by the user.

It first checks if it is running on Windows Vista, then runs the following command to disable Windows Vista TCP/IP auto-tuning:

  • netsh interface tcp set global autotuning=disabled

The worm also modifies the following registry entry so that the worm spreads more rapidly across a network:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    "TcpNumConnections" = dword:0x00FFFFFE

It may also create one of the following files:

  • %System%\[...].tmp
  • %Temp%\[...].tmp

It then registers the [...].tmp file as a kernel driver service, creating the following registry entries:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
    Type = dword:00000001
    Start = dword:00000003
    ErrorControl = dword:00000000
    ImagePath = "...\%MalwarePath%[...].tmp"
    DisplayName =

It deletes the file %MalwarePath%[...].tmp afterwards.

It disables the following Windows services:

  • wuauserv
  • BITS

The wuauserv service is Windows Automatic Update Service and BITS is the Background Intelligent Transfer Service.

Modifies the following registry entries in order to hide itself on the system:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
    CheckedValue = dword:00000000

It checks for suitable network shares, then tries to connect to one using one of the following usernames and passwords:

  • 00000
  • 0000000
  • 00000000
  • 0987654321
  • 11111
  • 111111
  • 1111111
  • 11111111
  • 123123
  • 12321
  • 123321
  • 12345
  • 123456
  • 1234567
  • 12345678
  • 123456789
  • 1234567890
  • 1234abcd
  • 1234qwer
  • 123abc
  • 123asd
  • 123qwe
  • 1q2w3e
  • 22222
  • 222222
  • 2222222
  • 22222222
  • 33333
  • 333333
  • 3333333
  • 33333333
  • 44444
  • 444444
  • 4444444
  • 44444444
  • 54321
  • 55555
  • 555555
  • 5555555
  • 55555555
  • 654321
  • 66666
  • 666666
  • 6666666
  • 66666666
  • 7654321
  • 77777
  • 777777
  • 7777777
  • 77777777
  • 87654321
  • 88888
  • 888888
  • 8888888
  • 88888888
  • 987654321
  • 99999
  • 999999
  • 9999999
  • 99999999
  • a1b2c3
  • aaaaa
  • abc123
  • academia
  • access
  • account
  • Admin
  • admin
  • admin1
  • admin12
  • admin123
  • adminadmin
  • administrator
  • anything
  • asddsa
  • asdfgh
  • asdsa
  • asdzxc
  • backup
  • boss123
  • business
  • campus
  • changeme
  • cluster
  • codename
  • codeword
  • coffee
  • computer
  • controller
  • cookie
  • customer
  • database
  • default
  • desktop
  • domain
  • example
  • exchange
  • explorer
  • files
  • foobar
  • foofoo
  • forever
  • freedom
  • games
  • home123
  • ihavenopass
  • Internet
  • internet
  • intranet
  • killer
  • letitbe
  • letmein
  • Login
  • login
  • lotus
  • love123
  • manager
  • market
  • money
  • monitor
  • mypass
  • mypassword
  • mypc123
  • nimda
  • nobody
  • nopass
  • nopassword
  • nothing
  • office
  • oracle
  • owner
  • pass1
  • pass12
  • pass123
  • passwd
  • Password
  • password
  • password1
  • password12
  • password123
  • private
  • public
  • pw123
  • q1w2e3
  • qazwsx
  • qazwsxedc
  • qqqqq
  • qwe123
  • qweasd
  • qweasdzxc
  • qweewq
  • qwerty
  • qwewq
  • root123
  • rootroot
  • sample
  • secret
  • secure
  • security
  • server
  • shadow
  • share
  • student
  • super
  • superuser
  • supervisor
  • system
  • temp123
  • temporary
  • temptemp
  • test123
  • testtest
  • unknown
  • windows
  • work123
  • xxxxx
  • zxccxz
  • zxcvb
  • zxcvbn
  • zxcxz
  • zzzzz

If successful, the worm copies itself to that share.

It connects to the following sites to get the %ExternalIPAddress% of the infected system:

  • http://checkip.dyndns.org
  • http://getmyip.co.uk
  • http://www.getmyip.org
  • http://www.whatsmyipaddress.com

It then creates an HTTP server on the infected system on a random port:

  • http://%ExternalIPAddress%:%RandomPort%

The HTTP server works together with the worm's exploit for the critical MS08-067 vulnerability: a machine compromised through the exploit is forced to download another copy of the malware from this server. The downloaded malware has one of the following extensions:

  • bmp
  • gif
  • jpeg
  • png

It may create the following files on removable and mapped drives:

  • %DriveLetter%\RECYCLER\S-%d-%d-%d-%d%d%d-%d%d%d-%d%d%d-%d\[...].dll
  • %DriveLetter%\autorun.inf

Connects to one of the following domains to obtain the current date:

  • ask.com
  • baidu.com
  • google.com
  • w3.org
  • yahoo.com

Checks if the system date is at least 1 January 2009 and, if so, downloads and executes files from:

  • http://%PredictableDomainsIPAddress%/search?q=%d

It also creates the following registry entries:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets
    (default) = dword:%Number%
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets
    (default) = dword:%Number%

Last update 05 January 2009
