[windows2000] Virus Alert: Worm Netspree

  • From: Jim Kenzig <jimkenz@xxxxxxxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx, Windows2000@xxxxxxxxxxxxx, ossecurityalert@xxxxxxxxxxxxx
  • Date: Mon, 27 Jan 2003 12:23:56 -0500

Watch out for a process called Win32load.exe on your machines!
JK
http://thethin.net
http://www.osmess.com


Trend has just released the below Worm advisory.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NETSPREE.A

Description:

This worm spreads via network shares. It also gives remote control access to
infected systems. It allows remote users to connect to the infected machine
and then download and execute files on the compromised system.

This worm runs on Windows 95, 98, ME, NT, XP, and 2000 but will not be able
to spread and drop copies of itself to Windows 9x/ME systems.

Solution:


AUTOMATIC REMOVAL INSTRUCTIONS

To automatically remove this malware from your system, please use the Trend
Micro System Cleaner.

MANUAL REMOVAL INSTRUCTIONS

Terminating the Malware Program

This procedure terminates the running malware process from memory.

1. Open Windows Task Manager.
   On Windows 9x/ME systems, press CTRL+ALT+DELETE.
   On Windows NT/2000/XP systems, press CTRL+SHIFT+ESC, and click the
   Processes tab.
2. In the list of running programs, locate the process:
   Win32load
3. Select the malware process, then press either the End Task or the End
   Process button, depending on the version of Windows on your system.
4. To check if the malware process has been terminated, close Task Manager,
   and then open it again.
5. Close Task Manager.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from
executing during startup.

1. Open Registry Editor. To do this, click Start>Run, type REGEDIT, then
   press Enter.
2. In the left panel, double-click the following:
   HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
3. In the right panel, locate and delete the entry or entries:
   Windows Subsys
4. In the left panel, double-click the following:
   HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>RunServices
5. In the right panel, locate and delete the entry or entries:
   Windows Subsys
6. Close Registry Editor.

NOTE: If you were not able to terminate the malware process from memory, as
described in the previous procedure, restart your system.

Restoring other Registry Keys

1. Open Registry Editor.
2. In the left panel, double-click the following:
   HKEY_LOCAL_MACHINE>System>Current Control Set>Control>Lsa
3. In the right panel, locate the entry:
   restrictanonymous
4. Right-click the entry and click Modify.
5. Type in the default value of 0 and click OK.
6. Close Registry Editor.


Related to: BAT_NETSPREE.A
In the wild: Yes
Payload 1: Compromises network security
Language: English
Platform: Windows 95/98/ME/NT/2000/XP
Encrypted: No
Size of

Details:

Installation
Upon execution, this worm drops a copy of itself in the System directory as
. It also adds the following registry entries so that the dropped copy is
executed every time Windows starts:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run\
Windows Subsys =
"%System%\win32load.exe" rundll32.dll,loadsubsys,loadsys,win32
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\RunServices
Windows Subsys =
"%System%\win32load.exe" rundll32.dll,loadsubsys,loadsys,win32
*Where %System% is the Windows system folder, which is usually
C:\Windows\System on Windows 9x and ME, C:\WINNT\System32 on Windows NT and
2000, or C:\Windows\System32 on Windows XP.
It also modifies the data value of the following registry entry to
"DWORD:0":
HKEY_LOCAL_MACHINE\System\Current Control Set\
Control\Lsa
restrictanonymous
The worm then stays resident in memory. At least one of the executing copies
is always the dropped copy in the System folder.
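As an added example, not Trend Micro's tool nor code from the original post, the following Python script checks a decoded `reg export` dump for the two registry indicators described above: an autostart value named "Windows Subsys" (or one pointing at win32load.exe) under Run or RunServices, and Lsa\restrictanonymous set to 0. The embedded .reg sample is constructed for this example, and the Lsa path uses the registry's actual key name CurrentControlSet rather than the advisory's spelling.

```python
import re

# Constructed sample of a decoded `reg export` dump (not from a real host); the Run
# value mirrors the autostart entry quoted in the advisory.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Subsys"="\"C:\\WINNT\\System32\\win32load.exe\" rundll32.dll,loadsubsys,loadsys,win32"
"Synchronization Manager"="mobsync.exe /logon"
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000000
'''

AUTOSTART_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)
# Real key name for the path the advisory writes as "Current Control Set"
LSA_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa"

def parse_reg(text):
    """Return {key_path: {value_name: data}} from .reg text (string and dword data only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and (m := re.match(r'"((?:[^"\\]|\\.)*)"=(.*)', line)):
            name, data = m.group(1), m.group(2)
            if data.startswith("dword:"):
                data = int(data[6:], 16)
            elif data.startswith('"') and data.endswith('"'):
                # .reg escapes quotes as \" and backslashes as \\ inside string data
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = data
    return keys

def netspree_findings(reg_text):
    """List the advisory's registry indicators present in a .reg dump (empty = none)."""
    keys = {k.lower(): v for k, v in parse_reg(reg_text).items()}
    findings = []
    for key in AUTOSTART_KEYS:
        subkey = key.rsplit("\\", 1)[-1]
        for name, data in keys.get(key.lower(), {}).items():
            if name.lower() == "windows subsys" or "win32load.exe" in str(data).lower():
                findings.append(f"{subkey}: {name} = {data}")
    lsa = {n.lower(): d for n, d in keys.get(LSA_KEY.lower(), {}).items()}
    if lsa.get("restrictanonymous") == 0:
        findings.append("Lsa\\restrictanonymous = 0 (null sessions allowed)")
    return findings
```

The output of `reg export` on a real host can be fed to netspree_findings after decoding it to text (modern Windows writes the file as UTF-16).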
Network propagation
To propagate through the network, it executes its batch file component
PSEXEC.BAT, which Trend Micro detects as BAT_NETSPREE.A. It also uses the
tool PSEXEC.EXE to drop a copy of itself onto other computers.
This worm tries to spread across the network through the interprocess
communication share, IPC$. The worm tries to authenticate itself to other
computers in the network by first trying to establish a null session
connection, which is simply connecting without a user name and password.
However, if the share is password-protected, the worm also tries other
hardcoded user names and passwords to get in.
Once the worm has authenticated itself, it uses the file PSEXEC.EXE to drop
a copy of itself as %Windows%\System32\Win32load.exe. It also uses this tool
to set the attribute of the copy to read-only.
Note: Since IPC$ is only available on NT-based machines, the worm fails to
propagate and drop copies of itself to Windows 9x/ME systems.
Backdoor routine
The worm notifies the hacker by connecting to the IRC server
master.leet-gamer.net and then joining the IRC channel #lc_breed. It uses
the default IRC port 6667 for this connection.
It gives remote control access to infected systems. It allows remote users
to connect to the infected machine and then download and execute files on
the compromised system.
It then downloads the file LCP_NETBIOS.DLL. This file is an NT-based system
service that installs the files in the system.
Denial of Service Tool
This worm can also allow an attacker to launch Denial of Service attacks
against other infected users.


Description created: 10 hours, 15 minutes ago (Jan. 26, 2003 11:02:15 PM
GMT -0800)
Description updated: 9 hours, 58 minutes ago (Jan. 26, 2003 11:19:10 PM
GMT -0800)

