Security 10808 Published by

Clutch (Thanks) forward the follow news from IISAnswers to me:

I am posting a message about a new variant of the Code Red virus that has started circulating. This one is much worse and if you are infected, probably ought to reformat.

This morning, AFAIK, a new Code Red variant was released.



Ok, here's the latest on this new variant.

1. It makes a copy of CMD.EXE called ROOT.EXE in the;

inetpubscripts

and

program filescommon filessystemmsadc

directories. Does this on both drive C: and D: (doesn't fail if D: doesn't exist).

2. It then runs its attack program code to infect itself upon numerous other boxes. This is done randomly, although there is a bias to attack boxes that are part of the same class A as infected attacker (so it hits your own boxes sooner rather than later). Attack code runs for 24 hours, 48 hours on Chinese language systems.

3. After attack code runs (and it seems to be based on clock ticks, not date), it then writes out a Trojan.

File Explorer.exe (8192bytes or 7K as displayed by Windows) is dropped (from the code in the original attacking URL) to the root of drive C: and D: (again, doesn't matter if D: doesn't exist).

4. The system is then rebooted (probably a forced reboot).

5. When the system restarts, it loads the trojan Explorer.exe from the root directory on the boot drive. This code then does several things;

a) Launches the real Explorer.exe, so the system looks normal.

b) Sets SFCDisable in hklmsoftwaremicrosoftwindows
ntcurrentversionwinlogon to some undocumented value. Presumably this disables Windows File Protection (so critical files could be overwritten)

c) Creates two virtual directories (via the registry) in hklmsystemcurrentcontrolsetservicesw3svcparametersvirtual roots. Called C and D, they are mapped to the root directories of the two drives and permissions are established in the virtual directory to allow script, read, and write access as well as setting execute permissions to scripts and executables.

d) goes into an endless sleep loop.

The end result of all of this action is to leave your box wide open to remote connection and total compromise.

Unlike Code Red, this worm doesn't attack any single target at any point, although its attack strength seems to be much higher (it launches 300 threads right off, although some may only launch 100), so its propagation seems much higher.

The attack only works properly on Windows 2000 systems (preliminary analysis). ICSA Labs tested against an NT 4.0/IIS 4.0/SP3 box and received a standard error message. Reports from subscribers suggest that XP IIS 5.1 RC1 is invulnerable also. Its expected that it works on PWS and OWS equally to IIS (all on W2K).

Its obviously a short-lived attack, at least the process of collecting victims. What would be done with them once collected is another story. No attempt is made by the worm to send anything home, although detecting compromised boxes is far too easy (very
unfortunately) for anyone outside your network.

Cleaning a compromised box should really be done by reformatting. Although logging is left on for the new virtual directories created (meaning you'd see access in your IIS logs), there's really no way to be sure that files haven't been implanted to leave other backdoors (not as part of this worm, but as part of the use of the opening it creates).

Credits:

The bulk of the analysis was done by Nick Fitzgerald of Virus-L (and friends) and Roger Thompson of TruSecure. Additional help came from Bruce Hughes of the ICSA Labs.

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

---------------------------------
Now Registering for IIS FastTrack
http:/www.iistraining.com

Brett Hill - IISAnswers.com
brett@iisanswers.com (303) 543-7502
MCSE MCT A+ Net+ CIW-TT