Virus:Worm/Deborm.Q.1
Date discovered:08/08/2005
Type:Worm
In the wild:No
Reported Infections:Low
Distribution Potential:Medium
Damage Potential:Low to medium
Static file:Yes
File size:56.320 Bytes
MD5 checksum:82d72bbfbfbf98a60ebc2232e201b6d9
VDF version:6.19.0.13

 General Method of propagation:
   • Local network


Aliases:
   •  Symantec: W32.HLLW.Nebiwo
   •  Mcafee: W32/Deborm.worm
   •  Kaspersky: W32/Deborm.Q
   •  TrendMicro: WORM_DEBORM.Q
   •  F-Secure: W32/Deborm.Q
   •  Sophos: W32/Deborm-Q
   •  Panda: W32/Deborm.Q
   •  Grisoft: TrojanDropper.Newbiwo
   •  VirusBuster: Worm.Win32.Deborm.Q1
   •  Bitdefender: Win32.Worm.Deborm.A


Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP

 Files The following files are created:

%TEMPDIR%\~%two-digit random character string%.exe Furthermore it gets executed after it was fully created. Further investigation pointed out that this file is malware, too. Detected as: BDS/Deborm.Q.3

%TEMPDIR%\~%two-digit random character string%.exe Furthermore it gets executed after it was fully created. Further investigation pointed out that this file is malware, too. Detected as: BDS/Deborm.R.3

 Registry The following registry key is continuously in an infinite loop added in order to run the process after reboot.

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "NAV Live Update"="%malware execution directory%\%executed file%"

 Network Infection In order to ensure its propagation the malware attemps to connect to other machines as described below.

It drops copies of itself to the following network shares:
   • %WINDIR%\Profiles\All Users\Start Menu\Programs\Startup
   • c:\windows\Start Menu\Programs\Startup
   • %ALLUSERSPROFILE%\Start Menu\Programs\Startup
   • \WINNT\Profiles\All Users\Start Menu\Programs\Startup
   • \WINDOWS\Start Menu\Programs\Startup
   • \Documents and Settings\All Users\Start Menu\Programs\Startup


It uses the following login information in order to gain access to the remote machine:

– The following list of usernames:
   • Administrator
   • Guest
   • Owner



Exploit:
It makes use of the following Exploit:
– MS05-039 (Vulnerability in Plug and Play)


IP address generation:
It creates random IP addresses while it keeps the first two octets from its own address. Afterwards it tries to establish a connection with the created addresses.


Slow down:
– It creates the following number of infection threads: 100
– Depending on your bandwidth you might determine a fall in your network speed. As the network activity for this malware is high you might notice it even if you have a broadband connection.
– Due to the multiple network threads created, an infected computer turns into a slow and barely usable machine.


Remote execution:
–It attempts to schedule a remote execution of the malware, on the newly infected machine. Therefore it uses the NetScheduleJobAdd function.

 File details Programming language:
 The malware program was written in MS Visual C++.


Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Victor Tone on Monday, August 8, 2005
Description updated by Oliver Auerbach on Friday, August 26, 2005

Back . . . .