Alias:
Type: Worm
Size: 74,752 bytes
Origin: unknown
Date: 05-10-2004
Damage: Exploits the LSASS vulnerability (Microsoft Security Bulletin MS04-011)
VDF Version: 6.25.00.60
Danger: Low
Distribution: High

General Description
The worm ensures that only one instance of itself is running by creating a mutex named "billgate". It copies itself to %WinDIR%\napatch.exe and adds the following entry to the Windows registry so that it is started at every logon:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run
"napatch.exe"="%WinDIR%\napatch.exe"

Exploiting the LSASS vulnerability crashes the Lsass.exe process on the attacked system. Windows then displays a message and shuts the system down after one minute; this forced reboot is usually the first visible symptom of an attack. The file C:\win2.log holds the IP addresses the worm has attacked and a count of the computers it has infected.

Technical Details
The worm starts an FTP server on TCP port 5554; newly exploited systems download the worm from this server. To choose targets it takes the IP addresses of the infected system as a starting point and generates further addresses close to them.

It connects over TCP port 445 to other systems on which the LSASS vulnerability has not been patched. Once connected, it sends shellcode that opens a command shell listening on TCP port 9996. Through that shell it makes the victim fetch a copy of the worm from the attacker's FTP server on TCP port 5554. The transferred copy is named with 4 or 5 characters followed by _up.exe. Applying MS04-011 removes the entry point; filtering TCP 445, 5554 and 9996 at network boundaries limits the spread.
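The propagation sequence above (445 sweep, shell on 9996, pull from 5554) and the host indicators (napatch.exe in the Run key, the N_up.exe copy name) translate directly into detection logic. The following Python script is an added example written for this page, not code from the worm or from the vendor; the connection-log format it parses and the sample lines it runs over are constructed here, and the scan threshold of 20 distinct targets is an assumed tuning value.

```python
import re
from collections import defaultdict

# Indicators taken from the description above.
DROPPED_NAME = "napatch.exe"
# A copy sent to a freshly exploited host: 4 or 5 characters, then _up.exe.
UPLOAD_NAME_RE = re.compile(r"^[^\\/:]{4,5}_up\.exe$", re.IGNORECASE)
EXPLOIT_PORT = 445   # LSASS (MS04-011) reached over SMB
SHELL_PORT = 9996    # bind shell opened by the shellcode
FTP_PORT = 5554      # worm's own FTP server on the attacking host
SCAN_THRESHOLD = 20  # distinct 445 targets per source; assumed tuning value

# Constructed (hypothetical) log format: "<time> <src>:<sport> -> <dst>:<dport>"
CONN_RE = re.compile(r"^(\S+)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)$")


def parse_conn(line):
    """Parse one connection record; returns None for lines that do not match."""
    m = CONN_RE.match(line.strip())
    if not m:
        return None
    ts, src, sport, dst, dport = m.groups()
    return {"ts": ts, "src": src, "sport": int(sport), "dst": dst, "dport": int(dport)}


def is_upload_name(name):
    """True for file names shaped like the worm copy transferred over port 5554."""
    return bool(UPLOAD_NAME_RE.match(name))


def suspicious_run_values(run_values):
    """run_values: {value name: data} exported from HKLM\\...\\CurrentVersion\\Run.
    Flags values whose name or target binary is napatch.exe."""
    hits = []
    for name, data in run_values.items():
        if name.lower() == DROPPED_NAME or data.lower().split("\\")[-1] == DROPPED_NAME:
            hits.append(name)
    return hits


def analyse(lines):
    """Return (scanners, chains).
    scanners: sources that touched >= SCAN_THRESHOLD distinct hosts on 445.
    chains:   (attacker, victim) pairs for which the complete sequence appears:
              attacker -> victim:445, attacker -> victim:9996, victim -> attacker:5554."""
    targets_445 = defaultdict(set)
    shell = set()   # (attacker, victim)
    ftp = set()     # (attacker, victim): victim connects back to attacker's FTP
    for line in lines:
        c = parse_conn(line)
        if c is None:
            continue
        if c["dport"] == EXPLOIT_PORT:
            targets_445[c["src"]].add(c["dst"])
        elif c["dport"] == SHELL_PORT:
            shell.add((c["src"], c["dst"]))
        elif c["dport"] == FTP_PORT:
            ftp.add((c["dst"], c["src"]))
    scanners = sorted(s for s, t in targets_445.items() if len(t) >= SCAN_THRESHOLD)
    chains = sorted(p for p in shell & ftp if p[1] in targets_445.get(p[0], ()))
    return scanners, chains


# Constructed sample: 10.0.0.5 sweeps 10.0.1.1-25 on 445, opens a shell on 10.0.1.7,
# and 10.0.1.7 pulls the worm copy from 10.0.0.5:5554. The last line is a lone,
# benign 445 connection that must not be reported.
SAMPLE_LOG = [f"12:00:{i:02d} 10.0.0.5:{40000 + i} -> 10.0.1.{i}:445" for i in range(1, 26)]
SAMPLE_LOG += [
    "12:01:00 10.0.0.5:40100 -> 10.0.1.7:9996",
    "12:01:02 10.0.1.7:1031 -> 10.0.0.5:5554",
    "12:01:05 10.0.2.9:1040 -> 10.0.3.1:445",
]

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
    print(is_upload_name("12345_up.exe"), is_upload_name("napatch.exe"))
    print(suspicious_run_values({"napatch.exe": r"C:\WINDOWS\napatch.exe"}))
```

The chain check deliberately requires all three legs in the right direction: a lone connection to 5554 or 9996 is not conclusive on its own, but a host that was swept on 445, received a connection on 9996 and then pulled from the sweeper's 5554 has almost certainly been infected and should be isolated before it reboots and starts scanning itself.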
Description entered by Crony Walker on Tuesday, 15 June 2004
