WORM_GOLTEN.A

Discussion in 'malware problems & news' started by Randy_Bell, Nov 20, 2004.

    WORM_GOLTEN.A is a memory-resident network worm. It has no mass-mailing capabilities, but may have been mass-mailed to specific email addresses instead. The email message contains two .EMF file attachments: one shows the burial of Palestinian leader Yasser Arafat and the other contains code that exploits a Microsoft XP vulnerability. The worm propagates via network shares and attempts to connect to network shared folders. It uses a list of user names and passwords to gain access to machines, to establish a network connection and execute a copy of itself in the accessed network share. This worm runs on Windows 2000 and XP, and is currently spreading in the wild.

    Upon execution, this worm drops the following files in the Windows system folder:

    * ALERTER.EXE - main component and installer
    * COMWSOCK.DLL
    * DMSOCK.DLL
    * IETCOM.DLL
    * SPTRES.DLL
    * SCARDSER.EXE - installs .DLL (Dynamic Link Library) files that inject this worm into LSASS.EXE and IEXPLORE.EXE

    It also adds a registry entry that allows it to automatically execute at every system startup, and installs the following .DLL files:

    * COMWSCOK.DLL
    * DMSOCK.DLL
    * IETCOM.DLL
    * SPTRES.DLL

    These .DLL files inject this worm into the following processes:

    * LSASS.EXE
    * EXPLORER.EXE

    The .DLL files download other components from a remote location, and are responsible for the propagation of this worm.

    The worm also adds a registry entry that initiates the download of a remote file, which is saved as DMSTI.EXE.

    WORM_GOLTEN.A propagates through network shares and attempts to connect and execute a copy of itself in the following default network folders:

    * ADMIN$
    * IPC$

    It also installs a service named NETLOG.

    This worm uses the following user names and passwords to gain access to machines connected on the same network:

    !@#$
    !@#$%
    !@#$%
    ~!@#
    000000
    00000000
    111
    111111
    11111111
    12
    123
    123!@#
    1234
    1234!@#$
    12345
    12345!@#$%
    123456
    1234567
    12345678
    54321
    654321
    888888
    88888888
    admin
    fan@ing*
    oracle
    pass
    passwd
    password
    root
    secret
    security
    stgzs
    super

    The worm may have been mass-mailed to specific email addresses. The email arrives with the following:

    Subject: Latest News about Arafat!!!
    Message body:
    Hello guys!
    Latest news about Arafat!
    Unimaginable!!!!!

    The email also contains two .EMF file attachments: ARAFAT_1.EMF is a .JPG file showing the burial of Palestinian leader Yasser Arafat, and ARAFAT_2.EMF contains exploit code that uses the Microsoft Windows XP Metafile Heap Overflow vulnerability. When opened, the file drops this worm into a system. Read more information on this vulnerability.

    If you would like to scan your computer for WORM_GOLTEN.A or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com/

    WORM_GOLTEN.A is detected and cleaned by Trend Micro pattern file 2.247.03 and above.
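An added example, not part of Randy_Bell's post or of Trend Micro's advisory: a small offline checker that turns the indicators listed above (dropped file names, the NETLOG service, the ADMIN$/IPC$ shares and the worm's credential list) into defender-side checks. The file names, service name, share names and password list are taken from the post; the inventory data at the bottom (file listing, service list, credential pairs, share list) is constructed for demonstration, and the function names are this example's own.

```python
# Offline indicator check for the WORM_GOLTEN.A write-up above.
# Added example, not code from the post or from Trend Micro. The file names,
# service name, share names and password list come from the post; the
# sample inventory at the bottom is constructed for demonstration.
from dataclasses import dataclass, field

# Files the post says the worm drops into the Windows system folder,
# plus DMSTI.EXE, the name under which the remote download is saved.
# A file-name match is a reason to run a full scanner, not proof on its own.
DROPPED_FILES = {
    "ALERTER.EXE", "SCARDSER.EXE", "DMSTI.EXE",
    "COMWSOCK.DLL", "DMSOCK.DLL", "IETCOM.DLL", "SPTRES.DLL",
}
SERVICE_NAME = "NETLOG"          # service the worm installs
TARGET_SHARES = {"ADMIN$", "IPC$"}  # default shares it tries to reach

# The credential list the worm tries against network shares (from the post).
# A defender can reuse it as a password denylist.
WORM_PASSWORDS = {
    "!@#$", "!@#$%", "~!@#", "000000", "00000000", "111", "111111",
    "11111111", "12", "123", "123!@#", "1234", "1234!@#$", "12345",
    "12345!@#$%", "123456", "1234567", "12345678", "54321", "654321",
    "888888", "88888888", "admin", "fan@ing*", "oracle", "pass", "passwd",
    "password", "root", "secret", "security", "stgzs", "super",
}


@dataclass
class Report:
    matched_files: list = field(default_factory=list)
    service_present: bool = False
    weak_accounts: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # A dropped-file hit or the NETLOG service warrants a full scan;
        # weak passwords are an exposure finding, not an infection sign.
        return bool(self.matched_files) or self.service_present


def match_dropped_files(file_names):
    """Return the worm's dropped-file names present in a system-folder listing."""
    return sorted({n.upper() for n in file_names} & DROPPED_FILES)


def netlog_service_present(service_names):
    """True if a service named NETLOG (case-insensitive) is installed."""
    return SERVICE_NAME in {s.upper() for s in service_names}


def accounts_with_worm_passwords(credentials):
    """Return account names whose password is on the worm's list.

    `credentials` is an iterable of (account, password) pairs, for example
    from a password-change hook; comparison is exact, as the worm's is.
    """
    return sorted(acct for acct, pw in credentials if pw in WORM_PASSWORDS)


def exposed_shares(share_names):
    """Return the default shares the worm targets that are enabled on a host."""
    return sorted({s.upper() for s in share_names} & TARGET_SHARES)


def assess(file_names, service_names, credentials):
    """Combine the checks into one report for a host."""
    return Report(
        matched_files=match_dropped_files(file_names),
        service_present=netlog_service_present(service_names),
        weak_accounts=accounts_with_worm_passwords(credentials),
    )


# Constructed sample inventory (not real data).
SAMPLE_FILES = ["ntoskrnl.exe", "kernel32.dll", "alerter.exe", "dmsock.dll"]
SAMPLE_SERVICES = ["Spooler", "NetLog", "wuauserv"]
SAMPLE_CREDENTIALS = [
    ("svc_backup", "123456"),
    ("jdoe", "Tr0ub4dor&3"),
    ("Administrator", "admin"),
]
SAMPLE_SHARES = ["ADMIN$", "C$", "IPC$", "Public"]

if __name__ == "__main__":
    r = assess(SAMPLE_FILES, SAMPLE_SERVICES, SAMPLE_CREDENTIALS)
    print("dropped files found:", r.matched_files)
    print("NETLOG service:", r.service_present)
    print("accounts using worm passwords:", r.weak_accounts)
    print("targeted shares enabled:", exposed_shares(SAMPLE_SHARES))
    print("suspicious:", r.suspicious)
```

On a real host the listing, service list and share list would come from the system folder, the service manager and the share configuration; the credential check is meant to sit in a password-policy hook so that none of the worm's guesses can ever be set as a password. Any file-name or service hit should be confirmed with an up-to-date scanner, as the post itself recommends.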