WORM_GOLTEN.A

Discussion in 'malware problems & news' started by Randy_Bell, Nov 20, 2004.

Thread Status:
Not open for further replies.
    WORM_GOLTEN.A is a memory-resident network worm. It has no mass-mailing capabilities, but may have been mass-mailed to specific email addresses instead. The email message contains two .EMF file attachments: one shows the burial of Palestinian leader Yasser Arafat and the other contains code that exploits a Microsoft XP vulnerability. The worm propagates via network shares and attempts to connect to network shared folders. It uses a list of user names and passwords to gain access to machines, to establish a network connection and execute a copy of itself in the accessed network share. This worm runs on Windows 2000 and XP, and is currently spreading in the wild.

    Upon execution, this worm drops the following files in the Windows system folder:

    * ALERTER.EXE - main component and installer
    * COMWSOCK.DLL
    * DMSOCK.DLL
    * IETCOM.DLL
    * SPTRES.DLL
    * SCARDSER.EXE - installs .DLL (Dynamic Link Library) files that inject this worm into LSASS.EXE and IEXPLORE.EXE

    It also adds a registry entry that allows it to automatically execute at every system startup, and installs the following .DLL files:

    * COMWSCOK.DLL
    * DMSOCK.DLL
    * IETCOM.DLL
    * SPTRES.DLL

    These .DLL files inject this worm into the following processes:

    * LSASS.EXE
    * EXPLORER.EXE

    The .DLL files download other components from a remote location, and are responsible for the propagation of this worm.

    The worm also adds a registry entry that initiates the download of a remote file, which is saved as DMSTI.EXE.

    WORM_GOLTEN.A propagates through network shares and attempts to connect and execute a copy of itself in the following default network folders:

    * ADMIN$
    * IPC$

    It also installs a service named NETLOG.

    This worm uses the following user names and passwords to gain access to machines connected on the same network:

    !@#$
    !@#$%
    !@#$%
    ~!@#
    000000
    00000000
    111
    111111
    11111111
    12
    123
    123!@#
    1234
    1234!@#$
    12345
    12345!@#$%
    123456
    1234567
    12345678
    54321
    654321
    888888
    88888888
    admin
    fan@ing*
    oracle
    pass
    passwd
    password
    root
    secret
    security
    stgzs
    super

    The worm may have been mass-mailed to specific email addresses. The email arrives with the following:

    Subject: Latest News about Arafat!!!
    Message body:
    Hello guys!
    Latest news about Arafat!
    Unimaginable!!!!!

    The email also contains two .EMF file attachments: ARAFAT_1.EMF is a .JPG file showing the burial of Palestinian leader Yasser Arafat, and ARAFAT_2.EMF contains exploit code that uses the Microsoft Windows XP Metafile Heap Overflow vulnerability. When opened, the file drops this worm into a system. Read more information on this vulnerability.

    If you would like to scan your computer for WORM_GOLTEN.A or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com/

    WORM_GOLTEN.A is detected and cleaned by Trend Micro pattern file 2.247.03 and above.
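The share-propagation behaviour described above (repeated network logons against ADMIN$ and IPC$ with a fixed credential list until one succeeds) leaves a recognisable trail in logon audit data. The following is an added example, not code from the post or from Trend Micro: it runs a simple burst-then-success detection over constructed, simplified audit lines (the log format, hosts and account names are assumptions, not real Windows event records).

```python
import re
from collections import defaultdict

# Constructed sample audit lines (not real logs): time, outcome, logon type,
# source host and account. Logon type 3 is a network logon, the kind a share
# connection to ADMIN$ or IPC$ produces.
SAMPLE_LOG = """\
2004-11-20T10:01:02 FAILED_LOGON type=3 src=10.0.0.7 user=administrator
2004-11-20T10:01:02 FAILED_LOGON type=3 src=10.0.0.7 user=administrator
2004-11-20T10:01:03 FAILED_LOGON type=3 src=10.0.0.7 user=administrator
2004-11-20T10:01:03 FAILED_LOGON type=3 src=10.0.0.7 user=administrator
2004-11-20T10:01:04 FAILED_LOGON type=3 src=10.0.0.7 user=administrator
2004-11-20T10:01:04 SUCCESS_LOGON type=3 src=10.0.0.7 user=administrator
2004-11-20T10:05:00 FAILED_LOGON type=3 src=10.0.0.9 user=bob
2004-11-20T10:06:00 SUCCESS_LOGON type=2 src=10.0.0.9 user=bob
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<outcome>FAILED_LOGON|SUCCESS_LOGON) "
    r"type=(?P<ltype>\d+) src=(?P<src>\S+) user=(?P<user>\S+)$"
)

def parse_events(log_text):
    """Yield (timestamp, outcome, logon_type, src, user) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # malformed lines are skipped rather than aborting the scan
            yield m["ts"], m["outcome"], int(m["ltype"]), m["src"], m["user"]

def find_guessing_sources(log_text, threshold=5):
    """Return {src: (failed_network_logons, success_after_burst)} for every
    source whose type-3 failures reach `threshold`. success_after_burst is
    True when a type-3 success from the same source followed the burst, the
    trail a password list leaves once it hits a weak share credential."""
    failures = defaultdict(int)
    success_after = defaultdict(bool)
    for _ts, outcome, ltype, src, _user in parse_events(log_text):
        if ltype != 3:
            continue  # interactive logons are not share connections
        if outcome == "FAILED_LOGON":
            failures[src] += 1
        elif failures[src] >= threshold:
            success_after[src] = True
    return {s: (n, success_after[s]) for s, n in failures.items() if n >= threshold}

if __name__ == "__main__":
    for src, (n, hit) in find_guessing_sources(SAMPLE_LOG).items():
        print(f"{src}: {n} failed network logons, success after burst: {hit}")
```

The sample counts per source over the whole input; a production version would bound the count to a time window and key on the target host as well, since the worm walks every reachable share.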
     