Win32/Hatob.E worm: NOD32)
This is a piece of malware that has worm, downloader, backdoor, keylogger and spy ability. It may arrive on a system after being exploited by a copy of the worm, residing on an infected machine in the network. After execution, the malware will inject a pice of code in kernel mode (by gaining acces to \Device\PhysicalMemory). It will make a copy of itself inside c:\windows\fonts\unwise_.exe (hidden), execute it and continue execution there. The original file it will then be deleted. The worm will register itself as a service unde the name: Windows Hosts Controller, and setting the information to "Enables Windows Host Controller Service. This service cannot be stopped." discouraging users from deleting it.
The following modifications will be made to the registry:HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = 0
(disables the firewall)HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\unwise_.exe = unwise_.exe:*:enabled:systemHKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify = 1
(disables antivirus notifications)HKLM\SOFTWARE\Policies\Microsoft\MRT\DontReportInfectionInformation = 1
(disables infection-reports)HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotAllowXPSP2 = 1
(disables Windows Update)HKLM\Software\Microsoft\OLE\EnableDCOM = N
(disables DCOM functionality)HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = 1HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\MaxUserPort = fffe
(sets the maximum port value an application can request)HKLM\SYSTEM\CurrentControlSet\Services\Afd\Parameters\DisableRawSecurity = 1
(enables non-admin privileged application to create raw-sockets)HKLM\Software\Policies\Microsoft\Windows NT\Windows File Protection\SFCDisable = 4294967197
(disbales file protection, enabling remote attackers to view/modify any file he wants)HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPer1_0Server = fffe
- The worm has the ability to spread via
o USB drives
; when it detects a new drive, it will make a fresh copy of itself, on the USB drive in the following directory:
Recycler\S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxxx\file-name.exe. It will also create an autorun.inf file that will point to the new copy.
o Network shares
(SMB - the worm attacks PC NETWORK PROGRAM 1.0, LANMAN1.0, Windows for Workgroups 3.1a, LM1.2X002, LANMAN2.1, NT LM 0.12, especially, to replicate); when it finds a new share, it enables a dictionary-attack, using very common passwords, like 1234, qwerty, password, etc. As soon as it gains acces, it will create a copy of itself, and a desktop.ini file, where it will, among others:
which will make the worms executable look like the Recycle Bin icon; opening the "recycle bin" will run the worm.
The worm uses the following exploits to replicate across the network: MS03-039
- Keylogger capabilities
The worm has keylogger capabilities; it logs every key pressed on the keyboard.
- Self - protection
Besides the fact that it is packed, the worm has the ability to detect some virtual-environments like VMWare, SandBoxie, or some tools usually used for reverse engineering/malware analysis like Honey, Snort, HoneyMule, etc. When it detects any of these, it will simply quit.
- Downloader capabilities
The worm also has the capabilitie to download other executables from the internet; also, it perioadically updates itself, by downloading new copies.
Some of the hosts the worm communicates with are:
- Spy ability
It can steal e-mail accounts (registry key: Software\Microsoft\Internet Account Manager\Accounts), it cand act as a sniffer (by creating a raw socket which intercepts all the packets enter/leave the specified interface), it has port scanner and it retreivesd data about the computer, like the CPU, installed RAM, Operating System, System directory, Computer name, current user, date, time, uptime, free space on hard-disks, internet bandwidth, number of USBs infected, etc.
Finally, the worm has the backdoor ability; this enables a remote attacker to connect to an infected computer and running various command on it (the worm may connect to an IRC channel before). Some of the tasks a remote attacker can do on the infected machine are: run cmd, kill/create processes, view e-mails, view pressed keys, create/remove directories, download/upload files, do a port scan, retreive the public ip, sniff network packets. These are corelated with the other capabilities of the malware (keylogger, spy, etc.)