The worm's file is polymorphically encrypted. It means that every copy of the worm is different from each other. The constant part is only the size of the worm's executable file - 57856 bytes.

After the worm's file is run it goes through the polymorphic decryptor and then proceeds to the static part of the code that allocates a memory buffer and extracts the main worm's code into it. Then the control is passed directly to the extracted worm's code.

After getting control, the worm creates a few threads. One thread scans for vulnerable computers (on TCP ports 139 and 445) and sends exploits there in order to infect them. The worm also tries to bruteforce network share passwords by performing a dictionary attack on them. The following passwords are used:

00
000
0000
00000
000000
0000000
00000000
1
12
123
1234
12345
123456
1234567
12345678
123456789
abc123
access
adm
Admin
alpha
anon
anonymous
asdfgh
backdoor
backup
beta
bin
coffee
computer
crew
database
debug
default
demo
go
guest
hello
install
internet
login
mail
manager
money
monitor
network
new
newpass
nick
nobody
nopass
oracle
pass
passwd
password
poiuytre
private
public
qwerty
random
real
remote
root
ruler
secret
secure
security
server
setup
shadow
shit
sql
super
sys
system
telnet
temp
test
test1
test2
visitor
windows
www
X

The other thread scans for .HTM and .HTML files on all local hard disks and infects them by prepending a reference to worm's CLSID there. The worm creates a different CLSID for every copy of itself that it creates on the hard drive. The number of these copies can be quite large. The names of the worm's files are random. For example:

• bzehxvnz.exe
• hwexrtne.exe
• jbnshhqj.exe
• jjlenkbt.exe
• tsbjbtvn.exe

One of the remaining threads performs a DoS (Denial of Service) attack on three websites located in Estonia.


The following TCP ports used during the DoS attack:

• 22
• 80
• 97
• 443

Last update 01 March 2007

 

TOP