Virus

W32/Remadm.A!worm

Analysis

This threat is a self-propagating Internet worm containing a remote administration package known as Remote Admin 2.0.
Remote Admin is not malicious by itself however, the spreading of this worm occurs without target permission or acknowledgement, and runs in a stealth method. The package of files used resembles the threat BAT/Mumu, with the use of Batch scripting installer files.
Remote Admin 2.0 Installation
The worm exists as a self-extracting .RAR archive file. Within the .RAR archive are these files -
AdmDll.dll (46,592 bytes)
icon.reg (274 bytes)
kcah.cmd (2,991 bytes)
msdos.exe (237,568 bytes)
msxml3b.dll (15 bytes)
msxml4b.dll (1,632 bytes)
NAER.CMD (346 bytes)
psexec.exe (143,360 bytes)
raddrv.dll (17,408 bytes)
REGEDIT4.EXE (122,880 bytes)
rs.cmd (145 bytes)
run.bat (491 bytes)
secfind.exe (45,056 bytes)
SecScan.exe (49,152 bytes)
star.cmd (2,967 bytes)
unrar.exe (475,869 bytes)
NetSvc.ini (1,001 bytes)
The installer Batch script is "run.bat". When this script is initiated remotely, it will open shares on IPC$, Admin$ and C:\, and initiate the command script "rs.cmd". The purpose of "rs.cmd" is to run the main installation of Remote Admin 2.0 with the configuration option of TCP port 5555 and to disable the system tray icon.
The installer "run.bat" then runs the command script "star.cmd", which inserts a majority of the registry modifications. The script "star.cmd" also contains the IP network scanning instructions used by the virus to locate targets, and it calls the command script "kcah.cmd". The script "kcah.cmd" contains the instructions to copy the virus to the share ADMIN$\SYSTEM32 as RAR.EXE.
The command script "kcah.cmd" contains instructions to terminate services and programs possibly running on the target system based on this list of names -
Ahnlab Task Scheduler
AlertManager
AVExch32Service
AvgCore
AvgFsh
AvgServ
AVUPDService
awhost32
ccEvtMgr
ccSetMgr
DefWatch
FSDFWD
McAfeeFramework
McShield
McTaskManager
mcupdmgr.exe
MCVSRte
MonSvcNT
navapsvc
Network Associates Log Service
NSCTOP
Outbreak Manager
SAVFMSE
SAVScan
Symantec AntiVirus Client
Symantec Core LC
V3MonNT
V3MonSvc
VisNetic AntiVirus Plug-in
Loading at Windows Startup
When this remote access package is installed, numerous registry keys are created related to the operation of the remote administration package -
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETSVC\
"NextInstance" = 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETSVC\0000\
"Class" = LegacyDriver
"ClassGUID" = {8ECC055D-047F-11D1-A537-0000F8753ED1}
"ConfigFlags" = 00, 00, 00, 00
"DeviceDesc" = NetSvc
"Legacy" = 01, 00, 00, 00
"Service" = NetSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETSVC\0000\Control\
"*NewlyCreated*" = 00, 00, 00, 00
"ActiveService" = NetSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_R_SERVER\
"NextInstance" = 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_R_SERVER\0000\
"Class" = LegacyDriver
"ClassGUID" = {8ECC055D-047F-11D1-A537-0000F8753ED1}
"ConfigFlags" = 00, 00, 00, 00
"DeviceDesc" = Remote Administrator Service
"Legacy" = 01, 00, 00, 00
"Service" = r_server
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_R_SERVER\0000\Control\
"*NewlyCreated*" = 00, 00, 00, 00
"ActiveService" = r_server
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetSvc\
"DisplayName" = NetSvc
"ErrorControl" = 01, 00, 00, 00
"FailureActions" = ( hex values )
"ImagePath" = C:\WINNT\system32\NetSvc.exe
"ObjectName" = LocalSystem
"Start" = 02, 00, 00, 00
"Type" = 10, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetSvc\Enum\
"0" = Root\LEGACY_NETSVC\0000
"Count" = 01, 00, 00, 00
"NextInstance" = 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetSvc\Parameters\
"AppDirectory" = C:\WINNT\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\
"Application" = C:\WINNT\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\NetSvc.exe
"AppParameters" = /u C:\WINNT\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\NetSvc.ini
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetSvc\Security\
"Security" = ( hex values )
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\r_server\
"DisplayName" = Remote Administrator Service
"ErrorControl" = 01, 00, 00, 00
"ImagePath" = "C:\IN\msdos.exe" /service
"ObjectName" = LocalSystem
"Start" = 02, 00, 00, 00
"Type" = 10, 01, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\r_server\Enum\
"0" = Root\LEGACY_R_SERVER\0000
"Count" = 01, 00, 00, 00
"NextInstance" = 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\r_server\Security\
"Security" = ( hex values )
HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\
"DisableTrayIcon" = 01, 00, 00, 00
"Parameter" = 26, 27, 37, 99, DE, 1A, 00, 58, CC, 1D, AF, 36, 0B, A5, E5, A1
"Port" = B3, 15, 00, 00
CLSID Folder Name Trick
The worm creates a folder in the Windows folder named -
.{21EC2020-3AEA-1069-A2DD-08002B30309D}
This is so that when a user browses to this folder using Windows Explorer, the computer will not display the folder by that name, but instead the CLSID reference which is "Control Panel".

Recommended Action

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option