W32/Graps.worm

This page shows the details and results of our analysis of the malware W32/Graps.worm.

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.


Minimum Engine

5600.1067

File Length

53,248 bytes

Description Added

2003-07-07

Description Modified

2004-03-17

Characteristics

This is a remote access trojan and share-jumping worm. It propagates via the default administrative share, ADMIN$. When run, the worm creates a registry Run key so that it is loaded at system startup:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    Run "Windows Management Instrumentation" = %worm path%\mwd.exe
Three batch files are created in the local directory:
  • wds.bat
  • wds2.bat
  • wds3.bat
These batch files try to gain access to the ADMIN$ share on remote systems by trying weak username/password combinations. If this share is accessible, either because (1) the remote system allows a weak username/password or (2) the current user's credentials are sufficient for administrative access, the worm attempts to copy three files to the remote system:
  1. mwd.exe (a copy of the worm)
  2. psexec.exe (RemoteProcessLaunch application)
  3. mswinsk.ocx (innocent Microsoft Winsock Control DLL)
PSEXEC.EXE is then used to execute the worm remotely, after which the ADMIN$ share on the remote system is deleted.

The worm scans the local class A subnet (#.*.*.*) for target systems. It also creates a remote access server that listens on TCP port 45836. This server allows a remote attacker to perform the following tasks:

  • Retrieve the following information:
    • Uptime
    • Download speed
    • CPU information
    • RAM
    • Disk Usage
  • Specify a target IP address to ICMP/HTTP flood
  • Download/execute files
  • Internet Relay Chat (IRC) functions
  • IP Port Redirection (to create proxies)

Symptoms

A compromised system attempts to connect to the following addresses:
  • frozenhighlands.skiebus.com
  • frozenhighlands.rock-slides.com
  • jjljsmlmjo.no-ip.com
  • llqrlmspmm.dyndns.org
  • qplfdempqo.dyndns.org

Method of Infection

This worm spreads via the ADMIN$ share on Windows NT/2K/XP systems.

Removal

All Users:
Use the specified engine and DAT files for detection and removal of virus and trojan files related to this threat.

Many share-jumping viruses rely on weak usernames/passwords. They attempt to gain administrative rights by using a dictionary-style attack, trying usernames like "admin" or "administrator" and passwords like "admin" or "123456". Beyond such weak usernames/passwords, many can also use the credentials of the currently logged-on user, meaning that if a super-administrator or domain administrator logs on to an infected system, or becomes infected, the virus will have access to all systems within its "reach". Such worms often rely on the presence of the default administrative shares. It is a good idea to remove the administrative shares (C$, IPC$, ADMIN$) on all systems to prevent such spreading. A simple batch file containing the following commands may help, especially when run from a logon script or placed in the Startup folder.
  • net share c$ /delete
  • net share d$ /delete
  • net share e$ /delete
  • net share ipc$ /delete
  • net share admin$ /delete
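The following script is an added example, not McAfee's code, that turns the indicators listed under Characteristics and Symptoms (the Run-key value name, the dropped file names, the TCP 45836 listener and the contact domains) and the administrative-share advice under Removal into host-triage checks. It works over text in the format printed by `reg query`, `netstat -an`, a directory listing, a DNS query log and `net share`; the sample lines embedded at the bottom are constructed for illustration, not captured from a real host, and the DNS log format is an assumption.

```python
"""Host triage for W32/Graps.worm indicators (added example, not vendor code).

Indicator values come from the description above; the sample inputs at the
bottom are constructed, not real captures.
"""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "Windows Management Instrumentation"   # value name used by the worm
WORM_BINARY = "mwd.exe"
DROPPED_FILES = {"mwd.exe", "psexec.exe", "mswinsk.ocx", "wds.bat", "wds2.bat", "wds3.bat"}
BACKDOOR_PORT = 45836
CONTACT_DOMAINS = {
    "frozenhighlands.skiebus.com",
    "frozenhighlands.rock-slides.com",
    "jjljsmlmjo.no-ip.com",
    "llqrlmspmm.dyndns.org",
    "qplfdempqo.dyndns.org",
}
ADMIN_SHARES = {"C$", "D$", "E$", "IPC$", "ADMIN$"}


def check_run_key(reg_query_lines):
    """Return the data of a Run value named RUN_VALUE that points at mwd.exe, else None.

    Input lines mimic `reg query "<RUN_KEY>"`: name, type and data separated
    by runs of spaces (the value name itself contains single spaces)."""
    for line in reg_query_lines:
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) == 3 and cols[0] == RUN_VALUE and cols[2].lower().endswith(WORM_BINARY):
            return cols[2]
    return None


def check_backdoor_listener(netstat_lines):
    """Return local addresses of TCP sockets in LISTENING state on BACKDOOR_PORT."""
    hits = []
    for line in netstat_lines:
        cols = line.split()
        if len(cols) == 4 and cols[0] == "TCP" and cols[3] == "LISTENING":
            _host, _sep, port = cols[1].rpartition(":")
            if port.isdigit() and int(port) == BACKDOOR_PORT:
                hits.append(cols[1])
    return hits


def check_dns_log(dns_lines):
    """Return (line_no, domain) for every query of a contact domain from the Symptoms list."""
    hits = []
    for n, line in enumerate(dns_lines, 1):
        for token in line.split():
            name = token.lower().rstrip(".")
            if name in CONTACT_DOMAINS:
                hits.append((n, name))
    return hits


def check_dropped_files(dir_listing):
    """Return the worm's dropped file names found in a directory listing (one name per line)."""
    return sorted(n.strip().lower() for n in dir_listing if n.strip().lower() in DROPPED_FILES)


def remaining_admin_shares(net_share_lines):
    """Parse `net share` output and return the administrative shares that still exist."""
    return [line.split()[0].upper() for line in net_share_lines
            if line.split() and line.split()[0].upper() in ADMIN_SHARES]


def triage(reg_query_lines, netstat_lines, dns_lines, dir_listing, net_share_lines):
    """Run all checks; 'infected' is set only on host-side evidence, not on DNS alone."""
    run_value = check_run_key(reg_query_lines)
    listeners = check_backdoor_listener(netstat_lines)
    files = check_dropped_files(dir_listing)
    return {
        "run_key_value": run_value,
        "backdoor_listeners": listeners,
        "dns_hits": check_dns_log(dns_lines),
        "dropped_files": files,
        "admin_shares_present": remaining_admin_shares(net_share_lines),
        "infected": bool(run_value or listeners or files),
    }


# --- constructed sample data (illustrative, not real captures) ---
SAMPLE_REG = [
    RUN_KEY,
    "    Synchronization Manager    REG_SZ    mobsync.exe /logon",
    "    Windows Management Instrumentation    REG_SZ    C:\\WINNT\\system32\\mwd.exe",
]
SAMPLE_NETSTAT = [
    "  Proto  Local Address          Foreign Address        State",
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING",
    "  TCP    0.0.0.0:45836          0.0.0.0:0              LISTENING",
    "  TCP    10.1.2.3:139           10.1.2.7:1045          ESTABLISHED",
]
SAMPLE_DNS = [  # assumed log format: timestamp client <ip> query: <name> <type>
    "2003-07-08 10:12:01 client 10.1.2.3 query: www.example.com A",
    "2003-07-08 10:12:04 client 10.1.2.3 query: jjljsmlmjo.no-ip.com A",
]
SAMPLE_DIR = ["mwd.exe", "psexec.exe", "mswinsk.ocx", "wds.bat", "wds2.bat", "wds3.bat", "notepad.exe"]
SAMPLE_NET_SHARE = [
    "Share name   Resource                        Remark",
    "----------------------------------------------------------------",
    "C$           C:\\                             Default share",
    "IPC$                                         Remote IPC",
    "ADMIN$       C:\\WINNT                        Remote Admin",
    "Public       C:\\Public",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_REG, SAMPLE_NETSTAT, SAMPLE_DNS, SAMPLE_DIR, SAMPLE_NET_SHARE).items():
        print(f"{key}: {value}")
```

The `infected` flag deliberately ignores DNS hits on their own, since a dynamic-DNS name can be queried for reasons unrelated to this worm; a DNS hit is a lead to check the host, while the Run value, the listener and the dropped files are direct evidence. The `admin_shares_present` list is the input to the `net share ... /delete` batch file above; bear in mind that Windows recreates the default administrative shares on restart, which is why the page suggests running that batch file from a logon script or the Startup folder rather than once.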

Additional Windows ME/XP removal considerations

Variants