Weekly report on viruses and intruders – Winxor.A, Breacuk.E and Asan.A.
Winxor.A is the first malicious code designed to exploit a vulnerability in the WINS service, which allows arbitrary code to be run on Windows 2003/XP/2000/NT/Me/98/95 servers. Winxor.A can also affect computers running Windows 2003/XP/2000/NT/Me/98/95.
Winxor.A connects to an IRC server and waits for control commands (such as download files or run programs). When the author of this malicious code specifies, Winxor.A scans IP addresses in order to find open ports. If these belong to servers that are affected by this security flaw, it installs an FTP server in port 36010 and uses it to transfer itself to these computers.
When it has reached a computer, Winxor.A carries out the following actions:
– It creates two files: CCEVTMNGR.EXE, which is a copy of itself, and CCSETMNGR.EXE, which is a component that looks for remote computers affected by the vulnerability in the WINS service in order to try and exploit it.
– It generates several entries in the Windows Registry in order to ensure it is run whenever the computer is started and thereby, register as a Windows service.
Breacuk.E is a worm that spreads via the P2P (peer-to-peer) file sharing program KaZaA. To do this, it follows the routine below:
– It creates a directory called SOFTWARE KINGS AND QUEENS in the Windows directory and shares it through KaZaA.
– In this directory it creates multiple copies of itself under attractive names, so that other users download them, thinking that they are games or other applications. However, when the downloaded file is run, the computer will be infected by Breacuk.E.
Breacuk.E deletes files with certain extensions, including: EXE, DLL, OCX and BMP, preventing certain applications from working correctly. What’s more, this malicious code causes problems on switching on the affected computer.
We are going to finish this week’s report with Asan.A, a worm that affects servers with a vulnerable version of the program phpBB installed, and that have already been attacked by a worm detected by Panda Software as PHP/Santy.A.worm. In this case, it removes the vulnerability from the server, although this could lead to loss of certain functionalities.
Additional information
– WINS (Windows Internet Name Service): a service that manages the names associated to the computers in a network and therefore, access and the possibility of working with them. A computer contains a database with the addresses in IP format (for example 125.15.0.32) and the common names assigned to each computer in the network (for example, SERVER1).