Нет ответов в данной теме

[News Robot]

January 14, 2008

Doctor Web notifies users of the Win32.HLLW.Shadow.based worm
spreading over the Internet (this worm is also known as
Conficker.worm, Downadup and Kido). There are several ways for the
worm to get into a system. One of them is to exploit vulnerabilities
found in all versions of Windows starting with Windows 2000 and up to
Windows 7. Win32.HLLW.Shadow.based also features a polymorphic packer
and therefore is very hard to analyze.


Spreading

There are several ways in which Win32.HLLW.Shadow.based is spread.
First of all it uses removable and network disks taking advantage of
the autorun feature of Windows. The malicious file has a random name
and is placed in a folder that is created as follows:
RECYCLERS-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxxx As the recycle
bin of Windows features the same folder structure, it allows the
malware to remain unnoticed.

The worm can also spread over a network using the Windows SMB
protocol. Win32.HLLW.Shadow.based uses its dictionary and most popular
passwords to get a remote access to the target machine. If it manages
to crack the password, it will copy itself into the system directory
of the victim computer and create a task to be launched in a certain
period of time.

Finally it can exploit vulnerabilities that are closed with a critical
update described in the Microsoft security bulletin MS08-067. A target
machine receives a special request that causes a buffer overflow. As
the result the attacked computer downloads a malicious file over HTTP.


Actions performed by the worm after it has been launched.

When launched Win32.HLLW.Shadow.based checks which process it uses. If
the process is rundll32.exe, the worm will inject its code in the
svchost.exe and explorer.exe processes. After that it will open a
current folder in the Explorer and stop working.

If Win32.HLLW.Shadow.based finds that the process is not rundll32.exe,
it will replicate itself using a random name and will register its
copy as a Windows service and add it to the autorun list to make sure
it will be launched after Windows is restarted. It will also stop the
Windows Update service and install its own HTTP server to spread
itself over a network.

If the worm detects that it uses the svchost.exe process launched as a
DNS client, tt will inject its code in DNS routines to block access to
web-sites of most anti-virus vendors. Win32.HLLW.Shadow.based features
a driver that allows it to modify the tcpip.sys file in the memory to
increase the allowed number of simultaneous network connections.


The mission of Win32.HLLW.Shadow.based

The malicious program is designed to create another botnet. The
running worm makes requests to download executable files from special
servers and installs and launches these programs on target computers.
Cyber-criminals may plan to use the botnet to generate profit or
choose to sell it. Alas botnets are in high-demand nowadays.


Curing a system of Win32.HLLW.Shadow.based and avoiding the infection

1. Install patches provided with the following security bulletins
from Microsoft:

* MS08-067
(http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx);

* MS08-068
(http://www.microsoft.com/technet/security/bulletin/ms08-068.mspx);

* MS09-001
(http://www.microsoft.com/technet/security/bulletin/ms09-001.mspx).

2. Disconnect a computer from the local area network and the
Internet. If computers are connected to a local network, connect a
cured machine to the network only when all its hosts are cured.

3. Use a malware-free machine to download the latest version of
Dr.Web CureIt! and scan all hard drives to cure the system.

To avoid the infection disable autorun for removable drives, do not
disable automatic updating and use strong passwords.


Capabilities of Dr.Web anti-virus for curing a system of
Win32.HLLW.Shadow.based

Win32.HLLW.Shadow.based makes Windows set security attributes for its
files and registry branches so they can’t be read using standard
tools. Curing is possible only using Dr.Web scanner for Windows 4.44
or later. The scanner features the Dr.Web Shield™ anti-rootkit driver
that provides the scanner with full access to files and registry
branches protected in such a way.

Dr.Web anti-virus for Windows 4.44 and 5.0 also feature the SpIDer
Guard monitor. If the latest updates of the virus database are used,
the monitor will block all attempts of Win32.HLLW.Shadow.based to
install in a system.


View the article