Description
Win32/Cuebot.J is a worm that spreads by exploiting the Microsoft Windows Server service buffer overflow vulnerability. The worm can also be used as a backdoor that allows its remote controller unauthorized access to the affected machine. It has been distributed as a 9,609-byte, MEW-packed, Win32 executable.
Method of Infection
When executed, Cuebot.J copies itself to %System%\wgareg.exe, and creates the following service:
Service name: wgareg
Display name: Windows Genuine Advantage Registration Service
Path to executable: %System%\wgareg.exe
Startup type: Automatic
Service description: "Ensures that your copy of Microsoft Windows is genuine and registered. Stopping or disabling this service will result in system instability."
Note: '%System%' is a variable location. The malware determines the location of the current System folder by querying the operating system. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95, 98 and ME it is C:\Windows\System; and for XP it is C:\Windows\System32.
The worm also creates a mutex called wgareg to ensure only one copy runs at a time.
After installing itself, the worm starts an instance of explorer.exe and injects code into that process. This code deletes the original copy of the worm after it has run.
Payload
Backdoor Functionality
The worm can be used as an IRC-controlled backdoor, allowing a remote user to gain unauthorized access to the infected machine.
The worm connects to an IRC server on port 18067 and joins a particular channel. It then waits for instructions from the channel. The worm can be instructed to perform the following actions on the affected machine:
- Scan for other machines to infect by exploiting the Microsoft Windows Server service buffer overflow vulnerability (see above).
- Launch Denial of Service attacks
- Download files using HTTP and execute them
- Send instant messages via AIM
- Remove itself from the affected machine
- Update itself
Modifies System Settings via the Registry
The worm sets the following registry values:
HKLM\software\microsoft\ole\enabledcom = "n"
HKLM\system\currentcontrolset\control\lsa\restrictanonymous = 1
HKLM\system\currentcontrolset\services\lanmanserver\parameters\autoshareserver = 0x0
HKLM\system\currentcontrolset\services\lanmanserver\parameters\autosharewks = 0x0
The first registry modification disables DCOM support in Windows.
The second registry modification disallows the enumeration of accounts from remote machines.
It also creates an empty, read-only file called %Windows%\Debug\dcpromo.log, whose presence can prevent the Microsoft Windows LSASS buffer overflow vulnerability from being exploited. For more information on this vulnerability, please see:
http://www3.ca.com/threatinfo/vulninfo/vuln.aspx?ID=27886
http://www.microsoft.com/technet/security/Bulletin/MS04-011.mspx
These actions are most likely put in place by the worm in order to shield the machine from further compromise by other worms known to spread via network shares and by exploiting particular vulnerabilities, including the LSASS vulnerability mentioned above and the Microsoft Windows RPCSS malformed DCOM message buffer overflow vulnerabilities. For more information on this, please see:
http://www3.ca.com/threatinfo/vulninfo/vuln.aspx?ID=25975
Note: '%Windows%' is a variable location. The malware determines the location of the current Windows folder by querying the operating system. The default installation location for the Windows directory for Windows 2000 and NT is C:\Winnt; for 95, 98 and ME it is C:\Windows; and for XP it is C:\Windows.
Modifies System Security Settings
Cuebot.J sets the following registry entries in order to disable the Windows Firewall and suppress the Security Center antivirus and firewall notifications:
HKLM\Software\Microsoft\SecurityCenter\AntiVirusDisableNotify = '1'
HKLM\Software\Microsoft\SecurityCenter\AntiVirusOverride = '1'
HKLM\Software\Microsoft\SecurityCenter\FirewallDisableNotify = '1'
HKLM\Software\Microsoft\SecurityCenter\FirewallOverride = '1'
HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall = '0'
HKLM\Software\Policies\Microsoft\WindowsFirewall\StandardProfile\EnableFirewall = '0'
Disables Service
Win32/Cuebot.J stops and disables the SharedAccess service, which has the effect of disabling the Windows Firewall on Windows 2000 and XP machines.
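The service registration, the registry values under "Modifies System Settings via the Registry" and "Modifies System Security Settings", and the SharedAccess change above can all be checked for offline from a registry export of a suspect machine. The script below is an added example, not part of this description and not a Microsoft tool: it parses `.reg` export text (the format `reg export` writes), matches the values this description lists, and reports whether the wgareg service is registered and whether SharedAccess has been set to Disabled. The two sample exports are constructed for the example. Key paths are spelled as this description lists them (a live export may, for instance, spell the Security Center key with a space, so adjust the table to the host); `Start` values 2 and 4 are the standard Automatic and Disabled service start types.

```python
import re

# Registry indicators from the Cuebot.J description above, spelled as it lists them
# (e.g. "SecurityCenter"); adjust a key's spelling if a live export names it differently.
REGISTRY_INDICATORS = {
    r"HKLM\software\microsoft\ole": {"enabledcom": "n"},
    r"HKLM\system\currentcontrolset\control\lsa": {"restrictanonymous": 1},
    r"HKLM\system\currentcontrolset\services\lanmanserver\parameters": {"autoshareserver": 0, "autosharewks": 0},
    r"HKLM\Software\Microsoft\SecurityCenter": {"AntiVirusDisableNotify": 1, "AntiVirusOverride": 1,
                                                "FirewallDisableNotify": 1, "FirewallOverride": 1},
    r"HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile": {"EnableFirewall": 0},
    r"HKLM\Software\Policies\Microsoft\WindowsFirewall\StandardProfile": {"EnableFirewall": 0},
}
SERVICES_KEY = r"HKLM\system\currentcontrolset\services"
HIVE_ALIASES = {"hkey_local_machine": "hklm", "hkey_current_user": "hkcu"}


def _normalise_key(key):
    """Lower-case a key path and shorten the hive name so exports and indicators compare equal."""
    hive, _, rest = key.strip().strip("[]").lower().partition("\\")
    return HIVE_ALIASES.get(hive, hive) + "\\" + rest


def parse_reg_export(text):
    """Parse .reg text into {key: {value name (lower-case): value}}; dword -> int, string -> str."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = _normalise_key(line)
            entries.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if current is None or not m:
            continue  # file header, blank line, or a value type this parser does not handle
        name, value = m.groups()
        if value.startswith("dword:"):
            value = int(value[6:], 16)
        elif len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1].replace("\\\\", "\\")  # .reg files double backslashes in strings
        entries[current][name.lower()] = value
    return entries


def match_registry_indicators(entries):
    """Return the indicator values present in the export with the worm's setting."""
    hits = []
    for key, values in REGISTRY_INDICATORS.items():
        present = entries.get(_normalise_key(key), {})
        for name, expected in values.items():
            actual = present.get(name.lower())
            if actual is not None and str(actual).lower() == str(expected).lower():
                hits.append(f"{key}\\{name} = {actual!r}")
    return hits


def service_record(entries, name):
    """Return the value map of a service's registration key, or None if it is absent."""
    return entries.get(_normalise_key(SERVICES_KEY + "\\" + name)) or None


def scan(export_text):
    """Summarise the Cuebot.J indicators found in one .reg export."""
    entries = parse_reg_export(export_text)
    shared = service_record(entries, "SharedAccess")
    return {
        "registry_hits": match_registry_indicators(entries),
        "wgareg_service": service_record(entries, "wgareg"),
        "sharedaccess_disabled": bool(shared and shared.get("start") == 4),  # Start=4 is SERVICE_DISABLED
    }


# Constructed sample exports in .reg format (not captured from a real host).
INFECTED_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"AutoShareServer"=dword:00000000
"AutoShareWks"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityCenter]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"EnableFirewall"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wgareg]
"DisplayName"="Windows Genuine Advantage Registration Service"
"ImagePath"="C:\\WINDOWS\\system32\\wgareg.exe"
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
"""

CLEAN_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000002
"""
```

Run `scan()` over the text of a real export (for example `reg export HKLM hklm.reg` from the suspect machine, read as a string) and treat any non-empty `registry_hits`, a `wgareg_service` record, or `sharedaccess_disabled` as grounds to examine the host further; the matching is exact on value, so a host with `restrictanonymous` set to 1 by policy will show that single hit without the rest of the set.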
Analysis by Scott Molenkamp