Security Incidents mailing list archives

More info on DarkMachine


From: Markus De Shon <mdeshon () secureworks net>
Date: Wed, 17 Oct 2001 13:35:57 -0400 (EDT)


We have executed the attachment in a controlled environment with Regmon
and Filemon running to track Registry and File accesses.

Regmon shows that the worm changed two registry keys:

739     59.36779760     Userconf        SetValueEx
HKLM\Software\Description\Microsoft\Rpc\UuidPersistentData\ClockSequence 
SUCCESS 0xA2E   

740     59.36783360     Userconf        SetValueEx
HKLM\Software\Description\Microsoft\Rpc\UuidPersistentData\LastTimeAllocated
SUCCESS 40 D3 9C 15 EB C

These don't appear to be hostile behavior--these keys seem to be changed
by other programs as well.

It did access, but apparently did not attempt to write to, WIN.INI.

It created a temporary binary file at C:\WINDOWS\TEMP\~DFE855.TMP (this
was a Win98 machine), which we're still looking at to see what its
function is.  It is not a copy of the worm, as it is significantly
smaller.  It contains the following text strings:

R\0o\0o\0t\0 \0E\0n\0t\0r\0y
rn1org

It creates the following files:

411     0.00014800      Userconf        Write   C:\COMMON.EXE   SUCCESS
Offset: 0 Length: 10240 

428     0.00018800      Userconf        Write   C:\REDE.EXE     SUCCESS
Offset: 0 Length: 10240 

445     0.00018960      Userconf        Write   C:\SI.EXE       SUCCESS
Offset: 0 Length: 10240 

462     0.00018480      Userconf        Write   C:\USERCONF.EXE SUCCESS
Offset: 0 Length: 10240 

479     0.00018320      Userconf        Write   C:\DISK.EXE     SUCCESS
Offset: 0 Length: 10240 

The files other than DISK.EXE are already known to be possible names of
email attachments.  All the files are identical copies of the worm.

The worm then launches Outlook and attempts to send copies of itself out.

I have forwarded copies of the worm to McAfee and CERT for further
analysis.  So far, from our analysis, we have only found that the worm
propagates itself.  Further analysis will be necessary to determine if
there are any other effects.

   Markus De Shon, Ph.D., GCIA #0227  <mdeshon () secureworks net>   
   Research Manager --  SecureWorks, Inc.  -- 404 327-6339x127
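The triage step the report describes (running Filemon while the sample executes and then picking out the file writes that matter) can be automated over the tool's tab-separated export. The script below is an added example and is not part of the original post or of SecureWorks' analysis. It rebuilds the line-wrapped Filemon entries quoted above into one record per line, flags every successful write that starts at offset 0 to an executable extension (a binary being created), and clusters those drops by byte length, since several equal-size executables written by one process are likely copies of a single payload. The WIN.INI "Open" line and the 2048-byte length of the .TMP file are constructed to exercise the negative cases; the report gives neither detail.

```python
import re
from collections import defaultdict

# Constructed sample in Filemon's tab-separated export format, reassembled
# from the line-wrapped entries quoted in the report. The last two entries
# (the WIN.INI open and the 2048-byte temp file) are invented for the
# example and are not taken from the report.
FILEMON_SAMPLE = """\
411\t0.00014800\tUserconf\tWrite\tC:\\COMMON.EXE\tSUCCESS\tOffset: 0 Length: 10240
428\t0.00018800\tUserconf\tWrite\tC:\\REDE.EXE\tSUCCESS\tOffset: 0 Length: 10240
445\t0.00018960\tUserconf\tWrite\tC:\\SI.EXE\tSUCCESS\tOffset: 0 Length: 10240
462\t0.00018480\tUserconf\tWrite\tC:\\USERCONF.EXE\tSUCCESS\tOffset: 0 Length: 10240
479\t0.00018320\tUserconf\tWrite\tC:\\DISK.EXE\tSUCCESS\tOffset: 0 Length: 10240
480\t0.00019000\tUserconf\tOpen\tC:\\WINDOWS\\WIN.INI\tSUCCESS\tOPEN EXISTING
481\t0.00020000\tUserconf\tWrite\tC:\\WINDOWS\\TEMP\\~DFE855.TMP\tSUCCESS\tOffset: 0 Length: 2048
"""

FIELDS = ("seq", "time", "process", "operation", "path", "result", "detail")
EXECUTABLE_EXTS = (".exe", ".com", ".scr", ".pif", ".bat")
_OFFSET_LEN = re.compile(r"Offset:\s*(\d+)\s+Length:\s*(\d+)")


def parse_filemon(text):
    """Parse Filemon export lines into dicts; malformed or wrapped lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t", 6)
        if len(parts) < 6:
            continue
        parts += [""] * (len(FIELDS) - len(parts))
        ev = dict(zip(FIELDS, parts))
        m = _OFFSET_LEN.search(ev["detail"])
        ev["offset"] = int(m.group(1)) if m else None
        ev["length"] = int(m.group(2)) if m else None
        events.append(ev)
    return events


def dropped_executables(events):
    """Successful writes at offset 0 to an executable extension: a new binary being created."""
    return [
        ev for ev in events
        if ev["operation"] == "Write"
        and ev["result"] == "SUCCESS"
        and ev["offset"] == 0
        and ev["path"].lower().endswith(EXECUTABLE_EXTS)
    ]


def group_by_length(events):
    """Cluster drops by (process, byte length); clusters of more than one path
    are candidates for being identical copies of the same payload."""
    groups = defaultdict(list)
    for ev in events:
        groups[(ev["process"], ev["length"])].append(ev["path"])
    return {key: paths for key, paths in groups.items() if len(paths) > 1}


def writes_to(events, filename):
    """True if any successful Write targeted the named file (case-insensitive basename)."""
    suffix = "\\" + filename.lower()
    return any(
        ev["operation"] == "Write" and ev["result"] == "SUCCESS"
        and ev["path"].lower().endswith(suffix)
        for ev in events
    )


def summarize(text):
    """Return the dropped executable paths and the equal-size clusters among them."""
    drops = dropped_executables(parse_filemon(text))
    return {"dropped": [ev["path"] for ev in drops], "clusters": group_by_length(drops)}


if __name__ == "__main__":
    report = summarize(FILEMON_SAMPLE)
    for path in report["dropped"]:
        print("dropped executable:", path)
    for (proc, length), paths in report["clusters"].items():
        print(f"{proc} wrote {len(paths)} files of {length} bytes: {', '.join(paths)}")
    print("WIN.INI written:", writes_to(parse_filemon(FILEMON_SAMPLE), "WIN.INI"))
```

Equal length only suggests identical content; on the monitored host the check is to hash each dropped file and compare digests. The wide-character string quoted from the temp file (R\0o\0o\0t\0 \0E\0n\0t\0r\0y) is the UTF-16LE spelling of "Root Entry", the name of the root storage in an OLE compound file, which is a useful hint when deciding how to parse such a dropped file.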


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

