Center for Information Technology: Antivirus

Software
Current client downloads:
 VScan Engine/Dat (SuperDat) - 5300/2777.5511
 VirusScan Enterprise 8.5i (with Patch 6) - Windows NT/2000/XP/2003
 VirusScan Enterprise 7.1 - Windows NT/2000/XP/2003
 Virex (OS X) Engine/Def - 7.2(v1.1)/081029
 Virex (OS 9.x) Engine/Def - 6.2/071001
 Linux & Solaris Engine/Dat - 5.2.00/4.0.5196
 Symantec Antivirus - 10.1.7.7000
 Symantec Antivirus - 10.2
 Clean Boot 1.0
 Stinger v3.8.0 virus removal tool (Updated 09/10/07)
Current server downloads:
 VirusScan Enterprise 8.5
 VirusScan Enterprise 7.1
 NetShield NetWare - 4.6.2
 NetShield NetWare - 4.6.3
 NetShield NetWare Engine Update - 4.4.00
 ePO agent for NetWare
 ScanMail eManager - 3.0

Information
 ePO 3.0/VirusScan 7.0 Presentation
 Virex 7.x Installation Instructions
 VirusScan FAQs
 VirusScan Instructions
 Additional Resources

Archives
 List of Viruses

Virus Alerts

w32/Graps worm/trojan Last Updated 7/29/03 12:50pm

CIT has received reports of w32/Graps infections within the NIH. w32/Graps is a remote access trojan that spreads through open or weakly protected administrative shares on Windows machines. It tries to copy itself to the default administrative share, ADMIN$, on remote systems, gaining access either by trying weak username/password combinations or by reusing the credentials under which the worm is already running on the infected host. This means an account with local administrator rights on many machines, or a shared administrator password, lets a single infection spread without any password guessing at all.

The worm attempts to copy 3 files to the remote system:

  • mwd.exe (a copy of the worm)
  • psexec.exe (PsExec, a legitimate remote process launch utility that the worm abuses)
  • mswinsk.ocx (a legitimate Microsoft Winsock control; not malicious on its own)

When the worm infects a machine it creates a registry run key to load itself at system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Windows Management Instrumentation" = %worm path%\mwd.exe

Three batch files are created in the local directory:

  • wds.bat
  • wds2.bat
  • wds3.bat

If the worm succeeds in writing to the administrative share, it uses PSEXEC.EXE to execute the copied worm on the remote system and then deletes the ADMIN$ share. The worm scans the local class A subnet (the /8 containing the infected host) for other systems to infect. It also runs a remote access server that listens on TCP port 45836.

This server allows a remote attacker to perform the following tasks:

  • Retrieve the following information:
      • Uptime
      • Download speed
      • CPU information
      • RAM
      • Disk usage
  • Specify a target IP address to ICMP/HTTP flood
  • Download and execute files
  • Internet Relay Chat (IRC) functions
  • IP port redirection (to create proxies)
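The indicators above (the Run value, the three dropped files, the three batch files, the deleted ADMIN$ share and the TCP 45836 listener) are enough to triage a host by hand. The following is an added example, not code from CIT or from the NAI write-up, that turns them into checks over host artifacts an administrator would already collect: a reg.exe export of the HKLM Run key, the output of `net share`, the output of `netstat -an`, and a directory listing. All sample inputs are constructed for the example; the value names, share layout and benign entries in them are assumptions, and only the worm indicators come from the alert text.

```python
"""Host triage for the w32/Graps indicators listed in the CIT alert.

Added example: the checks run over text that reg.exe, `net share` and
`netstat -an` produce, so they can be applied to output saved from a
suspect machine without running anything on it.
"""
import re

# Indicators taken from the alert text.
WORM_RUN_VALUE = "Windows Management Instrumentation"   # Run value name the worm creates
WORM_BINARY = "mwd.exe"                                  # data of that Run value ends in this
WORM_FILES = {"mwd.exe", "psexec.exe", "mswinsk.ocx"}   # files copied to the remote system
WORM_BATCH = {"wds.bat", "wds2.bat", "wds3.bat"}        # batch files created locally
BACKDOOR_PORT = 45836                                    # remote access server listener

# reg.exe export lines look like  "Name"="C:\\path\\file.exe"  (backslashes doubled).
REG_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
# netstat -an listener lines look like  TCP    0.0.0.0:45836    0.0.0.0:0    LISTENING
LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s*$", re.IGNORECASE)


def check_run_key(reg_export):
    """Return (name, data) for Run values matching the worm's value name or binary."""
    findings = []
    for line in reg_export.splitlines():
        m = REG_VALUE_RE.match(line.strip())
        if not m:
            continue
        name, data = m.group(1), m.group(2).replace("\\\\", "\\")
        if name == WORM_RUN_VALUE or data.lower().endswith(WORM_BINARY):
            findings.append((name, data))
    return findings


def admin_share_missing(net_share_output):
    """True when ADMIN$ is absent from `net share` output.

    The worm deletes ADMIN$ after using it, so a missing default share on a
    machine that should have one is a symptom, not just a hardening choice.
    """
    shares = {line.split()[0].upper()
              for line in net_share_output.splitlines()
              if line.strip() and not line.startswith("-")}
    return "ADMIN$" not in shares


def backdoor_listening(netstat_output, port=BACKDOOR_PORT):
    """True if `netstat -an` shows a TCP listener on the worm's port."""
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line)
        if m and int(m.group(1)) == port:
            return True
    return False


def dropped_files(filenames):
    """Split a directory listing into worm payload files and worm batch files."""
    present = {f.lower() for f in filenames}
    return {"worm": sorted(WORM_FILES & present), "batch": sorted(WORM_BATCH & present)}


def triage(reg_export, net_share_output, netstat_output, filenames):
    """Combine the checks. psexec.exe and mswinsk.ocx are legitimate files, so
    the verdict rests on the persistence key, the listener and the batch files."""
    files = dropped_files(filenames)
    result = {
        "run_key": check_run_key(reg_export),
        "admin_share_missing": admin_share_missing(net_share_output),
        "backdoor_listening": backdoor_listening(netstat_output),
        "files": files,
    }
    result["likely_infected"] = bool(result["run_key"] or result["backdoor_listening"] or files["batch"])
    return result


# Constructed sample artifacts from an infected host (assumed paths and benign entries).
SAMPLE_REG = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"Example Agent"="C:\\\\Program Files\\\\Example\\\\agent.exe"
"Windows Management Instrumentation"="C:\\\\WINNT\\\\system32\\\\mwd.exe"
"""
SAMPLE_NET_SHARE = """Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\\                             Default share
IPC$                                         Remote IPC
The command completed successfully.
"""
SAMPLE_NETSTAT = """Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:45836          0.0.0.0:0              LISTENING
"""
SAMPLE_FILES = ["mwd.exe", "psexec.exe", "mswinsk.ocx", "wds.bat", "wds2.bat", "wds3.bat", "notepad.exe"]

# Constructed artifacts from a clean host that happens to have PsExec installed.
CLEAN_REG = SAMPLE_REG.replace('"Windows Management Instrumentation"="C:\\\\WINNT\\\\system32\\\\mwd.exe"\n', "")
CLEAN_NET_SHARE = SAMPLE_NET_SHARE.replace("IPC$", "ADMIN$       C:\\WINNT                        Remote Admin\nIPC$")
CLEAN_NETSTAT = SAMPLE_NETSTAT.replace("  TCP    0.0.0.0:45836          0.0.0.0:0              LISTENING\n", "")

if __name__ == "__main__":
    print(triage(SAMPLE_REG, SAMPLE_NET_SHARE, SAMPLE_NETSTAT, SAMPLE_FILES))
    print(triage(CLEAN_REG, CLEAN_NET_SHARE, CLEAN_NETSTAT, ["notepad.exe", "psexec.exe"]))
```

The clean-host case is there on purpose: finding psexec.exe alone is not a sign of infection, since PsExec is a common administrative tool, and a missing ADMIN$ share can be a deliberate hardening step. The persistence value and the port 45836 listener are the indicators that should drive the verdict.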

This worm is detected and removed by VirusScan with the 4280 DAT/SuperDAT or later and by Symantec Antivirus using the definitions dated 7/23/2003 or later.

The latest DAT/SuperDAT is available from the Software section above. Use the LiveUpdate feature of Symantec Antivirus to update to the latest definitions from Symantec.

For more information see:

NAI Virus Information Library entry: http://vil.nai.com/vil/content/v_100467.htm (from http://vil.nai.com).

Contact NIH Help Desk for assistance:
866-319-4357 (toll free), 301-496-4357 (6-HELP) (local), 301-496-8294 (TDD)
http://ithelpdesk.nih.gov/support

National Institutes of Health, Center for Information Technology
National Institutes of Health
Bethesda, Maryland 20892


Department of Health and Human Services
Washington, D.C. 20201