w32/Graps worm/trojan Last Updated 7/29/03 12:50pm
CIT has received reports of w32/Graps infections within the NIH. w32/Graps is a remote access trojan that spreads through open or weakly protected administrative shares on Windows machines. It tries to copy itself to the default administrative share, ADMIN$. The worm attempts to gain access to the ADMIN$ share on remote systems either by trying weak username/password combinations or by reusing the credentials under which the worm is already running on the infected host.
The worm attempts to copy 3 files to the remote system:
- mwd.exe (a copy of the worm)
- psexec.exe (RemoteProcessLaunch application)
- mswinsk.ocx (innocent Microsoft Winsock Control DLL)
When the worm infects a machine it creates a registry run key to load itself at system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Windows Management Instrumentation" = %worm path%\mwd.exe
Three batch files are created in the local directory:
- wds.bat
- wds2.bat
- wds3.bat
If the worm succeeds in writing to the admin share, PSEXEC.EXE is used to execute the worm remotely, and the ADMIN$ share is then deleted. The worm scans the local class A subnet for other systems to infect. The worm also creates a remote access server by listening on TCP port 45836.
This server allows a remote attacker to perform the following tasks:
- Retrieve the following information:
  - Uptime
  - Download speed
  - CPU information
  - RAM
  - Disk Usage
- Specify a target IP address to ICMP/HTTP flood
- Download/execute files
- Internet Relay Chat (IRC) functions
- IP Port Redirection (to create proxies)
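The host-based indicators listed above (the Run key value name pointing at mwd.exe, the dropped files, and the listener on TCP port 45836) can be checked mechanically. The following is an added example written for this page, not CIT or vendor code; the sample registry values, netstat lines and directory listing are constructed, and the worm path shown is a placeholder since the advisory gives only %worm path%.

```python
import re

# Indicators of w32/Graps as described in the advisory above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Windows Management Instrumentation"
DROPPED_FILES = {"mwd.exe", "psexec.exe", "mswinsk.ocx",
                 "wds.bat", "wds2.bat", "wds3.bat"}
RAT_PORT = 45836

# Matches a "netstat -ano" style line: proto, local addr:port, remote, state, pid.
NETSTAT_RE = re.compile(
    r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)", re.IGNORECASE)

def check_run_keys(run_values):
    """run_values: {value_name: data} exported from the Run key.
    Flags the worm's persistence entry: the advisory's value name with mwd.exe as target."""
    return [f"run key persistence: {RUN_KEY}\\{name} = {data}"
            for name, data in run_values.items()
            if name == RUN_VALUE_NAME and data.lower().endswith("mwd.exe")]

def check_listeners(netstat_lines):
    """Flags any TCP listener on the worm's remote access port."""
    findings = []
    for line in netstat_lines:
        m = NETSTAT_RE.match(line)
        if m and int(m.group(1)) == RAT_PORT:
            findings.append(f"listener on TCP {RAT_PORT} (pid {m.group(2)})")
    return findings

def check_files(dir_listing):
    """dir_listing: file names from the suspected worm directory; flags dropped files."""
    present = sorted(DROPPED_FILES & {f.lower() for f in dir_listing})
    return [f"dropped file present: {f}" for f in present]

def assess_host(run_values, netstat_lines, dir_listing):
    """Returns all indicator matches for one host; an empty list means no match."""
    return (check_run_keys(run_values) + check_listeners(netstat_lines)
            + check_files(dir_listing))

# Constructed sample data for an infected host (paths and pids are made up).
SAMPLE_RUN = {"Windows Management Instrumentation": r"C:\WINNT\system32\mwd.exe",
              "Example Benign App": r"C:\Program Files\benign\benign.exe"}
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:135      0.0.0.0:0    LISTENING   748",
    "  TCP    0.0.0.0:45836    0.0.0.0:0    LISTENING   1324",
]
SAMPLE_DIR = ["mwd.exe", "psexec.exe", "mswinsk.ocx", "wds.bat",
              "wds2.bat", "wds3.bat", "notepad.exe"]

if __name__ == "__main__":
    for finding in assess_host(SAMPLE_RUN, SAMPLE_NETSTAT, SAMPLE_DIR):
        print(finding)
```

A benign host yields an empty list; any finding should be confirmed with the antivirus scan described below before cleanup.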
This worm is detected and removed by VirusScan with the current 4280 Dat/SuperDat or later and by Symantec Antivirus using the current definitions (7/23/2003) or later.
The latest Dat/SuperDat is available here. Use the LiveUpdate feature of Symantec Antivirus to update to the latest definitions from Symantec.
For more information see:
http://vil.nai.com/vil/content/v_100467.htm from NAI
http://vil.nai.com.