
Win32/Cuebot.J (CA.com)

Description Published: 13 August 2006
Description Modified: 13 August 2006

Threat Assessment

Overall Risk: Low
Wild: Low
Destructiveness: Medium
Pervasiveness: Medium



Type: Worm
Category: Win32
Also known as Win32.Cuebot.J



Description

Win32/Cuebot.J is a worm that spreads by exploiting the Microsoft Windows Server service buffer overflow vulnerability. The worm can also be used as a backdoor that allows its remote controller unauthorized access to the affected machine. It has been distributed as a 9,609-byte, MEW-packed, Win32 executable.


Method of Infection
When executed, Cuebot.J copies itself to %System%\wgareg.exe, and creates the following service:

Service name: wgareg
Display name: Windows Genuine Advantage Registration Service
Path to executable: %System%\wgareg.exe
Startup type: Automatic

Service description: "Ensures that your copy of Microsoft Windows is genuine and registered. Stopping or disabling this service will result in system instability."

Note: '%System%' is a variable location. The malware determines the location of the current System folder by querying the operating system. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95, 98 and ME it is C:\Windows\System; and for XP it is C:\Windows\System32.

The worm also creates a mutex called wgareg to ensure only one copy runs at a time.

After installing itself, the worm starts an instance of explorer.exe and injects code into that process. This code deletes the original copy of the worm after it has run.


Method of Distribution
Via Exploit

In order to spread, the worm attempts to exploit the Microsoft Windows Server service buffer overflow vulnerability. The worm searches IP addresses for potential targets, checking for vulnerable systems via port 445. It only does this if it is commanded to through its IRC controlled backdoor (see Payload section below for additional detail).

For more information on this vulnerability, please visit:

http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34486
http://www.microsoft.com/technet/security/Bulletin/MS06-040.mspx



Backdoor Functionality
The worm can be used as an IRC-controlled backdoor, allowing a remote user to gain unauthorized access to the infected machine.

The worm connects to an IRC server on port 18067 and joins a particular channel. It then waits for instructions from the channel. The worm can be instructed to perform the following actions on the affected machine:

Scan for other machines to infect by exploiting the Microsoft Windows Server service buffer overflow vulnerability (see above).
Launch Denial of Service attacks
Download files using HTTP and execute them
Send instant messages via AIM
Remove itself from the affected machine
Update itself


Modifies System Settings via the Registry
The worm sets the following registry values:

HKLM\software\microsoft\ole\enabledcom = "n"
HKLM\system\currentcontrolset\control\lsa\restrictanonymous = 1
HKLM\system\currentcontrolset\services\lanmanserver\parameters\autoshareserver = 0x0
HKLM\system\currentcontrolset\services\lanmanserver\parameters\autosharewks = 0x0


The first registry modification disables DCOM support in Windows.

The second registry modification disallows the enumeration of accounts from remote machines.

It also creates an empty file called %Windows%\Debug\dcpromo.log. This is a read-only file which can stop the Microsoft Windows LSASS buffer overflow vulnerability from being exploited. For more information on this vulnerability, please see:

http://www3.ca.com/threatinfo/vulninfo/vuln.aspx?ID=27886
http://www.microsoft.com/technet/security/Bulletin/MS04-011.mspx

These actions are most likely put in place by the worm in order to shield the machine from further compromise by other worms known to spread via network shares and by exploiting particular vulnerabilities, including the LSASS vulnerability mentioned above and the Microsoft Windows RPCSS malformed DCOM message buffer overflow vulnerabilities. For more information on this, please see:

http://www3.ca.com/threatinfo/vulninfo/vuln.aspx?ID=25975

Note: '%Windows%' is a variable location. The malware determines the location of the current Windows folder by querying the operating system. The default installation location for the Windows directory for Windows 2000 and NT is C:\Winnt; for 95, 98 and ME it is C:\Windows; and for XP it is C:\Windows.

Modifies System Security Settings
Cuebot.J sets the following registry entries in order to disable firewall and antivirus settings:

HKLM\Software\Microsoft\SecurityCenter\AntiVirusDisableNotify = "1"
HKLM\Software\Microsoft\SecurityCenter\AntiVirusOverride = "1"
HKLM\Software\Microsoft\SecurityCenter\FirewallDisableNotify = "1"
HKLM\Software\Microsoft\SecurityCenter\FirewallOverride = "1"
HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall = "0"
HKLM\Software\Policies\Microsoft\WindowsFirewall\StandardProfile\EnableFirewall = "0"

Disables Service
Win32/Cuebot.J stops and disables the SharedAccess service which has the effect of disabling the Windows Firewall on Windows 2000 and XP machines.
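The registry changes listed under "Modifies System Settings via the Registry" and "Modifies System Security Settings", together with the wgareg service and the disabled SharedAccess service, are host indicators a responder can check offline against a registry export. The following Python script is an added example, not part of the CA description: it parses a constructed `.reg`-style export (the sample text is made up to mirror the values above, not captured from a real host) and reports which Cuebot.J indicators are present. It assumes the real Security Center key is spelled "Security Center" (the normalization ignores spaces so the page's spelling matches it too) and that a disabled service shows up with Start = 4.

```python
"""Flag Win32/Cuebot.J host indicators in a Windows registry export (.reg text)."""
import re

# Constructed sample (not real data): the fragment a registry export of the relevant
# keys would contain on a host configured the way the description above states.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"AutoShareServer"=dword:00000000
"AutoShareWks"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"EnableFirewall"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wgareg]
"DisplayName"="Windows Genuine Advantage Registration Service"
"ImagePath"="C:\\WINDOWS\\system32\\wgareg.exe"
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
"""

_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*)$')


def _norm_key(key: str) -> str:
    """Lower-case a key path, drop spaces and expand the HKLM abbreviation, so the
    page's spelling and the real key name ("Security Center") compare equal."""
    k = key.strip().lower().replace(" ", "")
    if k.startswith("hklm\\"):
        k = "hkey_local_machine\\" + k[5:]
    return k


def _parse_value(raw: str):
    """Decode the .reg value syntax: dword:hex -> int, quoted string -> str."""
    raw = raw.strip()
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return raw  # hex(...) blobs and other types are kept verbatim


def parse_reg_export(text: str) -> dict:
    """Map (normalized key, lower-case value name) -> value. Every key also gets a
    (key, None) entry so that a key's mere presence can be tested."""
    values = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = _norm_key(line[1:-1])
            values[(current, None)] = True
        elif current is not None:
            m = _VALUE_RE.match(line)
            if m:
                values[(current, m.group("name").lower())] = _parse_value(m.group("value"))
    return values


# (key, value name or None for "key exists", predicate on the value, description).
# Start = 4 is the service control manager's "Disabled" start type (assumption about
# how "stops and disables the SharedAccess service" appears in the registry).
_CUEBOT_INDICATORS = [
    (r"HKLM\Software\Microsoft\Ole", "EnableDCOM", lambda v: str(v).upper() == "N", "DCOM disabled (EnableDCOM = N)"),
    (r"HKLM\System\CurrentControlSet\Control\Lsa", "restrictanonymous", lambda v: v == 1, "remote account enumeration restricted"),
    (r"HKLM\System\CurrentControlSet\Services\lanmanserver\parameters", "AutoShareServer", lambda v: v == 0, "AutoShareServer = 0"),
    (r"HKLM\System\CurrentControlSet\Services\lanmanserver\parameters", "AutoShareWks", lambda v: v == 0, "AutoShareWks = 0"),
    (r"HKLM\Software\Microsoft\SecurityCenter", "AntiVirusDisableNotify", lambda v: v == 1, "Security Center antivirus notifications disabled"),
    (r"HKLM\Software\Microsoft\SecurityCenter", "AntiVirusOverride", lambda v: v == 1, "Security Center antivirus override set"),
    (r"HKLM\Software\Microsoft\SecurityCenter", "FirewallDisableNotify", lambda v: v == 1, "Security Center firewall notifications disabled"),
    (r"HKLM\Software\Microsoft\SecurityCenter", "FirewallOverride", lambda v: v == 1, "Security Center firewall override set"),
    (r"HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile", "EnableFirewall", lambda v: v == 0, "firewall policy off (domain profile)"),
    (r"HKLM\Software\Policies\Microsoft\WindowsFirewall\StandardProfile", "EnableFirewall", lambda v: v == 0, "firewall policy off (standard profile)"),
    (r"HKLM\System\CurrentControlSet\Services\wgareg", None, lambda v: True, "service 'wgareg' registered"),
    (r"HKLM\System\CurrentControlSet\Services\SharedAccess", "Start", lambda v: v == 4, "SharedAccess service disabled (Start = 4)"),
]


def find_cuebot_indicators(reg_text: str) -> list:
    """Return the descriptions of every indicator present in the export."""
    values = parse_reg_export(reg_text)
    hits = []
    for key, name, matches, desc in _CUEBOT_INDICATORS:
        v = values.get((_norm_key(key), name.lower() if name else None))
        if v is not None and matches(v):
            hits.append(desc)
    return hits


if __name__ == "__main__":
    for hit in find_cuebot_indicators(SAMPLE_REG_EXPORT):
        print("indicator:", hit)
```

Several of these values (restrictanonymous, the AutoShare settings, a disabled firewall policy) are also set by legitimate hardening, so treat the combination, and above all the wgareg service entry with its "Windows Genuine Advantage" display name, as the strong signal rather than any single value.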

Analysis by Scott Molenkamp


More information on CA Virus Information Center
http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=57639
