Reference: CERT-IST/AL-2007.001
Version: 1.0
Version date: 02 January 2007

Vulnerability Classification

Risk: high
Impact: Get access, Denial of Service
Confidence: Vendor-acknowledged
Attack expertise: Beginner
Attack requirements: Remote (no account) over a standard service

System Information

Affected Platform(s):
- Microsoft Windows 9x
- Microsoft Windows Millennium Edition
- Microsoft Windows NT
- Microsoft Windows XP
- Microsoft Windows 2000

Affected Software(s): (none listed; see "Impacted products")

Description

Publication context:
This Cert-IST alert was first released on Sunday 31-Dec-2006 to the subscribers of the "7/7 watch&warn" service.

Problem description:
During the New Year week-end, the "Luder" worm and its variants were spreading over the Internet. This is a classic "mass-mailer" worm: it arrives as an English-language Happy New Year card e-mail with a malicious executable file as attachment.

If the malicious attachment is run, the worm installs itself on the system and then attempts to connect to a web site (81.177.3.175 for the initial code) in order to download other malware, and to contact an SMTP server (208.36.123.14). The worm also attempts to stop security processes (anti-virus, personal firewall) and to infect executable files.

Cert-IST has released an alert about this worm and its variants because:
- its prevalence is quite high (Cert-IST has received several instances of this worm),
- it may have infected corporate networks without being detected during the week-end (a test performed by Cert-IST on Sunday morning showed that 30% of the anti-virus engines available on "www.virustotal.com" did not detect the worm),
- it is still not detected by some anti-virus vendors.

Note:
- This worm is also named "Nuwar" (McAfee), "Nuwar.AY" (Trend Micro), "Dref-U" (Sophos) and "Mixor.Q" (Symantec).
- The first version of "Luder" was discovered on 29-Dec-2006.

Diagnostic:
Here are the visible characteristics of the "Luder" worm that allow it to be detected on an infected system:

1°) E-mail:
- Sender: spoofed address
- Subject: one of the following:
  - Annual Fun Forecast!
  - Baby New Year!
  - Best Wishes For A Happy New Year!
  - Fun 2007!
  - Fun Filled New Year!
  - Happiness And Continued Success!
  - Happiness And Success!
  - Happiness In Everything!
  - Happy 2007!
  - Happy New Year!
  - Happy Times And Happy Memories!
  - May Your Dreams Come True!
  - New Hopes And New Beginnings!
  - New Year... Happy Year!
  - Promises Of Happy Times!
  - Raising A Toast To Happy Times!
  - Scale Greater Heights!
  - Sparkling Happiness And Good Times!
  - Warm New Year Hug!
  - Warmest Wishes For New Year!
  - Welcome 2007!
  - Wish You Smiles And Good Cheer!
  - Wishing You Happiness!
  - Wishing You Happy New Year!
- Body: [Empty]
- Attachment: one of the following filenames:
  - postcard.exe
  - Postcard.exe
  - greeting card.exe
  - Greeting Card.exe
  - greeting postcard.exe
  - Greeting Postcard.exe

2°) Network traffic:
- Network port(s) opened: NA
- Site(s)/Server(s) contacted:
  - 81.177.3.175 (port 80)
  - 208.36.123.14 (port 25)
- E-mail address(es) contacted: NA

3°) System modifications:
- File(s) added:
  - %System%\ppl.exe (where %System% is "C:\Windows\System" (Windows 95/98/Me), "C:\Winnt\System32" (Windows NT/2000) or "C:\Windows\System32" (Windows XP))
- Registry key(s) added or changed:
  - "agent"="%System%\ppl.exe" value added in the keys:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  - "Start"="4" value modified in the key (SharedAccess is the Windows Firewall / Internet Connection Sharing service; a Start value of 4 disables it):
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
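As an added example (not part of the Cert-IST advisory), the following Python script turns the e-mail and network indicators of the Diagnostic section into two checks a mail gateway or log reviewer could run: `luder_mail_indicators()` parses a raw message with the standard library and reports which traits (listed subject, listed executable attachment, empty body) it shows, and `suspicious_connections()` scans firewall log lines for the two hosts contacted by the initial code. The two sample messages, the log lines and their "key=value" format are constructed for the example; the function names are hypothetical.

```python
import email
import re
from email import policy

# Indicators transcribed from the advisory's "Diagnostic" section.
LUDER_SUBJECTS = {
    "Annual Fun Forecast!", "Baby New Year!", "Best Wishes For A Happy New Year!",
    "Fun 2007!", "Fun Filled New Year!", "Happiness And Continued Success!",
    "Happiness And Success!", "Happiness In Everything!", "Happy 2007!",
    "Happy New Year!", "Happy Times And Happy Memories!", "May Your Dreams Come True!",
    "New Hopes And New Beginnings!", "New Year... Happy Year!", "Promises Of Happy Times!",
    "Raising A Toast To Happy Times!", "Scale Greater Heights!",
    "Sparkling Happiness And Good Times!", "Warm New Year Hug!",
    "Warmest Wishes For New Year!", "Welcome 2007!", "Wish You Smiles And Good Cheer!",
    "Wishing You Happiness!", "Wishing You Happy New Year!",
}
# The advisory lists both capitalisations of each name; a lower-case compare covers both.
LUDER_ATTACHMENTS = {"postcard.exe", "greeting card.exe", "greeting postcard.exe"}
# Hosts contacted by the initial code (December 2006 infrastructure, historical values).
LUDER_HOSTS = {("81.177.3.175", 80), ("208.36.123.14", 25)}


def luder_mail_indicators(raw):
    """Parse a raw RFC 5322 message and list which Luder e-mail traits it shows."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = str(msg["Subject"] or "").strip()
    if subject in LUDER_SUBJECTS:
        hits.append("subject: " + subject)
    for part in msg.iter_attachments():          # non-body MIME parts only
        name = part.get_filename() or ""
        if name.lower() in LUDER_ATTACHMENTS:
            hits.append("attachment: " + name)
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is None or not body.get_content().strip():
        hits.append("body: empty")
    return hits


def is_luder_mail(raw):
    """Quarantine rule: a listed subject together with a listed executable attachment.
    The empty body is supporting evidence only; plenty of legitimate greeting mails
    have an empty body, so it is not used on its own to block a message."""
    hits = luder_mail_indicators(raw)
    return (any(h.startswith("subject:") for h in hits)
            and any(h.startswith("attachment:") for h in hits))


# Constructed firewall log format (hypothetical): "... src=A dst=B dport=N ..."
FW_LOG_RE = re.compile(r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)")


def suspicious_connections(log_lines):
    """Return (src, dst, dport) for every connection to a host/port pair in LUDER_HOSTS."""
    found = []
    for line in log_lines:
        m = FW_LOG_RE.search(line)
        if not m:
            continue
        dst, dport = m["dst"], int(m["dport"])
        if (dst, dport) in LUDER_HOSTS:
            found.append((m["src"], dst, dport))
    return found


# Constructed sample: worm-style message with an empty body and a listed attachment name
# (the base64 payload is the text "not a real executable", not a binary).
SAMPLE_LUDER = b"""From: "Jane" <jane@example.org>
To: victim@example.com
Subject: Happy New Year!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

--b1
Content-Type: application/octet-stream; name="postcard.exe"
Content-Disposition: attachment; filename="postcard.exe"
Content-Transfer-Encoding: base64

bm90IGEgcmVhbCBleGVjdXRhYmxl
--b1--
"""

# Constructed sample: ordinary business mail with a PDF attachment.
SAMPLE_BENIGN = b"""From: bob@example.com
To: alice@example.com
Subject: Q1 budget
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="us-ascii"

Hi Alice, figures attached.
--b2
Content-Type: application/pdf; name="budget.pdf"
Content-Disposition: attachment; filename="budget.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b2--
"""

# Constructed firewall log lines (addresses 10.0.0.0/8 and 192.0.2.0/24 are private/documentation ranges).
SAMPLE_FW_LOG = [
    "2006-12-31T09:12:03 action=allow src=10.0.0.23 dst=81.177.3.175 dport=80 proto=tcp",
    "2006-12-31T09:12:05 action=allow src=10.0.0.23 dst=208.36.123.14 dport=25 proto=tcp",
    "2006-12-31T09:12:08 action=allow src=10.0.0.41 dst=192.0.2.10 dport=443 proto=tcp",
]

if __name__ == "__main__":
    for label, raw in (("worm-style", SAMPLE_LUDER), ("benign", SAMPLE_BENIGN)):
        print(label, luder_mail_indicators(raw), "block" if is_luder_mail(raw) else "deliver")
    print("hosts contacted:", suspicious_connections(SAMPLE_FW_LOG))
```

The subject and attachment lists are short enough to keep as exact-match sets; a production gateway would normally also block executable attachments regardless of name, which catches the variants the advisory warns about without relying on the 2007 subject lines.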
Solution

01 - Solution to the "Luder" worm infection
Update your anti-virus software:
- Use the anti-virus automatic update feature.
- Or use the following instructions for a manual update:
  - TrendMicro update - signature file 4.155.00 or later
  - Symantec update - use "Intelligent Updater" (see URL below) or "LiveUpdate" updated 30/12/2006
  - Sophos update - IDE file for that specific worm
  - NAI update - DAT file 4930 or later, to be released on 02/01/2007
  - F-Secure update - update date: 17/02/2006, or use the following updates

02 - Workaround regarding the "Luder" worm spreading
- Set filters on mail servers to intercept e-mails that match the patterns listed in the "Diagnostic" section.
- Update the SNORT IDS signatures:
  - Licensed VRT signature: SID 9425
  - Public signature: see the SANS link below
- Ensure that mobile devices (e.g. laptops) are not infected before connecting them to the corporate network.
- Public SNORT signature (source: SANS)
Additional Resources
- F-Secure document regarding the "Luder" worm
- F-Secure security note (blog) dated December 31, 2006
- NAI document regarding the "Luder" worm
- SANS security note dated December 31, 2006
- Sophos document regarding the "Luder" worm
- Symantec document regarding the "Luder" worm
- TrendMicro document regarding the "Luder" worm

History

Version | Comment        | Date
1.0     | Alert creation | 02 January 2007