The CERT for France Industry, Services and Tertiary sector

Members area [version française]

HOME PRESENTATION PUBLICATIONS SUBSCRIPTION CONTACTS FAQ SEARCH

Security Advisory

Public Advisories/Alerts Articles by Cert-IST Useful links In the Press - Events Printable version		Accueil | Resources | Public Advisories/Alerts | Security Advisories "Kerbot" worm on Microsoft Windows systems Reference: CERT-IST/AV-2008.467 Version: 1.1 Version date: 07 November 2008 Vulnerability Classification Risk: very-high Impact: Take control Vulnerability category: Worm Confidence: Vendor-acknowledged Attack expertise: Beginner Attack requirements: Remote (no account) over a standard service System Information Affected Platform(s): Microsoft Windows 9x Microsoft Windows Millennium Edition Microsoft Windows NT Microsoft Windows XP Microsoft Windows 2000 Microsoft Windows Vista Microsoft Windows Server 2003 Affected Software(s): NA Description Problem description: "Kerbot" is a computer worm that spreads: through "Peer-to-Peer" networks, through the local networks of the infected systems by exploiting the RPC vulnerability in the "Server" service on Microsoft Windows systems, described in the CERT-IST/AV-2008.460 advisory. "Kerbot" attempts to lower security settings and opens a backdoor on the infected systems. Note : "Kerbot" is also knowwn as "Kernelbot".  Technical information: In addition to the overall behaviour already described, on the compromised computer "Kerbot": attempts to end some processes, prevents automatic execution of certain programs when Windows starts, registers itself as Windows services, download and install the eMule P2P client program, modify the "hosts" file to prevent access to various domains. Diagnostic: Here are the visible characteristics of the "Kerbot" worm that allows to detect it on an infected system :  1°) Network traffic :   Network port(s) opened :  NA  Site(s)/Server(s) contacted :  [http://]121.10.114.10 [http://]121.10.114.222 [http://]freegoogla.vicp.net [http://]zz.ushealthmart.com [http://]st.ushealthmart.com  E-mail address(es) contacted :  NA  2°) Systems modifications :   File(s) added :  %System%\compbatc.sys %System%\compbatc.zip %System%\compbatc.exe %System%\compbatc.dll %System%\compbatc.ocx %System%\compbatc.ini  Registry key(s) changed:  HKEY_LOCAL_MACHINE\SOFTWARE\360Safe\safemon\"UDiskAccess" = "0" HKEY_LOCAL_MACHINE\SOFTWARE\360Safe\safemon\"ExecAccess" = "0" HKEY_LOCAL_MACHINE\SOFTWARE\360Safe\safemon\"IEProtAccess" = "0" HKEY_LOCAL_MACHINE\SOFTWARE\360Safe\safemon\"LeakAccess" = "0" HKEY_LOCAL_MACHINE\SOFTWARE\360Safe\safemon\"MonAccess" = "0" HKEY_LOCAL_MACHINE\SOFTWARE\360Safe\safemon\"SiteAccess" = "0"  Registry key(s) added:  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\compbatc HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\compbatcDrv HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[8 NUMBERS]  Registry key(s) deleted:  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"360Safetray" HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"360Safebox" HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"360Antiarp" HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"runeip" HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"Iparmor" HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal Solution Solution to the "Kerbot" worm infection Update your anti-virus software : Use the anti-virus automatic update feature. Or use the following instructions for a manual update. TrendMicro update - Signature file 5.637.00 or later http://www.trendmicro.com/ftp/products/pattern/lpt637.zip http://www.trendmicro.com/ftp/products/pattern/lpt637.tar Symantec update - Use "Intelligent Updater" (see URL below) or "LiveUpdate" updated 05/11/2008 http://securityresponse.symantec.com/avcenter/defs.download.html Sophos Update - IDE file for that specific worm http://www.sophos.com/downloads/ide/435_ides.zip NAI update - DAT file 5423 or later, to be released on 03/11/2008 http://download.nai.com/products/mcafee-avert/daily_dats/DAILYDAT.ZIP http://download.nai.com/products/mcafee-avert/daily_dats/SDATDAILY.EXE Computer Associates updates http://www3.ca.com/support/vicdownload/ Standard vulnerability IDs CVE: CVE-2008-4250 Additional Resources Sophos document regarding the "Kerbot" worm http://www.sophos.com/security/analyses/viruses-and-spyware/trojkerbota.html CA document regarding the "Kerbot" worm http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=75435 NAI document regarding the "Kerbot" worm http://vil.nai.com/vil/content/v_152820.htm Symantec document regarding the "Kerbot" worm http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-110315-4059-99 TrendMicro document regarding the "Kerbot" worm http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_KERBOT.A History Version Comment Date 1.1 Computer Associates detection signatures 07 November 2008 1.0 Advisory creation 05 November 2008

Copyright © 1999-2012 Cert-IST | Legal Notice | Sitemap