New worm targets recent Microsoft flaw

Golten masquerades as news about Yasser Arafat, exploits a flaw patched by Microsoft on Oct. 12.

A new worm pretending to be news about Yasser Arafat was mass-mailed this weekend. Though ranked as a low-level threat to both corporate and home users, the worm exploits the flaw addressed by MS04-032 (released Oct. 12) on systems that have not yet applied that patch, and installs a backdoor.

The W32/Golten.worm e-mail carries two attachments: an image file called arafat_1.emf, and arafat_2.emf, a specially crafted .emf (Enhanced Metafile format) file that installs the worm on vulnerable systems, Santa Clara, Calif.-based McAfee Inc. said on its Web site.

"The worm attempts to spread via the ADMIN$ share, connecting to accessible remote systems via existing credentials or attempting to use weak administrator passwords to gain access," said McAfee. The passwords contained in the virus body include stgzs, security, oracle, secret, root, admin and password, among many others that are just runs of numbers and characters.

  • Subject line: Latest News about Arafat !!!
  • Body text: Hello Guys,

    Latest News about Arafat!

    Unimaginable!!!!!!

The worm adds several files to the Windows system directory, modifies the path for the Alerter service and installs multiple backdoor components, McAfee said. Installed via the BackDoor-CJV dropper, those components include:

  • comwsock.dll (BackDoor-CJV)
  • dmsock.dll (BackDoor-CJV)
  • inetcfg.h (BackDoor-CJV data file)
  • mst.tlb (BackDoor-CJV data file)
  • SCardSer.exe (BackDoor-CJV)

The BackDoor-CJV dropper creates a service that injects dmsock.dll into one of lsass.exe, svchost.exe, explorer.exe, inetinfo.exe, qq.exe, msimn.exe, iexplore.exe, outlook.exe, msmsgs.exe or msnmsgr.exe. The injected .dll then listens on a random TCP port.

To mitigate the worm, filter executable attachments at the mail gateway (.exe, .pif, .scr, .com, .bat, .vbs, .lnk and .hta), update antivirus products and apply the MS04-032 patch. More information is available on the McAfee Web site.
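The gateway filtering described above, as an added example that is not part of the article or McAfee's guidance: it parses an e-mail with Python's standard library, reports attachments whose extension is on the article's block list, and separately flags the Golten indicators the article gives (the subject line and the .emf attachments). The sample messages are constructed here; the attachment bytes are placeholders, not the real files.

```python
"""Gateway attachment filter plus W32/Golten.worm indicator check.

Added example, not code from the article or from McAfee. Assumes the
gateway hands us each message as a raw RFC 822 string; the sample
messages below are constructed for illustration only.
"""
import os
from email import message_from_string, policy
from email.message import EmailMessage

# Executable attachment extensions the article recommends blocking at the gateway.
BLOCKED_EXTENSIONS = {".exe", ".pif", ".scr", ".com", ".bat", ".vbs", ".lnk", ".hta"}

# Golten-specific indicators taken from the article's description of the mail.
GOLTEN_SUBJECT = "latest news about arafat"
GOLTEN_ATTACHMENTS = {"arafat_1.emf", "arafat_2.emf"}


def attachment_names(msg):
    """Return the filenames of every attachment or inline part in a parsed message."""
    names = []
    for part in msg.walk():
        if part.get_content_disposition() in ("attachment", "inline"):
            name = part.get_filename()
            if name:
                names.append(name)
    return names


def inspect_message(raw):
    """Classify one raw message.

    Returns {'blocked': [...], 'indicators': [...], 'verdict': str}.
    'blocked' lists attachments hit by the extension block list,
    'indicators' lists Golten-specific matches, and the verdict is
    'quarantine' if either list is non-empty, else 'deliver'.
    """
    msg = message_from_string(raw, policy=policy.default)
    names = attachment_names(msg)

    # Extension check is case-insensitive: "UPDATE.SCR" is still a screensaver.
    blocked = [n for n in names if os.path.splitext(n)[1].lower() in BLOCKED_EXTENSIONS]

    indicators = []
    subject = (msg.get("Subject") or "").lower()
    if GOLTEN_SUBJECT in subject:
        indicators.append("subject")
    for n in names:
        low = n.lower()
        # Exact Golten filenames, or any EMF at all while MS04-032 is unpatched.
        if low in GOLTEN_ATTACHMENTS or low.endswith(".emf"):
            indicators.append(n)

    verdict = "quarantine" if blocked or indicators else "deliver"
    return {"blocked": blocked, "indicators": indicators, "verdict": verdict}


def build_message(subject, attachments):
    """Construct a multipart message with the given subject and (filename, bytes) attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Hello Guys,\n\nLatest News about Arafat!\n\nUnimaginable!!!!!!\n")
    for filename, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_string()


# Constructed samples: the Golten-shaped mail, a benign mail, and a blocked executable.
GOLTEN_SAMPLE = build_message(
    "Latest News about Arafat !!!",
    [("arafat_1.emf", b"\x01\x00\x00\x00"), ("arafat_2.emf", b"\x01\x00\x00\x00")],
)
BENIGN_SAMPLE = build_message("Q3 invoice", [("invoice.pdf", b"%PDF-1.4")])
EXE_SAMPLE = build_message("Patch attached", [("update.SCR", b"MZ")])

if __name__ == "__main__":
    for label, raw in (("golten", GOLTEN_SAMPLE), ("benign", BENIGN_SAMPLE), ("exe", EXE_SAMPLE)):
        print(label, inspect_message(raw))
```

The two checks are kept separate on purpose: the extension block list is a standing policy that is independent of any one worm, while the Golten indicators are a temporary signature that can be retired once the MS04-032 patch is deployed. Note that the block list alone would not have stopped this mail, since .emf is an image format rather than an executable.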
