A new worm pretending to be news about Yasser Arafat was mass-mailed this weekend. Though ranked as a low-level threat to both corporate and home users, the worm exploits an unpatched flaw announced in MS04-032 on Oct. 12 and installs a backdoor.
The W32/Golten.worm e-mail has two attachments: an image file called arafat_1.emf; and arafat_2.emf, a specially crafted .emf [Enhanced Metafile format] file that installs this worm on vulnerable systems, Santa Clara, Calif.-based McAfee Inc. said on its Web site.
"The worm attempts to spread via the ADMIN$ share, connecting to accessible remote system via existing credentials or attempting to use weak administrator passwords to gain access," said McAfee. Multiple passwords contained in the virus body include: stgzs, security, oracle, secret, root, admin and password among many others that are just numbers and characters.
- Subject line: Latest News about Arafat !!!
- Body text: Hello Guys,
Latest News about Arafat!
The worm adds several files to the Windows system directory, modifies the path for the Alerter service and installs multiple backdoor components, McAfee said. Installed via the BackDoor-CJV dropper, those components include:
- comwsock.dll (BackDoor-CJV)
- dmsock.dll (BackDoor-CJV)
- inetcfg.h (BackDoor-CJV data file)
- mst.tlb (BackDoor-CJV data file)
- SCardSer.exe (BackDoor-CJV)
A service is created by the BackDoor-CJV dropper; it injects the dmsock.dll file into lsass.exe, svchost.exe, explorer.exe, inetinfo.exe, qq.exe, msimn.exe, iexplore.exe, outlook.exe, msmsgs.exe or msnmsgr.exe. The .dll listens on a random TCP port.
To mitigate the worm, filter executable attachments at the gateway, such as .exe, .pif, .scr, .com, .bat, .vbs, .lnk, and .hta. Update antivirus products and apply the MS04-032 patch. More information is available on the McAfee Web site.