Virus Alert: Worm Spreads Via Hidden System Shares
July 9, 2003

W32/Graps-A is a worm that uses Windows hidden system shares, intended for interprocess communication and administration tasks (IPC$ and ADMIN$), to spread.

W32/Graps-A spreads with the filename mwd.exe together with two other files, a utility psexec.exe and an OCX file mswinsck.ocx. The worm drops three batch files wds.bat, wds2.bat and wds3.bat into the current directory.

The dropped batch files are used to probe for IPC$ or ADMIN$ shares with weak or blank passwords. If a share is successfully probed, the batch file copies wdm.exe, psexec.exe and mswinsck.ocx to the remote computer and uses psexec.exe to remotely launch wdm.exe. More information is at this Sophos page.

Antivirus software vendor McAfee recognizes the worm as W32/Graps.worm and describes it as a remote access Trojan and share-jumping worm. It propagates via the default administrator share, admin$. When run, the worm creates a registry run key to load itself at system startup:

Run "Windows Management Instrumentation" = %worm path%\mwd.exe

Three batch files are created in the local directory:

  • wds.bat
  • wds2.bat
  • wds3.bat

These batch files try to gain access to the ADMIN$ share on remote systems by trying weak username/password combinations. If this share is accessible, either because (1) the system allows for a weak user/pass or (2) the current credentials are sufficient for admin access, the worm attempts to copy three files to the remote system:

  • mwd.exe (a copy of the worm)
  • psexec.exe (RemoteProcessLaunch application)
  • mswinsck.ocx (innocent Microsoft Winsock Control DLL)

PSEXEC.EXE is used to execute the worm remotely and the ADMIN$ share is then deleted. More information is at this McAfee page.

Mutant Targets .exe Files and Encrypts Itself to Spread

W32.MutantQSix is a .exe file infector that spreads by appending an encrypted version of itself to the end of all the other .exe files in the same folder as the virus.

Technical details are at this Symantec page.

Compiled by Esther Shein.
