Trojan.WinDNSd Trojan Information
Name: Trojan.WinDNSd
Category: Trojan
Advice: Remove
Risk: Severe Risk
Severe threats are typically remotely exploitable vulnerabilities that can lead to system compromise. Successful exploitation normally requires no user interaction, and exploits are in the wild. There is a high likelihood of system damage or compromise: the attacker can gain complete control of the computer or install new software on it.
Description:
Upon execution, this memory-resident trojan worm drops a copy of itself as WINDNSD.EXE in the Windows system folder. The originally executed file then deletes itself.
It creates the following autostart entries so that the dropped copy runs at every system startup:
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
Windows DNS Daemon = "windnsd.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Windows DNS Daemon = "windnsd.exe"
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce
Windows DNS Daemon = "windnsd.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
Windows DNS Daemon = "windnsd.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
Windows DNS Daemon = "windnsd.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
Windows DNS Daemon = "windnsd.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Windows DNS Daemon = "windnsd.exe"
It also registers itself as a service by creating the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wdnsd
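A host check for the persistence described above, added here as an example and not part of the original write-up: it walks the seven Run/RunOnce/RunServices keys, the wdnsd service key, the system folder and the process list, and reports anything that matches. It assumes the value name "Windows DNS Daemon", the file name windnsd.exe and the service name wdnsd exactly as listed; run it from an elevated PowerShell so HKLM and HKU\.DEFAULT are readable.

```powershell
# Added example, not code from the advisory: hunt for WinDNSd persistence on a live host.
# Indicators are taken from the write-up above; anything else here is an assumption.
$valueName  = 'Windows DNS Daemon'
$fileName   = 'windnsd.exe'
$serviceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\wdnsd'

# HKU is not mounted as a drive by default; map it so HKU\.DEFAULT can be read.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# The seven autostart locations the worm writes to.
$autostartKeys = @(
    'HKU:\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKU:\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
)

$findings = @()

foreach ($key in $autostartKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the provider's own metadata properties (PSPath, PSParentPath, ...).
        if ($p.Name -like 'PS*') { continue }
        # Match on the value name or on the data, so a renamed value still trips the check.
        if ($p.Name -eq $valueName -or ("$($p.Value)" -match [regex]::Escape($fileName))) {
            $findings += [pscustomobject]@{ Type = 'Autostart'; Location = $key; Name = $p.Name; Data = $p.Value }
        }
    }
}

# The service registration the worm creates.
if (Test-Path $serviceKey) {
    $svc = Get-ItemProperty -Path $serviceKey
    $findings += [pscustomobject]@{ Type = 'Service'; Location = $serviceKey; Name = 'ImagePath'; Data = $svc.ImagePath }
}

# The dropped copy lives in the Windows system folder; check the 64-bit and 32-bit folders.
foreach ($dir in @([Environment]::SystemDirectory, (Join-Path $env:windir 'SysWOW64'))) {
    $path = Join-Path $dir $fileName
    if (Test-Path $path) {
        $hash = (Get-FileHash -Path $path -Algorithm MD5).Hash.ToLower()
        $findings += [pscustomobject]@{ Type = 'File'; Location = $path; Name = 'MD5'; Data = $hash }
    }
}

# A running process by that name is the memory-resident component.
Get-Process -Name ($fileName -replace '\.exe$', '') -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += [pscustomobject]@{ Type = 'Process'; Location = $_.Path; Name = 'PID'; Data = $_.Id }
}

if ($findings.Count -eq 0) {
    Write-Output 'No WinDNSd indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

The MD5 of any file found can be compared against the hashes in the Signatures section below; the data-based match is deliberately loose (any value whose data mentions windnsd.exe) because the value name is the easiest part of the indicator for a variant to change.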
WinDNSd spreads via network shares. It uses NetBEUI functions to enumerate available user names and passwords, then looks for the IPC$ administrative share and, using the gathered credentials, drops a copy of itself on the target.
It may also exploit the following Windows vulnerabilities to propagate:
Buffer Overflow in SQL Server 2000, a vulnerability that allows a low-privileged user to run, delete, insert or update Web tasks. An attacker who can authenticate to the SQL Server may do the same, and run previously created Web tasks in the security context of the task's creator. More information is in Microsoft Security Bulletin MS02-061.
The RPC/DCOM vulnerability, which allows an attacker to gain full access and execute arbitrary code on a target machine by sending a malformed packet to the DCOM service over RPC on TCP port 135. More information is in Microsoft Security Bulletin MS03-026.
The IIS/WebDAV vulnerability, which enables arbitrary code execution on an IIS server with WebDAV enabled, again by sending a malformed request; the vulnerable service is reached over HTTP on TCP port 80. More information is in Microsoft Security Bulletin MS03-007.
The Windows LSASS vulnerability, a buffer overrun that allows remote code execution and lets an attacker gain full control of the affected system. It is discussed in detail in Microsoft Security Bulletin MS04-011 and in Trend Micro's Vulnerability Description for MS04-011.
Furthermore, it turns the affected system into a TFTP server so that newly exploited hosts can fetch a copy of the worm, which is served as BLING.EXE.
WinDNSd has backdoor capabilities. It connects to the Internet Relay Chat (IRC) server irc.t3musso.net, through which a remote user can control affected systems.
This backdoor routine allows the remote user to perform the following actions:
Update malware from HTTP and FTP URL
Execute a file
Download from HTTP and FTP URL
Open a command shell
Open files
Display the driver list
Get screen capture
Capture pictures and video clips
Display network information such as the following:
connection type
local IP address
Make the bot join a channel
Stop and s
Signatures:
process: windnsd.exe: MD5 Hash: ...
process: windnsd.exe: MD5 Hash: c584147f4352db8e9ab...
process: windnsd.exe: MD5 Hash: 15af6b4e853e4cbce56...
process: windnsd.exe: MD5 Hash: 1d9b48016a35f9e8071..
Type: Trojan - A Trojan is any software on a user's computer that the user is not aware of or did not intentionally install. Most Trojans are designed to perform actions that jeopardize the user's security or privacy.