1. Skip to navigation
  2. Skip to content
  3. Skip to secondary-content

Where You Are

  1. Home
  2. Security
  3. Security Lab
  4. Latest Threats
  5. Virus Descriptions
  6. Allaple.A

Allaple.A

Name : Allaple.A
Size:57856
Category:Malware
Type:Net-Worm
Platform:W32
Date of Discovery:December 07, 2006

Summary

Allaple is a powerful polymorphic LAN and Internet worm. It uses a number of exploits to spread itself and performs a dictionary attack on network share passwords. The worm copies itself multiple times to a hard drive and also affects HTML files. Additionally, the worm performs a DoS (Denial of Service) attack on a few websites.

Disinfection

Disinfection of Network Worms

A network worm uses local network (LAN) to spread itsself, so to stop its spreading it is advised to temporarily take down a network until all workstations and servers are disinfected. A single infected workstation can re-infect already cleaned computers and ruin all previous disinfection attempts. However if F-Secure Anti-Virus version 5.40 or a later version is installed on computers connected to a local network, it is recommended to set disinfection action of the On-Access Scanner (OAS) to 'Disinfect Automatically'. Such action will allow to protect already cleaned workstations connected to an infected network from further re-infection by a network worm.

For instructions on how to eliminate an outbreak of a network worm please visit this page:

http://www.f-secure.com/v-descs/netdisinf.shtml

Additional Details

The worm's file is polymorphically encrypted. It means that every copy of the worm is different from each other. The constant part is only the size of the worm's executable file - 57856 bytes.

After the worm's file is run it goes through the polymorphic decryptor and then proceeds to the static part of the code that allocates a memory buffer and extracts the main worm's code into it. Then the control is passed directly to the extracted worm's code.

After getting control, the worm creates a few threads. One thread scans for vulnerable computers (on TCP ports 139 and 445) and sends exploits there in order to infect them. The worm also tries to bruteforce network share passwords by performing a dictionary attack on them. The following passwords are used:

  •  00
  • 000
  • 0000
  • 00000
  • 000000
  • 0000000
  • 00000000
  • 1
  • 12
  • 123
  • 1234
  • 12345
  • 123456
  • 1234567
  • 12345678
  • 123456789
  • abc123
  • access
  • adm
  • Admin
  • alpha
  • anon
  • anonymous
  • asdfgh
  • backdoor
  • backup
  • beta
  • bin
  • coffee
  • computer
  • crew
  • database
  • debug
  • default
  • demo
  • go
  • guest
  • hello
  • install
  • internet
  • login
  • mail
  • manager
  • money
  • monitor
  • network
  • new
  • newpass
  • nick
  • nobody
  • nopass
  • oracle
  • pass
  • passwd
  • password
  • poiuytre
  • private
  • public
  • qwerty
  • random
  • real
  • remote
  • root
  • ruler
  • secret
  • secure
  • security
  • server
  • setup
  • shadow
  • shit
  • sql
  • super
  • sys
  • system
  • telnet
  • temp
  • test
  • test1
  • test2
  • visitor
  • windows
  • www
  • X

The other thread scans for .HTM and .HTML files on all local hard disks and infects them by prepending a reference to worm's CLSID there. The worm creates a different CLSID for every copy of itself that it creates on the hard drive. The number of these copies can be quite large. The names of the worm's files are random. For example:

  • bzehxvnz.exe
  • hwexrtne.exe
  • jbnshhqj.exe
  • jjlenkbt.exe
  • tsbjbtvn.exe

One of the remaining threads performs a DoS (Denial of Service) attack on three websites located in Estonia.


The following TCP ports used during the DoS attack:

  • 22
  • 80
  • 97
  • 443

Detection

F-Secure Anti-Virus detects this malware with the following updates:

[FSAV_Database_Version]

Version = 2006-12-07_07.