Threat Description

Net-Worm:W32/Allaple.A

Details

Aliases:Net-Worm:W32/Allaple.A, Net-Worm.Win32.Allaple.a
Category:Malware
Type:Net-Worm
Platform:W32

Summary



A type of worm that replicates by sending complete, independent copies of itself over a network.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You may also refer to General Removal Instructions for a general guide on alternative disinfection actions.

Disinfection of Network Worms

For instructions on how to eliminate a local worm infection, please Eliminating a Local Network Outbreak



Technical Details



Net-worm:W32/Allaple.A is a powerful polymorphic worm that can spread over the Internet and over Local Area Networks (LAN).

To propagate, it is able to scan for computers vulnerable to a number of exploits to spread itself; it can also perform a dictionary attack on network share passwords.

Additionally, the worm performs a Denial of Service (DoS) attack on a number of websites based in Estonia.

Infection

The worm copies itself multiple times to a hard drive and also affects HTML files.

The worm's file is polymorphically encrypted, which means every copy of the worm is different. The only constant aspect of the worm's code is the size of its executable file - 57856 bytes.

The worm creates a different CLSID for every copy of itself that it creates on the hard drive. The number of these copies can be quite large. The names of the worm's files are random. For example:

  • bzehxvnz.exe
  • hwexrtne.exe
  • jbnshhqj.exe
  • jjlenkbt.exe
  • tsbjbtvn.exe

Execution & Propagation

After the worm's file is run it goes through the polymorphic decryptor and then proceeds to the static part of the code that allocates a memory buffer and extracts the main worm's code into it. Then the control is passed directly to the extracted worm's code.

After getting control, the worm creates a few threads. One thread scans for vulnerable computers (on TCP ports 139 and 445) and sends exploits there in order to infect them.

The other thread scans for .HTM and .HTML files on all local hard disks and infects them by prepending a reference to worm's CLSID there.

One of the remaining threads performs a DoS attack on three websites located in Estonia. The following TCP ports used during the DoS attack:

  • 22
  • 80
  • 97
  • 443

The worm also tries to brute-force network share passwords by performing a dictionary attack on them. The following passwords are used:

  • 00
  • 000
  • 0000
  • 00000
  • 000000
  • 0000000
  • 00000000
  • 1
  • 12
  • 123
  • 1234
  • 12345
  • 123456
  • 1234567
  • 12345678
  • 123456789
  • abc123
  • access
  • adm
  • Admin
  • alpha
  • anon
  • anonymous
  • asdfgh
  • backdoor
  • backup
  • beta
  • bin
  • coffee
  • computer
  • crew
  • database
  • debug
  • default
  • demo
  • go
  • guest
  • hello
  • install
  • internet
  • login
  • mail
  • manager
  • money
  • monitor
  • network
  • new
  • newpass
  • nick
  • nobody
  • nopass
  • oracle
  • pass
  • passwd
  • password
  • poiuytre
  • private
  • public
  • qwerty
  • random
  • real
  • remote
  • root
  • ruler
  • secret
  • secure
  • security
  • server
  • setup
  • shadow
  • shit
  • sql
  • super
  • sys
  • system
  • telnet
  • temp
  • test
  • test1
  • test2
  • visitor
  • windows
  • www
  • X


Detection


F-Secure Anti-Virus detects this malware with the following updates:
Detection Type: PC
Database: 2006-12-07_07




SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More