
Virus Profile: W32/Tzet.worm.f

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 12/15/2003
Date Added: 1/13/2004
Origin: Unknown
Length: 989,496 bytes (SFX)
Type: Virus
Subtype: Internet Worm
DAT Required: 4309
Removal Instructions
Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

  • Existence of the files/directory detailed in the Characteristics section
  • Existence of the Registry key detailed in the Characteristics section
  • Observation of unexpected IRC traffic (to port 6667 of remote server) from victim machine
  • Unexpected network traffic - malware is capable of SYN flooding a subnet, and performing port scans across a network

Methods of Infection

The worm uses a trojanised mIRC client coupled with batch and IRC scripts in order to infect and spread between machines.

Once executed on a machine, the worm attempts to connect to a remote IRC server in order to notify the hacker of the infection. Once connected, the worm can receive remote commands via IRC. Such functionality includes:

  • launch DoS attack on remote machine
  • retrieve key information concerning various games
  • retrieve information concerning victim machine
  • scan for remote machines to spread to

Share propagation relies upon poorly secured shares. The worm attempts to connect to remote shares using the following password/username combinations (an empty password is shown as "(blank)"):

Password               Username
abc                    administrator
test                   test
test123                administrator
student                student
user                   user
teacher                teacher
xxyyzz                 administrator
1                      administrator
123                    administrator
12345                  admin
temp                   administrator
Administrator          administrator
Administrator          Administrator
test                   administrator
admin                  administrator
temp123                administrator
pass                   administrator
password               administrator
root                   root
changeme               administrator
admin                  admin
123456                 administrator
654321                 administrator
abc123                 administrator
12345                  administrator
red123                 administrator
admin123               administrator
qwerty                 administrator
asdf                   administrator
password123            administrator
secret                 administrator
qwertyuiop             administrator
12345                  administrator
54321                  administrator
(blank)                administrator
(blank)                Administrator
(blank)                admin
(blank)                user
(blank)                Admin
(blank)                root
(blank)                ROOT
(blank)                wwwadmin
(blank)                database
(blank)                user
(blank)                server
(blank)                OEM
(blank)                administrateur
(blank)                Owner
(blank)                OWNER
(blank)                owner
admin                  wwwadmin
wwwadmin               wwwadmin
database               database
computer               Administrator
computer               OEM
1234                   OEM
admin                  OEM
secret                 OEM
administrator          OEM
Admin                  OEM
qwerty                 OEM
password               OEM
temp                   Owner
1                      Owner
12                     Owner
123                    Owner
1234                   Owner
12345                  Owner
Owner                  Owner
admin                  Owner
secret                 Owner
computer               Owner
!@#$                   Owner
changeme               Owner
password               Owner
(blank)                Rendszergaz
Rendszergaz            Rendszergaz
(blank)                Beheerder
Beheerder              Beheerder
(blank)                Coordinatore
Coordinatore           Coordinatore
(blank)                Administrador
Administrador          Administrador
(blank)                Forsterkning
Forsterkning           Forsterkning
(blank)                administratör
administratör          administratör
(blank)                Järjestelmänvalvoja
Järjestelmänvalvoja    Järjestelmänvalvoja
(blank)                amministratore
amministratore         amministratore
(blank)                Verwalter
Verwalter              Verwalter
administrateur         administrateur
admin                  administrateur
12345                  administrateur
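The share-propagation behaviour above is visible on the network as a burst of failed logons, from one source, against the accounts in the worm's list. The following detection logic is an added example and is not part of the McAfee profile; it assumes a hypothetical one-line-per-attempt log format ("<timestamp> src=<ip> user=<account> result=<ok|fail>") and uses constructed sample lines.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Usernames from the profile's credential list (case kept as listed there).
TZET_USERNAMES = {
    "administrator", "Administrator", "admin", "Admin", "test", "student", "user",
    "teacher", "root", "ROOT", "wwwadmin", "database", "server", "OEM", "Owner",
    "OWNER", "owner", "administrateur", "Rendszergaz", "Beheerder", "Coordinatore",
    "Administrador", "Forsterkning", "administratör", "Järjestelmänvalvoja",
    "amministratore", "Verwalter",
}

# Constructed sample: one line per logon attempt, in the hypothetical
# "<timestamp> src=<ip> user=<account> result=<ok|fail>" format.
SAMPLE_LOG = """\
2003-12-15 10:00:01 src=192.0.2.10 user=administrator result=fail
2003-12-15 10:00:02 src=192.0.2.10 user=test result=fail
2003-12-15 10:00:02 src=192.0.2.10 user=student result=fail
2003-12-15 10:00:03 src=192.0.2.10 user=OEM result=fail
2003-12-15 10:00:04 src=192.0.2.10 user=Owner result=fail
2003-12-15 10:00:05 src=192.0.2.10 user=Rendszergaz result=fail
2003-12-15 10:05:00 src=192.0.2.20 user=jsmith result=fail
2003-12-15 10:05:30 src=192.0.2.20 user=jsmith result=ok
2003-12-15 10:09:00 src=192.0.2.30 user=admin result=fail
"""

def parse_line(line):
    """Split one sample log line into (timestamp, src, user, result)."""
    fields = dict(f.split("=", 1) for f in line[20:].split())
    return (datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S"),
            fields["src"], fields["user"], fields["result"])

def find_share_bruteforce(log_text, window=timedelta(seconds=60), min_accounts=3):
    """Return {src: sorted usernames} for every source that fails logons against
    at least `min_accounts` distinct listed accounts within `window`."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, user, result = parse_line(line)
            if result == "fail" and user in TZET_USERNAMES:
                by_src[src].append((ts, user))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_accounts:
                hits[src] = sorted(users)
                break
    return hits
```

A single failed logon is routine; the signal is one source sweeping several of the listed accounts inside a short window, which a per-account threshold would miss.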

Virus Characteristics

This detection is for a multi-component IRC-based worm capable of spreading to poorly secured remote shares. It bears similarities to earlier variants.

There are many other multi-component, IRC-based malware packages known. Typically, components from one are used again in other creations. Because of this there is likely to be crossover in the specific detection names used for the various files that comprise the package.

The importance of application-type detections is well-demonstrated by such packages, since legitimate applications are usually used to perform steps vital to the propagation mechanism. By enabling detection of such tools, the propagation/operation of such malware can be disabled.

Proactive Detection

Exact detection of the virus SFX archive requires the DATs as specified above. However, prior to this, various components of the multi-component package have been detected. Most importantly:

Characteristics

The worm consists of a self-extracting archive. When executed, the following directory is created on the target machine:

c:\WINNT\system32\GroupPolicy\Adm\0x3\4.0

Multiple files are extracted to this directory:

  • cons32.dll (11,264 bytes)
  • dll32.exe (45,056 bytes) - detected as W32/Tzet.worm.f
  • jnco32.exe (17,920 bytes) - detected as FDoS-Mixtar
  • mmsql32.bat (26,397 bytes) - detected as IRC/Flood.bat. Batch script for connecting to remote shares (password brute forced), and copying and launching the worm there.
  • mnl32.dll (8,704 bytes)
  • mnn32.exe (25,600 bytes) - detected as PrcView application
  • msnq32.exe (20,480 bytes) - detected as HideWindow application
  • msregld32.exe (17,408 bytes) - detected as FDoS-DRinCL
  • mtnm32.dll (179,254 bytes) - trojan IRC script
  • pmmc32.exe (38,400 bytes) - detected as RemoteProcessLaunch application
  • reg3.ocx (15,133 bytes) - trojan IRC script
  • spool.exe (532,480 bytes) - mIRC client, detected as IRC/Flood.bq
  • svchostt.exe (19,456 bytes) - 'launcher' for the malware package, detected as W32/Tzet.worm.f
  • switch.exe (3,072 bytes)
  • wvchost.exe (73,216 bytes) - detected as Tool-WGet application

The following Registry key is added to run the SVCHOSTT.EXE (which launches the worm "package") at system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "msnager32" = C:\WINNT\System32\GroupPolicy\Adm\0x3\4.0\svchostt.exe
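The dropped-file manifest and the Run key above are the host-side indicators a responder would check. The following checker is an added example, not McAfee's tooling: it assumes a directory listing and the Run key's values have already been collected into Python dicts (for instance from a forensic image), and the sample data below is constructed.

```python
import ntpath

# Dropped-file manifest from the profile: lower-case file name -> size in bytes.
TZET_FILES = {
    "cons32.dll": 11264, "dll32.exe": 45056, "jnco32.exe": 17920,
    "mmsql32.bat": 26397, "mnl32.dll": 8704, "mnn32.exe": 25600,
    "msnq32.exe": 20480, "msregld32.exe": 17408, "mtnm32.dll": 179254,
    "pmmc32.exe": 38400, "reg3.ocx": 15133, "spool.exe": 532480,
    "svchostt.exe": 19456, "switch.exe": 3072, "wvchost.exe": 73216,
}
DROP_DIR = r"\system32\GroupPolicy\Adm\0x3\4.0"  # below the Windows directory
RUN_VALUE = "msnager32"                           # value name under ...\CurrentVersion\Run

def check_host(listing, run_values):
    """listing: {full_path: size_in_bytes} of files observed on the host;
    run_values: {value_name: command} read from the HKLM Run key.
    Reports exact name-and-size matches separately from name-only matches
    (size differs), which are weaker evidence, plus the persistence entry."""
    exact, size_mismatch = [], []
    for path, size in listing.items():
        head, name = ntpath.split(path)
        if not head.lower().endswith(DROP_DIR.lower()):
            continue
        expected = TZET_FILES.get(name.lower())
        if expected is not None:
            (exact if size == expected else size_mismatch).append(name.lower())
    # Registry value names are case-insensitive, so compare lower-cased.
    cmd = next((v for k, v in run_values.items() if k.lower() == RUN_VALUE), "")
    persistence = cmd.lower().endswith(DROP_DIR.lower() + r"\svchostt.exe")
    return {"files": sorted(exact), "size_mismatch": sorted(size_mismatch),
            "persistence": persistence, "verdict": persistence or len(exact) >= 3}

# Constructed sample: a partial directory listing and Run key as they might be
# pulled from an infected system (dll32.exe size chosen to show a mismatch).
SAMPLE_LISTING = {
    r"C:\WINNT\system32\GroupPolicy\Adm\0x3\4.0\svchostt.exe": 19456,
    r"C:\WINNT\system32\GroupPolicy\Adm\0x3\4.0\spool.exe": 532480,
    r"C:\WINNT\system32\GroupPolicy\Adm\0x3\4.0\mmsql32.bat": 26397,
    r"C:\WINNT\system32\GroupPolicy\Adm\0x3\4.0\dll32.exe": 45000,
    r"C:\WINNT\system32\spoolsv.exe": 65536,
}
SAMPLE_RUN = {"Msnager32": r"C:\WINNT\System32\GroupPolicy\Adm\0x3\4.0\svchostt.exe"}
```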

All Users:
Use specified engine and DAT files for detection.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the current engine and the specified DATs (or higher). Older engines may not be able to remove all registry keys created by this threat.

Additional Windows ME/XP removal considerations