CME-24 Analysis: The destruction does not appear to spread across Windows network shares

Published: 2006-02-02, Last Updated: 2006-02-02 17:39:40 UTC
by Lorna Hutcheson (Version: 1)

I wanted to share some of the results of some long hours spent looking at this malware. When the infection occurs, it immediately places copies of itself locally on each share and on each share/mapped drive that it finds. Based on this behavior, my initial thoughts were that the destructive payload would be carried out via shares and/or mapped drives as well. I now have changed my initial thoughts on how the destruction would occur. Here are some of my notes from my testing of this concept.

Here is the MD5 from the file I was using:

1c66904ecb846da5b1fb2072f9ea6e0e *New WinZip File.exe

The first test I did led me to believe that the destruction would be carried out via the shares and mapped drives. In my initial test, I had two infected systems (one XP and one W2K) with drives mapped to each other. I infected each box, changed the system time to Feb 2 at 11:50pm, launched ethereal, filemon and ran the first shot using RegShot. After an hour, I stopped the captures and launched my second shot of the hard drive with RegShot. All my data files were now overwritten, zip files were corrupted, etc. Everything was happening as I thought it would. All my mapped drives had corrupted files

Read more here:
SANS – Internet Storm Center – CME-24 (Blackworm) Analysis: The destruction does not appear to spread across Windows network shares