Enterasys - Secure Networks

There is nothing more important than our customers.
Skip to content

ENSRT Incident Note ETS-i-2005-12530

The Enterasys Networks Security Response Team (ENSRT) publishes incident notes to provide information for our constituents to raise awareness of issues deemed threatening to the security and integrity of our customers.

Worm - W32.Derdero.E@mm

Release Date: 02/25/2005
Last Updated:

Print this alert

Overview

The W32.Derdero.E worm is a Microsoft Windows mass-mailing worm which contains an executable attachment that spreads via an embedded SMTP engine as well as through Windows file shares.

Details below will describe the characteristics of the W32.Derdero.E@mm worm as well as provide detection, containment, and prevention techniques available through Enterasys Secure Networks solutions.

Systems affected

Windows operating systems

Systems not affected

Linux and MAC/OSX

Description

W32.Derdero.E mass mailer arrives in the user mailbox as an e-mail with one of the following subject lines:

- "Urgent Information"
- "Hackers on the loose"
- "Dangerous Virus info"
- "CNN: 1000s of PC's hacked"
- "You may be at risk to danger"
- "VIRUS OUTBREAK"
- "CNN: Virus released, millions of computers infected"
- "Millions of PC's Hacked!"
- "Illegal Viruses on the Loose"
- "CNN: Virus outbreak!"
- "MyDoom returns"
- "Symantec: New AHKER strain released"

The e-mail also contains one of the following bodies:

- "Thousands of PC's were hacked this week; see the attached document for details."

- "Viruses are quickly spreading throughout the wild, and you may be infected. See the attached document for details."

- "A virus outbreak was reported today. Run the attached patch to help protect yourself.A firewall may be of use due to the recent hacking outbreak, read the attached document."

- "Over 5000 computers were recently hacked today. To help protect yourself, read the attached file."

- "Here, read the attached document to protect yourself from hackers. =)"

- "Many computers were compromised by a malicious user. To protect your computer, read the document."

- "There has been a recent outbreak of viruses, read the attached document."

- "Another AHKER variant has been released. Run the attached file to protect yourself"

The W32.Derdero.E@mm e-mails as described above also contain an executable attachment with one of the following filetypes:

- ".exe"
- ".zip"
- ".pif"
- ".doc.exe"
- ".cmd"
- ".txt.exe"
- ".scr"
- ".wpd.exe"
- ".txt.scr"
- ".cpl"
- ".com"
- ".doc.cpl"
- ".doc.txt"
- ".fix.exe"

If the attached executable file is launched, the mass mailling worm will infect the PC and begin the replication process. First, the worm causes a diologue box to pop up and display the following message:

- "JavaScript Error: Critical JavaScript Error in line 3: List index out of bounds"

Secondly, the worm will place the following files in the System and Windows directories:

- "JsDbgMan.exe"
- "JsLock.dat"
- "JsDbgZ.dll"
- "JsDbgE.dll"
- "hall.dll"
- "JsDbgJS.zip"

Third, the worm corrupts the "hal.dll" and "ntoskrnl.exe" files in the system folder which will prevent the system from being able to restart.

Fourth, the worm puts the following files in any folder with a name containing the string of characters "shar" :

- "Netsky Source Code.zip[blank spaces].exe"
- "Windows Server 2003 SP2.rar[blank spaces].com"
- "Internet Security for Idiots.ebook.pdf[blank spaces].scr"
- "Windows XP SP3 (Virus Scanned)[blank spaces].exe"
- "Pamela Anderson FULL VIDEO.mpg[blank spaces].scr"
- "Internet Explorer 6 to 7 Upgrade.exe"
- "How to Hack Websites.txt[blank spaces].pif"
- "Norton Internet Security 2006.zip[blank spaces].scr"
- "Norton AntiVirus 2006 (with crack).iso[blank spaces].exe"
- "Hacking for Dummies.pdf[blank spaces].cpl"
- "Windows XP SP2 WORKING activation crack.rar[blank spaces].exe"
- "Kazaa Lite 2005 Edition (Adware Free).rar[blank spaces].pif"
- "HalfLife 2 and Counterstrike Steam crack.exe"
- "Porn Passwords.txt[blank spaces].exe"
- "Hot anal penetration.dvd[blank spaces].scr"
- "Exeem Lite NEW FILESHARING PROGRAM.zip[blank spaces].cmd"
- "Virus writing in Visual Basic.txt[blank spaces].cpl"
- "DVD Xcopy PRO (virus scanned).exe"

Fifth, the worm updates specific system registry keys so that it will be launched each time Windows boots.

The Sixth step the worm takes, is to gather e-mail addresses from the Windows address book and then use an embedded SMTP engine to propagate further.

The seventh step the worm takes is to check if Windows Task Manager is open, and if so close it.

The eighth step the worm takes is to attempt to alter the system "hosts" file as well as end multiple tasks in an effort to reduce or shut down security features and programs installed on the infected machine.

Threat Assessment

Mass-mailing worms if not addressed through prudent remediation steps may congest mail servers and/or degrade network performance. Mass-mailing worms may impact individual system performance and compromise security settings allowing unauthorized remote access to the compromised host.

Remediation

Matrix N7
 X
Matrix E7
 X
Matrix E6
 X
Matrix E5
 X
Matrix E1
 X
VH
 X
C-Series
X

Detection

A specific Dragon signature to detect the W32.Derdero.E@mm worm can be retrieved via Dragon Live Update and is located in the Master Library within the ENSRT category. However, because of similarities the W32.Derdero.E worm has with the W32.Derdero.C variant, only four individual signatures with the prefix "ENSRT:W32-DERDERO-E" have been created. The four ENSRT:W32-DERDERO-E signatures must be copied into a custom signature group and combined with the ENSRT:W32-DERDERO-A-B-C signatures to provide protect against all four "Derdero" variants.

Deploying the above combined signature group on a Dragon network sensor that is protecting the enterprise SMTP server can successfully detect end-user class machines which have become infected with this worm family.

If utilizing Dynamic Intrusion Response (DIR), a Dragon Alarmtool policy that consists of an event group that contains all of the signatures within the "ENSRT:W32-DERDERO-E" and "ENSRT:W32-DERDERO-A-B-C" family should be used. A threshold parameter of at least three signature detections within a time span of 60 seconds should be used to mitigate the existence of false positives.

NOTE: All signatures in the ENSRT library are disabled by default. These signatures must be enabled after they are imported into a custom library if they are to be successfully deployed.

Prevention

Trusted End System solutions are capable of monitoring various end system activity. TES is able to take immediate action such as firewalling specific IPs, TCP/UDP ports, applications, or placing the user into a Quarantine policy or VLAN until end system threat is mitigated. Learn more at: http://www.enterasys.com/solutions/secure-networks/trusted_end_system/

Containment

The Enterasys Dynamic Intrusion Response (DIR) solution can be utilized to remove infected end-users from the enterprise network by detecting the infection with a Dragon NIDS signature (see "Detection" section of this report), locating the user's connection point using Automated Security Manager's location services module, and either placing the user in a quarantine VLAN or disabling the associated switch port for the user.

Using Enterasys Policy Manager, enforce a policy that allows SMTP traffic from end user PCs to authorized SMTP mail servers and blocks SMTP traffic to unauthorized end users or unknown Internet systems. If the SMTP protocol is not implemented for end users within the enterprise, consider implementing a policy blocking SMTP traffic from end user ports.

Repair

Monitor Dragon Realtime Console for alerts that end-user PCs have become infected with the virus. If utilizing the DIR solution, users can either be expunged from the network or placed in a quarantine VLAN. Once isolated, see your anti-virus vendor for Windows repair procedures for infected users.

References

http://securityresponse.symantec.com/avcenter/venc/data/w32.derdero.e@mm.html

This document and the information contained herein are intended solely for informational use. Enterasys Networks, Inc. makes no representations or warranties of any kind, whether expressed or implied, with respect to this information and assumes no responsibility for its accuracy or completeness. Enterasys Networks, Inc. hereby disclaims all liability and warranty for any information contained herein and all the material and information herein exists to be used only on an "as is" basis. More specific information may be available on request. By your review and/or use of the information contained herein, you expressly release Enterasys from any and all liability related in any way to this information.    

A copy of the text of this section is an uncontrolled copy, and may lack important information or contain factual errors. All information herein is Copyright ©Enterasys Networks, Inc. All rights reserved. All information above is subject to change without notice.    

Revision History:

Version: 1.0

Date: 02/25/2005

Author: ENSRT STAFF

Change

There is nothing more important than our customers