The Antivirus Guy Blog

Keeping people up to date with antivirus and security information

SANS – Internet Storm Center – CME-24 (Blackworm) Analysis: The destruction does not appear to spread across Windows network shares

CME-24 Analysis: The destruction does not appear to spread across Windows network shares (NEW)

Published: 2006-02-02
Last Updated: 2006-02-02 17:39:40 UTC by Lorna Hutcheson (Version: 1)

I wanted to share some of the results of some long hours spent looking at this malware. When the infection occurs, it immediately places copies of itself locally on each share and on each share/mapped drive that it finds. Based on this behavior, my initial thoughts were that the destructive payload would be carried out via shares and/or mapped drives as well.

I now have changed my initial thoughts on how the destruction would occur.  Here are some of my notes from my testing of this concept.  Here is the MD5 from the file I was using:
1c66904ecb846da5b1fb2072f9ea6e0e *New WinZip File.exe

The first test I did led me to believe that the destruction would be carried out via the shares and mapped drives. In my initial test, I had two infected systems (one XP and one W2K) with drives mapped to each other. I infected each box, changed the system time to Feb 2 at 11:50pm, launched ethereal, filemon and ran the first shot using RegShot. After an hour, I stopped the captures and launched my second shot of the hard drive with RegShot. All my data files were now overwritten, zip files were corrupted, etc. Everything was happening as I thought it would. All my mapped drives had corrupted files. The security logs from each box showed accesses from the other.

For the rest of this in-depth analysis, go here: SANS – Internet Storm Center – Cooperative Cyber Threat Monitor And Alert System.


February 2, 2006 - Posted by | Antivirus News
