KORDLLBOT-RELATED SMB WORMS

The malware samples 163571bd56001963c4dcb0650bb17fa23ba23a5237c21f2401f4e894dfe4f50d and e0cd4eb8108dab716f3c2e94e6c0079051bfe9c7c2ed4fcbfdd16b4dd1c18d4d in the cluster of signed malware do not look like KorDllbots at first glance.

The usual service DLL dropper is here replaced with a worm component. After installation and reboot, this worm generates random IP addresses and attempts to connect to the admin$ share on remote machines using the hard-coded usernames “administrator” and “db2admin”. The malware contains a list of common passwords and also constructs passwords derived from the username. If a login succeeds, the worm copies itself to the remote machine’s system directory and installs itself as a service there.

In addition to spreading, these samples drop a backdoor component which is somewhat different in structure from the “standard” KorDllbots. The dropper code logic used in these worms is, however, also used in other KorDllbot dropper samples and is unmistakable: the strings “DGTSIGN” and “www.goog1e.cn” are markers which the malware uses to locate its embedded content.
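The following is an added example, not code from the report or from the malware it describes. It shows the two checks a defender would build from the description above: a static triage that looks for the quoted dropper markers (“DGTSIGN”, “www.goog1e.cn”) and the worm’s hard-coded usernames in a file, and a hunt over Windows Security events for the spreading pattern (one source host trying the same usernames against the ADMIN$ share on many random targets). Event IDs 4625 and 5140 are real Windows event IDs; the event field names (`event_id`, `src_ip`, `target_host`, `user`, `share`) are an assumption about how a SIEM normalises them, the UTF-16LE string search is a defensive choice rather than something the report states, and the file bytes and events are constructed sample data.

```python
"""Triage helpers for the KorDllbot-related SMB worm behaviour described above.

Added example, not code from the report. The indicator strings are the ones
the report quotes; the event layout and sample data are assumptions.
"""
from collections import defaultdict

# Indicator strings quoted in the report.
DROPPER_MARKERS = (b"DGTSIGN", b"www.goog1e.cn")
WORM_USERNAMES = (b"administrator", b"db2admin")
WORM_USERS = {"administrator", "db2admin"}


def _variants(needle: bytes):
    # Windows binaries often carry strings as UTF-16LE as well as ASCII;
    # searching both is a defensive assumption, not something the report states.
    return needle.lower(), needle.decode("ascii").lower().encode("utf-16-le")


def scan_sample(data: bytes) -> dict:
    """Report which indicator strings occur in `data` (case-insensitive).

    Only presence is reported; the sample's internal layout around the
    markers is not described by the report and is not reconstructed here.
    """
    low = data.lower()  # lowercases ASCII bytes only; \x00 bytes are untouched
    result = {}
    for key, needles in (("dropper_markers", DROPPER_MARKERS),
                         ("worm_usernames", WORM_USERNAMES)):
        result[key] = [n.decode("ascii") for n in needles
                       if any(v in low for v in _variants(n))]
    result["dropper_markers_present"] = len(result["dropper_markers"]) == len(DROPPER_MARKERS)
    result["worm_usernames_present"] = len(result["worm_usernames"]) == len(WORM_USERNAMES)
    return result


def find_spray_sources(events, min_targets: int = 3) -> dict:
    """Return {src_ip: summary} for sources that tried the worm's usernames
    (event 4625, logon failure) or touched ADMIN$ (event 5140, share access)
    on at least `min_targets` distinct hosts. Field names are an assumption."""
    per_src = defaultdict(lambda: {"targets": set(), "users": set(), "admin_share_hits": 0})
    for ev in events:
        eid = ev.get("event_id")
        user = (ev.get("user") or "").lower()
        share = (ev.get("share") or "").upper()
        worm_logon = eid == 4625 and user in WORM_USERS
        admin_share = eid == 5140 and share.endswith("ADMIN$")
        if not (worm_logon or admin_share):
            continue
        rec = per_src[ev["src_ip"]]
        rec["targets"].add(ev["target_host"])
        if user:
            rec["users"].add(user)
        if admin_share:
            rec["admin_share_hits"] += 1
    return {
        src: {"targets": sorted(r["targets"]), "users": sorted(r["users"]),
              "admin_share_hits": r["admin_share_hits"]}
        for src, r in per_src.items() if len(r["targets"]) >= min_targets
    }


# Constructed sample file: a fake PE-like blob carrying the indicator strings.
SAMPLE_BYTES = (b"MZ\x90\x00" + b"\x00" * 16 + b"DGTSIGN\x00"
                + "www.goog1e.cn".encode("utf-16-le") + b"\x00\x00"
                + b"Administrator\x00db2admin\x00")

# Constructed events: 10.0.0.5 behaves like the worm (several random targets,
# both usernames, one ADMIN$ access); 10.0.0.9 is a single ordinary admin session.
SAMPLE_EVENTS = [
    {"event_id": 4625, "src_ip": "10.0.0.5", "target_host": "WS-17", "user": "administrator"},
    {"event_id": 4625, "src_ip": "10.0.0.5", "target_host": "WS-17", "user": "db2admin"},
    {"event_id": 4625, "src_ip": "10.0.0.5", "target_host": "WS-42", "user": "administrator"},
    {"event_id": 4625, "src_ip": "10.0.0.5", "target_host": "SRV-03", "user": "db2admin"},
    {"event_id": 5140, "src_ip": "10.0.0.5", "target_host": "SRV-08", "user": "administrator",
     "share": r"\\*\ADMIN$"},
    {"event_id": 5140, "src_ip": "10.0.0.9", "target_host": "SRV-08", "user": "jsmith",
     "share": r"\\*\ADMIN$"},
    {"event_id": 4625, "src_ip": "10.0.0.9", "target_host": "WS-42", "user": "jsmith"},
]

if __name__ == "__main__":
    print(scan_sample(SAMPLE_BYTES))
    for src, summary in find_spray_sources(SAMPLE_EVENTS).items():
        print(src, summary)
```

The string scan is a first-pass triage only: the markers are plain strings and a repacked sample would hide them, so treat a hit as a reason to look closer rather than a verdict. The event hunt keys on the behaviour the report describes (random targets, two fixed usernames, ADMIN$), which survives repacking; the `min_targets` threshold is what separates the worm from a single administrator legitimately using ADMIN$.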
SHA-256                                                            Description
9bc8fe605a4ad852894801271efd771da688d707b9fbe208106917a0796bbfdc   KorDllbot dropper
e0cd4eb8108dab716f3c2e94e6c0079051bfe9c7c2ed4fcbfdd16b4dd1c18d4d   SMB worm