Threat behavior
Worm:Win32/Allaple.A is a multi-threaded, polymorphic network worm capable of spreading to other computers connected to a local area network (LAN) and performing denial-of-service (DoS) attacks against targeted remote Web sites.
When executed, the worm launches several threads that carry out different tasks simultaneously:
DoS attack against a specific IP address
DoS attack against specific Web sites
Infecting open shares across a network
In order to carry out the hard-coded DoS attack against the remote IP address, Worm:Win32/Allaple.A sends an ICMP echo request (ping) and waits for a response. When a response is received, Worm:Win32/Allaple.A initiates a DoS attack by flooding several network ports on that host. In addition, Worm:Win32/Allaple.A attempts DoS attacks against three remote Web sites with a .ee domain suffix.
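The ping-then-flood sequence described above is visible in flow data: one source sends an ICMP echo to a host and then, shortly afterwards, opens flows to many distinct ports on that same host. The following Python is an added example of such a detection heuristic run over constructed flow records; it is not Microsoft's detection logic, and the record format, the 60-second window and the 20-port threshold are assumptions chosen for illustration.

```python
"""Heuristic detection of a ping-then-port-flood pattern in flow records.

Added example (not from the original threat description). The Flow record
layout, the time window and the distinct-port threshold are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float       # seconds since start of capture
    src: str        # source IP
    dst: str        # destination IP
    proto: str      # "icmp", "tcp" or "udp"
    dport: int      # destination port (0 for icmp)


def find_ping_then_flood(flows, window=60.0, min_ports=20):
    """Return the set of (src, dst) pairs where src sent an ICMP echo to dst
    and then, within `window` seconds, opened flows to at least `min_ports`
    distinct destination ports on dst."""
    by_pair = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        by_pair[(f.src, f.dst)].append(f)

    hits = set()
    for pair, recs in by_pair.items():
        for i, r in enumerate(recs):
            if r.proto != "icmp":
                continue
            # Distinct non-ICMP ports touched after this echo, inside the window.
            ports = {x.dport for x in recs[i + 1:]
                     if x.proto != "icmp" and x.ts - r.ts <= window}
            if len(ports) >= min_ports:
                hits.add(pair)
                break  # one qualifying echo is enough for this pair
    return hits


# Constructed sample: 192.0.2.10 pings 203.0.113.5 and then hits 30 ports;
# 192.0.2.20 pings the same host and only opens two ordinary connections.
SAMPLE_FLOWS = (
    [Flow(0.0, "192.0.2.10", "203.0.113.5", "icmp", 0)]
    + [Flow(1.0 + i * 0.1, "192.0.2.10", "203.0.113.5", "tcp", 1000 + i)
       for i in range(30)]
    + [Flow(5.0, "192.0.2.20", "203.0.113.5", "icmp", 0),
       Flow(6.0, "192.0.2.20", "203.0.113.5", "tcp", 80),
       Flow(7.0, "192.0.2.20", "203.0.113.5", "tcp", 443)]
)


if __name__ == "__main__":
    for src, dst in sorted(find_ping_then_flood(SAMPLE_FLOWS)):
        print(f"suspected ping-then-flood: {src} -> {dst}")
```

Keying the search on the echo request first, rather than on port volume alone, keeps the heuristic specific to the behaviour the description gives; lowering `min_ports` shows how quickly the benign second host starts to match, so the threshold needs tuning against real baseline traffic.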
Worm:Win32/Allaple.A seeks other machines across a network, and attempts to gain access in one of two ways:
by exploiting weak logon passwords - Worm:Win32/Allaple.A uses a built-in dictionary attack, testing whether it can connect and log on to remote computers using words from the following list:
www
windows
visitor
test2
password
test1
test
temp
telnet
ruler
remote
real
random
qwerty
public
private
poiuytre
passwd
pass
oracle
nopass
nobody
nick
newpass
new
network
monitor
money
manager
mail
login
internet
install
hello
guest
go
X
demo
default
debug
database
crew
computer
coffee
bin
beta
backup
backdoor
anonymous
anon
alpha
adm
access
abc123
system
sys
super
sql
shit
shadow
setup
security
secure
secret
123456789
12345678
1234567
123456
12345
1234
123
12
1
00000000
0000000
000000
00000
0000
000
00
0
server
asdfgh
root
When Worm:Win32/Allaple.A makes a successful connection, it writes a copy of itself to the C$ administrative share using a randomly generated filename.
Worm:Win32/Allaple.A has a built-in polymorphic engine that changes the worm executable for every infection. The polymorphism is accomplished by encrypting the worm body differently for each infection, producing a different executable and filename each time.
Worm:Win32/Allaple.A writes itself to the infected computer in multiple locations, including folders where HTML files are stored. It then modifies the registry to reference a unique CLSID pointing to this file and modifies the HTML (.htm and .html) files so that this CLSID is invoked when the HTML file is opened.
Worm:Win32/Allaple.A copies itself to the Windows system folder using the filename "urdvxc.exe" or "irdvxc.exe" and modifies the registry to load this copy when Windows is started:
Adds value: ImagePath
With data: <system folder>\<filename> /service
To subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSWindows
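The two host-side indicators above (the MSWindows service whose ImagePath runs urdvxc.exe or irdvxc.exe with /service, and HTML files that reference a CLSID whose registered server sits in the same folder as the HTML) can be checked offline against exported registry data. The Python below is an added example, not code from the original description. It assumes the worm's HTML modification takes the form of an `<object classid="clsid:...">` tag (the description does not show the exact markup), and the service entries, CLSID-to-server map and HTML snippet it scans are constructed samples; the CLSID values are placeholders, not real Allaple identifiers.

```python
"""Offline checks for the Allaple.A persistence and HTML-infection indicators.

Added example, not part of the original description. The registry data and
HTML below are constructed; the <object classid=...> form of the injected
HTML reference is an assumption.
"""
import ntpath
import re

ALLAPLE_FILENAMES = {"urdvxc.exe", "irdvxc.exe"}
ALLAPLE_SERVICE = "mswindows"

# Matches <object ... classid="clsid:{...}"> and captures the CLSID.
OBJECT_CLSID_RE = re.compile(
    r'<object[^>]*\bclassid\s*=\s*["\']?clsid:(\{?[0-9a-f-]{36}\}?)', re.I)


def is_allaple_service(service_name, image_path):
    """True when a service entry matches the described persistence: service
    'MSWindows' whose ImagePath is '<folder>\\urdvxc.exe /service' or
    '<folder>\\irdvxc.exe /service' (case-insensitive)."""
    if service_name.lower() != ALLAPLE_SERVICE:
        return False
    parts = image_path.strip().rsplit(None, 1)   # split off the last argument
    if len(parts) < 2 or parts[1].lower() != "/service":
        return False
    exe = ntpath.basename(parts[0].strip('"')).lower()
    return exe in ALLAPLE_FILENAMES


def suspicious_html_clsids(html_text, html_path, clsid_servers):
    """Return CLSIDs referenced from html_text whose registered COM server
    lives in the same folder as the HTML file itself.  clsid_servers maps
    lower-case '{clsid}' -> server path (a constructed stand-in for the
    InprocServer32/LocalServer32 values under HKCR\\CLSID)."""
    html_dir = ntpath.dirname(html_path).lower()
    hits = []
    for m in OBJECT_CLSID_RE.finditer(html_text):
        clsid = "{" + m.group(1).strip("{}").lower() + "}"
        server = clsid_servers.get(clsid)
        if server and ntpath.dirname(server).lower() == html_dir:
            hits.append(clsid)
    return hits


# Constructed registry export: one matching service, one benign one.
SAMPLE_SERVICES = {
    "MSWindows": r"C:\WINDOWS\system32\urdvxc.exe /service",
    "Spooler": r"C:\WINDOWS\system32\spoolsv.exe",
}

# Constructed CLSID -> server map (placeholder CLSIDs, not real ones).
SAMPLE_CLSID_SERVERS = {
    "{aaaaaaaa-0000-0000-0000-000000000001}": r"C:\Inetpub\wwwroot\qzkrmnp.exe",   # beside the HTML
    "{bbbbbbbb-0000-0000-0000-000000000002}": r"C:\WINDOWS\system32\benign.ocx",  # normal location
}

SAMPLE_HTML_PATH = r"C:\Inetpub\wwwroot\index.html"
SAMPLE_HTML = (
    "<html><body><p>site</p>"
    '<object classid="clsid:{AAAAAAAA-0000-0000-0000-000000000001}"></object>'
    '<object classid="clsid:{BBBBBBBB-0000-0000-0000-000000000002}"></object>'
    "</body></html>"
)


def scan(services, html_path, html_text, clsid_servers):
    """Run both checks and return the matching service names and CLSIDs."""
    return {
        "services": [n for n, p in services.items() if is_allaple_service(n, p)],
        "clsids": suspicious_html_clsids(html_text, html_path, clsid_servers),
    }


if __name__ == "__main__":
    print(scan(SAMPLE_SERVICES, SAMPLE_HTML_PATH, SAMPLE_HTML, SAMPLE_CLSID_SERVERS))
```

The CLSID check deliberately does not depend on knowing the worm's CLSID, which the description says is unique per infection: a COM server registered from a web-content folder is the anomaly, whatever its identifier.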
Prevention