Worm:Win32/Narilam.A

Worm:Win32/Narilam.A is a worm that spreads via removable drives and shared folders on the network. The worm attempts to modify or delete information in certain SQL databases.

Installation

When run, Worm:Win32/Narilam.A drops itself as "lssas.exe" into the <system folder>.

Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is "C:\WinNT\System32"; and for XP, Vista, 7, and 8 it is "C:\Windows\System32".

Worm:Win32/Narilam.A modifies the following registry entry to ensure that its copy runs at each Windows start:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "LssaShellEx"
With data: "<system folder>\lssas.exe -reg"

Spreads via...

Removable drives

Worm:Win32/Narilam.A may copy itself as "DATA.exe" to the root folder of all available removable drives.

System startup of networked computers

Worm:Win32/Narilam.A attempts to run the command "net.exe view" to receive a list of all networked computers that your computer has previously accessed. The worm then drops a copy of itself as "DATA.exe" into the following locations in those network-accessible computers:

• C:\Documents and Settings\All Users\Start Menu\Programs\Startup
• D:\Documents and Settings\All Users\Start Menu\Programs\Startup
• C:\Documents and Settings\userStart Menu\Programs\Startup
• D:\Documents and Settings\user\Start Menu\Programs\Startup

Copying itself to these locations ensures that the worm runs at each Windows start on those network-accessible computers.

After it has installed itself on the computer, the worm attempts to delete its dropped copy "DATA.exe", along with the folders it's located in, possibly in an attempt to ensure that, once infected, a computer will only run the worm once from these locations.

Payload

Modifies SQL database records

Worm:Win32/Narilam.A attempts to access certain SQL databases that are stored on a server.

In folders that contain these files, it drops a copy of itself as "BACKUP.exe" and checks for the following files which may contain information about the server in which the database is stored:

• Data\Options.ini
• servername.dbf
• ServerName_XP.DB

It uses this information to access the following SQL databases by utilizing Windows Authentication, which allows the currently logged-on user to connect to the server without being prompted for a user name or password:

• amin
• maliran
• shahd

Upon access, Worm:Win32/Narilam.A may attempt to perform the following actions in the database:

• Delete records
• Update records
• Drop record tables (delete all record tables in the database)

Analysis by Edgardo Diaz and Jonathan San Jose