Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Allaple.a Internet/lan Worm - Highly Polymorphic With Password Attack


  • Please log in to reply
No replies to this topic

#1 harrywaldron

harrywaldron

    Security Reporter


  • Members
  • 509 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Roanoke, Virginia
  • Local time:06:48 AM

Posted 07 December 2006 - 01:14 PM

Allaple is a powerful polymorphic LAN and Internet worm. It uses a number of exploits to spread and performs a dictionary attack on network share passwords. The worm copies itself multiple times to a hard drive and also affects HTML files. In addition the worm performs a DoS (Denial of Service) attack on a few websites.

The worm's file is polymorphically encrypted. It means that every copy of the worm is different from each other. The constant part is only the size of the worm's executable file - 57856 bytes. After the worm's file is run it goes through the polymorphic decryptor and then proceeds to the static part of the code that allocates a memory buffer and extracts the main worm's code into it. Then the control is passed directly to the extracted worm's code.

After getting control, the worm creates a few threads. One thread scans for vulnerable computers (on TCP ports 139 and 445) and sends exploits there in order to infect them. The worm also tries to bruteforce network share passwords by performing a dictionary attack on them. The following TCP ports used during the DoS attack: 22, 80, 97, 443


While this new worm may not be widespread, it features some advanced designs. In particular, the polymorphic encryption feature could make this one difficult for AV vendors to detect.

Allaple.A Internet/LAN worm - Highly polymorphic with Password attack
http://secunia.com/virus_information/34550/allaple.a/
http://www.f-secure.com/v-descs/allaple_a.shtml

BC AdBot (Login to Remove)

 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users