VIRUS ALERTS

Allaple Worm

Original issue date: December 08, 2006

A polymorphic network worm called Allaple has been observed propagating in the wild to carry out DoS (Denial of Service) attacks on a few websites. The worm propagates through dictionary attacks on password-protected network shares and exploits some vulnerability. It also searches for .html and .htm files on the local hard disks to infect them. High traffic on ports 139/445 may be an indication of infected systems on the LAN.

  • The worm uses random names to drop multiple copies of itself on the system, as:
    • jbnshhqj.exe
    • bzehxvnz.exe
    • hwexrtne.exe
    • jjlenkbt.exe
    • tsbjbtvn.exe

  • It uses the following passwords in dictionary attacks to gain access to network shares:
    • Admin
    • root
    • asdfgh
    • password
    • 00
    • 000
  • It targets the following websites for DoS attacks, with no C&C (Control and Communication) server:
    • www.online.if.ee
    • www.if.ee
    • www.starman.ee
  • The following ports are used for the DoS attack:
    • 22
    • 80
    • 97
    • 443

Users are advised to implement the following countermeasures:

  • Monitor traffic on ports 139/445 for any abnormalities.
  • Keep anti-virus signatures up to date.
  • Apply appropriate security updates at the OS level and application level.
  • Exercise caution while visiting untrusted websites and opening email attachments.
  • Search the systems for the .exe files mentioned above and delete them if found.
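
One way to act on the first countermeasure, shown as an added example that is not part of the original advisory: a small script that flags LAN hosts contacting an unusually large number of distinct peers on TCP 139/445 within a short time bucket. The flow record format, the sample records, and the 60-second window and 20-host threshold are assumptions to adapt to the local firewall or NetFlow export.

```python
"""Flag LAN hosts fanning out to many peers on TCP 139/445 (possible worm scanning)."""
from collections import defaultdict

SMB_PORTS = {139, 445}  # the ports the advisory says to monitor

# Constructed sample flow records: "epoch_seconds src_ip dst_ip dst_port".
# This record format is an assumption; adapt parse_flow() to your own export.
SAMPLE_FLOWS = "\n".join(
    [f"{1200 + i} 10.0.0.23 10.0.1.{i + 1} {445 if i % 2 else 139}" for i in range(40)]
    + ["1205 10.0.0.7 10.0.0.2 445",     # workstation to file server, normal
       "1210 10.0.0.7 10.0.0.2 445",
       "1212 10.0.0.8 10.0.0.2 139",
       "1215 10.0.0.8 203.0.113.5 443",  # not an SMB port, ignored
       "garbage line"]                   # malformed, skipped
)

def parse_flow(line):
    """Return (ts, src, dst, dport), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return int(parts[0]), parts[1], parts[2], int(parts[3])
    except ValueError:
        return None

def smb_fanout(flow_text, window=60, threshold=20):
    """Map src -> largest number of distinct 139/445 destinations seen in any
    fixed `window`-second bucket, for sources reaching `threshold`.
    Both defaults are assumed values; tune them per network."""
    buckets = defaultdict(set)  # (src, bucket index) -> set of destinations
    for line in flow_text.splitlines():
        rec = parse_flow(line)
        if rec is None or rec[3] not in SMB_PORTS:
            continue
        ts, src, dst, _ = rec
        buckets[(src, ts // window)].add(dst)
    worst = defaultdict(int)
    for (src, _), dsts in buckets.items():
        worst[src] = max(worst[src], len(dsts))
    return {src: n for src, n in worst.items() if n >= threshold}

if __name__ == "__main__":
    for src, n in smb_fanout(SAMPLE_FLOWS).items():
        print(f"{src}: {n} distinct hosts on 139/445 within one window")
```

Hosts that legitimately talk to many SMB peers, such as backup or management servers, should be excluded before alerting on the result.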

Reference

http://www.f-secure.com/v-descs/allaple_a.shtml

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003