W32.Manifest.Trojan

SUMMARY

W32.Manifest.Trojan is a Trojan horse that installs an FTP server, a monitoring program, and a mail server on the infected computer.

W32.Manifest.Trojan is currently being distributed through the KaZaA file-sharing network as a XVID codec.

Protection

• Virus Definitions (LiveUpdate™ Weekly) November 26, 2002
• Virus Definitions (Intelligent Updater) November 26, 2002

Threat Assessment

Wild

• Wild Level: Low
• Number of Infections: 0 - 49
• Number of Sites: 0 - 2
• Geographical Distribution: Low
• Threat Containment: Easy
• Removal: Easy

Damage

• Damage Level: Low
• Payload: Gives unrestricted remote access to the computer

Distribution

• Distribution Level: Low

TECHNICAL DETAILS

When W32.Manifest.Trojan is executed, it does the following:

1. Creates these files:

• Wssdsu.exe *
• Wssdsup.exe
• Wssdtu.exe
• Wsys.exe *
• Wsys.dll *
• Bigfoot.bmp *
• Infospbz.bmp *
• Infospce.bmp *
• Swtchbrd.bmp *
• Verisign.bmp *
• Whowhere.bmp *
• Yahoo.bmp *
• Serv-u.ini
• Starr.ini *
• Slog.sys
  
  in the folder, %ProgramFiles%Common FilesServices.
  

NOTES:

• The %Program Files%Common FilesServices folder is created by default when you install Internet Explorer, and thus, will already exist on most computers. However, if it does not exist, the Trojan will create it.
• The %Program Files%Common FilesServices folder may contain other files than those added by the Trojan; this folder will contain other files if Internet Explorer is installed. Only the files added by the Trojan should be deleted.
  

2. Creates these files:

• See32.dll *
• See32u.dll *
• See32z.dll *

in the %Windir% folder.

NOTES:

• %ProgramFiles% is a variable. The Trojan locates the Program Files folder, which, by default is C:Program Files. And, the Trojan creates the Services folder under the Common Files subfolder in that location.
• %Windir% is a variable. The Trojan locates the Windows installation folder (by default, this is C:Windows or C:Winnt) and copies the files to that location.
• The files marked with * are commercial or publicly available programs. They are not infected, so Symantec antivirus products do not detect them as such. For example:
  • Wwssdsu.exe and all the .bmp files are parts of the FTP server program, Serv-U.
  • Wsys.exe, Wsys.dll, and Starr.ini are parts of the iOpus STARR PC and Internet Monitoring program.
  • See32.dll is an SMTP email engine from MarshallSoft.
  • See32u.dll and See32z.dll are parts of a distributable freeware, unzip and zip .dll package.

3. Finally, W32.Manifest.Trojan adds the values:

Enumerate Service C:Program FilesCommon FilesServiceswsys.exe

Folder Service C:Program FilesCommon FilesServiceswssdtu.exe

to the registry key:

HKEY_LOCAL_MACHINESOFTWARESoftwareMicrosoftWindowsCurrentVersionRun


and the value:

Serv-U C:Program FilesCommon FilesServiceswssdsu.exe

to the registry key :

HKEY_LOCAL_MACHINESOFTWARESoftwareMicrosoftWindowsCurrentVersionRunServices

The Trojan sets the FTP server to listen on port 20.

During execution, the Trojan tries to FTP the user and system information to the Web page, home.pi.be.

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

• Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.
• If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
• Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed.). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
• Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
• Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
• Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
• Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

REMOVAL

NOTE: These instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Update the virus definitions.
   Restart the computer in Safe mode.
2. Run a full system scan and delete all the files detected as W32.Manifest.Trojan.
3. Reverse the changes that the Trojan made to the registry.
4. Optional: Delete the legitimate program files that were copied to your computer.

For specific details on each of these steps, read the following instructions.

1. Updating the virus definitions
Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:

• Running LiveUpdate, which is the easiest way to obtain virus definitions: These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to the Virus Definitions (LiveUpdate).
• Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted on U.S. business days (Monday through Friday). You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to the Virus Definitions (Intelligent Updater).
  
  The Intelligent Updater virus definitions are available here. For detailed instructions on how to download and install the Intelligent Updater virus definitions from the Symantec Security Response Web site, click here.

2. Scanning for and deleting the infected files

1. Start your Symantec antivirus program and make sure that it is configured to scan all the files.
   • For Norton AntiVirus consumer products: Read the document, "How to configure Norton AntiVirus to scan all files."
   • For Symantec AntiVirus Enterprise products: Read the document, "How to verify that a Symantec Corporate antivirus product is set to scan All Files."
2. Run a full system scan.
3. If any files are detected as infected with W32.Manifest.Trojan, click Delete

3. Reversing the changes made to the registry

CAUTION: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.

1. Click Start, and then click Run. (The Run dialog box appears.)
2. Type regedit, and then click OK. (The Registry Editor opens.)
3. Navigate to the key:
   
   HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun
   
4. In the right pane, delete the values:
   
   Enumerate Service C:Program FilesCommon FilesServiceswsys.exe
   
   Folder Service C:Program FilesCommon FilesServiceswssdtu.exe
   
5. Navigate to the key:
   
   HKEY_LOCAL_MACHINESOFTWARESoftwareMicrosoftWindowsCurrentVersionRunServices
   
6. In the right pane, delete the value:
   
   Serv-U C:Program FilesCommon FilesServiceswssdsu.exe
   
7. Exit the Registry Editor.

4. Optional: Deleting the legitimate program files copied to the computer
Using Windows Explorer, delete these files:

NOTE: Do not delete the %ProgramFiles%Common FilesServices folder.

• %ProgramFiles%Common FilesServicesWssdsu.exe
• %ProgramFiles%Common FilesServicesWsys.exe
• %ProgramFiles%Common FilesServicesWsys.dll
• %ProgramFiles%Common FilesServicesBigfoot.bmp
• %ProgramFiles%Common FilesServicesInfospbz.bmp
• %ProgramFiles%Common FilesServicesInfospce.bmp
• %ProgramFiles%Common FilesServicesSwtchbrd.bmp
• %ProgramFiles%Common FilesServicesVerisign.bmp
• %ProgramFiles%Common FilesServicesWhowhere.bmm
• %ProgramFiles%Common FilesServicesYahoo.bmp
• %ProgramFiles%Common FilesServicesStarr.ini2.dll
• %Windir%See32.dll
• %Windir%See32u.dll
• %Windir%See32z.dll