W95.Sma

SUMMARY

W95.Sma is an oligomorphic stealth virus which affects Windows 9x environments. It is network-aware and has a payload that runs arbitrary code that originates from a specific IP address.

Protection

• Virus Definitions (LiveUpdate™ Weekly) June 12, 2002
• Virus Definitions (Intelligent Updater) June 6, 2002

TECHNICAL DETAILS

W95.Sma is the first stable stealth virus to run on Windows 9x-based systems. (W95.Zerg, the previous attempt at stealth by virus writers in this environment, had errors and crashed very quickly.)

When W95.Sma is run on Windows 9x-based computers, it switches to ring0 context and hooks the calls to the file system. Then it infects files when they are accessed. When the virus is resident it attempts to hide all modifications made to the files when they are read. It generally succeeds in doing so.

The virus contains a routine that listens on port 53357 and accepts any incoming data that are sent to it. After the data are accepted, the virus executes these data in ring0 context.

The text "NetSt0rm 1.0" is encrypted into the body of the virus. This suggests that the backdoor functionality might be used by the virus author to perform a Distributed Denial Of Service attack through the infected hosts.

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

• Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.
• If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
• Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed.). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
• Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
• Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
• Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
• Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

REMOVAL

To remove this virus:

1. Update the virus definitions.
2. Boot the computer from a clean boot disk.
3. Run the Norton AntiVirus DOS scanner. Delete all files that are detected as W95.Sma and replace them with backup copies.

For details on how to do this, read the following instructions.

To obtain the most recent virus definitions:
There are two ways to do this:

• Run LiveUpdate. LiveUpdate is the easiest way to obtain virus definitions. These virus definitions have undergone full quality assurance testing by Symantec Security Response and are posted to the LiveUpdate servers one time each week (usually Wednesdays) unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, look at the Virus Definitions (LiveUpdate) line at the top of this write-up.
• Download the definitions using the Intelligent Updater. Intelligent Updater virus definitions have undergone full quality assurance testing by Symantec Security Response. They are posted on U.S. business days (Monday through Friday). They must be downloaded from the Symantec Security Response Web site and installed manually. To determine whether definitions for this threat are available by the Intelligent Updater, look at the Virus Definitions (Intelligent Updater) line at the top of this write-up.
  
  Intelligent Updater virus definitions are available here. For detailed instructions on how to download and install the Intelligent Updater virus definitions from the Symantec Security Response Web site, click here.

To boot the computer from a boot disk:

1. Shut down Windows, turn off the power, and then wait 30 seconds. Do not simply press the reset button.
2. Insert a DOS boot disk or Windows Startup disk, which you know to be uninfected, into the floppy disk drive.
3. Restart the computer. It will boot to a command prompt.

To run the Norton AntiVirus DOS scanner:

1. At the A:> command prompt, type the following commands, and press Enter after each one:
   
   c:
   dir /s /b avdx.exe
   
   This changes to drive C and displays the path to the Norton AntiVirus DOS scanner. If NAV is installed on a different drive, then change to the root of that drive first. The default is C:Program FilesNorton AntiVirus.
   
2. Change to the folder that contains Navdx.exe. You must use short file names. For example, if NAV is installed to C:Program FilesNorton AntiVirus, then type the following:
   
   cd program~1 orton~1
   
3. Type the following command:
   
   navdx /a /doallfiles /delete [Enter]
   
   This will delete any files that are detected as infected with W95.Sma. Restore deleted files from a clean backup; if they are program files, reinstall the programs.
   
   CAUTION: This could take several hours or more on some computers. Do not attempt to stop the scan after it has started.