
Golten Alert

infectionvectors.com

November 2004

 

Vectors:                Email / file shares with weak passwords / EMF vulnerability in Windows (MS04-032)

 

Impact:                  Medium (Trojan/Proxy established by worm; low distribution)

 

Golten (the name used by CA and Trend Micro; F-Secure calls it Aler) is a worm with an interesting propagation routine. It was initially mass-mailed to users but does not send further messages to spread (apart from recipients forwarding the legitimate-looking pictures on to others). The email message looks like this:

 

Subject:        Latest News about Arafat !!!

Attachments:    arafat_1.emf, arafat_2.emf

Message Body:
                Hello Guys,

                Latest News about Arafat!

                Unimaginable!!!!!!

The attachment “arafat_1.emf” is simply a picture; “arafat_2.emf”, however, contains exploit code aimed at machines that do not have the “Security Update for Microsoft Windows” patch (MS04-032, KB 840987), which fixed the EMF rendering vulnerability. On an unpatched box the user does not have to run anything: opening the image so that Windows renders it is enough to trigger the overflow. This is the first worm to use that flaw to inject malicious code onto a machine.
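Because the hostile attachment is a malformed metafile rather than an executable, a mail relay or desktop scanner can at least refuse EMF attachments that are not structurally sound. The following is an added example, not code from the original alert or from any vendor product: it parses the 88-byte EMF header and walks the record stream, rejecting files whose record sizes do not add up. It makes no claim to recognise the MS04-032 exploit specifically; the sample files it builds are constructed for the example.

```python
"""Structural sanity check for EMF attachments (added example, not part of
the original infectionvectors.com alert).  It parses the EMF header and
walks every record, refusing files whose sizes are inconsistent.  This is
a generic "is it even a well-formed metafile" gate, not a signature for
the MS04-032 exploit."""
import struct

EMR_HEADER = 1                    # iType of the first record in every EMF file
EMR_EOF = 14                      # iType of the terminating record
ENHMETA_SIGNATURE = 0x464D4520    # " EMF", stored little-endian at header offset 40
HEADER_SIZE = 88                  # base EMR_HEADER record size

def check_emf(data: bytes) -> tuple[bool, str]:
    """Return (ok, reason).  ok is False for anything that is not a
    well-formed EMF record stream."""
    if len(data) < HEADER_SIZE:
        return False, f"shorter than the {HEADER_SIZE}-byte EMF header"
    itype, _nsize = struct.unpack_from("<II", data, 0)
    if itype != EMR_HEADER:
        return False, "first record is not EMR_HEADER"
    if struct.unpack_from("<I", data, 40)[0] != ENHMETA_SIGNATURE:
        return False, "missing ENHMETA_SIGNATURE"
    nbytes, nrecords = struct.unpack_from("<II", data, 48)
    if nbytes != len(data):
        return False, f"header nBytes {nbytes} != file size {len(data)}"
    # Walk the records: each is at least 8 bytes, DWORD aligned, inside the file.
    off, count, rtype = 0, 0, None
    while off < len(data):
        if len(data) - off < 8:
            return False, f"truncated record at offset {off}"
        rtype, rsize = struct.unpack_from("<II", data, off)
        if rsize < 8 or rsize % 4 or off + rsize > len(data):
            return False, f"record {count} (type {rtype}) has bad size {rsize}"
        off += rsize
        count += 1
        if rtype == EMR_EOF:
            break
    if rtype != EMR_EOF:
        return False, "no EMR_EOF record"
    if count != nrecords:
        return False, f"header nRecords {nrecords} != {count} records walked"
    if off != len(data):
        return False, "trailing data after EMR_EOF"
    return True, "ok"

# Constructed test data (assumptions for the example, not real-world files).
EOF_RECORD = struct.pack("<IIIII", EMR_EOF, 20, 0, 16, 20)   # nPalEntries, offPalEntries, nSizeLast
OVERSIZED_RECORD = struct.pack("<II", 4, 0x7FFFFFFC)         # 8 bytes that claim to be ~2 GB

def build_sample_emf(records: list[bytes]) -> bytes:
    """Build a minimal EMF: a valid 88-byte header followed by `records`."""
    body = b"".join(records)
    total = HEADER_SIZE + len(body)
    hdr = struct.pack("<II", EMR_HEADER, HEADER_SIZE)
    hdr += struct.pack("<4i", 0, 0, 99, 99)            # rclBounds (device units)
    hdr += struct.pack("<4i", 0, 0, 2646, 2646)        # rclFrame (0.01 mm units)
    hdr += struct.pack("<IIII", ENHMETA_SIGNATURE, 0x10000, total, 1 + len(records))
    hdr += struct.pack("<HH", 1, 0)                    # nHandles, sReserved
    hdr += struct.pack("<III", 0, 0, 0)                # nDescription, offDescription, nPalEntries
    hdr += struct.pack("<ii", 1024, 768)               # szlDevice
    hdr += struct.pack("<ii", 320, 240)                # szlMillimeters
    assert len(hdr) == HEADER_SIZE
    return hdr + body

if __name__ == "__main__":
    print(check_emf(build_sample_emf([EOF_RECORD])))                   # (True, 'ok')
    print(check_emf(build_sample_emf([OVERSIZED_RECORD, EOF_RECORD])))  # rejected
    print(check_emf(b"GIF89a" + b"\0" * 100))                          # rejected
```

The check is deliberately strict about sizes because every record's nSize is trusted by the renderer; a record that claims more bytes than the file holds is exactly the kind of input a parser should never be handed. Use it in addition to, not instead of, deploying the patch.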

 

Once the exploit runs, the worm unpacks a dropper (“SP00LSV.EXE”, named to resemble the legitimate print spooler spoolsv.exe, with zeros in place of the letter O), which copies itself, the backdoor component, and the file-share propagation mechanism to the local machine. Once running, Golten picks addresses at random and tries to log on to Windows machines there, first with the credentials of the user of the infected box and then with a short password list that it carries.
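From the network's side, the propagation routine just described leaves a distinctive trace: one source host producing a burst of failed logons against many destinations, cycling through a couple of account names. The following detection logic is an added example (not code from the original alert) run over a constructed, simplified logon log; the line format is invented for the example and is not the real Windows event-log format, so adapt parse_line() to whatever your collector emits.

```python
"""Flag hosts spraying credentials at file shares the way Golten does
(added example, not code from the original alert).  The log format here is
constructed for the example: "timestamp status src dst account"."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 10.1.2.7 behaves like an infected box, 10.1.2.88 like
# a user who mistyped a password twice and then got in.
SAMPLE_LOG = """\
2004-11-12T09:00:01 FAIL 10.1.2.7 10.1.5.40 jsmith
2004-11-12T09:00:01 FAIL 10.1.2.7 10.1.5.40 administrator
2004-11-12T09:00:02 FAIL 10.1.2.7 10.1.5.40 administrator
2004-11-12T09:00:02 FAIL 10.1.2.7 192.168.3.9 jsmith
2004-11-12T09:00:03 FAIL 10.1.2.7 172.16.8.21 administrator
2004-11-12T09:00:03 FAIL 10.1.2.7 172.16.8.21 administrator
2004-11-12T09:00:04 OK   10.1.2.7 10.1.5.41 jsmith
2004-11-12T09:00:05 FAIL 10.1.2.7 10.1.9.3 administrator
2004-11-12T09:03:00 FAIL 10.1.2.88 10.1.5.40 mjones
2004-11-12T09:03:04 FAIL 10.1.2.88 10.1.5.40 mjones
2004-11-12T09:03:30 OK   10.1.2.88 10.1.5.40 mjones
"""

def parse_line(line: str):
    """Split one constructed log line into (timestamp, failed?, src, dst, account)."""
    ts, status, src, dst, account = line.split()
    return datetime.fromisoformat(ts), status == "FAIL", src, dst, account

def find_sprayers(log_text: str, window: timedelta = timedelta(seconds=60),
                  min_failures: int = 5, min_targets: int = 3) -> dict:
    """Return {src: {"failures", "targets", "accounts"}} for every source whose
    failed logons inside some `window` reach min_failures and touch at least
    min_targets distinct destinations.  Requiring several targets, not just
    several failures, keeps a single user fat-fingering one password out."""
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, failed, src, dst, account = parse_line(line)
        if failed:
            per_src[src].append((ts, dst, account))

    flagged = {}
    for src, events in per_src.items():
        events.sort()
        for i, (t0, _, _) in enumerate(events):
            burst = [e for e in events[i:] if e[0] - t0 <= window]
            targets = {dst for _, dst, _ in burst}
            if len(burst) >= min_failures and len(targets) >= min_targets:
                flagged[src] = {"failures": len(burst), "targets": targets,
                                "accounts": {acct for _, _, acct in burst}}
                break   # one verdict per source is enough
    return flagged

if __name__ == "__main__":
    for src, info in find_sprayers(SAMPLE_LOG).items():
        print(f"{src}: {info['failures']} failures against {len(info['targets'])} hosts "
              f"using accounts {sorted(info['accounts'])}")
```

The same shape of rule works on real Windows failed-logon events once parse_line() extracts the source workstation, the target and the account name; tune min_failures to the length of the password list you expect (Golten's is short, so keep the threshold low) and whitelist vulnerability scanners that legitimately do this.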

 

For the password list that Golten uses, see this file. It is much shorter than the generic lists seen in some of the bot variants; for the lists used in some copies of Agobot, check here and here.

 

Golten offers security administrators several lessons in one viral package: test and deploy patches quickly (MS04-032 was released in October 2004, a month before this worm appeared), audit shares (especially the default administrative shares) regularly for weak passwords, and teach users to treat unexpected mail with attachments as suspect, even when the attachment is “just a picture”.

 

Copyright © 2004 infectionvectors.com. All rights reserved.