Destructive malware - a closer look at an SMB worm tool

19 January 2015


By Christopher Doman

On 19 December 2014 US-CERT released alert TA14-353A, relating to seven tools used to target a major entertainment company.

Some of these, such as the "Network Propagation Wiper", have been well described before. Less well known, however, is the SMB Worm Tool, which US-CERT describes as follows:

“SMB Worm Tool: This worm uses a brute force authentication attack to propagate via Windows SMB shares. It connects home every five minutes to send log data back to command and control (C2) infrastructure if it has successfully spread to other Windows hosts via SMB port 445. The tool also accepts new scan tasking when it connects to C2. There are two main threads: the first thread calls home and sends back logs (a list of successful SMB exploitations), and the second thread attempts to guess passwords for SMB connections. If the password is correctly guessed, a file share is established and a file is copied and run on the newly-infected host.”


The US-CERT alert doesn't contain file hashes (only import hashes), which makes directly identifying particular samples more difficult. However, one file closely matches the signature given for the SMB Worm Tool:

Original Filename: SVCH0ST.EXE

MD5: 61bf45be644e03bebd4fbf33c1c14be2

Compilation Timestamp: 2014-10-16 05:00:56

Uploaded to VirusTotal: 2014-12-19 20:19:38 (from the US)

Mutex: Global\FwtSqmSession106829323_S-1-5-19

Resources: Korean

This sample (SVCH0ST.EXE) contains the fairly unique mutex listed in the US-CERT alert. It also contains another string from the alert ("EVERYONE") and a "leet speak" string that is similar, but not identical, to the one in the alert:

 SVCH0ST.EXE: [email protected]!llyid!07,ou74n60u7f001

 US-CERT alert: [email protected]!11yid60u7f!07ou74n001


Inspection of SVCH0ST.EXE shows that it contains the functionality required for an SMB worm. Whilst this isn't the exact sample referenced by US-CERT, it appears to be closely related, most likely a different build of the same tool.

SMB Worms

The basic concept of an SMB worm is similar to that of the original Morris worm from 1988: guess credentials for a neighbouring host, copy yourself across, and execute. A SANS paper from 2001 describes the typical operation of an SMB worm. A typical SMB worm:

  • Uses a password dictionary to attempt authentication to remote network shares;
  • Copies itself over to the victim system via the network share; and,
  • Remotely executes itself on the victim system, for example via psexec or remotely scheduled tasks.


The sample SVCH0ST.EXE contains functionality for each of these steps:

  • Brute forcing authentication to network shares using a dictionary of passwords;
  • Copying itself to the administrative share (Admin$) on the victim, which maps to the Windows directory; and,
  • Executing itself on the victim via a remotely scheduled task, using the NetScheduleJobAdd API (the same API the "at" command uses).

In evidence that attackers really do read industry reports, the first ten passwords in the dictionary used to brute force access to network shares are the top ten passwords from Trustwave's 2014 Business Password Analysis.

Command Line Parameters

-i: Installs the malware and initiates network connectivity.

The malware copies itself to "System\Svchost.exe", then writes the following to the file "msvcr.bat":

 @echo off
 :D1
 del /a %1
 if exist %1 goto D1
 del /a %0

This batch file is then executed with "cmd /c msvcr.bat {malware.exe}". The "del /a" deletes the original file regardless of its attributes (hidden or read-only), and the "goto D1" loop keeps retrying until the file is gone, which only succeeds once the original process has exited and released its lock on the file. The final line deletes the batch file itself, so neither the original dropper nor the batch file is left on disk; only the copy in "System\Svchost.exe" remains.

-s: Initiates network connectivity without the install step above.

Mitigation Options

There are a number of potential mitigations against this type of threat:

  • Consider employing the key mitigation strategies against targeted intrusions (such as application whitelisting) set out in ASD's Strategies to Mitigate Targeted Cyber Intrusions;
  • Prevent the success of dictionary attacks on network shares by enforcing strong password policies, and in particular by blocking the commonly used passwords published in reports such as Trustwave's, since those are exactly what this dictionary starts with;
  • Auditing failed network logons (Event ID 4625 with logon type 3, which is what a failed SMB authentication produces) is good practice and will alert in this case, as the worm generates a burst of failures from a single source host;
  • We see a number of threat actors employing remotely scheduled tasks in order to move laterally across networks. Typically this is done by attackers at a command prompt using the "at" command; however, as seen here, malware can use the same trick via the underlying API. Auditing scheduled task creation on servers and workstations makes this visible; and,
  • The original SANS article on SMB worms suggests disabling the Task Scheduler service as an option to limit the ability of worms to spread; however, on Windows 7 and later doing so can prevent required Windows Updates. Remote task scheduling can instead be limited through firewall settings (the RPC ports used for remote scheduled task management), where appropriate.
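The second and fourth mitigations above (auditing failed network logons, and watching for remotely created scheduled tasks) can be combined into one detection that mirrors the worm's own sequence: a burst of failed SMB logons from one source, a success, then a scheduled task created under the session that succeeded. The following is an added example written for this post; it is not PwC's code and not taken from the worm. It assumes Security log events have been exported as one JSON object per line carrying the standard event fields (EventID, TimeCreated, IpAddress, TargetUserName, LogonType, TargetLogonId for 4624, SubjectLogonId and TaskName for 4698), that logon auditing and "Other Object Access Events" auditing (which produces 4698) are enabled, and that ten failures in five minutes is an acceptable threshold for the environment; all of those are assumptions to be tuned. The sample log is constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 10            # failed network logons from one source ...
WINDOW = timedelta(minutes=5)  # ... within this window raise an alert

# Constructed sample log (not real telemetry): 10.0.0.5 sprays a dictionary
# at three accounts, gets in as Administrator, and creates an AT job; the
# 4698 is tied to the 4624 by logon ID, as in the real events.  10.0.0.9 is
# a user mistyping a password twice and must not alert.
SAMPLE_LOG = "\n".join(
    [json.dumps({"EventID": 4625, "TimeCreated": f"2015-01-19T09:00:{i:02d}",
                 "IpAddress": "10.0.0.5", "TargetUserName": f"user{i % 3}",
                 "LogonType": 3}) for i in range(12)]
    + [json.dumps({"EventID": 4624, "TimeCreated": "2015-01-19T09:00:30",
                   "IpAddress": "10.0.0.5", "TargetUserName": "Administrator",
                   "LogonType": 3, "TargetLogonId": "0x3e7a1"}),
       json.dumps({"EventID": 4698, "TimeCreated": "2015-01-19T09:00:31",
                   "SubjectLogonId": "0x3e7a1", "TaskName": "\\At1"}),
       json.dumps({"EventID": 4625, "TimeCreated": "2015-01-19T09:01:00",
                   "IpAddress": "10.0.0.9", "TargetUserName": "alice",
                   "LogonType": 3}),
       json.dumps({"EventID": 4625, "TimeCreated": "2015-01-19T09:01:05",
                   "IpAddress": "10.0.0.9", "TargetUserName": "alice",
                   "LogonType": 3})])


def parse_events(text):
    """One JSON event per line; returns them sorted by TimeCreated."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for event in events:
        event["_ts"] = datetime.fromisoformat(event["TimeCreated"])
    return sorted(events, key=lambda event: event["_ts"])


def analyse(text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return one alert per offending source IP.

    kind is 'brute_force' once a source reaches `threshold` failed network
    logons (4625, LogonType 3) inside `window`, and is upgraded to
    'lateral_movement' when a later successful network logon (4624) from
    that source is followed by a scheduled-task creation (4698) under the
    same logon session, which is what a remote NetScheduleJobAdd produces.
    """
    failures = defaultdict(list)  # source -> timestamps of recent 4625s
    accounts = defaultdict(set)   # source -> account names guessed
    alerts = {}                   # source -> alert dict
    sessions = {}                 # logon ID of a 4624 -> flagged source
    for event in parse_events(text):
        eid, ts, src = event["EventID"], event["_ts"], event.get("IpAddress")
        if eid == 4625 and event.get("LogonType") == 3:
            # Slide the window: keep only failures newer than ts - window.
            recent = [t for t in failures[src] if t >= ts - window] + [ts]
            failures[src] = recent
            accounts[src].add(event.get("TargetUserName"))
            if len(recent) >= threshold:
                alert = alerts.setdefault(src, {"source": src,
                                                "kind": "brute_force",
                                                "account": None, "task": None})
                alert["failures"] = len(recent)
                alert["accounts"] = sorted(accounts[src])
        elif eid == 4624 and event.get("LogonType") == 3 and src in alerts:
            # Success straight after a spray: remember the session so that a
            # task created under it can be tied back to this source.
            sessions[event.get("TargetLogonId")] = src
            alerts[src]["account"] = event.get("TargetUserName")
        elif eid == 4698 and event.get("SubjectLogonId") in sessions:
            src = sessions[event["SubjectLogonId"]]
            alerts[src]["kind"] = "lateral_movement"
            alerts[src]["task"] = event.get("TaskName")
    return list(alerts.values())


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

The join on logon ID rather than on source address is deliberate: a 4698 does not carry the remote IP, but its SubjectLogonId matches the TargetLogonId of the network logon that created the task, so the two can be tied together reliably. A source that only trips the failure threshold still produces a "brute_force" alert, which is the earlier and cheaper signal to act on.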

Yara Rule

The following rule can be used to detect the SMB Worm Tool on disk. The condition requires all five strings, since some of them (such as "NTLMSSP" and the LoadLibrary error message) are common on their own; it is the combination of the Admin$ copy path, the NetScheduleJobAdd import and the service strings that is characteristic of this tool:

 rule smbWormTool
 {
     meta:
         author = "PwC Cyber Threat Operations"
         description = "SMB Worm Tool"
         version = "1.0"
         created = "2014-12-30"
         osint_ref = ""   // reference URL not preserved in the published page
         exemplar_md5 = "61bf45be644e03bebd4fbf33c1c14be2"

     strings:
         $STR1 = "%s\\Admin$\\%s.exe" wide ascii nocase
         $STR2 = "NetScheduleJobAdd" wide ascii nocase
         $STR3 = "SetServiceStatus failed, error code" wide ascii nocase
         $STR4 = "LoadLibrary( NTDLL.DLL ) Error" wide ascii nocase
         $STR5 = "NTLMSSP" wide ascii nocase

     condition:
         all of them
 }





References

  • US-CERT, Alert TA14-353A: Targeted Destructive Malware
  • FBI Flash Alert A-000044-MW
  • SANS, The BH01 Worm
  • Trustwave, 2014 Business Password Analysis
  • Microsoft, Viewing events for assessing NTLM usage
  • Worm Activity - Brute Force
  • Why You Shouldn't Disable The Task Scheduler Service in Windows 7 and Windows 8
  • Microsoft, Configure Firewall Port Requirements for Group Policy
  • ASD, Strategies to Mitigate Targeted Cyber Intrusions


Further information

For more in-depth coverage, including full details of the analysis behind this blog as well as additional indicators which can be used to detect similar samples, or if you have any other queries, please get in touch at [email protected]