Threat Research

Inside Win32:Allaple

Michal Krejdl, 22 May 2009

Inside Win32:Allaple

Win32:Allaple was a succesful worm few years ago. There are some instances of the worm in the wild also now, but the first boom was notably higher. The payload is a nice piece of polymorphic code, let's look how it looks and how it works.


The picture shows us the character of Allaple. The code in the new block is built from the arguments, which are moved via different ways (mov, add, or, xor, stosd have the same effect here, because the buffer was initially set to zeros). This obfuscated code continues to construct the block at 40FA84 and jump to the block immediately. Next picture shows us the mentioned code block.


We've seen this scheme before (in the first obfuscation layer). No surprise, nothing more to explain, let's move on. After finishing this block of code we can see something new, something interesting.


As described in the picture above, this code performs the decryption of another code block (which is responsible for unpacking a binary as we'll see later) and decrypts the data section (which contains the binary). The data at the beginning of first section (401000) are used to compute the decryption key. So, we have some decrypted data and another code snippet, which is shown and described bellow.


After the loading of some API functions the code tries to find its data section, which contains a PE image compressed with aPLib. Then it decompresses it and drops it. The screenshots of the packed stream (some remarkable patterns specific to LZ compressions are there) and the old well known aPLib decompressor (with its constants etc) are here:



Great, now we have the unpacked binary. It is called dmhelpserver.exe internally. It is able to register itself as a OLE object into registry and it also contains the executive part to propagate the worm over networks. Next picture shows you the list of dictionary items and the preformatted strings to construct the CLSID (it is used as the object identifier while infecting HTML pages with object injection).


The last picture will show you a part of the replicating engine. This particular snippet contains the data used to exploit a DCOM vulnerability. It's one of the ways used by Allaple to spread.


Last but not least - the original binary virustotal results and the dropped binary results