Nume:TR/IRCBot.LZ.4
Descoperit pe data de:26/09/2005
Tip:Troian
ITW:Nu
Numar infectii raportate:Scazut
Potential de raspandire:Mediu
Potential de distrugere:Mediu
Fisier static:Da
Marime:83.436 Bytes
MD5:f110d9ac3ed4e96d3d25db7a5d93d99d
Versiune VDF:6.32.0.44

 General Metoda de raspandire:
   • Reteaua locala


Alias:
   •  Symantec: Backdoor.Sdbot
   •  Kaspersky: Backdoor.Win32.Agobot.afp
   •  TrendMicro: WORM_SDBOT.CHG
   •  F-Secure: W32/Sdbot.MBM
   •  VirusBuster: Worm.SdBot.BJL
   •  Bitdefender: Backdoor.RBot.CBS


Sistem de operare:
   • Windows NT
   • Windows 2000
   • Windows XP
   • Windows 2003


Efecte secundare:
   • Creeaza fisiere
   • Reduce setarile de securitate
   • Modificari in registri
   • Posibilitatea accesului neautorizat la computer

 Fisiere Se copiaza in urmatoarea locatie:
   • %SYSDIR%\winsvc32.exe



Sterge copia initiala a virusului.



Sunt create fisierele:

– Fisiere temporare care pot fi sterse dupa aceea:
   • %TEMPDIR%\oo.reg
   • c:\a.bat

 Registrii sistemului Urmatoarele chei sunt adaugate in registri pentru a rula procesul la repornirea sistemului:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Windows Services"="winsvc32.exe"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
   • "Windows Services"="winsvc32.exe"



Urmatoarele chei sunt adaugate in registrii sistemului:

– [HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
   • "AllowUnqualifiedQuery"=dword:00000000
   • "PrioritizeRecordData"=dword:00000001
   • "TCP1320Opts"=dword:00000003
   • "KeepAliveTime"=dword:00023280
   • "BcastQueryTimeout"=dword:000002ee
   • "BcastNameQueryCount"=dword:00000001
   • "CacheTimeout"=dword:0000ea60
   • "Size/Small/Medium/Large"=dword:00000003
   • "LargeBufferSize"=dword:00001000
   • "SynAckProtect"=dword:00000002
   • "PerformRouterDiscovery"=dword:00000000
   • "EnablePMTUBHDetect"=dword:00000000
   • "FastSendDatagramThreshold "=dword:00000400
   • "StandardAddressLength "=dword:00000018
   • "DefaultReceiveWindow "=dword:00004000
   • "DefaultSendWindow"=dword:00004000
   • "BufferMultiplier"=dword:00000200
   • "PriorityBoost"=dword:00000002
   • "IrpStackSize"=dword:00000004
   • "IgnorePushBitOnReceives"=dword:00000000
   • "DisableAddressSharing"=dword:00000000
   • "AllowUserRawAccess"=dword:00000000
   • "DisableRawSecurity"=dword:00000000
   • "DynamicBacklogGrowthDelta"=dword:00000032
   • "FastCopyReceiveThreshold"=dword:00000400
   • "LargeBufferListDepth"=dword:0000000a
   • "MaxActiveTransmitFileCount"=dword:00000002
   • "MaxFastTransmit"=dword:00000040
   • "OverheadChargeGranularity"=dword:00000001
   • "SmallBufferListDepth"=dword:00000020
   • "SmallerBufferSize"=dword:00000080
   • "TransmitWorker"=dword:00000020
   • "DNSQueryTimeouts" =hex(7):31,00,00,00,32,00,00,00,32,00,00,00,34,00,00,00,38,00,00,00,30,00,00,00,00,00
   • "DefaultRegistrationTTL"=dword:00000014
   • "DisableReplaceAddressesInConflicts"=dword:00000000
   • "DisableReverseAddressRegistrations"=dword:00000001
   • "UpdateSecurityLevel "=dword:00000000
   • "DisjointNameSpace"=dword:00000001
   • "QueryIpMatching"=dword:00000000
   • "NoNameReleaseOnDemand"=dword:00000001
   • "EnableDeadGWDetect"=dword:00000000
   • "EnableFastRouteLookup"=dword:00000001
   • "MaxFreeTcbs"=dword:000007d0
   • "MaxHashTableSize"=dword:00000800
   • "SackOpts"=dword:00000001
   • "Tcp1323Opts"=dword:00000003
   • "TcpMaxDupAcks"=dword:00000001
   • "TcpRecvSegmentSize"=dword:00000585
   • "TcpSendSegmentSize"=dword:00000585
   • "TcpWindowSize"=dword:0007d200
   • "DefaultTTL"=dword:00000030
   • "TcpMaxHalfOpen"=dword:0000004b
   • "TcpMaxHalfOpenRetried"=dword:00000050
   • "TcpTimedWaitDelay"=dword:00000000
   • "MaxNormLookupMemory"=dword:00030d40
   • "FFPControlFlags"=dword:00000001
   • "FFPFastForwardingCacheSize"=dword:00030d40
   • "MaxForwardBufferMemory"=dword:00019df7
   • "MaxFreeTWTcbs"=dword:000007d0
   • "GlobalMaxTcpWindowSize"=dword:0007d200
   • "EnablePMTUDiscovery"=dword:00000001
   • "ForwardBufferMemory"=dword:00019df7



Urmatoarele chei din registri sunt modificate:

– [HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]
   Vechea valoare:
   • "TransportBindName"=%setarile utilizatorului%
   Noua valoare:
   • "TransportBindName"=""

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess]
   Vechea valoare:
   • "Start"=%setarile utilizatorului%
   Noua valoare:
   • "Start"=dword:00000004

– [HKLM\SYSTEM\CurrentControlSet\Services\wuauserv]
   Vechea valoare:
   • "Start"=%setarile utilizatorului%
   Noua valoare:
   • "Start"=dword:00000004

– [HKLM\SYSTEM\ControlSet001\Services\wscsvc]
   Vechea valoare:
   • "Start"=%setarile utilizatorului%
   Noua valoare:
   • "Start"=dword:00000004

– [HKLM\SYSTEM\CurrentControlSet\Control\Lsa]
   Vechea valoare:
   • "restrictanonymous"=%setarile utilizatorului%
   Noua valoare:
   • "restrictanonymous"=dword:00000001

– [HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\
   Protocols\PCT1.0\Server]
   Vechea valoare:
   • "Enabled"=%setarile utilizatorului%
   Noua valoare:
   • "Enabled"=hex:00

– [HKLM\SOFTWARE\Microsoft\Ole]
   Vechea valoare:
   • "EnableDCOM"="%setarile utilizatorului%
     "EnableRemoteConnect"="%setarile utilizatorului%
   Noua valoare:
   • "EnableDCOM"="N"
     "EnableRemoteConnect"="N"
     

– [HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
   Vechea valoare:
   • "AutoShareWks"=%setarile utilizatorului%
     "AutoShareServer"=%setarile utilizatorului%
   Noua valoare:
   • "AutoShareWks"=dword:00000000
     "AutoShareServer"=dword:00000000

– [HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
   Vechea valoare:
   • "NameServer"=""%setarile utilizatorului%
     "ForwardBroadcasts"=%setarile utilizatorului%
     "IPEnableRouter"=%setarile utilizatorului%
     "Domain"=%setarile utilizatorului%
     "SearchList"=%setarile utilizatorului%
     "UseDomainNameDevolution"=%setarile utilizatorului%
     "EnableICMPRedirect"=%setarile utilizatorului%
     "DeadGWDetectDefault"=%setarile utilizatorului%
     "DontAddDefaultGatewayDefault"=%setarile utilizatorului%
     "EnableSecurityFilters"=%setarile utilizatorului%
   Noua valoare:
   • "NameServer"=""
     "ForwardBroadcasts"=dword:00000000
     "IPEnableRouter"=dword:00000000
     "Domain"=""
     "SearchList"=""
     "UseDomainNameDevolution"=dword:00000001
     "EnableICMPRedirect"=dword:00000000
     "DeadGWDetectDefault"=dword:00000001
     "DontAddDefaultGatewayDefault"=dword:00000000
     "EnableSecurityFilters"=dword:00000001

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
   Vechea valoare:
   • "MaxConnectionsPer1_0Server"=%setarile utilizatorului%
     "MaxConnectionsPerServer"=%setarile utilizatorului%
   Noua valoare:
   • "MaxConnectionsPer1_0Server"=dword:00000050
     "MaxConnectionsPerServer"=dword:00000050

 Reţea Foloseste urmatoarele date de logare, pentru a controla sistemul la distanta:

– Lista de utilizatori:
   • administrator; administrador; administrateur; administrat; admins;
      admin; staff; computer; owner; student; teacher; wwwadmin; guest;
      default; database; oracle; linux; admin; ADMIN; Admin; admin123;
      Administrador; Administrateur; administrator; ADMINISTRATOR;
      Administrator; guest; Guest; default; DEFAULT; Default; LOCAL

– Lista de parole:
   • password; PASSWORD; Password; system; SYSTEM; GUEST; ADMIN; PASSWORD;
      SHARE; WRITE; FILES; ACCESS; BACKUP; SYSTEM; SERVER; LOCAL; passwd;
      database; abc123; xxxxx; xxxxxx; xxxxxxx; xxxxxxxx; xxxxxxxxx; 00000;
      000000


 IRC Pentru a trimite informatii si pentru a fi controlat se conecteaza la serverul IRC:

Server: 152.23.204.55
Port: 4891
Canal: #update
Nick: USA-%sir de 5 caractere aleatoare%
Parola: w32z



– Acest malware poate obtine si trimite infomatii cum ar fi:
    • Captura ecranului
    • Captura imagine de pe webcam
    • Viteza procesorului
    • Utilizatorul curent
    • Spatiu liber pe disc
    • Memorie nealocata
    • Informatii despre retea
    • Informatii despre procesele sistemului
    • Cantitatea de memorie
    • Utilizator


– In plus, poate efectua urmatoarele operatii:
    • conectare server IRC
    • Lanseaza atacuri DDoS ICMP
    • Lanseaza atacuri DDoS SYN
    • Lanseaza atacuri DDoS TCP
    • Lanseaza atacuri DDoS UDP
    • dezactivare DCOM
    • dezactivarea partajarii de resurse in retea
    • deconectare server IRC
    • descarcare fisier
    • activare DCOM
    • activarea partajarii de resurse in retea
    • executarea unui fisier
    • intrare pe canal IRC
    • parasire canal IRC
    • deschidere consola
    • executare atac DDoS
    • Scaneaza reteaua
    • redirectionare porturi
    • Porneste keylog
    • terminare proces malware
    • terminare proces
    • Se actualizeaza singur
    • Face upload la un fisier

 Furt de informatii Incearca sa obtina urmatoarele informatii:
– Windows Product ID

– Urmatoarele CD-keys:
   • Counter-Strike (Retail); The Gladiators; Gunman Chronicles; Half-Life;
      Industry Giant 2; Legends of Might and Magic; Soldiers Of Anarchy;
      Unreal Tournament 2003; Unreal Tournament 2004; IGI 2: Covert Strike;
      Freedom Force; Battlefield 1942; Battlefield 1942 (Road To Rome);
      Battlefield 1942 (Secret Weapons of WWII); Battlefield Vietnam; Black
      and White; Command and Conquer: Generals (Zero Hour); James Bond 007:
      Nightfire; Command and Conquer: Generals; Global Operations; Medal of
      Honor: Allied Assault; Medal of Honor: Allied Assault: Breakthrough;
      Medal of Honor: Allied Assault: Spearhead; Need For Speed Hot Pursuit
      2; Need For Speed: Underground; Shogun: Total War: Warlord Edition;
      FIFA 2002; FIFA 2003; NHL 2002; NHL 2003; Nascar Racing 2002; Nascar
      Racing 2003; Rainbow Six III RavenShield; Command and Conquer:
      Tiberian Sun; Command and Conquer: Red Alert; Command and Conquer: Red
      Alert 2; NOX; Chrome; Hidden & Dangerous 2; Soldier of Fortune II -
      Double Helix; Neverwinter Nights; Neverwinter Nights (Shadows of
      Undrentide); Neverwinter Nights (Hordes of the Underdark)

– Parola din programul:
   • winlogon

– Este pornita o rutina de logare dupa ce viziteaza un site care contine unul din urmatoarele siruri de caractere in URL:
   • paypal
   • PAYPAL
   • paypal.com
   • PAYPAL.COM

– Face captura la:
    • Datele introduse de la tastatura
    • Informatii de logare

 Detaliile fisierului Limbaj de programare:
 Limbaj de programare folosit: C (compilat cu Microsoft Visual C++).


Compresia fisierului:
Pentru a ingreuna detectia si a reduce marimea fisierului, este folosit urmatorul program de arhivare:
   • PE Pack

Die Beschreibung wurde erstellt von Razvan Olteanu am Dienstag, 27. September 2005
Die Beschreibung wurde geändert von Razvan Olteanu am Freitag, 30. September 2005

zurück . . . .