Virus: Worm/Pakes.02
Date discovered: 21/07/2005
Type: Worm
In the wild: No
Reported Infections: Low
Distribution Potential: Medium to high
Damage Potential: High
Static file: Yes
File size: 94.208 Bytes
MD5 checksum: D8660E27C7342CDFFBEE98EA0D815DDC
VDF version: 6.30.0.183

General

Method of propagation:
• Local network

Aliases:
• Symantec: W32.Spybot.Worm
• McAfee: W32/Sdbot.worm.gen.i
• Kaspersky: Trojan.Win32.Pakes
• TrendMicro: WORM_SDBOT.BVA
• Sophos: W32/Rbot-AHZ

Platforms / OS:
• Windows 2000
• Windows XP

Side effects:
• Registry modification
• Steals information
• Third party control

Files

It copies itself to the following location:
• %WINDIR%\sytem32\testtts.exe

It deletes the initially executed copy of itself.

Registry

The following registry keys are added in order to run the processes after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• "TTS Sync"="testtts.exe"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
• "TTS Sync"="testtts.exe"

The following registry keys are changed:

– [HKLM\SOFTWARE\Microsoft\Ole]
Old value:
• "EnableDCOM"="Y"
New value:
• "EnableDCOM"="N"

– [HKLM\SYSTEM\CurrentControlSet\Control\Lsa]
Old value:
• "restrictanonymous"=dword:00000000
New value:
• "restrictanonymous"=dword:00000001

Network Infection

It uses the following login information in order to gain access to the remote machine:
– A list of usernames
– A list of passwords

It makes use of the following Exploits:
– MS03-026 (Buffer Overrun in RPC Interface)
– MS04-011 (LSASS Vulnerability)

IRC

To deliver system information and to provide remote control it connects to the following IRC Server:

Server: irc.mysupanet.biz
Port: 24556
Channel: #.n3wer.#
Nickname: [M][n3w3r

– This malware has the ability to collect and send information such as:
• Cached passwords
• Capture screen
• CPU speed
• Current user
• Free disk space
• Free memory
• Malware uptime
• Information about the network
• Information about running processes
• Size of memory
• Username
• Windows directory

– Furthermore it has the ability to perform actions such as:
• Connect to IRC server
• Launch DDoS ICMP flood
• Launch DDoS SYN flood
• Launch DDoS TCP flood
• Launch DDoS UDP flood
• Disable DCOM
• Disable network shares
• Download file
• Enable DCOM
• Enable network shares
• Execute file
• Join IRC channel
• Kill process
• Leave IRC channel
• Open remote shell
• Perform DDoS attack
• Perform port redirection
• Send emails
• Terminate malware
• Terminate process
• Upload file
• Visit a website

Process termination

List of processes that are terminated:
• i11r54n4.exe; irun4.exe; d3dupdate.exe; rate.exe; ssate.exe; winsys.exe; winupd.exe; SysMonXP.exe; bbeagle.exe; Penis32.exe; teekids.exe; MSBLAST.exe; mscvb32.exe; sysinfo.exe; PandaAVEngine.exe; wincfg32.exe; taskmon.exe; zonealarm.exe; navapw32.exe; navw32.exe; zapro.exe; msblast.exe; netstat.exe; msconfig.exe; regedit.exe

Stealing

– Windows Product ID
– The following CD keys:
• Neverwinter Nights (Hordes of the Underdark); Neverwinter Nights (Shadows of Undrentide); Neverwinter Nights; Soldier of Fortune II - Double Helix; Hidden & Dangerous 2; Chrome; NOX; Command and Conquer: Red Alert 2; Command and Conquer: Red Alert; Command and Conquer: Tiberian Sun; Rainbow Six III RavenShield; Nascar Racing 2003; Nascar Racing 2002; NHL 2003; NHL 2002; FIFA 2003; FIFA 2002; Shogun: Total War: Warlord Edition; Need For Speed: Underground; Need For Speed Hot Pursuit 2; Medal of Honor: Allied Assault: Spearhead; Medal of Honor: Allied Assault: Breakthrough; Medal of Honor: Allied Assault; Global Operations; Command and Conquer: Generals; James Bond 007: Nightfire; Command and Conquer: Generals (Zero Hour); Black and White; Battlefield Vietnam; Battlefield 1942 (Secret Weapons of WWII); Battlefield 1942 (Road To Rome); Battlefield 1942; Freedom Force; IGI 2: Covert Strike; Unreal Tournament 2004; Unreal Tournament 2003; Soldiers Of Anarchy; Legends of Might and Magic; Industry Giant 2; Half-Life; Gunman Chronicles; The Gladiators; Counter-Strike (Retail)

Description inserted by Andrei Gherman on Wednesday, August 3, 2005
Description updated by Andrei Gherman on Friday, August 19, 2005
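
The registry entries listed under Registry above can be checked offline against the text of a registry export. The following Python code is an added example, not part of the original description; its function names and the sample export are constructed for illustration. It treats the two changed settings as weak indicators, on the assumption that an administrator may have set the same values deliberately, and only the "TTS Sync" autostart values as decisive.

```python
import re

# Indicators from the description above. "strong" = the worm's own autostart
# values; "weak" = settings it changes that an admin may also set as hardening.
INDICATORS = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "TTS Sync", '"testtts.exe"', "strong"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices", "TTS Sync", '"testtts.exe"', "strong"),
    (r"HKLM\SOFTWARE\Microsoft\Ole", "EnableDCOM", '"N"', "weak"),
    (r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa", "restrictanonymous", "dword:00000001", "weak"),
]

def _norm_key(key):  # lower-case the path and expand the HKLM abbreviation
    key = key.strip().lower()
    if key.startswith("hklm\\"):
        key = "hkey_local_machine\\" + key[5:]
    return key

def parse_reg_export(text):
    """Parse decoded .reg export text into {key: {value_name: raw_data}}."""
    hive, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = hive.setdefault(_norm_key(line[1:-1]), {})
        elif current is not None:
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                current[m.group(1).lower()] = m.group(2).strip()
    return hive

def find_indicators(text):
    """Return (strength, key, name, data) for each indicator that matches."""
    hive, hits = parse_reg_export(text), []
    for key, name, data, strength in INDICATORS:
        found = hive.get(_norm_key(key), {}).get(name.lower())
        if found is not None and found.lower() == data.lower():
            hits.append((strength, key, name, found))
    return hits

def verdict(hits):
    """Weak hits alone only warrant review; an autostart value is decisive."""
    if any(h[0] == "strong" for h in hits):
        return "likely infected"
    return "review" if hits else "clean"

# Constructed sample export (not from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TTS Sync"="testtts.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"
'''
print(verdict(find_indicators(SAMPLE)))
```

Files written by regedit in the "Version 5.00" format are UTF-16 encoded, so decode them before passing the text to `find_indicators`.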