Need help? Ask the community or hire an expert.
Go to Avira Answers
Virus:Worm/Wootbot.U.19
Date discovered:13/12/2012
Type:Worm
In the wild:Yes
Reported Infections:Low
Distribution Potential:Medium
Damage Potential:Medium
Static file:Yes
File size:86.528 Bytes
MD5 checksum:ba095353aa5ce13c7358feb9af70f0c2
VDF version:7.11.53.216

 General Method of propagation:
   • Local network


Aliases:
   •  Symantec: W32.Spybot.Worm
   •  Kaspersky: Backdoor.Win32.Wootbot.u
   •  VirusBuster: Worm.Wootbot.CJ


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops a malicious file
   • Registry modification
   • Makes use of software vulnerability
   • Steals information
   • Third party control

 Files It copies itself to the following location:
   • %SYSDIR%\msfirewall.exe



It deletes the initially executed copy of itself.

 Registry The following registry keys are added in order to run the processes after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Microsoft Windows Firewall "="msfirewall.exe"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
   • "Microsoft Windows Firewall "="msfirewall.exe"

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Microsoft Windows Firewall "="msfirewall.exe"

– [HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
   • "Microsoft Windows Firewall "="msfirewall.exe"



The following registry keys are added in order to load the services after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
   • "Microsoft Windows Firewall "="msfirewall.exe"

– HKLM\SYSTEM\CurrentControlSet\Services\fear]
   • "Type"=dword:00000020
   • "Start"=dword:00000004
   • "ErrorControl"=dword:00000001
   • "ImagePath"="%SYSDIR%\msfirewall.exe" -netsvcs
   • "DisplayName"="Microsoft Windows Firewall "
   • "ObjectName"="LocalSystem"
   • "FailureActions"=hex:ff,ff,ff,ff,00,00,00,00,00,00,00,00,01,00,00,00,41,00,63,\
   • 00,01,00,00,00,01,00,00,00
   • "DeleteFlag"=dword:00000001

– [HKLM\SYSTEM\CurrentControlSet\Services\fear\Enum]
   • "0"="Root\\LEGACY_FEAR\\0000"
   • "Count"=dword:00000001
   • "NextInstance"=dword:00000001

– [HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FEAR\0000]
   • "Service"="fear"
   • "Legacy"=dword:00000001
   • "ConfigFlags"=dword:00000000
   • "Class"="LegacyDriver"
   • "ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
   • "DeviceDesc"="Microsoft Windows Firewall "

– HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FEAR\0000\Control]
   • "*NewlyCreated*"=dword:00000000
   • "ActiveService"="fear"

– [HKLM\SYSTEM\ControlSet001\Control\ServiceCurrent]
   • @=dword:0000000b

– [HKLM\SYSTEM\CurrentControlSet\Services\fear\Security]
   • "Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
      00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
      00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
      05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
      20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
      00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
      00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

 Network Infection In order to ensure its propagation the malware attemps to connect to other machines as described below.


Exploit:
It makes use of the following Exploit:
– MS04-011 (LSASS Vulnerability)


Infection process:
Creates a TFTP script on the compromised machine in order to download the malware to the remote location.

 IRC To deliver system information and to provide remote control it connects to the following IRC Server:

Server: 202.91.**********
Port: 6667
Channel: #myf0r#
Nickname: [H]%six-digit random character string%
Password: f0r333



– This malware has the ability to collect and send the following information:
    • Cached passwords


– Furthermore it has the ability to perform actions such as:
    • connect to IRC server
    • disconnect from IRC server
    • Edit registry
    • Join IRC channel
    • Leave IRC channel
    • Open remote shell
    • Upload file

 Backdoor The following port is opened:

%executed file% on a random TCP port in order to provide an FTP server.

 Stealing It tries to steal the following information:
– Windows Product ID

– The following CD keys:
   • "Unreal Tournament 2004"; "Unreal Tournament 2003"; "The Gladiators";
      "Soldier Of Fortune 2"; "Soldiers Of Anarchy: "; "Shogun: Total War:
      Warlord Edition"; "Ravenshield"; "Neverwinter Nights"; "Need For
      Speed: Underground"; "Need For Speed: Hot Pursuit 2"; "NHL 2003"; "NHL
      2002"; "Nascar Racing 2003"; "Nascar Racing 2002"; "Medal of Honor:
      Allied Assault: Spearhead "; "Medal of Honor: Allied Assault:
      Breakthrough"; "Medal of Honor: Allied Assault"; "James Bond 007:
      Nightfire"; "Industry Giant 2"; "IGI2: Covert Strike"; "Hidden and
      Dangerous 2"; "Half-Life"; "Gunman Chronicles"; "Global Operations";
      "Freedom Force: "; "FIFA 2003: "; "FIFA 2002: "; "Counter-Strike";
      "Command and Conquer: Tiberian Sun"; "Command and Conquer: Red
      Alert2"; "Command and Conquer: Generals: Zero Hour"; "Command and
      Conquer: Generals"; "Black and White"; "Battlefield 1942: Vietnam";
      "Battlefield 1942: The Road To Rome"; "Battlefield 1942: Secret
      Weapons Of WWII"; "Battlefield 1942"

– Passwords from the following programs:
   • Yahoo! messenger
   • ICQ messenger
   • AIM messenger

 File details Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
   • Neolite 2.0

Description inserted by Catalin Jora on Tuesday, August 2, 2005
Description updated by Catalin Jora on Tuesday, August 23, 2005

Back . . . .