Full description

Nume:	BDS/Codbot.AE.1
Descoperit pe data de:	13/12/2012
Tip:	Backdoor Server
ITW:	Da
Numar infectii raportate:	Scazut
Potential de raspandire:	Mediu
Potential de distrugere:	Mediu
Fisier static:	Da
Marime:	49.152 Bytes
MD5:	15870257aa24dac575191161c4d52781
Versiune VDF:	7.11.53.216

General Metoda de raspandire:
   • Reteaua locala

Alias:
   • Symantec: W32.Toxbot
   • Mcafee: W32/Sdbot.worm.gen.w
   • Kaspersky: Backdoor.Win32.Codbot.ae
   • TrendMicro: WORM_SDBOT.BJA
   • VirusBuster: Worm.Codbot.S

Sistem de operare:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Efecte secundare:
   • Creeaza fisiere malware
   • Inregistreaza intrarile de la tastatura
   • Modificari in registri
   • Profita de vulnerabilitatile softului
   • Posibilitatea accesului neautorizat la computer

Fisiere Se copiaza in urmatoarea locatie:
• %SYSDIR%\netddeclnt.exe

Sterge copia initiala a virusului.

Este creat fisierul:

– Un fisier temporar care poate fi sters dupa aceea:
• %TEMPDIR%\del.bat

Registrii sistemului Urmatoarele chei sunt adaugate in registri pentru a incarca serviciile la repornirea sistemului:

– HKLM\SYSTEM\CurrentControlSet\Services\NetDDEclnt]
   • "Type"=dword:00000110
   • "Start"=dword:00000002
   • "ErrorControl"=dword:00000000
   • "ImagePath"="%directorul de activare malware%\\%fisier executat%"
   • "DisplayName"="Network DDE Client"
   • "ObjectName"="LocalSystem"
   • "FailureActions"=hex:05,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,42,00,42,\
   • 00,01,00,00,00,01,00,00,00
   • "Description"="Provides network transport and security for Dynamic Data Exchange (DDE) for programs running on the same computer or on different computers."

– HKLM\SYSTEM\CurrentControlSet\Services\NetDDEclnt\Enum]
   • "0"="Root\\LEGACY_NETDDECLNT\\0000"
   • "Count"=dword:00000001
   • "NextInstance"=dword:00000001
   • "INITSTARTFAILED"=dword:00000001

– [HKLM\SYSTEM\CurrentControlSet\Services\NetDDEclnt\Security]
   • "Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
      00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
      00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
      05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
      20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
      00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
      00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

Urmatoarele chei sunt adaugate in registrii sistemului:

– [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NetDDEclnt]
   • @="Service"

– [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetDDEclnt]
   • @="Service

– [HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETDDECLNT\0000]
   • "Service"="NetDDEclnt"
   • "Legacy"=dword:00000001
   • "ConfigFlags"=dword:00000000
   • "Class"="LegacyDriver"
   • "ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
   • "DeviceDesc"="Network DDE Client"

– [HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETDDECLNT\0000\
   Control]
   • "*NewlyCreated*"=dword:00000000
   • "ActiveService"="NetDDEclnt"

Reţea Pentru a-si asigura raspandirea, programul malware incearca sa contacteze alte sisteme, asa cum este descris in continuare:

Exploit:
Foloseste urmatoarele vulnerabilitati:
– MS02-061 (Elevation of Privilege in SQL Server Web)
– MS03-007 (Unchecked Buffer in Windows Component)
– MS03-026 (Buffer Overrun in RPC Interface)
– MS04-011 (LSASS Vulnerability)

Procesul de infectare:
Se creeaza un script FTP in sistemul afectat, pentru a descarcaun malware pe alt computer controlat la distanta.

Reducerea vitezei:
– Datorita surselor multiple de infectie declansate, computerul infectat devine o masina lenta si greu de utilizat.

IRC Pentru a trimite informatii si pentru a fi controlat se conecteaza la serverul IRC:

Server: %necunoscut%
Canal: #exploit

Server: %necunoscut%
Canal: #raw

– Acest malware poate obtine si trimite infomatii cum ar fi:
    • Viteza procesorului
    • Spatiu liber pe disc
    • Memorie nealocata
    • Informatii despre retea
    • ID-ul platformei
    • Informatii despre procesele sistemului
    • Director sistem
    • Directorul Windows

Furt de informatii Incearca sa obtina urmatoarele informatii:

– O rutina de logare este pornita dupa ce se tasteaza unul din urmatorele texte:
   • bank
   • login
   • paypal
   • e-bay
   • ebay

Detaliile fisierului Limbaj de programare:
Limbaj de programare folosit: C (compilat cu Microsoft Visual C++).

Compresia fisierului:
Pentru a ingreuna detectia si a reduce marimea fisierului, este folosit urmatorul program de arhivare:
• PE-Crypt.Antideb

Description inserted by Catalin Jora on Wednesday, August 3, 2005
Description updated by Catalin Jora on Tuesday, August 23, 2005

Back . . . .

Become an Avira Partner

Want to be the leading provider of small and medium business security? Become an Avira partner and offer your customers powerful, cost-effective security trusted by over 100 million users worldwide.

Discover the Avira Partner Program Enroll as an Avira partner today

Already a Partner?

. . . .

Call Us

+1 800-403-7019

Drop us a line

We'll get back to you lickety-split.

Nice to hear from you!

Thank you for contacting Avira.

Featured products

More products

Most popular

All products

Home Products

Business Products

Virus Lab

More Support

Become an Avira Partner

Home Products

Business Products

Just want to evaluate a product?

Manuals and Tools

Call Us

+1 800-403-7019

Drop us a line

We'll get back to you lickety-split.

Nice to hear from you!

Thank you for contacting Avira.

Featured products

More products

Most popular

All products

Home Products

Business Products

Virus Lab

More Support

Become an Avira Partner

Home Products

Business Products

Just want to evaluate a product?

Manuals and Tools