Virus: Worm/SdBot.55808.28
Date discovered: 18/08/2005
Type: Worm
Subtype: ircbot
In the wild: No
Reported Infections: Low
Distribution Potential: Medium
Damage Potential: Medium
Static file: Yes
File size: 55.808 Bytes
MD5 checksum: 30961b5fc6db0469e725a98ed0941705
VDF version: 6.31.1.50

General methods of propagation:
   • Local network
   • Mapped network drives


Aliases:
   •  Symantec: W32.Randex
   •  McAfee: W32/Sdbot.worm.gen.bj
   •  Kaspersky: Backdoor.Win32.SdBot.gen
   •  VirusBuster: Worm.SdBot.BBX


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP


Side effects:
   • Downloads malicious files
   • Registry modification
   • Makes use of software vulnerability
   • Steals information
   • Third party control

Files:
It copies itself to the following location:
   • %SYSDIR%\NAVARSVC.exe

Registry:
The following registry values are added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Microsoft Video Capture Controls"="NAVARSVC.exe"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
   • "Microsoft Video Capture Controls"="NAVARSVC.exe"

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Microsoft Video Capture Controls"="NAVARSVC.exe"

Network infection:
In order to ensure its propagation, the malware attempts to connect to other machines as described below.

It drops copies of itself to the following network shares:
   • IPC$
   • D$
   • print$
   • c$
   • Admin$
   • c$\windows\system32
   • c$\winnt\system32
   • Amin$\system32


It uses the following login information in order to gain access to the remote machine:

– The following list of passwords:
   • "zxcv"; "zxc"; "zulu"; "zombie"; "zmodem"; "zimmerman"; "zimmerma";
      "ziggy"; "zeitgeis"; "zebra"; "zap"; "yxcv"; "youwontguessme";
      "young"; "yosemite"; "yolanda"; "yellowstone"; "yellowst"; "yellow";
      "yankee"; "yang"; "yaco"; "xyzzy"; "xyz"; "xxxxxxxxx"; "xxxxxxxx";
      "xxxxxxx"; "xxxxxx"; "xxxxx"; "xxxx"; "xxx"; "xray"; "xmodem"; "xmen";
      "xman"; "xfer"; "xena"; "wyoming"; "wwwadmin"; "www"; "wwii"; "WRITE";
      "wormwood"; "worm"; "work"; "worf"; "wordperf"; "word"; "woodwind";
      "wood"; "women"; "wombat"; "woman"; "wolverin"; "wolf"; "wizard";
      "within"; "wiseass"; "wisconsin"; "wisconsi"; "wired"; "winxp";
      "winston"; "winpass"; "winnt"; "wing"; "wine"; "windozexp";
      "windozeME"; "windoze98"; "windoze95"; "windoze2k"; "windoze";
      "windowz"; "WindowsXP"; "windowsME"; "windows98"; "windows95";
      "windows2k"; "windows"; "windose"; "win98"; "win2k"; "win2000"; "win";
      "wilma"; "willie"; "williamsburg"; "williams"; "william"; "will";
      "wileecoyote"; "whore"; "wholesale"; "wholesal"; "whitney"; "whiting";
      "white"; "whisky"; "whatnot"; "whatever"; "wh0re"; "wh0r3"; "western";
      "west"; "werewolf"; "wendy"; "wendi"; "well"; "weenie"; "weed";
      "wednesda"; "webpage"; "web"; "wave"; "water"; "watchwor"; "wasp";
      "warren"; "warp"; "wargames"; "warfare"; "warez"; "ward"; "waco";
      "w00t"; "vodka"; "visualba"; "visual"; "visitor"; "virus"; "virginia";
      "virgin"; "village"; "videogam"; "video"; "victor"; "vicky";
      "vertigo"; "veronica"; "venus"; "vasant"; "vampire"; "valerie";
      "vagina"; "uwontguessme"; "uucp"; "utility"; "util"; "usmc";
      "userpassword"; "username"; "usermane"; "user1"; "User"; "USER";
      "user"; "usenet"; "ursula"; "urchin"; "uranus"; "upload"; "unlock";
      "Unknown"; "unknown"; "unix"; "universi"; "universe"; "universa";
      "uniform"; "unicorn"; "unhappy"; "undo"; "uncle"; "umesh"; "ugly";
      "tuttle"; "turnip"; "turn"; "tuesday"; "tubas"; "tty"; "truth";
      "true"; "tron"; "trombone"; "trojan"; "trivial"; "trisha"; "trek";
      "tree"; "trapdoor"; "trap"; "transfer"; "trails"; "tracy"; "tracie";
      "traci"; "toyota"; "toxic"; "tortoise"; "topography"; "topograp";
      "tomato"; "tokenrin"; "token"; "toggle"; "toad"; "tits"; "tina";
      "time"; "tiger"; "tiffany"; "thursday"; "thin"; "theresa"; "thailand";
      "text"; "tetris"; "testing"; "testin"; "tester"; "test123"; "Test";
      "test"; "TEST"; "tess"; "terminat"; "terminal"; "tera"; "tennis";
      "temptation"; "temptati"; "temp123"; "temp"; "TEMP"; "telnet";
      "telephone"; "telephon"; "teenage"; "teen"; "technical"; "tech";
      "tears"; "teapot"; "team"; "teacher"; "taylor"; "tarragon"; "target";
      "tara"; "tape"; "tango"; "tangerine"; "tangerin"; "tammy"; "tamie";
      "tami"; "tamara"; "tall"; "talk"; "tabasco"; "SYSTEM"; "system";
      "sysop"; "sysadmin"; "sys"; "symmetry"; "sybil"; "sybase"; "sword";
      "switch"; "sweat"; "swearer"; "suzie"; "suzanne"; "susie"; "susanne";
      "susan"; "surfing"; "surfer"; "supported"; "supporte"; "support";
      "supervis"; "superuser"; "superuse"; "superstage"; "supersta";
      "superson"; "superman"; "super"; "sunday"; "sun"; "summer"; "sue";
      "sucks"; "suckmydi"; "suck"; "success"; "subway"; "subscrib";
      "stuttgart"; "stuttgar"; "student1"; "student"; "strip"; "string";
      "streetfi"; "stratford"; "stratfor"; "strangle"; "strange"; "stones";
      "stoned"; "stoneage"; "steve"; "stereo"; "stephanie"; "stephani";
      "steph"; "steel"; "steal"; "steak"; "starwars"; "startup"; "startrek";
      "start"; "starship"; "star"; "Standard"; "staff"; "stacy"; "stacie";
      "staci"; "stacey"; "sr71"; "squires"; "sqlpass"; "sqlagent"; "sql";
      "spunk"; "springer"; "spring"; "spred"; "spit"; "spiderma"; "spider";
      "spice"; "spencer"; "spell"; "spear"; "sparrows"; "spaceshi";
      "spaceman"; "south"; "source"; "sossina"; "sonya"; "sonic"; "sonia";
      "sondra"; "somebody"; "software"; "soft"; "sodomy"; "socrates";
      "social"; "soap"; "snoopy"; "snatch"; "snake"; "snafu"; "snach";
      "smut"; "smtp"; "smother"; "smooch"; "smiles"; "smile"; "smart";
      "small"; "slut"; "slow"; "sliders"; "slick"; "slave"; "skull"; "site";
      "single"; "singer"; "simulati"; "simpsons"; "simple"; "simon";
      "simcity"; "silver"; "signature"; "signatur"; "sierra"; "siemens";
      "sick"; "shuttle"; "short"; "shivers"; "shiva"; "shitpot"; "shit";
      "shirley"; "shift"; "sherri"; "shell"; "sheldon"; "sheffield";
      "sheffiel"; "sharon"; "sharks"; "shark"; "SHARE"; "sharc"; "shannon";
      "sexy"; "sex"; "sesame"; "service"; "SERVER"; "server"; "serial";
      "serenity"; "sentry"; "sentinel"; "sensor"; "sega"; "seed";
      "security"; "secret"; "search"; "scriptkiddie"; "script"; "scout";
      "scotty"; "scott"; "scorpion"; "scifi"; "schoolsucks"; "school";
      "scheme"; "scamper"; "saxon"; "saturn"; "saturday"; "satanik";
      "satanic"; "satan"; "sarah"; "sara"; "sandy"; "sandra"; "sample";
      "samantha"; "sam"; "salt"; "sale"; "salami"; "sal"; "sage"; "safe";
      "ruth"; "rush"; "running"; "rules"; "rude"; "ruby"; "ruben"; "rubber";
      "RPC"; "rough"; "Ross"; "roses"; "rosemary"; "rosebud"; "rose";
      "RoscoPColtrane"; "RoscoP"; "Rosco"; "rooted"; "ROOT"; "root";
      "ronald"; "ron"; "romulan"; "romeo"; "romano"; "rolex"; "rodent";
      "rockyhor"; "rocky"; "rock"; "rochester"; "rocheste"; "rochelle";
      "robyn"; "robotics"; "robot"; "robin"; "robert"; "roach"; "rje";
      "risc"; "ripple"; "riot"; "ring"; "rightwin"; "right"; "riffraff";
      "rick"; "rich"; "rhino"; "reveal"; "resistan"; "republic"; "report";
      "rent"; "reno"; "renee"; "remote"; "release"; "regional"; "referenc";
      "redhead"; "reddawn"; "record"; "rebel"; "rebecca"; "rebal"; "reaper";
      "ream"; "really"; "reality"; "reagan"; "READ"; "razor"; "rascal";
      "rape"; "random"; "raleigh"; "raindrop"; "rainbow"; "rain"; "raid";
      "RAGE"; "rachmaninoff"; "rachmani"; "rachelle"; "rachel"; "rabbit";
      "r00t"; "qwerty"; "qwert"; "qwer"; "qwe"; "quebec"; "qaz"; "pwd";
      "pw123"; "pussy"; "puppet"; "punk"; "punisher"; "puneet"; "pumpkin";
      "puke"; "puck"; "public"; "pub"; "psychopa"; "psycho"; "protozoa";
      "protect"; "prompt"; "program"; "profile"; "professor"; "professo";
      "processo"; "proceed"; "privs"; "private"; "priv"; "printer";
      "princeton"; "princeto"; "prince"; "presto"; "prelude"; "precious";
      "praise"; "power"; "poster"; "post"; "porsche"; "porno"; "porn";
      "pork"; "poor"; "poop"; "pondering"; "ponderin"; "polynomial";
      "polynomi"; "polly"; "police"; "poetry"; "plymouth"; "pluto";
      "plover"; "playboy"; "plane"; "pizza"; "piss"; "pinname"; "pink";
      "pimp"; "pierre"; "pick"; "phuck"; "phreak"; "phrase"; "phrack";
      "photon"; "phone"; "phoenix"; "philip"; "phil"; "peter"; "pete";
      "pervert"; "persona"; "persimmon"; "persimmo"; "permit"; "perfect";
      "percolate"; "percolat"; "pepsi"; "pepper"; "peoria"; "pentium";
      "penthous"; "pentagra"; "pentagon"; "penname"; "penis"; "Penis";
      "penguin"; "penelope"; "pencil"; "pecker"; "peanuts"; "paula";
      "patty"; "patriot"; "patrick"; "patricia"; "pat"; "paste";
      "password123"; "password1"; "Password"; "PASSWORD"; "password";
      "passwd"; "passphra"; "pass1234"; "pass123"; "pass"; "pascal";
      "papers"; "paper"; "papa"; "pamela"; "pam"; "pakistan"; "paint";
      "painless"; "pad"; "packer"; "packard"; "pacific"; "oxford"; "Owner";
      "OWNER"; "owner"; "owned"; "own"; "owa"; "outside"; "output";
      "outlook"; "outlaw"; "outdoors"; "osiris"; "oscar"; "orwell";
      "orient"; "orca"; "orange"; "oracle"; "operator"; "opensesa";
      "openlock"; "opening"; "open"; "omega"; "olivia"; "olivetti";
      "oldage"; "okay"; "office"; "oemuser"; "oeminstall"; "OEM"; "oem";
      "ocelot"; "oceanography"; "oceanogr"; "obscurit"; "nyquist"; "nuts";
      "nutrition"; "nutritio"; "number"; "null"; "nukem"; "nuke"; "nude";
      "nuclear"; "noxious"; "november"; "novel"; "nova"; "noth"; "notes";
      "noreen"; "noob"; "none"; "nokia"; "node"; "nobody"; "noble";
      "nnaacp"; "nita"; "nintendo"; "Nilez"; "nightmar"; "night";
      "nicotine"; "nicole"; "nice"; "next"; "newyork"; "newton"; "newsgrou";
      "news"; "newborn"; "new"; "network"; "netscape"; "netfuck";
      "netdevil"; "netbios"; "net-devil"; "net"; "ness"; "neptune";
      "nepenthe"; "neil"; "navy"; "nasa"; "napoleon"; "nancy"; "name";
      "nagel"; "mypc123"; "mypc"; "mypass123"; "mypass"; "mutant";
      "muppets"; "msdos"; "mpeg"; "mozart"; "movies"; "movie"; "move";
      "mouse"; "mountain"; "mosaic"; "mortgage"; "mortalco"; "mortal";
      "morris"; "morley"; "more"; "moose"; "moor"; "moom"; "monica";
      "monday"; "moguls"; "mogul"; "modem"; "mode"; "mkii"; "mit";
      "mission"; "misfit"; "mirc"; "minsky"; "minimum"; "mine"; "mike";
      "midieval"; "microsof"; "micropro"; "microchi"; "micro"; "mickey";
      "michelle"; "michele"; "michelan"; "michel"; "michael"; "mice"; "mgr";
      "mets"; "metalica"; "metalhea"; "metal"; "merlin"; "mercury"; "menu";
      "menace"; "memory"; "member"; "melrose"; "mellon"; "melissa"; "megan";
      "megadeth"; "megabyte"; "meagan"; "maurice"; "Matthew"; "Matt";
      "math"; "Mat"; "master"; "mass"; "mason"; "mary"; "marvin"; "marty";
      "mars"; "marriage"; "marni"; "markus"; "mark"; "marines"; "marijuan";
      "marietta"; "mariens"; "maria"; "marcy"; "marci"; "mara"; "manager";
      "mana"; "malcom"; "malcolm"; "maint"; "main"; "mail"; "magnet";
      "magic"; "maggot"; "macro"; "mack"; "macintosh"; "macintos";
      "machine"; "lynne"; "lynn"; "lust"; "luke"; "lude"; "lucy"; "lucus";
      "luck"; "lover"; "lovebug"; "love"; "louis"; "loser"; "lorraine";
      "lorin"; "lori"; "lore"; "loose"; "lolopc"; "lol"; "lois"; "logout";
      "loginwor"; "loginpass"; "Login"; "login"; "logic"; "lockword";
      "lockout"; "lock"; "LOCAL"; "load"; "liz"; "live"; "literatu"; "lisp";
      "lisa"; "lips"; "lion"; "linux"; "link"; "linda"; "limited";
      "limbaugh"; "lima"; "lightsab"; "light"; "life"; "licker"; "lick";
      "library"; "liberal"; "lexluthe"; "lewis"; "letmein"; "leslie";
      "lesbian"; "leroy"; "leland"; "legal"; "leftwing"; "left"; "leet";
      "lee"; "lebesgue"; "leah"; "lazer"; "lazarus"; "lava"; "laura";
      "laser"; "larry"; "larkin"; "lara"; "laptop"; "lana"; "lan";
      "lamination"; "laminati"; "lambda"; "lakers"; "ladle"; "ladies";
      "l33t"; "l337"; "kristy"; "kristine"; "kristin"; "kristie"; "kristi";
      "kristen"; "krista"; "known"; "knightma"; "knight"; "knife";
      "klingon"; "kitten"; "kissmyas"; "kiss"; "kirkland"; "kirk"; "king";
      "kimberly"; "kim"; "kilo"; "killthem"; "killer"; "kill"; "kids";
      "kiddie"; "keyword"; "keyin"; "keybord"; "key"; "kewl"; "kevin";
      "kerry"; "kerrie"; "kerri"; "kernel"; "kermit"; "keri"; "kelly";
      "katrina"; "katina"; "katie"; "kathy"; "kathrine"; "kathleen"; "kate";
      "katana"; "karina"; "karie"; "karen"; "kaka"; "jupiter"; "june";
      "juliet"; "julie"; "julia"; "juicy"; "juggle"; "judy"; "judith";
      "joyce"; "joy"; "journal"; "joshua"; "joseph"; "johnny"; "johndoe";
      "john"; "joe"; "jody"; "joanne"; "joan"; "jixian"; "jill"; "jewelry";
      "jester"; "jessica"; "jerusale"; "jerry"; "jenny"; "jennifer";
      "jenni"; "jen"; "jeff"; "jeanne"; "jean"; "jazz"; "java"; "jasmin";
      "japan"; "janie"; "janice"; "janet"; "jane"; "jail"; "jackie"; "isis";
      "irule"; "irishman"; "irene"; "Inviter"; "invent"; "intranet";
      "internet"; "Internet"; "integer"; "inside"; "input"; "innocuous";
      "innocuou"; "inna"; "ingrid"; "ingress"; "ingres"; "indians";
      "indiana"; "indian"; "india"; "include"; "imperial"; "immortal";
      "imbroglio"; "imbrogli"; "image"; "illumina"; "ihavenopass";
      "icecream"; "ibm"; "ian"; "hypertxt"; "hyper"; "hydrogen"; "hutchins";
      "hunter"; "hunt"; "http"; "hotel"; "hotdog"; "host"; "horus"; "horse";
      "horror"; "horrible"; "horny"; "hooters"; "hooker"; "honey";
      "homework"; "homeuser"; "homer"; "homepage"; "home"; "hollywoo";
      "holly"; "hole"; "hits"; "hitler"; "highland"; "high"; "hidden";
      "hibernia"; "hiawatha"; "hexadeci"; "hewlett"; "heroin"; "hero";
      "herbert"; "herb"; "help"; "hello"; "hell"; "heinlein"; "heidi";
      "hebrides"; "heaven"; "heather"; "heathen"; "heat"; "headoffice";
      "headbang"; "head"; "haxing"; "hax0r"; "hax"; "hawaii"; "haven";
      "hate"; "harvey"; "harold"; "harmony"; "harddriv"; "hardcore"; "hard";
      "happening"; "happenin"; "handjob"; "handily"; "handel"; "hamster";
      "hamlet"; "hallowee"; "hal"; "hair"; "hagar"; "hacker"; "hacked";
      "hack"; "h4x1ng"; "h4x0ring"; "h4x0r1ng"; "guntis"; "gumption";
      "guitar"; "Guest"; "GUEST"; "guest"; "guessme"; "guess"; "gucci";
      "guardian"; "gryphon"; "group"; "green"; "great"; "grant"; "grand";
      "grahm"; "graham"; "grades"; "govermen"; "gouge"; "gosling"; "gorges";
      "gorgeous"; "good"; "golfer"; "golf"; "golden"; "gold"; "godblessyou";
      "god"; "gobo"; "gnu"; "glen"; "glacier"; "girl"; "ginger"; "gina";
      "gigabyte"; "gibson"; "ghost"; "gertrude"; "germ"; "george"; "gauss";
      "gatt"; "gatherin"; "gateway"; "Gast"; "garfield"; "gardner"; "games";
      "gabriel"; "fungible"; "function"; "fun"; "FULL"; "fudge"; "fuckyou";
      "fuckme"; "fucking"; "fucker"; "fucked"; "fuck"; "fubar"; "fryguy";
      "frog"; "frighten"; "friends"; "friend"; "friday"; "french";
      "freedom"; "free"; "freddy"; "fred"; "freak"; "frank"; "france";
      "foxtrot"; "fourier"; "forsythe"; "fornicat"; "format"; "form";
      "forever"; "foresight"; "foresigh"; "ford"; "force"; "football";
      "foolproof"; "foolproo"; "fool"; "food"; "foobar"; "flowers";
      "flower"; "florida"; "float"; "flakes"; "fishers"; "fish"; "firewall";
      "fire"; "finite"; "FILES"; "file"; "fight"; "field"; "fidelity";
      "ferrari"; "fermat"; "fender"; "felicia"; "feds"; "fear"; "fast";
      "fart"; "faraday"; "farad"; "family"; "false"; "falcon"; "faith";
      "fairway"; "extension"; "extensio"; "explosiv"; "explorer"; "explore";
      "explode"; "expert"; "exchnge"; "exchange"; "evelyn"; "euclid";
      "eternity"; "estate"; "establish"; "establis"; "ersatz"; "erotic";
      "erin"; "erika"; "erica"; "eric"; "erenity"; "enzyme"; "enterprise";
      "enterpri"; "enter"; "english"; "england"; "engineer"; "engine";
      "enemy"; "enable"; "emmanuel"; "emily"; "emerald"; "email"; "ellen";
      "elizabeth"; "elizabet"; "elephant"; "electron"; "elanor"; "elaine";
      "einstein"; "einsiein"; "eileen"; "eiderdown"; "eiderdow"; "egghead";
      "edwina"; "edwin"; "education"; "educatio"; "edu"; "edition"; "edit";
      "edinburgh"; "edinburg"; "edges"; "eddie"; "echo"; "eatme"; "easy";
      "easier"; "earth"; "eagle"; "eager"; "dyke"; "dungeon"; "duncan";
      "dulce"; "duke"; "duelist"; "dudette"; "dude"; "dud3"; "duck";
      "drought"; "drive"; "drdoom"; "dragon"; "download"; "dos"; "dope";
      "doors"; "door"; "doonesbu"; "doomsday"; "doomii"; "doom2"; "doom";
      "dong"; "donaldduck"; "domainpassword"; "domainpass"; "domain";
      "dollar"; "dog"; "doctor"; "display"; "disney"; "diskette"; "disk";
      "discovery"; "discover"; "disclose"; "discipli"; "disc"; "dirty";
      "director"; "direct"; "dipshit"; "dinosaur"; "digital"; "dieter";
      "diet"; "diehard"; "dick"; "dice"; "diane"; "diana"; "diamond";
      "dial"; "devil"; "device"; "develop"; "desperate"; "desperat";
      "desktop"; "desk"; "desiree"; "dennis"; "denise"; "democrat"; "demo";
      "DEMO"; "deluge"; "delta"; "Dell"; "dell"; "defoe"; "Default";
      "DEFAULT"; "default"; "deck"; "december"; "debug"; "deborah";
      "debbie"; "deb"; "deathsta"; "death"; "dead"; "dbpassword"; "dbpass";
      "db1234"; "db1"; "dawn"; "dave"; "databasepassword"; "databasepass";
      "database"; "data"; "darkaven"; "dark"; "dapper"; "danny"; "danielle";
      "daniel"; "dancer"; "dana"; "daisy"; "daemon"; "d00d"; "cynthia";
      "cyberspa"; "cyberpun"; "cyber"; "customer"; "cunt"; "ctx"; "cshrc";
      "crystal"; "cristina"; "criminal"; "crime"; "cretin"; "creosote";
      "credit"; "creature"; "creation"; "create"; "cream"; "crash";
      "crackpot"; "crack"; "cowboy"; "couscous"; "country"; "counters";
      "correct"; "cornelius"; "corneliu"; "copy"; "cops"; "copper";
      "cooper"; "cool"; "cookie"; "cookbook"; "cook"; "control"; "continue";
      "console"; "conserva"; "connie"; "connect"; "condom"; "condo";
      "comrades"; "comrade"; "computin"; "computer"; "compaq"; "company";
      "commrades"; "commrade"; "commit"; "comics"; "combat"; "color";
      "collins"; "cold"; "cola"; "coke"; "coin"; "coffee"; "codeword";
      "codename"; "code"; "cock"; "cocainco"; "cocacola"; "coast";
      "clusters"; "cluster"; "clinton"; "cleavage"; "claymore"; "claudia";
      "classic"; "classes"; "class"; "cisco"; "cindy"; "cigarett"; "cigar";
      "CHT"; "christy"; "christine"; "christina"; "christin"; "chris";
      "chip"; "chester"; "chess"; "chemistry"; "chemistr"; "chem"; "CHECK";
      "chat"; "charon"; "charming"; "charlie"; "charles"; "charity";
      "Changeme"; "changeme"; "change"; "cerulean"; "celtics"; "celtic";
      "celt"; "cecily"; "cayuga"; "cave"; "cathy"; "catholic"; "catherine";
      "catherin"; "cat"; "castle"; "cash"; "cascades"; "carson"; "carrie";
      "caroline"; "carolina"; "carole"; "carol"; "carmen"; "carla"; "caren";
      "cardinal"; "card"; "capture"; "captain"; "capitol"; "cantor";
      "candy"; "candi"; "camping"; "campanile"; "campanil"; "camille";
      "californ"; "cad"; "butthead"; "butt"; "butch"; "burn"; "burgess";
      "bung"; "bumbling"; "bullshit"; "bulls"; "bsd"; "brutefor"; "brute";
      "brunette"; "bruce"; "brothel"; "broadway"; "bridget"; "brian";
      "brenda"; "breast"; "break"; "bravo"; "brandy"; "brandi"; "bradley";
      "boyscout"; "BOTH"; "born"; "book"; "boobs"; "boob"; "boner"; "bomb";
      "bob"; "board"; "blues"; "blue"; "blowjob"; "blow"; "bloodaxe";
      "blood"; "blondie"; "blonde"; "blank"; "black"; "bla"; "bitnet";
      "bitmap"; "bitch"; "bishop"; "bird"; "bios"; "binary"; "billy";
      "bill"; "bigfoot"; "bicameral"; "bicamera"; "bible"; "beverly";
      "betty"; "betsie"; "beth"; "beta"; "beryl"; "berliner"; "berlin";
      "berkeley"; "beowulf"; "benz"; "beloved"; "bell"; "behead"; "begin";
      "beethoven"; "beethove"; "becky"; "beaver"; "beauty"; "beater";
      "beast"; "bear"; "beammeup"; "beach"; "batman"; "batch"; "bassoon";
      "bass"; "basic"; "baseball"; "bartman"; "bart"; "baritone"; "barf";
      "bare"; "barber"; "barbara"; "banks"; "bank"; "bandit"; "bananas";
      "banana"; "ball"; "bailey"; "badass"; "backup"; "BACKUP"; "backdoor";
      "bacchus"; "baby"; "babe"; "azure"; "aztecs"; "authoriz"; "attack";
      "atom"; "atmosphere"; "atmosphe"; "athena"; "asshole"; "asm"; "asian";
      "asdfgh"; "asdf"; "asd"; "artist"; "arthur"; "arrow"; "army";
      "arlene"; "ariadne"; "aria"; "april"; "apollo13"; "anything";
      "anvils"; "anthropogenic"; "anthropo"; "anthrax"; "answer";
      "anonymou"; "anon"; "annette"; "anne"; "anna"; "ann"; "anita";
      "animals"; "animal"; "angie"; "angerine"; "angela"; "anfo"; "andy";
      "andromache"; "andromac"; "android"; "andrea"; "anchor"; "anarchy";
      "anarchis"; "analog"; "anal"; "amy"; "amorphous"; "amorphou";
      "america"; "amber"; "amanda"; "amadeus"; "ama"; "alphabet"; "alpha";
      "allow"; "allison"; "alison"; "alisa"; "alicia"; "alice"; "aliases";
      "alias"; "algebra"; "alf"; "Alexander"; "alexande"; "Alex"; "alex";
      "alert"; "albert"; "albatross"; "albatros"; "albany"; "alaska";
      "Al3x"; "airplane"; "aids"; "afro"; "aerobics"; "adult"; "adrianna";
      "adrian"; "Administrator"; "ADMINISTRATOR"; "administrator";
      "Administrateur"; "Administrador"; "admin123"; "Admin"; "ADMIN";
      "admin"; "adm"; "adam"; "ada"; "action"; "accounts"; "accounting";
      "account"; "access"; "ACCESS"; "accept"; "academic"; "academia";
      "abcd"; "abc123"; "abc"; "aaa"; "88888888"; "654321"; "54321"; "2600";
      "2003"; "2002"; "123qwe"; "123asd"; "123abc"; "1234qwer"; "123467890";
      "12346789"; "1234678"; "123467"; "12346"; "123456789"; "12345678";
      "1234567"; "123456"; "12345"; "1234"; "123123"; "123"; "121212";
      "121"; "11111111"; "111111"; "111"; "110"; "0wned"; "0wn3d"; "007";
      "00000000"; "000000"; "00000"; "0000"; "000"; "!@; $%^&*"; "!@; $%^&";
      "!@; $%^"; "!@; $%"; "!@; $"



Exploit:
It makes use of the following exploit:
– MS04-011 (LSASS Vulnerability)

IRC:
To deliver system information and to provide remote control, it connects to the following IRC server:

Server: 82.33.136.**********
Port: 6667
Channel: #temple
Nickname: [WTF]-[IZIT]%random character string%
Password: boss



– This malware has the ability to collect and send information such as:
    • CPU speed
    • Free disk space
    • Free memory
    • Malware uptime
    • Platform ID


– Furthermore, it has the ability to perform actions such as:
    • Connect to IRC server
    • Launch DDoS SYN flood
    • Disable network shares
    • Download file
    • Execute file
    • Join IRC channel
    • Leave IRC channel
    • Perform port redirection
    • Send emails
    • Terminate malware
    • Upload file

Backdoor:
The following port is opened:

%SYSDIR%\NAVARSVC.exe on TCP port 113

Stealing:
It tries to steal the following information:

– The following CD keys:
   • Project IGI 2
   • Command & Conquer Generals
   • FIFA 2003
   • Need For Speed: Hot Pursuit 2
   • Soldier Of Fortune 2
   • NeverWinter Nights
   • Rainbow Six III RavenShield
   • Battlefield 1942
   • Counter-Strike
   • Unreal Tournament 2003
   • Half-Life

Miscellaneous:
Mutex:
It creates the following mutex:
   • itunesv1.3

File details:
Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
In order to hamper detection and reduce the size of the file, it is packed with the following runtime packers:
   • Morphine
   • UPX

Description inserted by Sergiu Oprea on Friday, August 19, 2005
Description updated by Sergiu Oprea on Tuesday, August 30, 2005
