Virus: Worm/IRCBot.EV.1
Date discovered: 24/08/2005
Type: Worm
In the wild: Yes
Reported infections: Low
Distribution potential: Low to medium
Damage potential: Medium
Static file: Yes
File size: 38.400 Bytes
MD5 checksum: 7551ca56b533e6ba86d3c0b2b4c8485e
VDF version: 6.31.1.158

General methods of propagation:
   • Local network
   • Mapped network drives


Aliases:
   •  Symantec: W32.IRCBot
   •  Kaspersky: Backdoor.Win32.IRCBot.ev
   •  TrendMicro: BKDR_IRCBOT.AS
   •  Sophos: W32/Sdbot-Fam
   •  VirusBuster: Worm.SdBot.BDZ
   •  Bitdefender: BehavesLike:Win32.IRC-Backdoor


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Registry modification
   • Makes use of software vulnerability
   • Third party control

Files:
It copies itself to the following location:
   • %SYSDIR%\WOWCRAK.EXE

Registry:
The following registry keys are added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "MEsnemd"="wowcrak.exe"

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "MEsnemd"="wowcrak.exe"

Network infection:
In order to ensure its propagation, the malware attempts to connect to other machines as described below.

It drops copies of itself to the following network shares:
   • C$\windows\system32\
   • C$\Documents and Settings\All Users\Documents\
   • C$\shared\
   • C$\winnt\system32\
   • ADMIN$\system32\


It uses the following login information in order to gain access to the remote machine:

– The following list of passwords:
   • 123qwe123; zaqxsw; zaq123; motdepass; **********; billgate;
      billgates; fred; bill; intranet; staff; teacher; student1; student;
      user1; afro; turnip; glen; freddy; internet; lan; nokia; ctx; 666;
      qweasdzxc; zxcvbnm; 123qaz; 123qwe; qwe123; qazwsx; qweasd; zxc123;
      pass1234; pwd; pass; passwd; admin; administrador; administrateur;
      administrator



Exploit:
It makes use of the following Exploit:
– MS04-011 (LSASS Vulnerability)

IRC:
To deliver system information and to provide remote control, it connects to the following IRC server:

Server: **********.mybizz.info
Port: 1125
Channel: #mm
Nickname: E%eight-digit random character string%


– Furthermore, it has the ability to perform actions such as:
    • Connect to IRC server
    • Disconnect from IRC server
    • Enable network shares
    • Join IRC channel
    • Leave IRC channel
    • Start spreading routine

Miscellaneous:
Mutex:
It creates the following mutex:
   • vwevqwdw

File details:
Runtime packer:
In order to hamper detection and reduce the size of the file, it is packed with the following runtime packers:
   • Morphine
   • FSG

Description inserted by Alexandru Tudor on Thursday, August 25, 2005
Description updated by Alexandru Tudor on Monday, August 29, 2005
