Virus:DR/IRCBot.8184.B
Date discovered:19/08/2005
Type:Dropper
In the wild:No
Reported Infections:Low
Distribution Potential:Medium
Damage Potential:Low to medium
Static file:Yes
File size:8.219 Bytes
MD5 checksum:84f9161a7580ca8ae571c41230eaa77d
VDF version:6.31.1.134

 General Method of propagation:
   • Local network


Aliases:
   •  Symantec: W32.Esbot.B
   •  Mcafee: W32/Sdbot.worm.gen.by
   •  Kaspersky: Backdoor.Win32.IRCBot.ex
   •  TrendMicro: WORM_ESBOT.C
   •  F-Secure: W32/Ircbot.S
   •  Bitdefender: Win32.Worm.EsBot.B


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP


Side effects:
   • Downloads malicious files
   • Registry modification
   • Makes use of software vulnerability
   • Third party control

 Files It copies itself to the following location:
   • %SYSDIR%\wpa.exe



It deletes the initially executed copy of itself.



The following files are created:

%SYSDIR%\wpa.dbl
%WINDIR%\debug\dcpromo.log



It tries to download a file:

– The location is the following:
   • http://**********.com/p5.jpg
It is saved on the local hard drive under: %temporary internet files%\p5.jpg Furthermore this file gets executed after it was fully downloaded. Further investigation pointed out that this file is malware, too.

 Registry The following registry keys are added in order to load the services after reboot:

– [HKLM\system\currentcontrolset\services\wpa]
   • "Type"=dword:00000110
   • "Start"=dword:00000002
   • "ErrorControl"=dword:00000000
   • "DisplayName"="Windows Product Activation"
   • "ObjectName"="LocalSystem"

– [HKLM\system\currentcontrolset\enum\root\legacy_wpa]
   • "NextInstance"=dword:00000001

– [HKLM\system\currentcontrolset\enum\root\legacy_wpa\0000]
   • "Service"="wpa"
   • "Legacy"=dword:00000001
   • "ConfigFlags"=dword:00000000
   • "Class"="LegacyDriver"
   • "ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
   • "DeviceDesc"="Windows Product Activation"

– [HKLM\system\currentcontrolset\enum\root\legacy_wpa\0000\Control]
   • "*NewlyCreated*"=dword:00000000
   • "ActiveService"="wpa"

– [HKLM\system\currentcontrolset\services\wpa]
   • "ImagePath"="%SYSDIR%\wpa.exe"

– [HKLM\system\currentcontrolset\services\wpa\Security]
   • "Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
      00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
      00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
      05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
      20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
      00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
      00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

– [HKLM\system\currentcontrolset\services\wpa]
   • "FailureActions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,\
      00,01,00,00,00,00,00,00,00

– [HKLM\system\currentcontrolset\services\wpa]
   • "Description"="Windows Product Activation is an anti-piracy technology designed to verify that software products have been legitimately licensed."



The following registry keys are changed:

– [HKLM\system\controlset001\control\servicecurrent]
   Old value:
   • @=dword:%user defined settings%
   New value:
   • @=dword:0000000e

– [HKLM\software\microsoft\ole]
   Old value:
   • "EnableDCOM"="%user defined settings%"
   New value:
   • "EnableDCOM"="n"

 Network Infection In order to ensure its propagation the malware attemps to connect to other machines as described below.


Exploit:
It makes use of the following Exploit:
– MS05-039 (Vulnerability in Plug and Play)


IP address generation:
It creates random IP addresses and tries to establish a connection with them.

 IRC To deliver system information and to provide remote control it connects to the following IRC Server:

Server: 68.194.76.**********
Port: 18067
Channel: #p4
Nickname: p4-%random character string%
Password: u79duhhk


– Furthermore it has the ability to perform actions such as:
    • Download file
    • Execute file

 File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
   • UPX

Description inserted by Sergiu Oprea on Monday, August 22, 2005
Description updated by Sergiu Oprea on Tuesday, August 30, 2005

Back . . . .