Virus: Worm/IRCBot.EW
Date discovered: 23/08/2005
Type: Worm
In the wild: No
Reported infections: Low
Distribution potential: Medium
Damage potential: Medium
Static file: Yes
File size: 8.204 Bytes
MD5 checksum: d5f5c6768beea05a6c0d72ecb69d27d1
VDF version: 6.31.1.166

General method of propagation:
   • Local network


Aliases:
   • Symantec: W32.Esbot.A
   • McAfee: W32/IRCbot.worm.gen
   • Kaspersky: Backdoor.Win32.IRCBot.ew
   • F-Secure: W32/Ircbot.T
   • Bitdefender: Backdoor.Ircbot.EW


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads files
   • Lowers security settings
   • Registry modification
   • Makes use of software vulnerability
   • Third party control

Files
It copies itself to the following location:
   • %SYSDIR%\mousemm.exe



It deletes the initially executed copy of itself.



The following file is created:

%WINDIR%\debug\dcpromo.log

Registry
The following registry keys are added in order to load the service after reboot:

– [HKLM\SYSTEM\CurrentControlSet\Services\mousemm]
   • "Type"=dword:00000110
   • "Start"=dword:00000002
   • "ErrorControl"=dword:00000000
   • "ImagePath"=%user defined settings%
   • "DisplayName"="Mouse Movement Monitor"
   • "ObjectName"="LocalSystem"
   • "FailureActions"=%user defined settings%
   • "Description"="Enables a computer to maintain synchronization with a PS/2 pointing device. Stopping or disabling this service will result in system instability."

– [HKLM\SYSTEM\CurrentControlSet\Services\mousemm\Security]
   • "Security"=%user defined settings%

– [HKLM\SYSTEM\CurrentControlSet\Services\mousemm\Enum]
   • "0"="Root\\LEGACY_MOUSEMM\\0000"
   • "Count"=dword:00000001
   • "NextInstance"=dword:00000001



The following registry keys are changed:

– [HKLM\SOFTWARE\Microsoft\Ole]
   Old value:
   • "EnableDCOM"=%user defined settings%
   New value:
   • "EnableDCOM"="n"

– [HKLM\SYSTEM\CurrentControlSet\Control\Lsa]
   Old value:
   • "restrictanonymous"=%user defined settings%
   New value:
   • "restrictanonymous"=dword:00000001
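The registry changes listed above are the most durable host artefacts of this worm, so a responder can check a registry export for them. The script below is an added example, not part of this description; it parses reg-export text (the sample is constructed here, not a real capture) and reports which of the documented values are present. The mousemm service entries are the strong signal; "EnableDCOM"="n" and "restrictanonymous"=1 are also legitimate hardening settings and only corroborate.

```python
import re

# Constructed sample in "reg export" format; not a capture from an infected host.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mousemm]
"Type"=dword:00000110
"Start"=dword:00000002
"ImagePath"="C:\\WINDOWS\\system32\\mousemm.exe"
"DisplayName"="Mouse Movement Monitor"
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="n"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000001
'''

SERVICE_KEY = r'HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\MOUSEMM'
OLE_KEY = r'HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\OLE'
LSA_KEY = r'HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA'


def parse_reg(text):
    """Parse reg-export text into {KEY_PATH (upper-case): {value_name (lower): raw value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1].upper()
            if current.startswith('HKLM\\'):          # accept the short hive name too
                current = 'HKEY_LOCAL_MACHINE' + current[4:]
            keys[current] = {}
        elif current and line.startswith('"') and '=' in line:
            name, _, value = line.partition('=')     # split on the first '=' only
            keys[current][name.strip('"').lower()] = value.strip('"')
    return keys


def find_indicators(keys):
    """Return the documented Worm/IRCBot.EW registry artefacts found in a parsed export."""
    hits = []
    svc = keys.get(SERVICE_KEY, {})
    if svc:
        hits.append('service key Services\\mousemm present')
    if svc.get('displayname') == 'Mouse Movement Monitor':
        hits.append('service DisplayName "Mouse Movement Monitor"')
    if svc.get('imagepath', '').lower().endswith('mousemm.exe'):
        hits.append('service ImagePath points to mousemm.exe')
    if keys.get(OLE_KEY, {}).get('enabledcom', '').lower() == 'n':   # weak: also a hardening setting
        hits.append('Ole\\EnableDCOM set to "n"')
    if keys.get(LSA_KEY, {}).get('restrictanonymous') == 'dword:00000001':  # weak, same reason
        hits.append('Lsa\\restrictanonymous set to 1')
    return hits


if __name__ == '__main__':
    for hit in find_indicators(parse_reg(SAMPLE_REG)):
        print('FOUND:', hit)
```

Run it against the output of `reg export HKLM <file>` from the suspect host; a match on the service key alone is enough to treat the machine as infected.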

Network Infection
In order to ensure its propagation the malware attempts to connect to other machines as described below.


Exploit:
It makes use of the following Exploit:
– MS05-039 (Vulnerability in Plug and Play)

IRC
To deliver system information and to provide remote control it connects to the following IRC servers:

Server: **********.is-a-fag.net
Port: 18067
Channel: #p1
Nickname: p1-%eight-digit random character string%
Password: 8mfpdofw

Server: **********.legi0n.net
Port: 18067
Channel: #p1
Nickname: p1-%eight-digit random character string%
Password: 8mfpdofw


– Furthermore it has the ability to perform actions such as:
    • Launch DDoS SYN flood
    • Launch DDoS UDP flood
    • Download file
    • Execute file
    • Kill process
    • Perform DDoS attack
    • Perform network scan
    • Start spreading routine
    • Terminate process

Backdoor
The following port is opened:

%executed file% on TCP port 30722 in order to provide backdoor capabilities.

Injection
– It injects itself into a process.

   Process name:
   • explorer.exe

   If the injection fails, the malware continues running as its own process.

Miscellaneous
Mutex:
It creates the following mutex:
   • mousemm

File details
Runtime packer:
In order to hinder detection and reduce the size of the file it is packed with the following runtime packer:
   • MEW 11

Description inserted by Razvan Olteanu on Thursday, September 1, 2005
Description updated by Razvan Olteanu on Thursday, September 1, 2005
