Virus:Worm/IRCBot.EX
Date discovered:19/08/2005
Type:Worm
In the wild:No
Reported Infections:Low
Distribution Potential:Medium
Damage Potential:Medium
Static file:Yes
File size:8.275 Bytes
MD5 checksum:38b3ca593642abdf5a1cfe9183040ca6
VDF version:6.31.1.150

 General Method of propagation:
   • Local network


Alias:
   •  Kaspersky: Backdoor.Win32.IRCBot.ex


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads malicious files
   • Registry modification
   • Makes use of software vulnerability
   • Third party control

 Files It copies itself to the following location:
   • %WINDIR%\ssl.exe



It deletes the initially executed copy of itself.



The following file is created:

%WINDIR%\debug\dcpromo.log

 Registry The following registry keys are added in order to load the services after reboot:

– HKLM\system\currentcontrolset\services\ssl
   • "Type"=dword:00000110
   • "Start"=dword:00000002
   • "ErrorControl"=dword:00000000
   • "DisplayName"="Microsoft SSL"
   • "ObjectName"="LocalSystem"
   • "Description"="Provides communication security between clients and servers over TCP. If this service is stopped, TCP security between clients and servers on the network will be impaired. If this service is disabled, any services that explicitly depend on it will fail to"

– HKLM\system\currentcontrolset\services\ssl\Enum
   • "0"="Root\\LEGACY_SSL\\0000"
   • "Count"=dword:00000001
   • "NextInstance"=dword:00000001

– HKLM\system\currentcontrolset\enum\root\legacy_ssl
   • "NextInstance"=dword:00000001

– HKLM\system\currentcontrolset\enum\root\legacy_ssl\0000
   • "Service"="ssl"
   • "Legacy"=dword:00000001
   • "ConfigFlags"=dword:00000000
   • "Class"="LegacyDriver"
   • "ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
   • "DeviceDesc"="Microsoft SSL"

– HKLM\system\currentcontrolset\enum\root\legacy_ssl\0000\Control
   • "*NewlyCreated*"=dword:00000000
   • "ActiveService"="ssl"

– HKLM\system\currentcontrolset\services\ssl
   • "ImagePath"= %WINDIR%\ssl.exe

– HKLM\system\currentcontrolset\services\ssl
   • "FailureActions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,74,00,20,\
      00,01,00,00,00,00,00,00,00

– HKLM\system\currentcontrolset\services\ssl\Security
   • "Security"=%WINDIR%\ssl.exe



The following registry keys are changed:

– HKLM\system\controlset001\control\servicecurrent
   Old value:
   • @=dword:%user defined settings%
   New value:
   • @=dword:0000000e

– HKLM\software\microsoft\ole
   Old value:
   • "EnableDCOM"="%user defined settings%"
   New value:
   • "EnableDCOM"="n"

– HKLM\system\currentcontrolset\control\lsa
   Old value:
   • "restrictanonymous"=dword:%user defined settings%
   New value:
   • "restrictanonymous"=dword:00000001

 Network Infection In order to ensure its propagation the malware attemps to connect to other machines as described below.


Exploit:
It makes use of the following Exploit:
– MS04-011 (LSASS Vulnerability)


IP address generation:
It creates random IP addresses and tries to establish a connection with them.

 IRC To deliver system information and to provide remote control it connects to the following IRC Server:

Server: **********.wallloan.com
Port: 18067
Channel: #p5
Nickname: p5-<%random character string%>
Password: wolnqjnr


– Furthermore it has the ability to perform actions such as:
    • Download file
    • Execute file
    • Perform DDoS attack
    • Perform network scan
    • Updates itself

Description inserted by Sergiu Oprea on Friday, August 26, 2005
Description updated by Sergiu Oprea on Tuesday, August 30, 2005

Back . . . .