Virus:Worm/IRCBot.FV
Date discovered:05/09/2005
Type:Worm
In the wild:No
Reported Infections:Low
Distribution Potential:Medium
Damage Potential:Medium
Static file:Yes
File size:197.632 Bytes
MD5 checksum:33c887fbcd45fe82a0c8acf6a619b9a1
VDF version:6.31.1.212

 General Method of propagation:
   • Local network


Aliases:
   •  Symantec: W32.Spybot.Worm
   •  Kaspersky: Backdoor.Win32.IRCBot.fv
   •  TrendMicro: WORM_SDBOT.CDS
   •  VirusBuster: Worm.IRCBot.DW


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads files
   • Records keystrokes
   • Registry modification
   • Makes use of software vulnerability
   • Steals information
   • Third party control

 Files It drops copies of itself using a filename from lists
– To: %SYSDIR%\ Using one of the following names:
   • isass.exe
   • iexplore.exe
   • spoolsvc.exe
   • firewall.exe
   • winIogon.exe
   • csrs.exe




It deletes the initially executed copy of itself.

 Registry One of the following values is added in order to run the process after reboot:

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Local Security Authority Service"="%SYSDIR%\Isass.exe"
   • "Microsoft Internet Explorer"="%SYSDIR%\iexplore.exe"
   • "Spooler SubSystem App"="%SYSDIR%\spoolsvc.exe"
   • "Windows Network Firewall"="%SYSDIR%\firewall.exe"
   • "Windows Logon Application"="%SYSDIR%\winIogon.exe"
   • "Client Server Runtime Process"="%SYSDIR%\csrs.exe"
   • "Winamp Agent"="%SYSDIR%\winamp.exe"

 Network Infection In order to ensure its propagation the malware attemps to connect to other machines as described below.

It drops copies of itself to the following network shares:
   • print$
   • C$\Documents and Settings\All Users\Documents\$
   • c$\windows\system32
   • c$\shared
   • c$\winnt\system32
   • admin$
   • Admin$\system32
   • c$\windows
   • c$\winnt
   • e$\shared
   • d$\shared


It uses the following login information in order to gain access to the remote machine:

– The following list of usernames:
   • staff; teacher; owner; student; intranet; lan; main; office; control;
      siemens; compaq; dell; cisco; ibm; oracle; sql; data; access;
      database; domain; god; backup; technical; mary; katie; kate; george;
      eric; none; guest; chris; ian; neil; lee; brian; susan; sue; sam;
      luke; peter; john; mike; bill; fred; joe; jen; bob; wwwadmin; oemuser;
      user; homeuser; home; internet; www; web; root; server; linux; unix;
      computer; adm; admin; admins; administrat; administrateur;
      administrador; administrator

– The following list of passwords:
   • winpass; blank; nokia; orainstall; sqlpassoainstall; db1234; db2; db1;
      databasepassword; databasepass; dbpassword; dbpass; domainpassword;
      domainpass; hello; hell; love; money; slut; bitch; fuck; exchange;
      loginpass; login; qwe; zxc; asd; qaz; win2000; winnt; winxp; win2k;
      win98; windows; oeminstall; oem; accounting; accounts; letmein; sex;
      outlook; mail; qwerty; temp123; temp; null; default; changeme; demo;
      test; 2005; 2004; 2001; secret; payday; deadline; work; 1234567890;
      123456789; 12345678; 1234567; 123456; 12345; 1234; 123; 007; pwd;
      pass; pass1234; dba; passwd; password; password1; abc



Exploit:
It makes use of the following Exploit:
– MS04-011 (LSASS Vulnerability)


IP address generation:
It creates random IP addresses while it keeps the first two octets from its own address. Afterwards it tries to establish a connection with the created addresses.

 IRC To deliver system information and to provide remote control it connects to the following IRC Servers:

Server: b.**********loan.com
Port: 8080
Channel: #b
Nickname: %eight-digit random character string%

Server: b.**********loan.com
Port: 8080
Channel: #b
Nickname: %eight-digit random character string%



– This malware has the ability to collect and send information such as:
    • Cached passwords
    • CPU speed
    • Free disk space
    • Free memory
    • Malware uptime
    • Platform ID
    • Size of memory


– Furthermore it has the ability to perform actions such as:
    • Launch DDoS SYN flood
    • Launch DDoS TCP flood
    • Download file
    • Execute file
    • Join IRC channel
    • Kill process
    • Leave IRC channel
    • Open remote shell
    • Perform DDoS attack
    • Perform network scan
    • Send emails
    • Start spreading routine
    • Upload file
    • Visit a website

 Stealing It tries to steal the following information:

– The following CD keys:
   • World Of Warcraft
   • Unreal3
   • Conquer Online

– Passwords from the following programs:
   • FlashFXP
   • MSN Messenger
   • Hotmail
   • Outlook
   • Outlook Express

– A logging routine is started after the following website is visited, which contains one of the following substrings in the URL:
   • paypal
   • paypal.com

– It captures:
    • Keystrokes
    • Login information

 Miscellaneous Time synchronisation:
In order to synchronize the local time it contacts NTP server on port 123:
   • pool.ntp.org


String:
Furthermore it contains the following strings:
   • rxbot_paradise
   • rxbot was here
   • rxbot

Description inserted by Razvan Olteanu on Tuesday, September 6, 2005
Description updated by Razvan Olteanu on Thursday, September 8, 2005

Back . . . .