Virus: Worm/Aimbot.158720
Date discovered: 08/09/2005
Type: Worm
In the wild: No
Reported Infections: Low
Distribution Potential: Medium
Damage Potential: Medium
Static file: Yes
File size: 158.720 Bytes
MD5 checksum: 82B7C1BCD80C7B8D07DF6B1D005EBEB1
VDF version: 6.31.01.134

General
Method of propagation:
   • Local network


Aliases:
   •  Mcafee: W32/Spybot.worm.gen.o
   •  Kaspersky: Trojan.Win32.Pakes
   •  TrendMicro: WORM_AGOBOT.AVX
   •  Bitdefender: Trojan.Pakes.Y


Platforms / OS:
   • Windows NT
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Makes use of software vulnerability
   • Steals information

Files
It copies itself to the following location:
   • %SYSDIR%\Internet.exe



It deletes the initially executed copy of itself.

Registry
The following registry keys are added in order to run the processes after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Micrcoft Updat"="Internet.exe"



The following registry key is added:

– [HKCU\Software\Microsoft\OLE]
   • "Micrcoft Updat"="Internet.exe"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
   • "Micrcoft Updat"="Internet.exe"

Network Infection
In order to ensure its propagation the malware attempts to connect to other machines as described below.

It drops copies of itself to the following network shares:
   • IPC$
   • ADMIN$
   • C$


Exploit:
It makes use of the following Exploits:
– MS03-026 (Buffer Overrun in RPC Interface)
– MS04-011 (LSASS Vulnerability)


IP address generation:
It creates random IP addresses while it keeps the first octet from its own address. Afterwards it tries to establish a connection with the created addresses.


Infection process:
It creates a TFTP script on the compromised machine in order to download the malware to the remote location.


Slow down:
– It creates the following number of infection threads: 300
– Depending on your bandwidth there might be a slight fall in your network speed. As the network activity for this malware is low you might not notice it at all.
– You might also note a slight slow down due to the multiple network threads created.
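The propagation pattern described above (random target addresses that keep the infected host's first octet, hit over the ports of the two exploits, from many parallel threads) leaves a distinctive fan-out in connection logs. The following detector is an added example, not part of the Avira description; the log format, the host addresses and the port mapping for MS03-026 (TCP 135) and MS04-011 (TCP 445/139) are my assumptions, and the log lines are constructed.

```python
import random
from collections import defaultdict

# Assumed port mapping for the two exploits the worm carries:
# MS03-026 is RPC/DCOM on TCP 135, MS04-011 is LSASS over SMB on TCP 445/139.
EXPLOIT_PORTS = {135, 139, 445}

def _constructed_log(seed=7):
    """Constructed connection log, one 'src dst dport action' record per line.
    10.1.2.3 plays the infected host: it sprays random addresses that share
    its first octet. 10.1.2.50 plays a clean host that talks repeatedly to
    three file servers on its own /24."""
    rng = random.Random(seed)
    lines = []
    for _ in range(60):
        dst = "10.%d.%d.%d" % (rng.randrange(256), rng.randrange(256), rng.randrange(1, 255))
        lines.append("10.1.2.3 %s %d DENY" % (dst, rng.choice((135, 445))))
    for i in range(60):
        lines.append("10.1.2.50 10.1.2.%d 445 ALLOW" % (10 + i % 3))
    return lines

SAMPLE_LOG = _constructed_log()

def parse_line(line):
    """Split one log record into (src, dst, dport, action)."""
    src, dst, port, action = line.split()
    return src, dst, int(port), action

def find_scanners(lines, min_targets=20, min_second_octets=5):
    """Return {src: stats} for sources whose RPC/SMB attempts look like the
    worm's scan: many distinct targets in the source's own /8, spread across
    many different second octets (i.e. random, not a local subnet)."""
    targets = defaultdict(set)
    for line in lines:
        src, dst, port, _ = parse_line(line)
        if port in EXPLOIT_PORTS:
            targets[src].add(dst)
    flagged = {}
    for src, dsts in targets.items():
        first = src.split(".")[0]
        same_a = [d for d in dsts if d.split(".")[0] == first]
        second_octets = {d.split(".")[1] for d in same_a}
        if len(same_a) >= min_targets and len(second_octets) >= min_second_octets:
            flagged[src] = {"targets": len(dsts),
                            "same_first_octet": len(same_a),
                            "second_octets": len(second_octets)}
    return flagged
```

The thresholds are deliberately loose; a host that legitimately reaches twenty or more servers across five second octets on TCP 135/445 is rare enough that it deserves a look anyway.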

IRC
To deliver system information and to provide remote control it connects to the following IRC Server:

Server: fuckrx.**********end.net
Port: 2001
Channel: #MoTjWeL# moting
Nickname: [%random character string%]|%five-digit random character string%



– This malware has the ability to collect and send information such as:
    • Capture screen
    • Capture shot from webcam
    • CPU speed
    • Current user
    • Free disk space
    • Free memory
    • Size of memory
    • System directory
    • Username
    • Windows directory


– Furthermore it has the ability to perform actions such as:
    • connect to IRC server
    • Launch DDoS ICMP flood
    • Launch DDoS SYN flood
    • Launch DDoS TCP flood
    • Launch DDoS UDP flood
    • Join IRC channel
    • Leave IRC channel
    • Perform network scan

Backdoor
The following ports are opened:

%SYSDIR%\Internet.exe on a random TCP port in order to provide an FTP server.
%SYSDIR%\Internet.exe on UDP port 69 in order to provide a TFTP server.

Stealing
It tries to steal the following information:
– Windows Product ID

– The following CD keys:
   • Neverwinter Nights (Hordes of the Underdark); Neverwinter Nights
      (Shadows of Undrentide); Neverwinter Nights"; Soldier of Fortune II -
      Double Helix; Hidden & Dangerous 2; Chrome; NOX; Command and Conquer:
      Red Alert 2; Command and Conquer: Tiberian Sun; Rainbow Six III
      RavenShield; Nascar Racing 2003; Nascar Racing 2002; NHL 2003; NHL
      2002; FIFA 2003; FIFA 2002; Shogun: Total War: Warlord Edition; Need
      For Speed: Underground; Need For Speed Hot Pursuit 2; Medal of Honor:
      Allied Assault: Spearhead; Medal of Honor: Allied Assault:
      Breakthrough; Medal of Honor: Allied Assault; Command and Conquer:
      Generals; James Bond 007: Nightfire; Command and Conquer: Generals
      (Zero Hour); Black and White; Battlefield Vietnam; Battlefield 1942
      (Secret Weapons of WWII); Battlefield 1942 (Road To Rome); Battlefield
      1942; Freedom Force; IGI 2: Covert Strike; Unreal Tournament 2004;
      Unreal Tournament 2003; Soldiers Of Anarchy; Legends of Might and
      Magic; Industry Giant 2; Half-Life; Gunman Chronicles; The Gladiators;
      Counter-Strike (Retail)

– It uses a network sniffer that checks for the following strings:
   • : auth; : login; :!auth; :!hashin; :!login; :!secure; :!syn; :$auth;
      :$hashin; :$login; :$syn; :%auth; :%hashin; :%login; :%syn; :&auth;
      :&login; : auth; : login; :,auth; :,login; :.auth; :.hashin; :.login;
      :.secure; :.syn; :/auth; :/login; :?auth; :?login; :@auth; :@login;
      :\auth; :\login; :~auth; :~login; :+auth; :+login; :=auth; :=login;
      :'auth; :-auth; :'login; :-login; paypal; PAYPAL; paypal.com;
      PAYPAL.COM

Miscellaneous
Mutex:
It creates the following Mutex:
   • [MoTjWeL]

Description inserted by Dragos Tomescu on Thursday, September 8, 2005
Description updated by Oliver Auerbach on Thursday, April 13, 2006
