Virus: Worm/IRCBot.GT
Date discovered: 20/09/2005
Type: Worm
In the wild: No
Reported Infections: Low
Distribution Potential: Medium
Damage Potential: Medium
Static file: Yes
File size: 174.080 Bytes
MD5 checksum: 0AC7EE395802E4B3D25D6755E7F2C9D2
VDF version: 6.32.0.17
General
Method of propagation:
• Local network

Alias:
• Kaspersky: Backdoor.Win32.IRCBot.gt

Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Registry modification
• Makes use of software vulnerability
• Third party control

Files
It copies itself to the following location:
• %SYSDIR%\sys32.pif

It deletes the initially executed copy of itself.

Registry
The following registry keys are added in order to run the processes after reboot:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  • "Windows System Security"="sys32.pif"
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
  • "Windows System Security"="sys32.pif"
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
  • "Windows System Security"="sys32.pif"
– [HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices]
  • "Windows System Security"="sys32.pif"

The following registry keys are added:
– [HKLM\SOFTWARE\Microsoft\Ole]
  • "Windows System Security"="sys32.pif"
– [HKLM\SYSTEM\CurrentControlSet\Control\Lsa]
  • "Windows System Security"="sys32.pif"
– [HKCU\Software\Microsoft\OLE]
  • "Windows System Security"="sys32.pif"
– [HKCU\SYSTEM\CurrentControlSet\Control\Lsa]
  • "Windows System Security"="sys32.pif"
– [HKCR\.key]
  • @="regfile"

Network Infection
In order to ensure its propagation the malware attempts to connect to other machines as described below.

It drops copies of itself to the following network shares:
• D:\
• C:\
• ADMIN$
• IPC$

Exploit:
It makes use of the following exploits:
– MS03-026 (Buffer Overrun in RPC Interface)
– MS03-049 (Buffer Overrun in the Workstation Service)
– MS04-007 (ASN.1 Vulnerability)
– MS05-039 (Vulnerability in Plug and Play)

IP address generation:
It creates random IP addresses while it keeps the first octet from its own address. Afterwards it tries to establish a connection with the created addresses.
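The persistence artifacts listed above (the dropped file, the autorun values, the extra registry values under Ole and Lsa, and the HKCR\.key change) are what an administrator would look for when triaging a suspect host. The following read-only PowerShell script is an added example, not part of the original Avira description; it checks only the locations and values the description names and assumes %SYSDIR% resolves to the System32 directory under the current Windows installation. The mutex name "sizxlss" checked at the end is taken from the Miscellaneous section of the same description.

```powershell
# Added triage script (not from the Avira description): looks for the
# Worm/IRCBot.GT artifacts named in the description. Read-only; prints findings.
$findings = @()

# Dropped copy: %SYSDIR%\sys32.pif (assumed to resolve to System32)
$dropped = Join-Path $env:SystemRoot 'System32\sys32.pif'
if (Test-Path -LiteralPath $dropped) {
    $findings += "File present: $dropped"
}

# Every key where the worm writes "Windows System Security"="sys32.pif"
$valueName = 'Windows System Security'
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\SOFTWARE\Microsoft\Ole',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa',
    'HKCU:\Software\Microsoft\OLE',
    'HKCU:\SYSTEM\CurrentControlSet\Control\Lsa'
)
foreach ($key in $keys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    # Missing values produce a non-terminating error; suppress it and test for $null
    $item = Get-ItemProperty -LiteralPath $key -Name $valueName -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        $findings += "Registry: $key\$valueName = $($item.$valueName)"
    }
}

# HKCR\.key default value set to "regfile"
$dotKey = 'Registry::HKEY_CLASSES_ROOT\.key'
if (Test-Path -LiteralPath $dotKey) {
    $default = (Get-ItemProperty -LiteralPath $dotKey).'(default)'
    if ($default -eq 'regfile') {
        $findings += 'Registry: HKCR\.key default value = regfile'
    }
}

# Mutex "sizxlss": OpenExisting succeeds only if a running process holds it
try {
    $m = [System.Threading.Mutex]::OpenExisting('sizxlss')
    $m.Dispose()
    $findings += 'Mutex present: sizxlss'
} catch {
    # WaitHandleCannotBeOpenedException: mutex not present; other errors are also non-findings
}

if ($findings.Count -eq 0) {
    'No Worm/IRCBot.GT artifacts found.'
} else {
    $findings
}
```

Run it from an elevated prompt so the HKLM and Lsa keys are readable; a hit on any of the Run or RunServices values is the strongest indicator, since those are the entries that relaunch sys32.pif after reboot.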
Infection process:
Creates an FTP script on the compromised machine in order to download the malware to the remote location.

Slow down:
– It creates multiple infection threads.
– Depending on your bandwidth there might be a slight fall in your network speed. As the network activity for this malware is low you might not notice it at all.
– Due to the multiple network threads created, an infected computer turns into a slow and barely usable machine.

IRC
To deliver system information and to provide remote control it connects to the following IRC servers:

Server: win32.**********.updates32.biz
Port: 65528
Server password: gringle
Channel: #wtfz#
Nickname: %random character string%
Password: shabby123

Server: win32.**********.security32.biz
Port: 4654
Server password: gringle
Channel: #wtfz#
Nickname: %random character string%
Password: shabby123

Server: win32.**********.security32.biz
Port: 4564
Server password: gringle
Channel: #wtfz#
Nickname: %random character string%
Password: shabby123

Server: win32.**********.updates32.biz
Port: 65529
Server password: gringle
Channel: #wtfz#
Nickname: %random character string%
Password: shabby123

– This malware has the ability to collect and send information such as:
  • CPU speed
  • Current user
  • Free disk space
  • Free memory
  • Malware uptime
  • Information about the network
  • Information about running processes
  • Size of memory
  • System directory
  • Username
  • Windows directory

– Furthermore it has the ability to perform actions such as:
  • Connect to IRC server
  • Launch DDoS ICMP flood
  • Launch DDoS SYN flood
  • Launch DDoS TCP flood
  • Launch DDoS UDP flood
  • Disable DCOM
  • Disable network shares
  • Download file
  • Edit registry
  • Enable DCOM
  • Enable network shares
  • Execute file
  • Join IRC channel
  • Kill process
  • Leave IRC channel
  • Open remote shell
  • Perform DDoS attack
  • Perform network scan
  • Start keylog
  • Terminate process
  • Update itself
  • Upload file

Miscellaneous
Mutex:
It creates the following Mutex:
• sizxlss

File
details
Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
In order to hinder detection and reduce the size of the file it is packed with the following runtime packer:
• ASProtect 1.2x
Description inserted by Andrei Gherman on Tuesday, September 20, 2005
Description updated by Andrei Gherman on Thursday, September 22, 2005