Virus: BDS/CodBot.AT
Date discovered: 13/10/2005
Type: Backdoor Server
In the wild: No
Reported Infections: Low
Distribution Potential: Medium
Damage Potential: Medium
Static file: Yes
File size: 24.576 Bytes
MD5 checksum: 2e8fbee76c2339e9894b628fb0dc341c
VDF version: 6.32.00.09
General

Method of propagation:
• Local network

Aliases:
• Symantec: W32.Toxbot
• TrendMicro: WORM_CODBOT.AF
• VirusBuster: Worm.Codbot.AJ
• Bitdefender: Backdoor.Codbot.AT

Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows 2000
• Windows XP

Side effects:
• Registry modification
• Steals information
• Third party control

Files

It copies itself to the following location:
• %SYSDIR%\netddesrv.exe

The following file is created:
– %TEMPDIR%\destroy.cmd
  It is executed as soon as it has been fully written. This batch file is used to delete a file.

Registry

The following registry key is added in order to load the service after reboot:
– HKLM\SYSTEM\CurrentControlSet\Services\NetDDEsrv
  • "Type"=dword:00000110
  • "Start"=dword:00000002
  • "ErrorControl"=dword:00000000
  • "ImagePath"="%SYSDIR%\netddesrv.exe"
  • "DisplayName"="NetDDE Server"
  • "ObjectName"="LocalSystem"
  • "FailureActions"=hex:05,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,65,00,72,00,01,00,00,00,01,00,00,00
  • "Description"="Provides network transport and security for Dynamic Data Exchange (DDE) for programs running on the same computer or on different computers."

The following registry key is added (so that the service is also loaded in Safe Mode with Networking):
– HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetDDEsrv
  • @="Service"

Network Infection

In order to ensure its propagation the malware attempts to connect to other machines as described below.
Exploit:
It makes use of the following exploits:
– MS02-061 (Elevation of Privilege in SQL Server Web)
– MS03-026 (Buffer Overrun in RPC Interface)
– MS04-007 (ASN.1 Vulnerability)
– MS04-011 (LSASS Vulnerability)

IRC

To deliver system information and to provide remote control it connects to the following IRC servers (each server is contacted on port 6556 and on port 1023; the channel is always #26# and the password is always g3t0u7):
– Server: 0x80.**********.org
  Ports: 6556, 1023
  Channel: #26#
  Nickname: %eight-digit random character string%
  Password: g3t0u7
– Server: 0x80.my**********.com
  Ports: 6556, 1023
  Channel: #26#
  Nickname: %eight-digit random character string%
  Password: g3t0u7
– Server: 0x80.my-**********.name
  Ports: 6556, 1023
  Channel: #26#
  Nickname: %eight-digit random character string%
  Password: g3t0u7
– Server: 0xff.me**********.info
  Ports: 6556, 1023
  Channel: #26#
  Nickname: %eight-digit random character string%
  Password: g3t0u7
– Server: 0x80.going**********.com
  Ports: 6556, 1023
  Channel: #26#
  Nickname: %six-digit random character string%
  Password: g3t0u7
– Server: 0x80.mar**********.com
  Ports: 6556, 1023
  Channel: #26#
  Nickname: %six-digit random character string%
  Password: g3t0u7

– This malware has the ability to collect and send information such as:
  • CPU speed
  • Free memory
  • Malware uptime
  • Size of memory
  • Information about the Windows operating system

– Furthermore it has the ability to perform actions such as:
  • Execute file
  • Perform network scan
  • Register a service
  • Start keylog
  • Terminate process

Backdoor

The following ports are opened:
– %SYSDIR%\netddesrv.exe on a random TCP port in order to provide an FTP server.
– %SYSDIR%\netddesrv.exe on UDP port 69 in order to provide a TFTP server.
– %SYSDIR%\netddesrv.exe on a random TCP port

Remote control capabilities:
• Download file

Stealing

– It uses a network sniffer that checks for the following strings:
  • bank
  • ebay
  • e-bay
  • egold
  • e-gold
  • login
  • paypal

Miscellaneous

Mutex:
It creates the following mutex:
• xNeTDDEsrVx

String:
Furthermore it contains the following string:
• god hates us all

File details

Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
In order to hinder detection and reduce the size of the file it is packed with the following runtime packers:
• PecBundle
• PECompact
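The Files, Registry, Backdoor and Miscellaneous sections above give a defender everything needed for a host triage check. The PowerShell script below is an added example written for this page; it is not part of the Avira description and not the malware's code. Every indicator value it tests (the netddesrv.exe path and its MD5 and size, the NetDDEsrv service key and its values, the SafeBoot\Network key, the xNeTDDEsrVx mutex, the UDP 69 listener) is taken from the description; the -SysDir parameter, the output format and the variant-heuristic wording are this script's own assumptions.

```powershell
# Added host-triage check for the BDS/CodBot.AT indicators listed in the description.
# Indicator values come from the description; the parameter and output format are assumed.
[CmdletBinding()]
param(
    # Assumed: the system directory of the host being checked (%SYSDIR% in the description)
    [string]$SysDir = (Join-Path $env:SystemRoot 'system32')
)

$findings = @()

# 1. Dropped binary: the description gives the MD5 and the file size of this sample.
$imagePath = Join-Path $SysDir 'netddesrv.exe'
if (Test-Path $imagePath) {
    $findings += "File present: $imagePath"
    $size = (Get-Item $imagePath).Length
    $md5  = (Get-FileHash -Path $imagePath -Algorithm MD5).Hash.ToLower()
    if ($md5 -eq '2e8fbee76c2339e9894b628fb0dc341c') {
        $findings += "MD5 matches the BDS/CodBot.AT sample"
    } elseif ($size -eq 24576) {
        $findings += "Size matches (24576 bytes) but MD5 differs ($md5): possible repacked variant"
    } else {
        $findings += "Hash and size differ ($md5, $size bytes): suspicious by file name only"
    }
}

# 2. Service registration used for persistence across reboots.
#    Type 0x110 = SERVICE_WIN32_OWN_PROCESS (0x10) | SERVICE_INTERACTIVE_PROCESS (0x100),
#    Start 2 = SERVICE_AUTO_START.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetDDEsrv'
if (Test-Path $svcKey) {
    $svc = Get-ItemProperty -Path $svcKey
    $findings += "Service key present: $svcKey"
    if ($svc.ImagePath -match 'netddesrv\.exe') { $findings += "ImagePath points at netddesrv.exe: $($svc.ImagePath)" }
    if ($svc.DisplayName -eq 'NetDDE Server')   { $findings += "DisplayName 'NetDDE Server' (mimics the Network DDE service)" }
    if ($svc.Type -eq 0x110)                    { $findings += "Type=0x110 (own process, interactive)" }
    if ($svc.Start -eq 2)                       { $findings += "Start=2 (automatic start at boot)" }
    if ($svc.ObjectName -eq 'LocalSystem')      { $findings += "Runs as LocalSystem" }
}

# 3. SafeBoot\Network entry: keeps the service loaded in Safe Mode with Networking.
$safeBoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetDDEsrv'
if (Test-Path $safeBoot) { $findings += "SafeBoot\Network entry present: $safeBoot" }

# 4. Running-instance check through the mutex the backdoor creates.
try {
    $m = [System.Threading.Mutex]::OpenExisting('xNeTDDEsrVx')
    $m.Dispose()
    $findings += "Mutex xNeTDDEsrVx exists: the backdoor is currently running"
} catch [System.Threading.WaitHandleCannotBeOpenedException] {
    # Mutex absent: no process currently holds that name.
} catch [System.UnauthorizedAccessException] {
    $findings += "Mutex xNeTDDEsrVx exists but is not accessible: the backdoor is likely running"
}

# 5. Listener on UDP 69, the TFTP server the backdoor exposes.
$udp69 = Get-NetUDPEndpoint -LocalPort 69 -ErrorAction SilentlyContinue
if ($udp69) {
    $findings += "UDP port 69 is bound by PID $($udp69.OwningProcess -join ','): verify the owning process"
}

if ($findings.Count -eq 0) {
    Write-Output "No BDS/CodBot.AT indicators found on this host."
} else {
    Write-Output "BDS/CodBot.AT indicators found:"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

The hash check identifies only this exact sample; the service key, the SafeBoot entry and the mutex are the sturdier indicators, since a repacked variant keeps its persistence mechanism even when the file hash changes. The same values can be used as-is in an EDR or registry-audit query if the host cannot run PowerShell.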
Description inserted by Irina Boldea on Thursday, October 13, 2005
Description updated by Irina Boldea on Friday, October 14, 2005