Virus: Worm/Breplibo.11246
Date discovered: 18/11/2005
Type: Worm
In the wild: Yes
Reported Infections: Low
Distribution Potential: Medium
Damage Potential: Medium
Static file: Yes
File size: 11.264 Bytes
MD5 checksum: 5edd65849de66caa1fd1eba364549c3c
VDF version: 6.32.00.192

General Aliases:
   •  Symantec: Backdoor.Naninf.B
   •  Mcafee: W32/Brepibot
   •  Kaspersky: Backdoor.Win32.Breplibot.h
   •  TrendMicro: WORM_SDBOT.CQV
   •  Sophos: Troj/Bdoor-ML
   •  Bitdefender: Backdoor.Breplibot.A


Platforms / OS:
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Disable security applications
   • Lowers security settings
   • Registry modification
   • Third party control

Files:
It copies itself to the following location:
   • %SYSDIR%\ssrms.exe

It deletes the initially executed copy of itself.

It deletes the following file:
   • %TEMP%\%three-digit random character string%.bat

The following file is created:
   • %TEMP%\%three-digit random character string%.bat
     It is executed as soon as it has been fully written. This batch file is used to delete a file.

Registry:
The following registry key is added:

– [HKCU\Kw~loyj}DUq{jwkw~lDOqv|wokD[mjj}vlN}jkqwvDJmv]
   • "ProtocolDiskChk"="ssrms.exe"
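The registry key above is reproduced in the form in which it is stored inside the sample rather than as a readable path. Each byte is XOR-ed with the single byte 0x18; undoing that yields the well-known per-user autostart key. The script below is an added example, not part of the original description: it searches all 256 one-byte keys for the one that turns the string into a plausible registry path. The input string is copied from the description; the key value 0x18, the helper names and the plausibility heuristic are this example's own.

```python
# Added example: recovering a single-byte-XOR obfuscated registry path.
# OBFUSCATED_RUN_KEY is the key string exactly as printed in the description;
# the XOR key (0x18) is found by the search below, it is not stated on the page.
import string
from typing import List, Tuple

OBFUSCATED_RUN_KEY = r"Kw~loyj}DUq{jwkw~lDOqv|wokD[mjj}vlN}jkqwvDJmv"

# Characters a decoded registry path is allowed to contain (heuristic).
PATH_CHARS = set(string.ascii_letters + string.digits + "\\")


def xor_decode(data: bytes, key: int) -> str:
    """XOR every byte with the same one-byte key and return it as text."""
    return bytes(b ^ key for b in data).decode("latin-1")


def plausible_registry_path(text: str) -> bool:
    """A candidate must consist only of path characters and contain a backslash."""
    return "\\" in text and all(c in PATH_CHARS for c in text)


def candidate_keys(obfuscated: str) -> List[Tuple[int, str]]:
    """Try all 256 one-byte keys and keep those that yield a plausible path."""
    data = obfuscated.encode("latin-1")
    return [(k, xor_decode(data, k)) for k in range(256)
            if plausible_registry_path(xor_decode(data, k))]


def recover_xor_key(obfuscated: str) -> Tuple[int, str]:
    """Return the unique (key, plaintext) pair; raise if the result is ambiguous."""
    candidates = candidate_keys(obfuscated)
    if len(candidates) != 1:
        raise ValueError(f"expected exactly one plausible key, got {len(candidates)}")
    return candidates[0]


def autostart_indicator(obfuscated: str, value_name: str, value_data: str) -> str:
    """Combine the decoded key with the value listed above into one readable IOC."""
    _, path = recover_xor_key(obfuscated)
    return f'HKCU\\{path} : "{value_name}"="{value_data}"'


if __name__ == "__main__":
    key, path = recover_xor_key(OBFUSCATED_RUN_KEY)
    print(f"key=0x{key:02x} path={path}")
    print(autostart_indicator(OBFUSCATED_RUN_KEY, "ProtocolDiskChk", "ssrms.exe"))
```

The brute-force search is deliberately generic: the same routine works for any other single-byte-XOR string in a sample, and the plausibility filter rejects every key except the right one here. For detection purposes the readable form matters, because an autostart value named "ProtocolDiskChk" pointing at ssrms.exe under HKCU\Software\Microsoft\Windows\CurrentVersion\Run is what a registry audit will actually see.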

IRC:
To deliver system information and to provide remote control, it connects to the following IRC servers:

Server: b0tz.un**********4k3r-inc.com
Port: 8080
Channel: #monument

Server: cbydon.**********ca-love.jb
Port: 8080
Channel: #monument

Server: dpe4z.fra**********i.lu
Port: 8080
Channel: #monument

Server: fmzu.garden**********.co.uk
Port: 8080
Channel: #monument

Server: jnzuy**********.personallyyours.co.uk
Port: 8080
Channel: #monument

Server: lacr2.**********brothers.ca
Port: 8080
Channel: #monument

Server: mc2s**********n-consultinq.co.uk
Port: 8080
Channel: #monument

Server: mmqk.**********lotto.com
Port: 8080
Channel: #monument

Server: nhub.c**********ers.com
Port: 8080
Channel: #monument

Server: qpb83.te**********.com
Port: 8080
Channel: #monument

Server: vtrn2.**********.com
Port: 8080
Channel: #monument

Server: xmp3.**********.net
Port: 8080
Channel: #monument

Server: luqxai.helock**********.com
Port: 8080
Channel: #monument



– This malware has the ability to collect and send the following information:
    • Malware uptime


– Furthermore it has the ability to perform actions such as:
    • Download file
    • Execute file
    • Start spreading routine
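The server names above are masked, so a defender cannot key detection on them; what the description does give is a stable behavioural profile: IRC traffic to TCP port 8080 (not a conventional IRC port) and a JOIN to the channel #monument. The script below is an added example, not part of the original description: it runs two checks over a constructed sensor log, a high-confidence match on port 8080 plus #monument, and a lower-confidence flag for any IRC command on a non-standard port. The log format, host names, the placeholder "c2-placeholder.invalid", and the set of ports treated as standard are this example's own assumptions.

```python
# Added example: flagging the IRC command-and-control profile described above
# in a constructed network-sensor log. Only port 8080 and channel #monument
# come from the description; everything else here is made up for the example.
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample log: one observed IRC command per line. The destination
# "c2-placeholder.invalid" stands in for the masked server names on the page.
SAMPLE_LOG = """\
2005-11-18 10:01:02 src=10.0.0.5 dst=irc.example.org:6667 irc="JOIN #linux"
2005-11-18 10:02:16 src=10.0.0.7 dst=c2-placeholder.invalid:8080 irc="JOIN #monument"
2005-11-18 10:02:40 src=10.0.0.7 dst=c2-placeholder.invalid:8080 irc="PRIVMSG #monument :uptime report"
2005-11-18 10:03:40 src=10.0.0.9 dst=proxy.example.org:8080 irc=""
2005-11-18 10:04:10 src=10.0.0.11 dst=chat.example.net:3333 irc="JOIN #help"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) src=(?P<src>\S+) dst=(?P<dst>[^:\s]+):(?P<port>\d+) irc="(?P<irc>[^"]*)"$'
)

# Indicators taken from the description.
C2_PORT = 8080
C2_CHANNEL = "#monument"
# Ports where IRC is conventionally expected (assumption for this example).
STANDARD_IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}


@dataclass
class Alert:
    severity: str
    src: str
    dst: str
    port: int
    reason: str


def irc_target(irc_line: str) -> Optional[str]:
    """Return the channel addressed by a JOIN or PRIVMSG command, if any."""
    parts = irc_line.split()
    if len(parts) >= 2 and parts[0].upper() in ("JOIN", "PRIVMSG") and parts[1].startswith("#"):
        return parts[1].lower()
    return None


def classify(src: str, dst: str, port: int, irc: str) -> Optional[Alert]:
    """Apply the two checks in priority order; return at most one alert per line."""
    if not irc:
        return None  # connection carried no IRC command; nothing to judge here
    channel = irc_target(irc)
    if port == C2_PORT and channel == C2_CHANNEL:
        return Alert("high", src, dst, port,
                     f"IRC {irc.split()[0].upper()} to {C2_CHANNEL} on port {C2_PORT} matches the Breplibo C2 profile")
    if port not in STANDARD_IRC_PORTS:
        return Alert("medium", src, dst, port, "IRC command on a non-standard port")
    return None


def analyse(log_text: str) -> List[Alert]:
    """Parse each log line and collect the alerts the checks produce."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the sensor format
        alert = classify(m["src"], m["dst"], int(m["port"]), m["irc"])
        if alert:
            alerts.append(alert)
    return alerts


def infected_hosts(alerts: List[Alert]) -> Set[str]:
    """Hosts with a high-confidence match, i.e. candidates for isolation."""
    return {a.src for a in alerts if a.severity == "high"}


if __name__ == "__main__":
    found = analyse(SAMPLE_LOG)
    for a in found:
        print(f"[{a.severity}] {a.src} -> {a.dst}:{a.port}: {a.reason}")
    print("hosts to isolate:", sorted(infected_hosts(found)))
```

On the constructed log this yields two high alerts for 10.0.0.7 (its JOIN and its PRIVMSG to #monument), a medium alert for the IRC session on port 3333, and nothing for the plain proxy connection on 8080, which shows why the port alone is not a usable indicator.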

Process termination:
List of processes that are terminated:
   • Ad-watch.exe; ccApp.exe; ccEvtMgr.exe; gcasDTServ.exe; gcasServ.exe;
      kpf4gui.exe; kpf4ss.exe; mcshield.exe; mcupdate.exe; mcvsrte.exe;
      mcvsshld.exe; MRT.exe; NAVW32.exe; nmain.exe; SAVSCAN.exe;
      SNDSrvc.exe; SymWSC.exe; TeaTimer.exe


Miscellaneous:
Mutex:
It creates the following mutex:
   • ssrms.exe

File details:
Runtime packer:
In order to hinder detection and reduce the file size, it is packed with the following runtime packer:
   • UPX

Description inserted by Iulia Diaconescu on Friday, November 18, 2005
Description updated by Iulia Diaconescu on Friday, November 18, 2005
