Virus:Worm/IRCBot.68708
Date discovered:06/12/2005
Type:Worm
In the wild:No
Reported Infections:Low
Distribution Potential:Medium
Damage Potential:Medium
Static file:Yes
File size:68.708 Bytes
MD5 checksum:cc24c96767cdc5dc77c4b5ae363f2b56
VDF version:6.32.01.11

 General Method of propagation:
   • Peer to Peer


Aliases:
   •  TrendMicro: WORM_RBOT.DGR
   •  VirusBuster: virus Worm.SdBot.BPX


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Blocks access to security websites
   • Disable security applications
   • Drops a malicious file
   • Lowers security settings
   • Records keystrokes
   • Registry modification
   • Makes use of software vulnerability
   • Steals information
   • Third party control

 Files It copies itself to the following location:
   • %SYSDIR%\taskdrv32.exe



The following files are created:

%system drive root%\owned.txt This is a non malicious text file with the following content:
   • SD Bot pwned u!

%system drive root%\lsass.exe Furthermore it gets executed after it was fully created. Further investigation pointed out that this file is malware, too. Detected as: TR/PSW.Agent.UT

 Registry It creates the following entry in order to bypass the Windows XP firewall:

– [HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\
   FIREWALLPOLICY\standardprofile\authorizedapplications\List]
   • "%SYSDIR%\taskdrv32.exe"="%SYSDIR%\taskdrv32.exe:*:Enabled:Windows
      Taskbar Driver (32-bits)"



The following registry keys are changed:

– [HKCR\exefile\shell\open\command]
   Old value:
   • @=%user defined settings%
   New value:
   • @="taskdrv32.exe \"%1\" %*"

Deactivate Windows Firewall:
– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess]
   Old value:
   • "Start"=%user defined settings%
   New value:
   • "Start"=dword:00000004

– [HKLM\SYSTEM\CurrentControlSet\Control\Lsa]
   Old value:
   • "restrictanonymous"=%user defined settings%
   New value:
   • "restrictanonymous"=dword:00000001

– [HKLM\SOFTWARE\Microsoft\Ole]
   Old value:
   • "EnableDCOM"=%user defined settings%
   New value:
   • "EnableDCOM"="Y"

 P2P In order to infect other systems in the Peer to Peer network community the following action is performed:  


It searches for the following directories:
   • %system drive root%\My Downloads
   • %system drive root%\My Shared Folder
   • %PROGRAM FILES%\eDonkey2000\incoming
   • %PROGRAM FILES%\LimeWire\Shared

   It retrieves shared folders by querying the following registry keys:
   • HKCU\SOFTWARE\KAZAA\LocalContent
   • HKCU\SOFTWARE\KAZAA\LocalContent\DonwloadDir
   • HKLM\SOFTWARE\Morpheus
   • HKLM\SOFTWARE\iMesh\Client
   • HKLM\SOFTWARE\iMesh\Client\DownloadsLocation

   If successful, the following files are created:
   • ZoneAlarm crack (keygen).exe; Yahoo_mail_cracker.exe;
      yahoo_hacker.exe; yahoo_cracker.exe; UniVersal GSM unlocker for
      removing simlock (NOKIA,ERICSSON,SONY,SAMSUNG,OTHERS).exe; psx2 -
      playstation 2 emulator.exe; porn_account_hacker.exe; toon boom.exe;
      porn_account_cracker.exe; porn.exe; Norton antivirus crack.exe; Norton
      AntiVirus 2006 crack.exe; Norton AntiVirus 2005 crack.exe; norton anti
      virus FULL NEWEST VERSION.exe; Microsoft Office Professional Universal
      Crack without serial.exe; Microsoft Office Universal Activator
      v1.0.exe; Microsoft Office Professional Serial.exe; Microsoft Office
      Professional Crack.exe; Microsoft Office Activation Crack.exe; IP
      Changer.exe; Hotmailhacker v1.0.exe; hotmail_account_sniffer.exe;
      Hotmail hacker.exe; Hotmail account hacker in 30 minutes.exe; Google
      hack tutorial for beginners.exe; flash 8.exe; Free SMS Bomber.exe;
      Fifa 2007 FULL with crack.exe; Fifa 2006 FULL with crack.exe; credit
      card generator.exe; Counter strike - cs full version.exe; Counter
      strike keygen WORKING FOR ONLINE STEAM.exe; BEST HACK TOOL FOR REAL
      HACKERS KEYLOGGER WEBCAM SPY! - PRIVATE.exe; Autocad 2006 Crack.exe;
      Autocad 2005 Crack.exe; Autocad 2004 Crack.exe; Autocad 2002
      Crack.exe; Adobe Photoshop CS 2.exe; Adobe InDesign CS 2.exe; Adobe
      keygen for photoshop indesign incopy SERIAL crack.exe; 2pac - tupac
      full album battle before his dead.exe; 2 Find MP3 8.2.0.exe

   These files are copies of the malware itself.

 Network Infection It uses the following login information in order to gain access to the remote machine:

– A list of usernames and passwords:
   • 000000; 007; 123; 1234; 12345; 123456; 1234567; 12345678; 123456789;
      1234567890; 2000; 2001; 2002; 2003; 2004; access; accounting;
      accounts; adm; admin; administrador; administrat; administrateur;
      administrator; admins; asd; backup; bill; bitch; blank; bob; brian;
      changeme; chris; cisco; compaq; control; data; database; databasepass;
      databasepassword; db1; db1234; db2; dbpass; dbpassword; default; dell;
      demo; domain; domainpass; domainpassword; eric; exchange; fred; fuck;
      george; god; guest; hell; hello; home; homeuser; ian; ibm; internet;
      intranet; jen; joe; john; kate; katie; lan; lee; linux; login;
      loginpass; luke; mail; main; mary; mike; neil; nokia; none; null; oem;
      oeminstall; oemuser; office; oracle; orainstall; outlook; pass;
      pass1234; passwd; password; password1; peter; pwd; qaz; qwe; qwerty;
      root; sam; server; sex; siemens; slut; sql; sqlpassoainstall; staff;
      student; sue; susan; system; teacher; technical; test; unix; user;
      web; win2000; win2k; win98; windows; winnt; winpass; winxp; www; zxc



Exploit:
It makes use of the following Exploits:
– MS02-061 (Elevation of Privilege in SQL Server Web)
– MS04-007 (ASN.1 Vulnerability)


Infection process:
Creates an FTP script on the compromised machine in order to download the malware to the remote location.


Remote execution:
–It attempts to schedule a remote execution of the malware, on the newly infected machine. Therefore it uses the NetScheduleJobAdd function.

 IRC To deliver system information and to provide remote control it connects to the following IRC Server:

Server: unixirc.bl**********.tc
Port: 6666
Channel: #sd-pwnage
Nickname: [F][USA]-%five-digit random character string%
Password: owned



– This malware has the ability to collect and send information such as:
    • CPU speed
    • Current user
    • Free memory
    • Malware uptime
    • Information about the network
    • Platform ID
    • Size of memory
    • Username
    • Information about the Windows operating system


– Furthermore it has the ability to perform actions such as:
    • connect to IRC server
    • Launch DDoS SYN flood
    • Disable DCOM
    • Disable network shares
    • disconnect from IRC server
    • Download file
    • Enable DCOM
    • Enable network shares
    • Execute file
    • Join IRC channel
    • Leave IRC channel
    • Open remote shell
    • Start keylog
    • Start spreading routine
    • Updates itself
    • Visit a website

 Hosts The host file is modified as explained:

– In this case existing entries are deleted.

– Access to the following domains are redirected to other destinations:
   • avp.com; ca.com; customer.symantec.com; dispatch.mcafee.com;
      download.mcafee.com; downloads1.kaspersky-labs.com;
      downloads2.kaspersky-labs.com; downloads3.kaspersky-labs.com;
      downloads4.kaspersky-labs.com; downloads-eu1.kaspersky-labs.com;
      downloads-eu2.kaspersky-labs.com; downloads-eu3.kaspersky-labs.com;
      downloads-eu4.kaspersky-labs.com; downloads-us1.kaspersky-labs.com;
      downloads-us2.kaspersky-labs.com; downloads-us3.kaspersky-labs.com;
      downloads-us4.kaspersky-labs.com; f-secure.com; ftp.avp.com;
      ftp.ca.com; ftp.customer.symantec.com; ftp.dispatch.mcafee.com;
      ftp.download.mcafee.com; ftp.downloads1.kaspersky-labs.com;
      ftp.downloads2.kaspersky-labs.com; ftp.downloads3.kaspersky-labs.com;
      ftp.downloads4.kaspersky-labs.com;
      ftp.downloads-eu1.kaspersky-labs.com;
      ftp.downloads-eu2.kaspersky-labs.com;
      ftp.downloads-eu3.kaspersky-labs.com;
      ftp.downloads-eu4.kaspersky-labs.com;
      ftp.downloads-us1.kaspersky-labs.com;
      ftp.downloads-us2.kaspersky-labs.com;
      ftp.downloads-us3.kaspersky-labs.com;
      ftp.downloads-us4.kaspersky-labs.com; ftp.f-secure.com;
      ftp.grisoft.com; ftp.kaspersky.com; ftp.kaspersky-labs.com;
      ftp.liveupdate.symantec.com; ftp.liveupdate.symantecliveupdate.com;
      ftp.mast.mcafee.com; ftp.mcafee.com; ftp.my-etrust.com; ftp.nai.com;
      ftp.networkassociates.com; ftp.norton.com; ftp.rads.mcafee.com;
      ftp.sandbox.norman.com; ftp.secure.nai.com;
      ftp.securityresponse.symantec.com; ftp.sophos.com; ftp.symantec.com;
      ftp.symantecliveupdate.com; ftp.symatec.com; ftp.trendmicro.com;
      ftp.uk.trendmicro-europe.com; ftp.update.symantec.com;
      ftp.updates.symantec.com; ftp.updates1.kaspersky-labs.com;
      ftp.updates2.kaspersky-labs.com; ftp.updates3.kaspersky-labs.com;
      ftp.updates4.kaspersky-labs.com; ftp.us.mcafee.com;
      ftp.viruslist.comgrisoft.com; kaspersky.com; kaspersky-labs.com;
      liveupdate.symantec.com; liveupdate.symantecliveupdate.com;
      mast.mcafee.com; mcafee.commy-etrust.com; nai.com;
      networkassociates.com; norton.com; pandasoftware.com; rads.mcafee.com;
      sandbox.norman.com; secure.nai.com; securityresponse.symantec.com;
      sophos.com; symantec.com; symantecliveupdate.com; symatec.com2;
      trendmicro.com; uk.trendmicro-europe.com; update.symantec.com;
      updates.symantec.com; updates1.kaspersky-labs.com;
      updates2.kaspersky-labs.com; updates3.kaspersky-labs.com;
      updates4.kaspersky-labs.com; us.mcafee.com; viruslist.com;
      virusscan.jotti.org; virustotal.com; www.avp.com; www.ca.com;
      www.customer.symantec.com; www.dispatch.mcafee.com;
      www.download.mcafee.com; www.downloads1.kaspersky-labs.com;
      www.downloads2.kaspersky-labs.com; www.downloads3.kaspersky-labs.com;
      www.downloads4.kaspersky-labs.com;
      www.downloads-eu1.kaspersky-labs.com;
      www.downloads-eu2.kaspersky-labs.com;
      www.downloads-eu3.kaspersky-labs.com;
      www.downloads-eu4.kaspersky-labs.com;
      www.downloads-us1.kaspersky-labs.com;
      www.downloads-us2.kaspersky-labs.com;
      www.downloads-us3.kaspersky-labs.com;
      www.downloads-us4.kaspersky-labs.com; www.f-secure.com;
      www.grisoft.com; www.kaspersky.com; www.kaspersky-labs.com;
      www.liveupdate.symantec.com; www.liveupdate.symantecliveupdate.com;
      www.mast.mcafee.com; www.mcafee.com; www.my-etrust.com; www.nai.com;
      www.networkassociates.com; www.norton.com; www.pandasoftware.com;
      www.rads.mcafee.com; www.sandbox.norman.com; www.secure.nai.com;
      www.securityresponse.symantec.com; www.sophos.com; www.symantec.com;
      www.symantecliveupdate.com; www.symatec.com; www.trendmicro.com;
      www.uk.trendmicro-europe.com; www.update.symantec.com;
      www.updates.symantec.com; www.updates1.kaspersky-labs.com;
      www.updates2.kaspersky-labs.com; www.updates3.kaspersky-labs.com;
      www.updates4.kaspersky-labs.com; www.us.mcafee.com; www.viruslist.com;
      www.virustotal.com




The modified host file will look like this:


 Process termination List of processes that are terminated:
   • hijackthis.exe; zonalm2601.exe; procdump.exe; regedit32.exe;
      msconfig.exe; zonealarm.exe; zauinst.exe; zatutor.exe; zapro.exe;
      wyvernworksfirewall.exe; wsbgate.exe; wrctrl.exe; wradmin.exe;
      wqkmm3878.exe; wnt.exe; winsfcm.exe; winroute.exe; winrecon.exe;
      wimmun32.exe; whoswatchingme.exe; wgfe95.exe; wfindv32.exe;
      webtrap.exe; webscanx.exe; watchdog.exe; w9x.exe; vswinntse.exe;
      vswin9xe.exe; vsstat.exe; vsmon.exe; vsmain.exe; vshwin32vbcmserv.exe;
      vshwin32.exe; vsecomr.exe; vsched.exe; vscan40.exe; vptray.exe;
      vpfw30s.exe; vpc32.exe; vnpc3000.exe; vnlan300.exe;
      virusmdpersonalfirewall.exe; virus.exe; vettray.exe; vet95.exe;
      vet32.exe; vcontrol.exe; vccmserv.exe; vbwinntw.exe; vbwin9x.exe;
      vbust.exe; vbcons.exe; vbcmserv.exe; update.exe; undoboot.exe;
      truevector.exe; trojantrap3.exe; trjscan.exe; trendmicro.exe;
      titaninxp.exe; titanin.exe; tgbob.exe; tfak5.exe; tfak.exe; tctca.exe;
      tcm.exe; tca.exe; tc.exe; tbscan.exe; tauscan.exe; taumon.exe;
      taskmon.exe; sysedit.exe; symtray.exe; symproxysvc.exe; symlcsvc.exe;
      symantec.exe; swnetsup.exe; sweepsrv.sysvshwin32.exe;
      sweepsrv.sys.exe; sweepnet.exe; sweep95.exe; supporter5.exe;
      supp95.exe; supftrl.exe; st2.exe; ss3edit.exe; srwatch.exe; spyxx.exe;
      spyx.exe; spygate.exe; spy.exe; sphinx.exe; spf.exe; sophosav.exe;
      sophos_av.exe; sophos.exe; sofi.exe; smc.exe; shn.exe;
      sharedaccess.exe; sh.exe; sfc.exe; serv95.exe; sens.exe; sd.exe;
      scrscan.exe; scanpm.exe; scan95.exe; scan32.exe; scan.exe;
      sbservice.exe; sbserv.exe; savscan.exe; safeweb.exe; rulaunch.exe;
      rtvscn95.exe; rshell.exe; rrguard.exe; rescue.exe; regrun2.exe;
      realmon.exe; rav7win.exe; rav7.exe; rav.exe; qconsole.exe; pw32.exe;
      pview95.exe; purge.exe; pspf.exe; protectx.exe; proport.exe;
      programauditor.exe; procexplorerv10; .exe; processmonitor.exe;
      ppvstop.exe; pptbc.exe; ppinupdt.exe; portmonitor.exe;
      portdetective.exe; poproxy.exe; pop3trap.exe; platin.exe;
      pingscan.exe; pfwadmin.exe; pf2.exe; persfw.exe; periscope.exe;
      pcscan.exe; pcfwallicon.exe; pccwin98.exe; pccwin97.exe; pccntmon.exe;
      pcciomon.exe; pccguide.exe; pccclient.exe; pavw.exe; pavsched.exe;
      pavproxy.exe; pavcl.exe; pav.exe; panixk.exe; pandaav.exe; panda.exe;
      padmin.exe; outpost.exe; ostronet.exe; opscan.exe; offguard.exe;
      nwtool16.exe; nwservice.exe; nvsvc32.exe; nvc95.exe; nvarch16.exe;
      nupgrade.exe; nui.exe; ntxconfig.exe; ntvdm.exe; ntrtscan.exe;
      nsplugin.exe; nschednt.exe; nsched32.exe; nresq32.exe; npssvc.exe;
      npscheck.exe; nprotect.exe; npfw32.exe; npfw.exe; npfmessenger.exe;
      notstart.exe; nortonav.exe; norton_av.exe; norton.exe; normist.exe;
      normanav.exe; norman32.exe; norman_av.exe; norman_32.exe; norman.exe;
      nod32.exe; nmain.exe; nisumnisservnisum.exe; nisum.exe; nisserv.exe;
      nimda.exe; netutils].exe; netutils.exe; netstat.exe; netscanpro.exe;
      netprotect.exe; netpro.exe; netmon.exe; netinfo.exe; netcommando.exe;
      netarmor.exe; net2000.exe; neowatchlog.exe; neomonitor.exe; ndd32.exe;
      nc2000.exe; navwnt.exe; navw32.exe; navstub.exe; navrunr.exe;
      navnt.exe; navlu32.exe; navengnavex15.exe; navdx.exe; navapw32.exe;
      navapsvc.exe; navap.exe; navalert.exe; nav32.exe; nav.exe;
      n32scanw.exe; mxtask.exe; mwatch.exe; msinfo32.exe; mrflux.exe;
      mpftray.exe; mpfservice.exe; moolive.exe; monsysnt.exe; monsys32.exe;
      monitor.exe; mon.exe; minilog.exe; mgui.exe; mghtml.exe; mgavrte.exe;
      mgavrtcl.exe; mcvsshld.exe; mcvsrte.exe; mcupdate.exe; mctool.exe;
      mcshieldvvstat.exe; mcshield.exe; mcmnhdlr.exe; mcagent.exe;
      mcafee.exe; luspt.exe; lucomserver.exe; luall.exe; lookout.exe;
      lockdown2000.exe; lockdown.exe; localnet.exe; ldscan.exe;
      ldpromenu.exe; ldnetmon.exe; kavsvc.exe; kav.exe; kavpf.exe; jedi.exe;
      jammer.exe; isrv95.exe; iris.exe; iparmor.exe; iomon98.exe;
      inoculateit.exe; ifw2000.exe; iface.exe; icsuppnt.exe; icsupp95.exe;
      icmon.exe; icloadnt.exe; icload95.exe; ibmavsp.exe; ibmasn.exe;
      iamstats.exe; iamserv.exe; iamapp.exe; hh.exe; hackereliminator.exe;
      guarddog.exe; guard.exe; grief3878.exe; generics.exe; gedit.exe;
      gbpoll.exe; gbmenu.exe; fwenc.exe; fsmb32.exe; fsma32.exe; fsm32.exe;
      fsgk32.exe; fsave32.exe; fsav95.exe; fsav32.exe; fsaa.exe; frw.exe;
      fprot.exe; fnrb32.exe; flowprotector.exe; fix-it.exe; firewall.exe;
      findviru.exe; fih32.exe; fch32.exe; fast.exe; fameh32.exe; expert.exe;
      evpn.exe; etrustcipe.exe; espwatch.exe; escanv95.exe; escanhnt.exe;
      escanh95.exe; esafe.exe; efpeadm.exe; edisk.exe; ecengine.exe;
      dvp95_0.exe; dvp95.exe; drweb32.exe; drwatson.exe; dpf.exe; doors.exe;
      deputy.exe; defwatch.exe; defscangui.exe; defense.exe; defence.exe;
      defalert.exe; ctrl.exe; cpf9x206.exe; cpd.exe; conseal.exe;
      connectionmonitor.exe; codered.exe; cmon016.exe; cmgrdian.exe;
      cleanpc.exe; cleaner3.exe; cleaner.exe; clean.exe; claw95cf.exe;
      claw95.exe; cfinet32.exe; cfinet.exe; cfiaudit.exe; cfiadmin.exe;
      cdp.exe; ccsetmgr.exe; ccpxysvc.exe; ccpwdsrc.exe; ccimscan.exe;
      ccevtmgr.exe; ccapp.exe; bullguard.exe; bs120.exe; borg2.exe;
      bootwarn.exe; blackiceblackd.exe; blackice.exe; blackd.exe; bisp.exe;
      bipcp.exe; bidserver.exe; bidef.exe; bd_professional.exe; backlog.exe;
      avxw.exe; avxsch.exe; avxquar.exe; avxnews.exe; avxmonitornt.exe;
      avxmonitor9x.exe; avxlive.exe; avxinit.exe; avxgui.exe; avwupd32.exe;
      avwinnt.exe; avwin95.exe; avsynmgr.exe; avsched32.exe; avrescue.exe;
      avpupdates.exe; avpupd.exe; avptc32.exe; avptc.exe; avpmonitor.exe;
      avpm.exe; avpinst.exe; avpexec.exe; avpdos32.exe; avpccavpm.exe;
      avpcc.exe; avp32.exe; avp.exe; avnt.exe; avkwctl9.exe; avkwcl9.exe;
      avkservice.exe; avkserv.exe; avkpop.exe; avgw.exe;
      avgserv9schedapp.exe; avgserv9.exe; avgserv.exe; avgctrl.exe;
      avgcc32.exe; ave32.exe; avconsol.exe; autoupdate.exe; autotrace.exe;
      autodown.exe; atwatch.exe; atupdater.exe; atscan.exe; ats.exe;
      atguard.exe; atcon.exe; apvxdwin.exe; aplica32.exe; apimonitor.exe;
      antssircam.exe; ants.exe; antivirus.exe; antivir.exe; amonavp32.exe;
      amon9x.exe; amon.exe; alogserv.exe; alertsvc.exe; ahnsd.exe; agv.exe;
      agentsvr.exe; advxdwin.exe; ackwin32.exe; _avpm.exe; _avpcc.exe;
      _avp32.exe


List of services that are disabled:
   • Automatic Updates
   • Security Center

 Stealing It tries to steal the following information:

– The following CD keys:
   • Battlefield 1942; Battlefield 1942 (Road To Rome); Battlefield 1942
      (Secret Weapons of WWII); Battlefield Vietnam; Black and White;
      Command & Conquer Generals; Command and Conquer: Generals (Zero Hour);
      Command and Conquer: Red Alert 2; Command and Conquer: Tiberian Sun;
      Counter-Strike (Retail); Chrome; FIFA 2002; FIFA 2003; FIFA 2004; FIFA
      2005; FIFA 2006; FIFA 2007; Freedom Force; Global Operations; Gunman
      Chronicles; Half-Life; Hidden & Dangerous 2; IGI 2: Covert Strike;
      Industry Giant 2; James Bond 007: Nightfire; Legends of Might and
      Magic; Medal of Honor: Allied Assault; Medal of Honor: Allied Assault:
      Breakthrough; Medal of Honor: Allied Assault: Spearhead; Nascar Racing
      2002; Nascar Racing 2003; Nascar Racing 2004; Nascar Racing 2005;
      Nascar Racing 2006; Nascar Racing 2007; Need For Speed Hot Pursuit 2;
      Need For Speed: Underground; Neverwinter Nights; Neverwinter Nights
      (Hordes of the Underdark); Neverwinter Nights (Shadows of Undrentide);
      NHL 2003; NHL 2004; NHL 2005; NHL 2006; NHL 2007; NHL 2002; NOX;
      Rainbow Six III RavenShield; Shogun: Total War: Warlord Edition;
      Soldier of Fortune II - Double Helix; Soldiers Of Anarchy; The
      Gladiators; Unreal Tournament 2003; Unreal Tournament 2004

– Passwords from the following programs:
   • MSN Messenger
   • AIM Messenger
   • Yahoo Messenger

– A logging routine is started after the following website is visited, which contains one of the following substrings in the URL:
   • e-gold
   • PayPal
   • StormPay
   • WorldPay

 Miscellaneous Mutex:
It creates the following Mutex:
   • SD-Bot


String:
Furthermore it contains the following strings:
   • #ftp-pwnage
   • #sd-key
   • #sd-msn
   • #creditcards

 File details Programming language:
 The malware program was written in MS Visual C++.


Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Daniel Constantin on Thursday, December 15, 2005
Description updated by Daniel Constantin on Tuesday, December 27, 2005

Back . . . .