Virus: Worm/Mocbot.A
Date discovered: 17/03/2006
Type: Worm
In the wild: Yes
Reported Infections: Low
Distribution Potential: Medium
Damage Potential: Medium
Static file: Yes
File size: 7.846 Bytes
MD5 checksum: 996c9c3a01c9567915212332fe5c1264
VDF version: 6.34.00.64

General
Method of propagation:
• Local network

Aliases:
• Mcafee: IRC-Mocbot
• Kaspersky: Backdoor.Win32.Mocbot.a
• TrendMicro: WORM_MOCBOT.A
• Sophos: W32/Cuebot-G
• Bitdefender: Backdoor.Mocbot.A

It was previously detected as:
• BDS/Mocbot.A

Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Registry modification
• Makes use of software vulnerability

Files
It copies itself to the following location:
• %SYSDIR%\wudpcom.exe

It deletes the initially executed copy of itself.

Registry
The following registry keys are added in order to load the service after reboot:
– HKLM\SYSTEM\CurrentControlSet\Services\wudpcom
• "Type"=dword:00000110
• "Start"=dword:00000002
• "ErrorControl"=dword:00000000
• "ImagePath"=%SYSDIR%\wudpcom.exe
• "DisplayName"="Windows UDP Communication"
• "ObjectName"="LocalSystem"
• "FailureActions"=%hex values%
• "Description"="Provides communication between clients and servers over UDP. If this service is stopped, UDP communication between clients and servers on the network will be impaired. If this service is disabled, any services that explicitly depend on it will fail to st"

The following registry keys are changed:
– HKLM\SOFTWARE\Microsoft\Ole
Old value:
• "EnableDCOM"=%user defined settings%
New value:
• "EnableDCOM"="n"
– HKLM\SYSTEM\CurrentControlSet\Control\Lsa
Old value:
• "restrictanonymous"=%user defined settings%
New value:
• "restrictanonymous"=dword:00000001

Network Infection
In order to ensure its propagation the malware attempts to connect to other machines as described below.

Exploit:
It makes use of the following exploit:
– MS05-039 (Vulnerability in Plug and Play)

IRC
To deliver system information and to provide remote control it connects to the following IRC servers:
Server: bbjj.house**********
Port: 18067
Channel: #p7
Nickname: p7-%eight-digit random character string%
Password: nsja5rqf

Server: ypgw.wall**********
Port: 18067
Channel: #p7
Nickname: p7-%eight-digit random character string%
Password: nsja5rqf

Furthermore it has the ability to perform actions such as:
• Launch DDoS SYN flood
• Launch DDoS TCP flood
• Launch DDoS UDP flood
• Download file
• Execute file
• Start spreading routine

Miscellaneous
Mutex:
It creates the following mutex:
• wudpcom

File details
Runtime packer:
To hamper detection and reduce the size of the file it is packed with the following runtime packer:
• MEW
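The registry artefacts listed above can be checked offline against an exported hive during triage. The following Python is an added example, not part of the Avira description: it parses a constructed .reg export containing the keys this page lists and reports which Mocbot.A indicators are present. The sample export and the helper names parse_reg_export and find_mocbot_indicators are assumptions for this example.

```python
# Indicators from the Avira description of Worm/Mocbot.A. A .reg export
# spells the hive out as HKEY_LOCAL_MACHINE where the page writes HKLM.
SERVICE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wudpcom"
OLE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole"
LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"

# Constructed sample export reproducing the keys the description lists.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wudpcom]
"Type"=dword:00000110
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"="C:\\WINDOWS\\system32\\wudpcom.exe"
"DisplayName"="Windows UDP Communication"
"ObjectName"="LocalSystem"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000001
"""

def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: raw_data}}.
    Hex continuation lines carry no '=' and are skipped; not needed here."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            keys[current][name.strip('"')] = data.strip()
    return keys

def find_mocbot_indicators(reg):
    """Return the Mocbot.A registry artefacts present in a parsed export."""
    findings = []
    svc = reg.get(SERVICE_KEY)
    if svc is not None:
        findings.append("service key wudpcom present")
        if svc.get("Start") == "dword:00000002":
            findings.append("wudpcom service set to auto-start")
        if r"\wudpcom.exe" in svc.get("ImagePath", "").lower():
            findings.append("ImagePath points at wudpcom.exe")
    if reg.get(OLE_KEY, {}).get("EnableDCOM", "").strip('"').lower() == "n":
        findings.append("EnableDCOM switched off (value N)")
    if reg.get(LSA_KEY, {}).get("restrictanonymous", "") == "dword:00000001":
        findings.append("restrictanonymous forced to 1")
    return findings
```

EnableDCOM=N and restrictanonymous=1 are also legitimate hardening choices, so treat them as corroborating signals beside the wudpcom service key rather than as indicators on their own.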
Description inserted by Irina Boldea on Monday, February 27, 2006
Description updated by Irina Boldea on Monday, March 20, 2006