Need help? Ask the community or hire an expert.
Go to Avira Answers
Virus:Worm/Codbot.AP
Date discovered:29/08/2005
Type:Worm
In the wild:Yes
Reported Infections:Low
Distribution Potential:Medium
Damage Potential:Medium
Static file:Yes
File size:19.968 Bytes
MD5 checksum:c34b5ec44017814cb4b9718855267984
VDF version:6.31.01.192

 General Method of propagation:
   • Local network


Aliases:
   •  Kaspersky: Backdoor.Win32.Codbot.ap
   •  TrendMicro: WORM_SDBOT.CDI
   •  Sophos: W32/Codbot-W
   •  VirusBuster: Worm.Codbot.AI
   •  Eset: Win32/Codbot
   •  Bitdefender: Backdoor.Codbot.BJ


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Records keystrokes
   • Registry modification
   • Makes use of software vulnerability
   • Third party control

 Files It copies itself to the following location:
   • %SYSDIR%\Perfhmon.exe

 Registry The following registry keys are added in order to load the service after reboot:

HKLM\SYSTEM\CurrentControlSet\Services\MAPI
   • "Type"=dword:00000110
   • "Start"=dword:00000002
   • "ErrorControl"=dword:00000000
   • "ImagePath"=%SYSDIR%\Perfhmon.exe
   • "DisplayName"="Performance Logs"
   • "ObjectName"="LocalSystem"
   • "FailureActions"=%hex values%
   • "Description"="Collects performance data from local or remote computers based on preconfigured schedule parameters, then writes the data to a log or triggers an alert."



The following registry keys are added:

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Perfhmon
   • @="Service"

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Perfhmon
   • @="Service"

 Network Infection In order to ensure its propagation the malware attemps to connect to other machines as described below.


Exploit:
It makes use of the following Exploits:
– MS02-061 (Elevation of Privilege in SQL Server Web)
– MS03-007 (Unchecked Buffer in Windows Component)
– MS03-026 (Buffer Overrun in RPC Interface)
– MS04-011 (LSASS Vulnerability)
 VX05-006 (Remote Heap Overflow when using the VERITAS Backup Exec Admin Plus Pack Option)


Infection process:
Creates an FTP script on the compromised machine in order to download the malware to the remote location.


Remote execution:
It attempts to schedule a remote execution of the malware, on the newly infected machine. Therefore it uses the NetScheduleJobAdd function.

 IRC To deliver system information and to provide remote control it connects to the following IRC Servers:

Server: 0x80.martian**********
Port: 6556
Channel: #21#
Nickname: %random character string%
Password: g3t0u7

Server: 0xff.mem**********
Port: 6556
Channel: #21#
Nickname: %random character string%
Password: g3t0u7

Server: 0x80.online-**********
Port: 6556
Channel: #21#
Nickname: %random character string%
Password: g3t0u7

Server: 0x80.going**********
Port: 6556
Channel: #21#
Nickname: %random character string%
Password: g3t0u7

Server: 0x80.my**********
Port: 6556
Channel: #21#
Nickname: %random character string%
Password: g3t0u7

Server: 0x80.my-**********
Port: 6556
Channel: #21#
Nickname: %random character string%
Password: g3t0u7

Server: 0x80.martian**********
Port: 1023
Channel: #21#
Nickname: %random character string%
Password: g3t0u7

Server: 0xff.mem**********
Port: 1023
Channel: #21#
Nickname: %random character string%
Password: g3t0u7

Server: 0x80.online-**********
Port: 1023
Channel: #21#
Nickname: %random character string%
Password: g3t0u7

Server: 0x80.going**********
Port: 1023
Channel: #21#
Nickname: %random character string%
Password: g3t0u7

Server: 0x80.my**********
Port: 1023
Channel: #21#
Nickname: %random character string%
Password: g3t0u7

Server: 0x80.my-**********
Port: 1023
Channel: #21#
Nickname: %random character string%
Password: g3t0u7



 This malware has the ability to collect and send information such as:
    • Cached passwords
    • CPU speed
    • Current user
    • Free disk space
    • Free memory
    • Malware uptime
    • Information about the network
    • Information about running processes
    • Size of memory
    • Information about the Windows operating system


 Furthermore it has the ability to perform actions such as:
    • Download file
    • Execute file
    • Kill process
    • Open remote shell
     Perform network scan
     Start spreading routine
    • Terminate malware

 Backdoor The following ports are opened:

%SYSDIR%\mapi32.exe on a random TCP port in order to provide an FTP server.
%SYSDIR%\mapi32.exe on UDP port 69 in order to provide a TFTP server.

 Stealing      Keystrokes

A logging routine is started after the following website is visited, which contains one of the following substrings in the URL:
   • e-gold
   • egold
   • bank
   • e-bay
   • ebay
   • paypal

 Miscellaneous Mutex:
It creates the following Mutex:
   • xPerFHmoNx

 File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
   • MEW

Description inserted by Irina Boldea on Tuesday, March 14, 2006
Description updated by Irina Boldea on Wednesday, March 15, 2006

Back . . . .