Full description

Virus:	Worm/Codbot.AP
Date discovered:	29/08/2005
Type:	Worm
In the wild:	Yes
Reported Infections:	Low
Distribution Potential:	Medium
Damage Potential:	Medium
Static file:	Yes
File size:	19.968 Bytes
MD5 checksum:	c34b5ec44017814cb4b9718855267984
VDF version:	6.31.01.192

General Method of propagation:
   • Local network

Aliases:
   • Kaspersky: Backdoor.Win32.Codbot.ap
   • TrendMicro: WORM_SDBOT.CDI
   • Sophos: W32/Codbot-W
   • VirusBuster: Worm.Codbot.AI
   • Eset: Win32/Codbot
   • Bitdefender: Backdoor.Codbot.BJ

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Records keystrokes
   • Registry modification
   • Makes use of software vulnerability
   • Third party control

Files It copies itself to the following location:
• %SYSDIR%\Perfhmon.exe

Registry The following registry keys are added in order to load the service after reboot:

– HKLM\SYSTEM\CurrentControlSet\Services\MAPI
   • "Type"=dword:00000110
   • "Start"=dword:00000002
   • "ErrorControl"=dword:00000000
   • "ImagePath"=%SYSDIR%\Perfhmon.exe
   • "DisplayName"="Performance Logs"
   • "ObjectName"="LocalSystem"
   • "FailureActions"=%hex values%
   • "Description"="Collects performance data from local or remote computers based on preconfigured schedule parameters, then writes the data to a log or triggers an alert."

The following registry keys are added:

– HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Perfhmon
   • @="Service"

– HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Perfhmon
   • @="Service"

Network Infection In order to ensure its propagation the malware attemps to connect to other machines as described below.

Exploit:
It makes use of the following Exploits:
– MS02-061 (Elevation of Privilege in SQL Server Web)
– MS03-007 (Unchecked Buffer in Windows Component)
– MS03-026 (Buffer Overrun in RPC Interface)
– MS04-011 (LSASS Vulnerability)
– VX05-006 (Remote Heap Overflow when using the VERITAS Backup Exec Admin Plus Pack Option)

Infection process:
Creates an FTP script on the compromised machine in order to download the malware to the remote location.

Remote execution:
–It attempts to schedule a remote execution of the malware, on the newly infected machine. Therefore it uses the NetScheduleJobAdd function.

IRC To deliver system information and to provide remote control it connects to the following IRC Servers:

Server: 0x80.martian**********
Port: 6556
Channel: #21#
Nickname: %random character string%
Password: g3t0u7

Server: 0xff.mem**********
Port: 6556
Channel: #21#
Nickname: %random character string%
Password: g3t0u7

Server: 0x80.online-**********
Port: 6556
Channel: #21#
Nickname: %random character string%
Password: g3t0u7

Server: 0x80.going**********
Port: 6556
Channel: #21#
Nickname: %random character string%
Password: g3t0u7

Server: 0x80.my**********
Port: 6556
Channel: #21#
Nickname: %random character string%
Password: g3t0u7

Server: 0x80.my-**********
Port: 6556
Channel: #21#
Nickname: %random character string%
Password: g3t0u7

Server: 0x80.martian**********
Port: 1023
Channel: #21#
Nickname: %random character string%
Password: g3t0u7

Server: 0xff.mem**********
Port: 1023
Channel: #21#
Nickname: %random character string%
Password: g3t0u7

Server: 0x80.online-**********
Port: 1023
Channel: #21#
Nickname: %random character string%
Password: g3t0u7

Server: 0x80.going**********
Port: 1023
Channel: #21#
Nickname: %random character string%
Password: g3t0u7

Server: 0x80.my**********
Port: 1023
Channel: #21#
Nickname: %random character string%
Password: g3t0u7

Server: 0x80.my-**********
Port: 1023
Channel: #21#
Nickname: %random character string%
Password: g3t0u7

– This malware has the ability to collect and send information such as:
    • Cached passwords
    • CPU speed
    • Current user
    • Free disk space
    • Free memory
    • Malware uptime
    • Information about the network
    • Information about running processes
    • Size of memory
    • Information about the Windows operating system

– Furthermore it has the ability to perform actions such as:
    • Download file
    • Execute file
    • Kill process
    • Open remote shell
    • Perform network scan
    • Start spreading routine
    • Terminate malware

Backdoor The following ports are opened:

– %SYSDIR%\mapi32.exe on a random TCP port in order to provide an FTP server.
– %SYSDIR%\mapi32.exe on UDP port 69 in order to provide a TFTP server.

Stealing     • Keystrokes

– A logging routine is started after the following website is visited, which contains one of the following substrings in the URL:
   • e-gold
   • egold
   • bank
   • e-bay
   • ebay
   • paypal

Miscellaneous Mutex:
It creates the following Mutex:
• xPerFHmoNx

File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
• MEW

Description inserted by Irina Boldea on Tuesday, March 14, 2006
Description updated by Irina Boldea on Wednesday, March 15, 2006

Back . . . .

Featured PC protection

Free products

Most popular

All products

Bundled Solutions

Workstation

Server

Bundled Solutions

Mail Gateways

Web Gateways

Collaboration Platforms

Home Products

Business Products

Virus Lab

More Support

Become an Avira Partner

Home Products

Business Products

Just want to evaluate a product?

Manuals and Tools