Virus: BDS/BodomBot.K
Date discovered: 13/03/2006
Type: Backdoor Server
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 43.520 Bytes
MD5 checksum: 5c06b1746e3114c46f509ed405bbe6dd
VDF version: 6.34.00.36

General
Method of propagation:
   • No own spreading routine


Aliases:
   • Kaspersky: Backdoor.Win32.BodomBot.k
   • TrendMicro: BKDR_BODOMBOT.AB


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads a file
   • Drops a malicious file
   • Registry modification
   • Third party control

Files
The following file is created:

   • %SYSDIR%\Mls32.dll
Further investigation showed that this file is malware, too. Detected as: BDS/BodomBot.K.1




It tries to download a file:

The location is the following:
   • http://www.geocities.com/alexl6z/**********
It is saved on the local hard drive under:
   • %TEMPDIR%\30_7.exe
Furthermore, this file is executed once it has been fully downloaded. At the time of writing, this file was not online for further investigation.

Registry
The following registry keys are added:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
   • Multi Language Support = {3CFF6C67-AA57-11da-A0C5-00E04D001D1B}

[HKCR\CLSID\{3CFF6C67-AA57-11da-A0C5-00E04D001D1B}]
   • @ = Multi Language Support

[HKCR\CLSID\{3CFF6C67-AA57-11da-A0C5-00E04D001D1B}\InProcServer32]
   • @ = %SYSDIR%\Mls32.dll
   • ThreadingModel=Apartment
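The keys above make Explorer load Mls32.dll at logon as an in-process COM server registered under ShellServiceObjectDelayLoad (SSODL). As an added defender-side check that is not part of the Avira description, the following PowerShell enumerates the SSODL entries on a live system, resolves each CLSID to its InProcServer32 DLL and flags anything unexpected, including the CLSID and DLL name given above. The allow-list of value names Windows itself registers is an assumption; verify it against a known-good build.

```powershell
# Added example, not part of the Avira description: audit ShellServiceObjectDelayLoad
# (SSODL) persistence by resolving every listed CLSID to the DLL Explorer would load.

$ssodl = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
# Value names Windows itself registers under SSODL (assumption; verify on a clean build).
$knownNames = @('WebCheck', 'PostBootReminder', 'CDBurn', 'SysTray')
# Indicators taken from the description above.
$badClsid = '{3CFF6C67-AA57-11da-A0C5-00E04D001D1B}'
$badDll   = 'Mls32.dll'
# Hives HKCR is assembled from; a per-user entry overrides the machine-wide one.
$classRoots = @('HKCU:\SOFTWARE\Classes', 'HKLM:\SOFTWARE\Classes',
                'HKLM:\SOFTWARE\WOW6432Node\Classes')

function Get-SsodlFindings {
    if (-not (Test-Path $ssodl)) { return @() }
    $findings = @()
    $props = Get-ItemProperty -Path $ssodl
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSDrive metadata
        $clsid  = [string]$p.Value
        $server = $null
        foreach ($root in $classRoots) {
            $key = Join-Path $root "CLSID\$clsid\InProcServer32"
            if (Test-Path $key) {
                $server = (Get-ItemProperty -Path $key).'(default)'
                break
            }
        }
        $flags = @()
        if ($knownNames -notcontains $p.Name) { $flags += 'value name not in allow-list' }
        if ($clsid -ieq $badClsid)            { $flags += 'CLSID from BDS/BodomBot.K description' }
        if ($server) {
            $path = [Environment]::ExpandEnvironmentVariables($server)
            if ($path -like "*\$badDll")      { $flags += 'DLL name from BDS/BodomBot.K description' }
            if (-not (Test-Path $path))       { $flags += 'DLL not found on disk' }
        } else {
            $flags += 'CLSID has no InProcServer32 registration'
        }
        $findings += [pscustomobject]@{
            Name = $p.Name; CLSID = $clsid; Server = $server; Flags = ($flags -join '; ')
        }
    }
    return $findings
}

Get-SsodlFindings | Format-Table -AutoSize
```

Any row with a non-empty Flags column deserves a look at the DLL on disk and at who wrote the registry values; an SSODL entry pointing at a file that no longer exists is also worth noting, since it marks a cleaned or failed install.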

IRC
To deliver system information and to provide remote control, it connects to the following IRC servers:

Server: darkvt.rr.**********
Port: 4669
Server password: USA|%operating system%|%random character string%
Channel: #xmain
Password: Normal

Server: darkvt.dynu.**********
Port: 4669
Server password: USA|%operating system%|%random character string%
Channel: #Nightwish
Password: Sadness



This malware has the ability to collect and send information such as:
    • Cached passwords
    • Capture screen
    • Malware uptime
    • Information about running processes
    • Information about the Windows operating system


Furthermore, it has the ability to perform actions such as:
    • Connect to IRC server
    • Disconnect from IRC server
    • Download file
    • Execute file
    • Join IRC channel
    • Kill process
    • Leave IRC channel
    • Open remote shell
    • Perform DDoS attack
    • Restart system
    • Shut down system
    • Update itself

Miscellaneous
Checks for an internet connection by contacting the following web site:
   • http://www.cnn.com

File details
Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with the following runtime packer:
   • PECompact

Description inserted by Andrei Gherman on Friday, March 17, 2006
Description updated by Andrei Gherman on Friday, March 17, 2006
