Virus: Worm/IRCBot.9609
CME number: 482
Date discovered: 13/08/2006
Type: Worm
In the wild: Yes
Reported Infections: Low
Distribution Potential: Medium to high
Damage Potential: Medium
Static file: Yes
File size: 9,609 Bytes
MD5 checksum: 9928A1E6601CF00D0B7826D13FB556F0
VDF version: 6.35.01.85 - Sunday, August 13, 2006
IVDF version: 6.35.01.85 - Sunday, August 13, 2006
General
Methods of propagation:
• Local network
• Messenger

Aliases:
• Symantec: Backdoor.IRC.Bot
• McAfee: IRC-Mocbot!MS06-040
• Kaspersky: Backdoor.Win32.IRCBot.st
• TrendMicro: WORM_IRCBOT.JK
• F-Secure: Backdoor.Win32.IRCBot.st

Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Disables security applications
• Lowers security settings
• Registry modification
• Makes use of a software vulnerability
• Third party control

Files
It copies itself to the following location:
• %SYSDIR%\wgareg.exe
It then deletes the initially executed copy of itself.

Registry
The following registry keys are added so that the copy is installed as a Windows service and loaded again after every reboot:
– [HKLM\SYSTEM\CurrentControlSet\Services\wgareg]
• Type = 110 (hex; SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS)
• Start = 2 (automatic start at boot)
• ErrorControl = 0
• ImagePath = %SYSDIR%\wgareg.exe
• DisplayName = Windows Genuine Advantage Registration Service
• ObjectName = LocalSystem
• FailureActions = %hex values%
• Description = Ensures that your copy of Microsoft Windows is genuine and registered. Stopping or disabling this service will result in system instability.
The display name and description imitate Microsoft's Windows Genuine Advantage so that the service looks legitimate and users are deterred from stopping it; the service nevertheless runs the worm with LocalSystem privileges.
– [HKLM\SYSTEM\CurrentControlSet\Services\wgareg\Security]
• Security = %hex values%
– [HKLM\SYSTEM\CurrentControlSet\Services\wgareg\Enum]
• 0 = Root\LEGACY_WGAREG\0000
• Count = 1
• NextInstance = 1

The following registry keys are changed:
– [HKLM\SOFTWARE\Microsoft\Ole]
Old value:
• EnableDCOM = %user defined settings%
New value:
• EnableDCOM = n
(disables DCOM, so the machine no longer accepts remote DCOM activation requests)

– [HKLM\SYSTEM\CurrentControlSet\Control\Lsa]
Old value:
• restrictanonymous = %user defined settings%
• restrictanonymoussam = %user defined settings%
New value:
• restrictanonymous = 1
• restrictanonymoussam = 1
(restricts anonymous "null session" enumeration of accounts and shares)

– [HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
New value:
• autoshareserver = 0
• autosharewks = 0
(stops Windows from creating the administrative shares such as C$ and ADMIN$)

Note that the Ole, Lsa and lanmanserver changes tighten the host rather than loosen it: they close the usual network entry points so that other attackers or competing malware cannot reach the infected machine over DCOM, null sessions or the administrative shares.

– [HKLM\SOFTWARE\Microsoft\security center]
Old value:
• antivirusdisablenotify = %user defined settings%
• antivirusoverride = %user defined settings%
• firewalldisablenotify = %user defined settings%
• firewalldisableoverride = %user defined settings%
New value:
• antivirusdisablenotify = 1
• antivirusoverride = 1
• firewalldisablenotify = 1
• firewalldisableoverride = 1
(suppresses the Security Center warnings about missing or disabled antivirus and firewall)

Deactivate Windows Firewall:
– [HKLM\SOFTWARE\Policies\Microsoft\windowsfirewall\domainprofile]
Old value:
• enablefirewall = %user defined settings%
New value:
• enablefirewall = 0
– [HKLM\SOFTWARE\Policies\Microsoft\windowsfirewall\standardprofile]
Old value:
• enablefirewall = %user defined settings%
New value:
• enablefirewall = 0
– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess]
Old value:
• Start = %user defined settings%
New value:
• Start = 4
(Start = 4 marks the SharedAccess service, which hosts the Windows Firewall and Internet Connection Sharing, as disabled)

Messenger
It spreads via instant messenger. The affected network is:
– AIM

Network Infection
In order to ensure its propagation the malware attempts to connect to other machines as described below.
Exploit:
It makes use of the following exploit:
– MS06-040 (Vulnerability in Server Service, CVE-2006-3439)
The Server service is reached over SMB, so this spreading routine only reaches unpatched hosts that expose TCP ports 139/445 to the infected machine.

IRC
To deliver system information and to provide remote control it connects to the following IRC servers:
Server: bniu.house**********
Port: 18067
Channel: #n1
Nickname: n1-%random character string%
Password: nert4mp1

Server: ypgw.wall**********
Port: 18067
Channel: #n1
Nickname: n1-%random character string%
Password: nert4mp1

Furthermore it has the ability to perform actions such as:
• Launch DDoS SYN flood
• Launch DDoS UDP flood
• Download file
• Execute file
• Start spreading routine

Miscellaneous
Mutex:
It creates the following mutex, which can also serve as a host-based indicator:
• wgareg

File details
Runtime packer:
To hinder detection and reduce the size of the file, it is packed with a runtime packer.
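As an added worked example (not part of Avira's description), the following Python script checks a Windows registry export for the service installation and security-setting changes listed under Registry above. It assumes the export was produced with reg.exe (for example `reg export HKLM\SYSTEM\CurrentControlSet\Services\wgareg wgareg.reg`, and likewise for the other keys) and read as UTF-16 text; the embedded sample export is constructed, with an illustrative ImagePath of C:\WINDOWS\system32\wgareg.exe standing in for %SYSDIR%\wgareg.exe.

```python
"""Flag the Worm/IRCBot.9609 registry footprint in a Windows .reg export.

Added example, not Avira's tooling. Feed it the text written by
`reg export <key> <file>` (reg.exe writes UTF-16; open with encoding="utf-16").
A constructed export is embedded so the check runs offline.
"""
import re

HKLM = r"hkey_local_machine"
SVC = HKLM + r"\system\currentcontrolset\services\wgareg"
OLE = HKLM + r"\software\microsoft\ole"
SECC = HKLM + r"\software\microsoft\security center"
FW_STD = HKLM + r"\software\policies\microsoft\windowsfirewall\standardprofile"
FW_DOM = HKLM + r"\software\policies\microsoft\windowsfirewall\domainprofile"
SHARED = HKLM + r"\system\currentcontrolset\services\sharedaccess"

# Constructed sample export reproducing the keys from the description.
# ImagePath is REG_EXPAND_SZ, which reg.exe emits as a line-wrapped hex(2)
# list of UTF-16LE bytes; these bytes spell C:\WINDOWS\system32\wgareg.exe.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wgareg]
"Type"=dword:00000110
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,00,\
  73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,77,00,67,00,61,00,\
  72,00,65,00,67,00,2e,00,65,00,78,00,65,00,00,00
"DisplayName"="Windows Genuine Advantage Registration Service"
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallDisableOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
"""


def decode_value(raw):
    """Decode the right-hand side of one .reg value line into a Python value."""
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if raw.startswith("hex(2):"):  # REG_EXPAND_SZ as comma-separated UTF-16LE bytes
        data = bytes(int(b, 16) for b in raw[len("hex(2):"):].split(",") if b)
        return data.decode("utf-16-le").rstrip("\x00")
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':  # REG_SZ, backslashes doubled
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw  # other types are left as written


def parse_reg(text):
    """Return {key_path_lower: {value_name_lower: value}} from a .reg export."""
    text = re.sub(r",\\\r?\n\s*", ",", text)  # rejoin hex lists wrapped with a trailing backslash
    tree, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            tree.setdefault(key, {})
        elif key is not None and line.startswith('"') and '"=' in line:
            name, raw = line[1:].split('"=', 1)
            tree[key][name.lower()] = decode_value(raw)
    return tree


# (key, value name, predicate on the decoded value, what a match means)
INDICATORS = [
    (SVC, "imagepath", lambda v: v.lower().endswith("\\wgareg.exe"), "wgareg service points at wgareg.exe"),
    (SVC, "start", lambda v: v == 2, "wgareg service auto-starts (Start=2)"),
    (SVC, "objectname", lambda v: v.lower() == "localsystem", "wgareg service runs as LocalSystem"),
    (OLE, "enabledcom", lambda v: str(v).lower() == "n", "DCOM disabled"),
    (SECC, "antivirusdisablenotify", lambda v: v == 1, "Security Center: AV-disabled alerts suppressed"),
    (SECC, "antivirusoverride", lambda v: v == 1, "Security Center: AV status overridden"),
    (SECC, "firewalldisablenotify", lambda v: v == 1, "Security Center: firewall-disabled alerts suppressed"),
    (SECC, "firewalldisableoverride", lambda v: v == 1, "Security Center: firewall status overridden"),
    (FW_STD, "enablefirewall", lambda v: v == 0, "Windows Firewall policy off (standard profile)"),
    (FW_DOM, "enablefirewall", lambda v: v == 0, "Windows Firewall policy off (domain profile)"),
    (SHARED, "start", lambda v: v == 4, "SharedAccess (Windows Firewall/ICS) service disabled"),
]


def check(tree):
    """Return the meaning of every indicator present in the parsed export."""
    hits = []
    for key, name, matches, meaning in INDICATORS:
        value = tree.get(key, {}).get(name)
        if value is not None and matches(value):
            hits.append(meaning)
    return hits


if __name__ == "__main__":
    for hit in check(parse_reg(SAMPLE_REG)):
        print("[!]", hit)
```

The Security Center and firewall values are the ones worth alerting on in isolation; the Lsa and lanmanserver hardening listed above is also set by careful administrators, so on its own it is a weak signal and is not included in the indicator table.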
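Also as an added example, and not part of the original description, the following script matches reassembled client-to-server TCP streams against the IRC characteristics listed above (port 18067, PASS nert4mp1, nickname n1-<random>, channel #n1). The three sample streams are constructed; the alphanumeric nickname character set is an assumption (the description only says "random character string"), as is obtaining the streams from Zeek or tshark follow output.

```python
"""Flag Worm/IRCBot.9609 command-and-control traffic in reassembled TCP streams.

Added example, not part of the Avira description. Input is a list of
(destination port, client->server payload) pairs, e.g. reassembled with Zeek
or `tshark -z follow,tcp,ascii,<stream>`; the streams below are constructed
so the script runs offline.
"""
import re

C2_PORT = 18067            # both IRC servers in the description use this port
C2_CHANNEL = "#n1"
C2_PASSWORD = "nert4mp1"
# Assumption: the random part of the nickname is alphanumeric.
NICK_RE = re.compile(r"^n1-[A-Za-z0-9]{3,}$")


def parse_irc(payload):
    """Split a client->server IRC stream into (COMMAND, [params]) tuples.

    Lines end in CRLF; a trailing parameter is introduced by ' :' and may
    contain spaces; an optional leading ':prefix' is dropped."""
    messages = []
    for line in payload.split("\r\n"):
        if not line:
            continue
        if line.startswith(":"):
            line = line.split(" ", 1)[1] if " " in line else ""
        head, sep, trailing = line.partition(" :")
        parts = head.split()
        if not parts:
            continue
        params = parts[1:] + ([trailing] if sep else [])
        messages.append((parts[0].upper(), params))
    return messages


def score_stream(dst_port, payload):
    """Return the indicators matched by one stream (port alone is weak evidence)."""
    hits = []
    if dst_port == C2_PORT:
        hits.append(f"destination port {C2_PORT}")
    for cmd, params in parse_irc(payload):
        if cmd == "PASS" and params[:1] == [C2_PASSWORD]:
            hits.append("PASS matches the bot's IRC password")
        elif cmd == "NICK" and params and NICK_RE.match(params[0]):
            hits.append(f"nickname matches n1-<random> ({params[0]})")
        elif cmd == "JOIN" and params and C2_CHANNEL in params[0].lower().split(","):
            hits.append(f"joins {C2_CHANNEL}")
    return hits


def triage(streams, min_hits=2):
    """Keep streams with at least `min_hits` indicators, so the C2 port by
    itself (which any unrelated service could use) never raises an alert."""
    flagged = []
    for dst_port, payload in streams:
        hits = score_stream(dst_port, payload)
        if len(hits) >= min_hits:
            flagged.append((dst_port, hits))
    return flagged


SAMPLE_STREAMS = [
    # Constructed: an infected host registering with the C2 server.
    (18067, "PASS nert4mp1\r\nNICK n1-kq83hz\r\nUSER kq83hz 0 0 :kq83hz\r\nJOIN #n1\r\n"),
    # Constructed: benign IRC on the standard port, same protocol, no indicators.
    (6667, "NICK alice\r\nUSER alice 0 * :Alice\r\nJOIN #python\r\nPRIVMSG #python :hello\r\n"),
    # Constructed: something else on the C2 port; the port alone must not alert.
    (18067, "GET / HTTP/1.0\r\nHost: example.invalid\r\n\r\n"),
]

if __name__ == "__main__":
    for port, hits in triage(SAMPLE_STREAMS):
        print(f"[!] dst port {port}: " + "; ".join(hits))
```

Matching on the PASS/NICK/JOIN triplet rather than on the hostnames is deliberate: the server names are masked in the description and, in practice, bot controllers move their C2 between hosts far more often than they change the channel password baked into the binary.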
Description inserted by Philipp Wolf on Sunday, August 13, 2006
Description updated by Andrei Gherman on Monday, August 14, 2006