Virus:Worm/IRCBot.9374
CME number:762
Date discovered:13/08/2006
Type:Worm
In the wild:Yes
Reported Infections:Low
Distribution Potential:Medium to high
Damage Potential:Medium
Static file:Yes
File size:9.374 Bytes
MD5 checksum:2BF2A4F0BDAC42F4D6F8A062A7206797
VDF version:6.35.01.85 - Sunday, August 13, 2006
IVDF version:6.35.01.85 - Sunday, August 13, 2006

 General Method of propagation:
   • Local network
   • Messenger


Aliases:
   •  Symantec: Backdoor.IRC.Bot
   •  Mcafee: IRC-Mocbot!MS06-040
   •  Kaspersky: Backdoor.Win32.IRCBot.st
   •  TrendMicro: WORM_IRCBOT.JK
   •  F-Secure: Backdoor.Win32.IRCBot.st
   •  Bitdefender: Backdoor.IRCBot.ST


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Disable security applications
   • Lowers security settings
   • Registry modification
   • Makes use of software vulnerability
   • Third party control

 Files It copies itself to the following location:
   • %SYSDIR%\wgavm.exe



It deletes the initially executed copy of itself.

 Registry The following registry keys are added in order to load the service after reboot:

– [HKLM\SYSTEM\CurrentControlSet\Services\wgavm]
   • Type = 110
   • Start = 2
   • ErrorControl = 0
   • ImagePath = %SYSDIR%\wgavm.exe
   • DisplayName = Windows Genuine Advantage Validation Monitor
   • ObjectName = LocalSystem
   • FailureActions = %hex values%
   • Description = Ensures that your copy of Microsoft Windows is genuine. Stopping or disabling this service will result in system instability.

– [HKLM\SYSTEM\CurrentControlSet\Services\wgavm\Security]
   • Security = %hex values%

– [HKLM\SYSTEM\CurrentControlSet\Services\wgavm\Enum]
   • 0 = Root\LEGACY_WGAVM\0000
   • Count = 1
   • NextInstance = 1



The following registry keys are changed:

– [HKLM\SOFTWARE\Microsoft\Ole]
   Old value:
   • EnableDCOM = %user defined settings%
   New value:
   • EnableDCOM = n

– [HKLM\SYSTEM\CurrentControlSet\Control\Lsa]
   Old value:
   • restrictanonymous = %user defined settings%
   • restrictanonymoussam = %user defined settings%
   New value:
   • restrictanonymous = 1
   • restrictanonymoussam = 1

– [HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
   New value:
   • autoshareserver = 0
   • autosharewks = 0

– [HKLM\SOFTWARE\Microsoft\security center]
   Old value:
   • antivirusdisablenotify = %user defined settings%
   • antivirusoverride = %user defined settings%
   • firewalldisablenotify = %user defined settings%
   • firewalldisableoverride = %user defined settings%
   New value:
   • antivirusdisablenotify = 1
   • antivirusoverride = 1
   • firewalldisablenotify = 1
   • firewalldisableoverride = 1

Deactivate Windows Firewall:
– [HKLM\SOFTWARE\Policies\Microsoft\windowsfirewall\domainprofile]
   Old value:
   • enablefirewall = %user defined settings%
   New value:
   • enablefirewall = 0

– [HKLM\SOFTWARE\Policies\Microsoft\windowsfirewall\standardprofile]
   Old value:
   • enablefirewall = %user defined settings%
   New value:
   • enablefirewall = 0

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess]
   Old value:
   • Start = %user defined settings%
   New value:
   • Start = 4

 Messenger It is spreading via Messenger. The characteristics are described below:

– AIM Messenger

 Network Infection In order to ensure its propagation the malware attemps to connect to other machines as described below.


Exploit:
It makes use of the following Exploit:
– MS06-040 (Vulnerability in Server Service)

 IRC To deliver system information and to provide remote control it connects to the following IRC Servers:

Server: bniu.house**********
Port: 18067
Channel: #n0
Nickname: n0-%random character string%

Server: ypgw.wall**********
Port: 18067
Channel: #n0
Nickname: n0-%random character string%


– Furthermore it has the ability to perform actions such as:
    • Launch DDoS SYN flood
    • Launch DDoS UDP flood
    • Download file
    • Execute file
    • Start spreading routine

 Miscellaneous Mutex:
It creates the following Mutex:
   • wgavm

 File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Philipp Wolf on Sunday, August 13, 2006
Description updated by Andrei Gherman on Monday, August 14, 2006

Back . . . .