Virus:BDS/VanBot.N
Date discovered:21/09/2006
Type:Worm
In the wild:No
Reported Infections:Low
Distribution Potential:Medium
Damage Potential:Medium
Static file:Yes
File size:91.648 Bytes
MD5 checksum:559d68d3f45da4bbc74ebb8fd425ecf0
VDF version:6.36.00.42
IVDF version:6.36.00.52 - Friday, September 22, 2006

 General Method of propagation:
   • No own spreading routine


Aliases:
   •  Mcafee: W32/Sdbot.worm!MS06-040
   •  Kaspersky: Backdoor.Win32.VanBot.n
   •  TrendMicro: WORM_SPYBOT.FC
   •  Sophos: W32/Spybot-MK


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Disable security applications
   • Registry modification
   • Third party control

 Files It copies itself to the following location:
   • %SYSDIR%\dllcache\grand.exe



It deletes the initially executed copy of itself.

 Registry The following registry keys are added in order to load the service after reboot:

– HKLM\SYSTEM\CurrentControlSet\Services\Italian Grand Prix
   • "Type"=dword:00000110
   • "Start"=dword:00000002
   • "ErrorControl"=dword:00000000
   • "ImagePath"="%SYSDIR%\dllcache\grand.exe"
   • "DisplayName"="Italian Grand Prix"
   • "ObjectName"="LocalSystem"
   • "FailureActions"=%hex number%
   • "Description"="Italian Grand Prix."

– HKLM\SYSTEM\CurrentControlSet\Services\Italian Grand Prix\Enum
   • "0"="Root\LEGACY_ITALIAN_GRAND_PRIX\0000"
   • "Count"=dword:00000001
   • "NextInstance"=dword:00000001



The following registry keys are changed:

Deactivate Windows Firewall:
– HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
   New value:
   • "Start"=dword:00000004

– HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
   New value:
   • "Start"=dword:00000004

– HKLM\SYSTEM\CurrentControlSet\Control\Lsa
   New value:
   • "restrictanonymous"=dword:00000001
   • "lmcompatibilitylevel"=dword:00000001

– HKLM\SOFTWARE\Microsoft\Ole
   New value:
   • "EnableDCOM"="N"

 Network Infection It uses the following login information in order to gain access to the remote machine:

– A list of usernames and passwords:
   • www; windows; web; visitor; test2; test1; test; temp; telnet; ruler;
      remote; real; random; qwerty; public; pub; private; poiuytre;
      password; passwd; pass; oracle; one; nopass; nobody; nick; newpass;
      new; network; monitor; money; manager; mail; login; internet; install;
      hello; guest; free; demo; default; debug; database; crew; computer;
      coffee; bin; beta; backup; backdoor; anonymous; anon; alpha; adm;
      access; abc123; abc; system; sys; super; sql; shit; shadow; setup;
      security; secure; secret; 123456789; 12345678; 1234567; 123456; 12345;
      1234; 123; 00000000; 0000000; 000000; 00000; 0000; 000; server;
      asdfgh; admin; root



Exploit:
It makes use of the following Exploits:
– MS02-061 (Elevation of Privilege in SQL Server Web)
– MS03-007 (Unchecked Buffer in Windows Component)
– MS06-040 (Vulnerability in Server Service)


Infection process:
Creates an FTP script on the compromised machine in order to download the malware to the remote location.

 IRC To deliver system information and to provide remote control it connects to the following IRC Server:

Server: grand.hottest.**********
Port: 4915
Channel: #.vam.#
Nickname: [0]USA|%operating system%[P]%number%
Password: vnc


– Furthermore it has the ability to perform actions such as:
    • Download file
    • Join IRC channel
    • Open remote shell
    • Perform network scan
    • Start keylog
    • Start spreading routine
    • Updates itself

 Process termination Processes with one of the following strings are terminated:
   • Ad-aware; spyware; hijack; kav; proc; norton; mcafee; f-pro; lockdown;
      firewall; blackice; avg; vsmon; zonea; spybot; nod32; reged; avp;
      troja; viru; anti

Processes containing one of the following window titles are terminated:
   • Ad-aware; spyware; hijack; kav; proc; norton; mcafee; f-pro; lockdown;
      firewall; blackice; avg; vsmon; zonea; spybot; nod32; reged; avp;
      troja; viru; anti


 Backdoor The following port is opened:

%SYSDIR%\dllcache\grand.exe on a random TCP port in order to provide an FTP server.

 File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Ionut Slaveanu on Tuesday, September 26, 2006
Description updated by Andrei Ivanes on Friday, October 20, 2006

Back . . . .