Virus: Worm/Akbot.H.7
Date discovered: 21/09/2006
Type: Worm
In the wild: No
Reported Infections: Low
Distribution Potential: Medium
Damage Potential: Medium
Static file: Yes
File size: 24.644 Bytes
MD5 checksum: ea92efdc4cda122e50758db66595e1dc
VDF version: 6.36.00.42
IVDF version: 6.36.00.52 - Friday, September 22, 2006

General
Method of propagation:
   • Local network


Alias:
   • Kaspersky: Backdoor.Win32.Akbot.h


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP


Side effects:
   • Registry modification
   • Makes use of software vulnerability
   • Third party control

Files
It copies itself to the following location:
   • %SYSDIR%\windirx.dl



It deletes the initially executed copy of itself.



The following file is created:

   • %current directory%\uninstal.bat

Furthermore, it is executed after it has been fully created. This batch file is used to delete a file.

Registry
The following registry key is added in order to run the process after reboot:

– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   • "WinDLL (windirx.dll)"="rundll32.exe %SYSDIR%\windirx.dll,start"

Network Infection
Exploit:
It makes use of the following exploit:
– MS04-007 (ASN.1 Vulnerability)

IRC
To deliver system information and to provide remote control, it connects to the following IRC server:

Server: s1.contentzone.**********
Port: 7755
Server password: b00ndocks
Channel: #.map
Nickname: %random character string%
Password: yellow
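As an added example that is not part of this description: a small Python check that looks for the two host- and network-side indicators given above, the Run value launching rundll32.exe with windirx.dll and TCP connections to the IRC port 7755, run over a constructed registry export and a constructed connection log (the expanded system path, the IP addresses and the log format are assumptions).

```python
import re

# Indicators taken from the description above: a Run value that launches
# rundll32.exe with windirx.dll, and IRC traffic to TCP port 7755.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
PERSISTENCE_RE = re.compile(r"rundll32\.exe\s+.*\\windirx\.dll,start", re.IGNORECASE)
C2_PORT = 7755

# Constructed .reg export excerpt (sample input, not a real capture).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"WinDLL (windirx.dll)"="rundll32.exe C:\\WINDOWS\\system32\\windirx.dll,start"
'''

# Constructed connection log lines: timestamp src:port -> dst:port proto.
SAMPLE_CONNLOG = """2006-09-22T10:01:03 10.0.0.5:1041 -> 10.0.0.1:53 udp
2006-09-22T10:01:07 10.0.0.5:1042 -> 198.51.100.7:7755 tcp
2006-09-22T10:02:11 10.0.0.5:1043 -> 203.0.113.9:80 tcp
"""

def find_persistence(reg_text):
    """Return (value name, data) pairs under the Run key matching the indicator."""
    hits = []
    current_key = None
    for line in reg_text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if m and current_key and current_key.lower() == RUN_KEY.lower():
            # .reg exports escape backslashes as "\\"; undo that before matching.
            name, data = m.group(1), m.group(2).replace("\\\\", "\\")
            if PERSISTENCE_RE.search(data):
                hits.append((name, data))
    return hits

def find_c2_connections(log_text, port=C2_PORT):
    """Return destination host:port strings for TCP flows to the IRC port."""
    flows = []
    for line in log_text.splitlines():
        m = re.match(r"\S+ \S+ -> (\S+):(\d+) tcp$", line)
        if m and int(m.group(2)) == port:
            flows.append(f"{m.group(1)}:{m.group(2)}")
    return flows

if __name__ == "__main__":
    print(find_persistence(SAMPLE_REG))
    print(find_c2_connections(SAMPLE_CONNLOG))
```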



– This malware has the ability to collect and send information such as:
    • CPU speed
    • Free memory
    • Information about the network
    • Information about running processes
    • Size of memory
    • Username
    • Windows directory
    • Information about the Windows operating system


– Furthermore it has the ability to perform actions such as:
    • Launch DDoS ICMP flood
    • Launch DDoS SYN flood
    • Launch DDoS UDP flood
    • Disconnect from IRC server
    • Download file
    • Execute file
    • Kill process
    • Leave IRC channel
    • Open remote shell
    • Perform DDoS attack
    • Perform network scan
    • Send emails
    • Update itself
    • Upload file

File details
Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
To hinder detection and reduce the file size, it is packed with a runtime packer.

Description inserted by Bogdan Iliuta on Friday, September 29, 2006
