Virus: BDS/VanBot.S.1
Date discovered: 26/09/2006
Type: Backdoor Server
In the wild: No
Reported Infections: Low
Distribution Potential: Medium
Damage Potential: Medium
Static file: Yes
File size: 73.216 Bytes
MD5 checksum: 0444ebc4f529043cd9eecdae744af545
VDF version: 6.36.00.60
IVDF version: 6.36.00.73 - Monday, October 2, 2006

General
Method of propagation:
   • Local network


Aliases:
   •  Mcafee: W32/Sdbot.worm!73216
   •  Kaspersky: Backdoor.Win32.VanBot.s
   •  TrendMicro: WORM_SPYBOT.JQ
   •  Sophos: W32/Sdbot-CRU
   •  VirusBuster: trojan Backdoor.VanBot.K


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads a file
   • Drops a file
   • Registry modification
   • Makes use of software vulnerability
   • Third party control

Files
It copies itself to the following location:
   • %SYSDIR%\winlogin.exe

It tries to download a file:

– The location is the following:
   • http://dl1.debelizombi.com/**********

It is saved on the local hard drive under: %TEMPDIR%\dl%seven-digit random character string%.exe

Registry
The following registry keys are added in order to run the processes after reboot:

– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   • "Windows Logon"="%SYSDIR%\winlogin.exe"

– HKCU\Software\Microsoft\Windows\CurrentVersion\Run
   • "Windows Logon"="%SYSDIR%\winlogin.exe"



The following registry key is changed:

– HKLM\SOFTWARE\Microsoft\Ole
   Old value:
   • "EnableDCOM"="Y"
   New value:
   • "EnableDCOM"="N"
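The file and registry artifacts listed above can be checked on a suspect host with a short read-only script. The following PowerShell is an added example and is not part of the Avira description; the function name Test-VanBotIndicators and the variable names are this example's own, and it assumes that %SYSDIR% resolves to the System32 directory of the running Windows installation. The MD5 it compares against is the checksum given at the top of this description.

```powershell
# Added example, not from the Avira description: read-only check for the host
# artifacts listed above (Run values, dropped file and its MD5, EnableDCOM change).
# Assumption: %SYSDIR% is the System32 directory of the running Windows install.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$DroppedFile = Join-Path $env:SystemRoot 'System32\winlogin.exe'
$KnownMd5    = '0444ebc4f529043cd9eecdae744af545'   # checksum from the description

function Test-VanBotIndicators {
    $findings = @()

    # 1. Persistence: a "Windows Logon" value in either Run key.
    foreach ($key in $RunKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -ne $props -and $props.PSObject.Properties.Name -contains 'Windows Logon') {
            $findings += [pscustomobject]@{
                Indicator = 'Run value "Windows Logon"'
                Location  = $key
                Detail    = $props.'Windows Logon'
            }
        }
    }

    # 2. Dropped copy. The name imitates winlogon.exe (the legitimate logon
    #    process); winlogin.exe is not a Windows component.
    if (Test-Path -LiteralPath $DroppedFile) {
        $md5 = (Get-FileHash -LiteralPath $DroppedFile -Algorithm MD5).Hash.ToLower()
        $findings += [pscustomobject]@{
            Indicator = 'File present'
            Location  = $DroppedFile
            Detail    = $(if ($md5 -eq $KnownMd5) { 'MD5 matches the known sample' }
                          else { "MD5 $md5 (differs from the known sample)" })
        }
    }

    # 3. Configuration change: DCOM switched off system-wide (default is "Y").
    $ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue
    if ($null -ne $ole -and $ole.EnableDCOM -eq 'N') {
        $findings += [pscustomobject]@{
            Indicator = 'EnableDCOM set to N'
            Location  = 'HKLM:\SOFTWARE\Microsoft\Ole'
            Detail    = 'DCOM disabled; the original value was Y'
        }
    }

    return ,$findings
}

$results = Test-VanBotIndicators
if ($results.Count -eq 0) {
    Write-Output 'No BDS/VanBot.S.1 indicators found.'
} else {
    $results | Format-Table -AutoSize
}
```

The script only reads; it does not delete the file or restore the registry values, so the artifacts remain available for triage. The value name "Windows Logon" is not unique on its own, which is why the Detail column shows the path it points to. The mutex rxRizzo_v2.0 listed further down is not checked here because it requires enumerating kernel object handles, which plain PowerShell does not expose.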

Network Infection
Exploit:
It makes use of the following Exploits:
– MS03-026 (Buffer Overrun in RPC Interface)
– MS06-040 (Vulnerability in Server Service)

IRC
To deliver system information and to provide remote control it connects to the following IRC Server:

Server: ircc.debelizombi**********
Port: 8008
Channel: #!v20!



– This malware has the ability to collect and send information such as:
    • Malware uptime
    • Information about running processes
    • Information about the Windows operating system


– Furthermore it has the ability to perform actions such as:
    • connect to IRC server
    • disconnect from IRC server
    • Execute file
    • Join IRC channel
    • Kill process
    • Leave IRC channel
    • Open remote shell
    • Perform DDoS attack
    • Perform network scan

Miscellaneous
Mutex:
It creates the following Mutex:
   • rxRizzo_v2.0

File details
Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
In order to hamper detection and reduce the size of the file, it is packed with the following runtime packer:
   • Morphine

Description inserted by Bogdan Iliuta on Wednesday, October 11, 2006
Description updated by Bogdan Iliuta on Friday, October 27, 2006
