Virus: Worm/Akbot.22568.B
Date discovered: 06/10/2006
Type: Worm
In the wild: No
Reported Infections: Low
Distribution Potential: Medium
Damage Potential: Medium
Static file: Yes
File size: 22.568 Bytes
MD5 checksum: 67871e358250326e2d5abc669516dfe9
VDF version: 6.36.00.80
IVDF version: 6.36.00.96 - Thursday, October 12, 2006

General

Method of propagation:
   • Local network


Aliases:
   •  Kaspersky: Backdoor.Win32.Akbot.j
   •  TrendMicro: BKDR_AKBOT.AS
   •  F-Secure: Backdoor.Win32.Akbot.j
   •  Sophos: W32/Akbot-AG


Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Blocks access to security websites
   • Drops a file
   • Registry modification
   • Steals information
   • Third party control

Files

It copies itself to the following location:
   • %SYSDIR%\ltssvc.dll



The following file is created:
   • %TEMPDIR%\uninstall.bat

This batch file is executed as soon as it has been fully written; it is used to delete a file.

Registry

The following registry key is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "ltssvc"="rundll32.exe %SYSDIR%\ltssvc.dll,start"

Network Infection

In order to ensure its propagation, the malware attempts to connect to other machines as described below.


Exploit:
It makes use of the following Exploits:
– MS04-007 (ASN.1 Vulnerability)
– MS06-040 (Vulnerability in Server Service)

Hosts

The hosts file is modified as follows:

– Existing entries are deleted.

– Access to the following domains is effectively blocked:
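A defender's check for this kind of hosts-file tampering, added here as an example (not part of the original description): it parses hosts-file text, flags any entry that maps a security-vendor domain from the list above (or a subdomain of one) to an address, and reports whether the standard localhost entry survived, since the worm deletes existing entries before writing its own. The WATCHED tuple is a subset of the domains named above and the sample hosts file is constructed.

```python
"""Audit a Windows hosts file for Akbot-style redirection of vendor domains."""

# Subset of the security-vendor domains the worm blocks (from the description).
WATCHED = (
    "symantec.com", "symantecliveupdate.com", "sophos.com", "mcafee.com",
    "f-secure.com", "kaspersky.com", "trendmicro.com", "microsoft.com",
    "virustotal.com",
)

# Constructed sample resembling a hosts file after the worm has rewritten it:
# the original "127.0.0.1 localhost" line is gone, vendor domains are pinned.
SAMPLE_HOSTS = """\
# constructed sample, not a real capture
127.0.0.1 www.symantec.com securityresponse.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 update.microsoft.com
127.0.0.1 intranet.example.local
"""


def is_watched(hostname):
    """True if hostname equals a watched domain or is a subdomain of one."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in WATCHED)


def audit_hosts(text):
    """Return (findings, localhost_present) for the given hosts-file text.

    findings is a list of (line_no, ip, hostname) tuples, one per watched
    hostname that the file resolves locally instead of via DNS.
    """
    findings = []
    localhost_present = False
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if len(fields) < 2:
            continue  # blank, comment-only or malformed line
        ip, names = fields[0], fields[1:]
        if ip in ("127.0.0.1", "::1") and "localhost" in names:
            localhost_present = True
        findings.extend((n, ip, name) for name in names if is_watched(name))
    return findings, localhost_present


if __name__ == "__main__":
    hits, has_localhost = audit_hosts(SAMPLE_HOSTS)
    for line_no, ip, name in hits:
        print(f"line {line_no}: {name} pinned to {ip}")
    print("localhost entry present:", has_localhost)
```

On a live system the same function can be run over the contents of %SYSDIR%\drivers\etc\hosts; any hit on a vendor domain, or a missing localhost line on a Windows version that ships one, is worth investigating.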




The modified hosts file will look like this:


Backdoor

Contact server:
   • http://net.phatnet.**********

As a result, it may send information to this server, and remote control of the infected machine may be provided.

Sends information about:
    • CPU speed
    • Current user
    • Free memory
    • IP address


Remote control capabilities:
    • Launch DDoS ICMP flood
    • Launch DDoS SYN flood
    • Launch DDoS UDP flood

Miscellaneous

Mutex:
It creates the following mutex:
   • lite.3

File details

Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
In order to hinder detection and reduce the file size, it is packed with the following runtime packer:
   • Petite

Description inserted by Adriana Popa on Tuesday, November 7, 2006
Description updated by Adriana Popa on Tuesday, November 7, 2006
