Virus: Worm/Spybot.65026
Date discovered: 28/09/2006
Type: Worm
In the wild: No
Reported infections: Low
Distribution potential: Medium to high
Damage potential: Medium
Static file: Yes
File size: 65,026 Bytes
MD5 checksum: f3575d48f26d83ccb39d0ecbf031cb44
VDF version: 6.36.00.67
IVDF version: 6.36.00.81 - Sunday, October 8, 2006

General methods of propagation:
   • Local network
   • Messenger


Aliases:
   •  Kaspersky: Backdoor.Win32.VanBot.x
   •  TrendMicro: WORM_VANBOT.X
   •  F-Secure: Backdoor.Win32.VanBot.x
   •  Sophos: W32/Sdbot-CRZ
   •  VirusBuster: Worm.Rbot.IEB


Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Disable security applications
   • Lowers security settings
   • Records keystrokes
   • Registry modification
   • Steals information
   • Third party control

Files:
It copies itself to the following location:
   • %SYSDIR%\dllcache\svhba.exe



It deletes the initially executed copy of itself.

Registry:
The following registry keys are added in order to load the service after reboot:

– [HKLM\SYSTEM\CurrentControlSet\Services\Microsoft Windows BDA Service]
   • "Type"=dword:00000110
   • "Start"=dword:00000002
   • "ErrorControl"=dword:00000000
   • "ImagePath"=""%SYSDIR%\dllcache\svhba.exe""
   • "DisplayName"="Microsoft Windows BDA Service"
   • "ObjectName"="LocalSystem"
   • "FailureActions"=%hex values%
   • "Description"="Microsoft Windows HDA Service."

– [HKLM\SYSTEM\CurrentControlSet\Services\Microsoft Windows BDA Service\Security]
   • "Security"=%hex values%

– [HKLM\SYSTEM\CurrentControlSet\Services\Microsoft Windows BDA Service\Enum]
   • "0"="Root\\LEGACY_MICROSOFT_WINDOWS_BDA_SERVICE\\0000"
   • "Count"=dword:00000001
   • "NextInstance"=dword:00000001



It creates the following entry in order to bypass the Windows XP firewall:

– [HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   • "%SYSDIR%\dllcache\svhba.exe"="%SYSDIR%\dllcache\svhba.exe:*:Enabled:Microsoft Windows BDA Service"



The following registry keys are changed:

Deactivate Windows Firewall:
– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess]
   Old value:
   • "Start"=%user defined settings%
   New value:
   • "Start"=dword:00000004

– [HKLM\SYSTEM\CurrentControlSet\Services\wuauserv]
   Old value:
   • "Start"=%user defined settings%
   New value:
   • "Start"=dword:00000004

– [HKLM\SOFTWARE\Microsoft\Ole]
   Old value:
   • "EnableDCOM"="Y"
   New value:
   • "EnableDCOM"="N"

– [HKLM\SYSTEM\CurrentControlSet\Control\Lsa]
   Old value:
   • "lmcompatibilitylevel"=dword:00000000
   • "restrictanonymous"=dword:00000000
   New value:
   • "lmcompatibilitylevel"=dword:00000001
   • "restrictanonymous"=dword:00000001

– [HKLM\SYSTEM\CurrentControlSet\Services\wscsvc]
   Old value:
   • "Start"=%user defined settings%
   New value:
   • "Start"=dword:00000004

– [HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
   Old value:
   • "DoNotAllowXPSP2"=%user defined settings%
   • "DoNotAllowXPSP3"=%user defined settings%
   New value:
   • "DoNotAllowXPSP2"=dword:00000001
   • "DoNotAllowXPSP3"=dword:00000001
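A read-only PowerShell check for the persistence, firewall-bypass and settings-change indicators listed above, added here as an example and not part of the original description. It assumes an elevated session and queries CurrentControlSet where the description lists ControlSet001 (CurrentControlSet normally points to the active control set).

```powershell
# Added example (not from the original description): report the registry and
# file indicators documented for Worm/Spybot.65026. Read-only; run elevated.
$sysdir   = [Environment]::GetFolderPath('System')   # resolves %SYSDIR%
$findings = @()

function Test-RegValue {
    param([string]$Path, [string]$Name, $Expected, [string]$Why)
    # Missing key or value -> $null, which is simply "not found"
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.$Name -eq $Expected) {
        $script:findings += "$Why : $Path\$Name = $Expected"
    }
}

# 1. Persistence: bogus "Microsoft Windows BDA Service" pointing at dllcache\svhba.exe
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Microsoft Windows BDA Service'
if (Test-Path $svcKey) {
    $img = (Get-ItemProperty -Path $svcKey -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    $findings += "Service key present: $svcKey (ImagePath = $img)"
}
if (Test-Path (Join-Path $sysdir 'dllcache\svhba.exe')) {
    $findings += "Dropped file present: $sysdir\dllcache\svhba.exe"
}

# 2. Firewall bypass: svhba.exe listed as an authorized application
$fwList = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
if (Test-Path $fwList) {
    foreach ($p in (Get-ItemProperty -Path $fwList).PSObject.Properties) {
        if ($p.Name -like '*svhba.exe') {
            $findings += "Firewall exception: $($p.Name) = $($p.Value)"
        }
    }
}

# 3. Security services set to Disabled (Start=4), DCOM off, XP service packs blocked
foreach ($svc in 'SharedAccess', 'wuauserv', 'wscsvc') {
    Test-RegValue "HKLM:\SYSTEM\CurrentControlSet\Services\$svc" 'Start' 4 "Service $svc disabled"
}
Test-RegValue 'HKLM:\SOFTWARE\Microsoft\Ole' 'EnableDCOM' 'N' 'DCOM disabled'
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
Test-RegValue $wu 'DoNotAllowXPSP2' 1 'XP SP2 installation blocked'
Test-RegValue $wu 'DoNotAllowXPSP3' 1 'XP SP3 installation blocked'

if ($findings.Count -eq 0) { 'No Worm/Spybot.65026 indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

The Start=4 checks alone are weak evidence, since an administrator may have disabled those services deliberately; the service key, dropped file and firewall exception are the specific indicators.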

Messenger:
It spreads via the following instant messengers:

– AIM Messenger
– ICQ Messenger
– Windows Live Messenger
– Yahoo Messenger

Network infection:
In order to ensure its propagation, the malware attempts to connect to other machines as described below.


Exploit:
It makes use of the following exploits:
– MS02-061 (Elevation of Privilege in SQL Server Web)
– MS04-007 (ASN.1 Vulnerability)
– MS06-040 (Vulnerability in Server Service)

IRC:
To deliver system information and to provide remote control, it connects to the following IRC server:

Server: infraredtech.**********
Port: 7007
Channel: #met
Nickname: NICK [0]USA|%operating system%[P]%six-digit random character string%


– Furthermore, it has the ability to perform actions such as:
    • Connect to an IRC server
    • Launch a DDoS SYN flood
    • Perform a network scan
    • Start keylogging
    • Update itself

Process termination:
Processes whose names contain one of the following strings are terminated:
   • WindowsServer2003; Windows-XP; Windows-2000; Ad-aware; spyware;
      hijack; kav; proc; norton; mcafee; f-pro; lockdown; firewall;
      blackice; avg; vsmon; zonea; spybot; nod32; reged; avp; troja; viru;
      anti


List of services that are disabled:
   • wuauserv
   • Windows Firewall
   • wscsvc

Backdoor:
The following ports are opened:

– svhba.exe on a random TCP port in order to provide an FTP server.
– svhba.exe on a random TCP port

Stealing:
It tries to steal the following information:

– A logging routine is started after the following website is visited:
   • e-gold.com/srk.asp

– A logging routine is started after a website is visited whose URL contains one of the following substrings:
   • bank
   • Bank
   • Wells Fargo
   • eBay
   • e-gold
   • iKobo
   • PayPal
   • StormPay
   • WorldPay
   • Western Union

– It captures:
    • Login information

Miscellaneous:
Mutex:
It creates the following mutex:
   • bawt


File patching:
In order to increase the maximum number of concurrent connections, it has the capability to modify tcpip.sys. This may corrupt the file and break network connectivity.

File details:
Runtime packer:
To hinder detection and reduce the file size, it is packed with a runtime packer.

Description inserted by Adriana Popa on Monday, November 6, 2006
Description updated by Adriana Popa on Monday, November 6, 2006
