Date discovered: 21/12/2010
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Medium to high
Damage Potential: Medium
Static file: Yes
File size: 100.872 Bytes
MD5 checksum: f5b24ee909954ffccdcd2eeb8a4cd0de
VDF version:
IVDF version:

General methods of propagation:
   • Autorun feature
   • Messenger
   • Peer to Peer

Aliases:
   • Symantec: W32.Spybot.Worm
   • Grisoft: BackDoor.Ircbot.NPB
   • Eset: Win32/AutoRun.IRCBot.FC
   • DrWeb: BackDoor.IRC.Sdbot.4867

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7

Side effects:
   • Third party control
   • Drops files
   • Registry modification
   • Steals information

Files
It copies itself to the following location:
   • %WINDIR%\wni.exe

The following files are created:

%drive%\autorun.inf: a non-malicious text file with the following content:
   • %code that runs malware%

Registry
The following registry keys are added in order to run the processes after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Windows Services"="wni.exe"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\
   • "Windows Services"="wni.exe"

The following registry key is added:

– [HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\
   • "%malware execution directory%\sample.exe"="%malware execution directory%\\sample.exe:*:Enabled:Windows Services"

P2P
In order to infect other systems in the Peer to Peer network community, the following action is performed:

It searches for the following directories:
   • %PROGRAM FILES%\kazaa\my shared folder\
   • %PROGRAM FILES%\kazaa lite\my shared folder\
   • %PROGRAM FILES%\kazaa lite k++\my shared folder\
   • %PROGRAM FILES%\icq\shared folder\
   • %PROGRAM FILES%\grokster\my grokster\
   • %PROGRAM FILES%\bearshare\shared\
   • %PROGRAM FILES%\edonkey2000\incoming\
   • %PROGRAM FILES%\emule\incoming\
   • %PROGRAM FILES%\morpheus\my shared folder\
   • %PROGRAM FILES%\limewire\shared\
   • %PROGRAM FILES%\tesla\files\
   • %PROGRAM FILES%\winmx\shared\

   If successful, the following files are created:
   • Windows 2003 Advanced Server KeyGen.exe; UT 2003 KeyGen.exe; Half-Life
      2 Downloader.exe; Password Cracker.exe; FTP Cracker.exe; Brutus FTP
      Cracker.exe; Hotmail Hacker.exe; Hotmail Cracker.exe; Norton
      Anti-Virus 2005 Enterprise Crack.exe; DCOM Exploit.exe; NetBIOS
      Hacker.exe; NetBIOS Cracker.exe; Windows Password Cracker.exe; L0pht
      4.0 Windows Password Cracker.exe; sdbot with NetBIOS Spread.exe; Sub7
      2.3 Private.exe; Microsoft Visual C++ KeyGen.exe; Microsoft Visual
      Basic KeyGen.exe; Microsoft Visual Studio KeyGen.exe; MSN Password
      Cracker.exe; AOL Instant Messenger (AIM) Hacker.exe; ICQ Hacker.exe;
      AOL Password Cracker.exe; Keylogger.exe; Website Hacker.exe; IP
      Nuker.exe; Counter-Strike KeyGen.exe; DivX 5.0 Pro KeyGen.exe

   These files are copies of the malware itself.

Messenger
It spreads via instant messengers. The characteristics are described below:

– AIM Messenger
– Windows Live Messenger
– Yahoo Messenger

Recipients: all entries in the contact list.

The sent message looks like one of the following:

   • "regarder cette image"
     "Schauen Sie dieses Bild an"
     "mire este retrato"
     "Look at this picture"
     "guardare quest'immagine"
     "Seen this? :D"

Propagation via URL
It sends the following link:
   • http://www.mess**********

The URL then refers to a copy of the described malware. If the user downloads and executes this file the infection process will start again.

IRC
To deliver system information and to provide remote control, it connects to the following IRC server:

Server: botn**********.cc
Port: 6667
Channel: #infected
Nickname: [%operating system%|%random numbers%]
Password: dkruqou

– This malware has the ability to collect and send information such as:
    • Information about the network
    • Username
    • Information about the Windows operating system

– Furthermore, it has the ability to perform actions such as:
    • Connect to IRC server
    • Launch DDoS ICMP flood
    • Disconnect from IRC server
    • Download file
    • Join IRC channel
    • Leave IRC channel
    • Perform DDoS attack
    • Start spreading routine
    • Terminate malware
    • Terminate process
    • Update itself
    • Visit a website
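The IRC handshake described above (nickname of the form [operating system|random numbers], channel #infected, port 6667, password dkruqou) can be flagged from client-to-server traffic. The following detector is an added example, not part of the Avira description: it assumes the password is sent either as the server PASS or as the channel key on JOIN, and the sample sessions are constructed.

```python
import re
from dataclasses import dataclass, field

IRC_PORT = 6667
C2_CHANNEL = "#infected"
C2_PASSWORD = "dkruqou"
# Bot nickname format from the description: [operating system|random numbers],
# e.g. [XP|4831923]. The OS part is free text without brackets or '|'.
BOT_NICK_RE = re.compile(r"^\[[^\[\]|]+\|\d+\]$")


@dataclass
class Verdict:
    suspicious: bool
    indicators: list = field(default_factory=list)


def inspect_irc_session(dst_port, lines):
    """Score one client->server IRC session (raw lines) against the page's IoCs."""
    hits = []
    if dst_port == IRC_PORT:
        hits.append("port 6667")
    for raw in lines:
        parts = raw.strip().split(" ")
        cmd, args = parts[0].upper(), parts[1:]
        if cmd == "NICK" and args and BOT_NICK_RE.match(args[0]):
            hits.append("nick %s" % args[0])
        elif cmd == "PASS" and args and args[0] == C2_PASSWORD:
            hits.append("server password")  # assumption: PASS carries the password
        elif cmd == "JOIN" and args:
            # JOIN takes a comma list of channels and an optional comma list of keys.
            if C2_CHANNEL in args[0].split(","):
                hits.append("join %s" % C2_CHANNEL)
                if len(args) > 1 and C2_PASSWORD in args[1].split(","):
                    hits.append("channel key")  # assumption: key used on JOIN
    # Port 6667 alone is ordinary IRC; require two protocol-level indicators.
    protocol_hits = [h for h in hits if h != "port 6667"]
    return Verdict(suspicious=len(protocol_hits) >= 2, indicators=hits)


# Constructed sample sessions (not captured traffic).
BOT_SESSION = ["NICK [XP|4831923]", "USER x 0 0 :x", "JOIN #infected dkruqou"]
BENIGN_SESSION = ["NICK alice", "USER alice 0 * :Alice", "JOIN #python"]

if __name__ == "__main__":
    for name, session in (("bot", BOT_SESSION), ("benign", BENIGN_SESSION)):
        v = inspect_irc_session(IRC_PORT, session)
        print(name, v.suspicious, v.indicators)
```

Because the nickname and channel are matched at the protocol level, the check still works when the server name is unknown or the bot uses a non-standard port.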

Process termination
Processes whose names contain one of the following strings are terminated (these are network and process monitoring tools commonly used by analysts):
   • dumpcap
   • SandboxStarter
   • tcpview
   • procmon
   • filemon

Injection
It injects itself as a remote thread into a process.

Process name:
   • explorer.exe

Miscellaneous
Mutex:
It creates the following mutex:
   • fi3+th_ew

File details
Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
To hinder detection and reduce the file size, it is packed with a runtime packer.

Encrypted: the virus code inside the file is encrypted.

Description inserted by Ana Maria Niculescu on Wednesday, March 16, 2011
Description updated by Andrei Ivanes on Friday, March 18, 2011
