Virus:Worm/WootBot.A.11
Date discovered:14/06/2011
Type:Worm
In the wild:Yes
Reported Infections:Low to medium
Distribution Potential:Medium
Damage Potential:Medium
Static file:Yes
File size:143.360 Bytes
MD5 checksum:4a46dd2a35db76ccc74959774894328a
VDF version:7.11.09.168 - Tuesday, June 14, 2011
IVDF version:7.11.09.168 - Tuesday, June 14, 2011

General
Method of propagation:
   • Local network


Aliases:
   •  Kaspersky: Backdoor.Win32.Wootbot.gq
   •  Sophos: Troj/Agent-STW
   •  Microsoft: Worm:Win32/Wootbot
   •  Eset: Win32/Dorkbot.C
   •  DrWeb: Trojan.MulDrop2.33786


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows 7


Side effects:
   • Third party control
   • Drops a file
   • Drops a malicious file
   • Lowers security settings
   • Records keystrokes
   • Registry modification
   • Steals information
   • Makes use of software vulnerability

Files
It copies itself to the following location:
   • %SYSDIR%\svchots.exe



The following files are created:

– Non malicious file:
   • %HOME%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-%random numbers%\%hex values%

– Malicious file:
   • %TEMPDIR%\BIAH61abh284h1e.dll
     It is executed as soon as it has been fully written. Further investigation showed that this file is malware, too. Detected as: TR/Small.anwd

Registry
The following registry keys are added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "windows updatess"="svchots.exe"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
   • "windows updatess"="svchots.exe"

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "windows updatess"="svchots.exe"

– [HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
   • "windows updatess"="svchots.exe"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
   • "windows updatess"="svchots.exe"



The following registry keys are added in order to load the service after reboot:

– [HKLM\SYSTEM\CurrentControlSet\Services\System Administrattor]
   • "Type"=dword:00000014
   • "Start"=dword:00000002
   • "ErrorControl"=dword:00000001
   • "ImagePath"="%SYSDIR%\svchots.exe -netsvcs"
   • "Display Name"="windows updates"
   • "Object Name"="LocalSystem"
   • "Delete Flag"=dword:00000001
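As an added example (not part of the Avira description), the following PowerShell triage script checks a host for the persistence artifacts listed above: the "windows updatess" autorun values, the misspelled service and the svchots.exe binary. It assumes an elevated session and PowerShell 4 or later (for Get-FileHash); the HKCU checks cover the current user only.

```powershell
# Added example, not from the Avira description: triage a host for the
# persistence artifacts listed above. Assumes an elevated session and
# PowerShell 4+ (for Get-FileHash). HKCU checks cover the current user only.
$valueName   = 'windows updatess'          # autorun value name used by the worm
$serviceName = 'System Administrattor'     # misspelled service name from the advisory
$knownMd5    = '4a46dd2a35db76ccc74959774894328a'
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# svchots.exe is a look-alike of svchost.exe; on 64-bit Windows a 32-bit dropper
# writing to %SYSDIR% may be redirected to SysWOW64, so check both directories.
$binaries = @('System32\svchots.exe', 'SysWOW64\svchots.exe') |
    ForEach-Object { Join-Path $env:SystemRoot $_ }

$findings = @()

# 1. Autorun values named "windows updatess" in the Run/RunOnce/RunServices keys
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $prop  = $props.PSObject.Properties[$valueName]
    if ($prop) { $findings += "Autorun '$valueName' in $key = '$($prop.Value)'" }
}

# 2. The bogus service registered for start after reboot
$svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName"
if (Test-Path $svcKey) {
    $img = (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).ImagePath
    $findings += "Service '$serviceName' registered, ImagePath = '$img'"
}

# 3. The dropped binary and its MD5, compared with the sample in this advisory
foreach ($bin in $binaries) {
    if (-not (Test-Path $bin)) { continue }
    $md5 = (Get-FileHash -Path $bin -Algorithm MD5).Hash.ToLower()
    $findings += "File present: $bin (MD5 $md5)"
    if ($md5 -eq $knownMd5) { $findings += "MD5 matches the sample in this advisory" }
}

if ($findings.Count -eq 0) { 'No Wootbot.A.11 persistence artifacts found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

A differing MD5 does not clear the host: a repacked variant will carry a different hash while leaving the same value name, service name and file name behind.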

Network Infection
In order to ensure its propagation the malware attempts to connect to other machines as described below.


Exploit:
– MS04-011 (LSASS Vulnerability)


IP address generation:
It creates random IP addresses while it keeps the first two octets from its own address. Afterwards it tries to establish a connection with the created addresses.
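The address generation above (random targets that share the infected host's first two octets) shows up in flow telemetry as one source fanning out to many distinct addresses inside its own /16. As an added example, not from the Avira description, the following PowerShell function flags such sources; the flow records are constructed sample data, and the Src/Dst field names and the threshold of 8 are assumptions.

```powershell
# Added example, not from the Avira description: flag sources that fan out to
# many distinct hosts inside their own /16, the pattern produced by the address
# generation described above. Flow records here are constructed sample data.
function Get-Prefix16 ([string] $Ip) {
    # first two octets, e.g. 10.20.1.15 -> 10.20
    ($Ip -split '\.')[0..1] -join '.'
}

function Find-SubnetScanners {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Flows,  # objects with Src and Dst
        [int] $Threshold = 8                              # distinct in-/16 targets
    )
    $Flows |
        Where-Object { (Get-Prefix16 $_.Src) -eq (Get-Prefix16 $_.Dst) } |
        Group-Object -Property Src |
        ForEach-Object {
            $group    = $_
            $distinct = @($group.Group | ForEach-Object { $_.Dst } | Sort-Object -Unique).Count
            if ($distinct -ge $Threshold) {
                [pscustomobject]@{ Source = $group.Name; DistinctTargets = $distinct }
            }
        }
}

# Constructed sample: 10.20.1.15 probes 12 scattered hosts in 10.20.0.0/16,
# while 10.20.1.22 shows ordinary traffic (two local peers, one external).
$flows = foreach ($i in 1..12) {
    $dst = '10.20.{0}.{1}' -f ((17 * $i) % 256), ((31 * $i) % 254 + 1)
    [pscustomobject]@{ Src = '10.20.1.15'; Dst = $dst }
}
$flows += @(
    [pscustomobject]@{ Src = '10.20.1.22'; Dst = '10.20.1.1' },
    [pscustomobject]@{ Src = '10.20.1.22'; Dst = '10.20.1.5' },
    [pscustomobject]@{ Src = '10.20.1.22'; Dst = '8.8.8.8' }
)

Find-SubnetScanners -Flows $flows | Format-Table -AutoSize
```

With the constructed records only 10.20.1.15 crosses the threshold; on real telemetry, restrict the input to the SMB ports the MS04-011 exploit travels over to cut down on false positives from legitimate local fan-out such as backup or monitoring hosts.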

IRC
To deliver system information and to provide remote control it connects to the following IRC server:

Server: remove.do**********es.com
Port: 13001
Channel: .ser
Nickname: xixcyz
Password: hs



– This malware has the ability to collect and send information such as:
    • CPU speed
    • Free memory
    • Malware uptime
    • Size of memory
    • Username
    • Information about the Windows operating system


– Furthermore it has the ability to perform actions such as:
     • Connect to IRC server
     • Launch DDoS ICMP flood
     • Launch DDoS SYN flood
     • Disable network shares
     • Disconnect from IRC server
     • Download file
     • Enable network shares
     • Execute file
     • Join IRC channel
     • Leave IRC channel
     • Perform network scan
     • Perform port redirection
     • Register a service
     • Restart system
     • Send emails
     • Shut down system
     • Start keylog
     • Start spreading routine
     • Update itself

Stealing
It tries to steal the following information:
– Windows Product ID

– The following CD keys:
   • SOFTWARE\Electronic Arts\EA GAMES\Battlefield 1942\ergc
   • SOFTWARE\Electronic Arts\EA GAMES\Battlefield 1942 Secret Weapons of WWII\ergc
   • SOFTWARE\Electronic Arts\EA GAMES\Battlefield 1942 The Road to Rome\ergc
   • SOFTWARE\Electronic Arts\EA GAMES\Battlefield Vietnam\ergc
   • SOFTWARE\Electronic Arts\EA GAMES\Black and White\ergc
   • SOFTWARE\Electronic Arts\EA GAMES\Generals\ergc
   • SOFTWARE\Electronic Arts\EA GAMES\Command and Conquer Generals Zero Hour\ergc
   • SOFTWARE\Westwood\Red Alert 2
   • SOFTWARE\Westwood\Tiberian Sun
   • Software\Valve\CounterStrike\Settings
   • SOFTWARE\Electronic Arts\EA Sports\FIFA 2002\ergc
   • SOFTWARE\Electronic Arts\EA Sports\FIFA 2003\ergc
   • SOFTWARE\Electronic Arts\EA Distribution\Freedom Force\ergc
   • SOFTWARE\Electronic Arts\EA GAMES\Global Operations\ergc
   • Software\Valve\Gunman\Settings
   • Software\Valve\Half-Life\Settings
   • SOFTWARE\Illusion Softworks\Hidden & Dangerous 2
   • SOFTWARE\IGI 2 Retail\CDKey
   • Software\JoWooD\InstalledGames\IG2
   • SOFTWARE\Electronic Arts\EA GAMES\James Bond 007 Nightfire\ergc
   • SOFTWARE\Electronic Arts\EA GAMES\Medal of Honor Allied Assault\ergc
   • SOFTWARE\Electronic Arts\EA GAMES\Medal of Honor Allied Assault Breakthrough\ergc
   • SOFTWARE\Electronic Arts\EA GAMES\Medal of Honor Allied Assault Spearhead\ergc
   • SOFTWARE\Electronic Arts\EA Sports\Nascar Racing 2002\ergc
   • SOFTWARE\Electronic Arts\EA Sports\Nascar Racing 2003\ergc
   • SOFTWARE\Electronic Arts\EA Sports\NHL 2002\ergc
   • SOFTWARE\Electronic Arts\EA Sports\NHL 2003\ergc
   • SOFTWARE\Electronic Arts\EA GAMES\Need For Speed Hot Pursuit 2\ergc
   • SOFTWARE\Electronic Arts\EA GAMES\Need For Speed Underground\ergc
   • Software\BioWare\NWN\Neverwinter
   • SOFTWARE\Red Storm Entertainment\RAVENSHIELD
   • SOFTWARE\Electronic Arts\EA GAMES\Shogun Total War - Warlord Edition\ergc
   • Software\Silver Style Entertainment\Soldiers Of Anarchy\Settings
   • Software\Activision\Soldier of Fortune II - Double Helix
   • Software\Eugen Systems\The Gladiators
   • SOFTWARE\Unreal Technology\Installed Apps\UT2003
   • SOFTWARE\Unreal Technology\Installed Apps\UT2004
   • Software\Activision\Call of Duty

– Passwords from the following programs:
   • Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Login
   • Software\Yahoo\Pager
   • Software\Microsoft\WAB\WAB4\Wab File Name
   • Software\Microsoft\MessengerService\ListCache\.NET Messenger Service

File details
Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.

Description inserted by Ana Maria Niculescu on Thursday, August 11, 2011
Description updated by Andrei Ivanes on Friday, August 12, 2011
