Date discovered: 08/09/2009
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low to medium
Damage Potential: Medium
Static file: Yes
File size: 572.416 Bytes
MD5 checksum: 04f3c35e4a1b14da97b04e40e1c9a3ed
IVDF version:

General
Methods of propagation:
   • Autorun feature
   • Local network
   • Messenger

Aliases:
   • McAfee: W32/Spybot.worm
   • Sophos: Troj/IrcBot-AGG
   • Panda: W32/AInfBot.B.worm
   • Eset: Win32/AutoRun.IRCBot.BY
   • Bitdefender: Trojan.Generic.2504499

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Blocks access to certain websites
   • Blocks access to security websites
   • Drops malicious files
   • Lowers security settings
   • Registry modification
   • Makes use of software vulnerability
   • Third party control

Files
It copies itself to the following locations:
   • %SYSDIR%\wbem\wmisvapp.exe
   • %drive%\DRIVE\CACHE-20194029\drvsys32.exe

It overwrites a file.

It deletes the initially executed copy of itself.

The following files are created:

%drive%\autorun.inf
This is a non-malicious text file with the following content:
   • %code that runs malware%

Registry
The following registry key is added in order to run the process after reboot:

– [HKLM\SYSTEM\CurrentControlSet\Services\WMISVAP]
   • "Description"="Allocates memory for WMI applications. This service cannot be stopped."
   • "DisplayName"="WMI Service APP"
   • "ErrorControl"=dword:0x00000000
   • "FailureActions"=hex:0A,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,01,00,00,00,B8,0B,00,00
   • "ImagePath"=""%SYSDIR%\wbem\wmisvapp.exe""
   • "ObjectName"="LocalSystem"
   • "Start"=dword:0x00000002
   • "Type"=dword:0x00000110

The following registry keys are added:

– [HKLM\SOFTWARE\Microsoft\Security Center]
   • "AntiVirusDisableNotify"=dword:0x00000001
   • "AntiVirusOverride"=dword:0x00000001
   • "FirewallDisableNotify"=dword:0x00000001
   • "FirewallOverride"=dword:0x00000001

– [HKLM\SOFTWARE\Policies\Microsoft\MRT]
   • "DontReportInfectionInformation"=dword:0x00000001

– [HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
   • "DisableConfig"=dword:0x00000001

– [HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
   • "DoNotAllowXPSP2"=dword:0x00000001

The following registry keys are changed:

– [HKLM\SOFTWARE\Microsoft\Ole]
   New value:
   • "EnableDCOM"="N"

– [HKLM\SYSTEM\CurrentControlSet\Control]
   New value:
   • "WaitToKillServiceTimeout"="7000"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions]
   New value:
   • "GON"="%executed file%"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
   New value:
   • "CheckedValue"=dword:0x00000001

Deactivate Windows XP Firewall:
Lower security settings from Internet Explorer:
Disable Regedit and Task Manager:
Internet Explorer's start page:
Time format:
Various Explorer settings:
– [HKLM\SYSTEM\CurrentControlSet\Services\wscsvc]
   New value:
   • "Start"=dword:0x00000004
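The registry changes above (the WMISVAP service, the Security Center overrides, the MRT, System Restore and Windows Update policies, the DCOM switch and the disabled wscsvc service) can be checked offline against a `.reg` export of a suspect machine. The following is an added example, not Avira's tooling or code from this description; the sample export is constructed, and the indicator table is copied from the key/value pairs listed above.

```python
"""Audit a Windows registry export (.reg text) for the persistence and
security-downgrade values listed in this description.

Added example, not Avira's tooling. SAMPLE_EXPORT is constructed.
"""
import re
from typing import Dict, List, Optional

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')


def canon_key(key: str) -> str:
    """Normalise a key path so HKLM\\... and HKEY_LOCAL_MACHINE\\... compare equal."""
    k = key.strip().lower().rstrip("\\")
    return k.replace("hkey_local_machine", "hklm")


def normalise_data(data: str):
    """Turn raw .reg data into a comparable value: dword -> int, "text" -> str."""
    d = data.strip()
    if d.lower().startswith("dword:"):
        return int(d[6:].lower().replace("0x", ""), 16)
    if len(d) >= 2 and d[0] == '"' and d[-1] == '"':
        return d[1:-1]
    return d  # hex:, expandable strings etc. are left as written


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse .reg text into {canonical key: {value name (lower-case): raw data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = canon_key(m.group("key"))
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name").lower()] = m.group("data")
    return keys


# (key, value name, expected data or None for "any data", why it matters)
INDICATORS = [
    (r"HKLM\SYSTEM\CurrentControlSet\Services\WMISVAP", "ImagePath", None,
     "service entry that restarts the worm after reboot"),
    (r"HKLM\SOFTWARE\Microsoft\Security Center", "AntiVirusDisableNotify", 1,
     "antivirus warnings suppressed"),
    (r"HKLM\SOFTWARE\Microsoft\Security Center", "AntiVirusOverride", 1,
     "antivirus state overridden"),
    (r"HKLM\SOFTWARE\Microsoft\Security Center", "FirewallDisableNotify", 1,
     "firewall warnings suppressed"),
    (r"HKLM\SOFTWARE\Microsoft\Security Center", "FirewallOverride", 1,
     "firewall state overridden"),
    (r"HKLM\SOFTWARE\Policies\Microsoft\MRT", "DontReportInfectionInformation", 1,
     "Malicious Software Removal Tool reporting disabled"),
    (r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore", "DisableConfig", 1,
     "System Restore configuration disabled"),
    (r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate", "DoNotAllowXPSP2", 1,
     "XP SP2 blocked via Windows Update"),
    (r"HKLM\SOFTWARE\Microsoft\Ole", "EnableDCOM", "N",
     "DCOM disabled"),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\wscsvc", "Start", 4,
     "Security Center service disabled"),
]


def audit(text: str) -> List[str]:
    """Return one finding per indicator present in the export with the expected data."""
    keys = parse_reg_export(text)
    findings = []
    for key, name, expected, why in INDICATORS:
        values = keys.get(canon_key(key), {})
        if name.lower() not in values:
            continue
        actual = normalise_data(values[name.lower()])
        if expected is None or actual == expected:
            findings.append(f"{key}\\{name} = {actual!r}: {why}")
    return findings


# Constructed sample: three indicators hit, two values are at benign settings.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMISVAP]
"DisplayName"="WMI Service APP"
"ImagePath"="C:\\WINDOWS\\system32\\wbem\\wmisvapp.exe"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"
'''

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print(finding)
```

A real export produced with `regedit /e` or `reg export` is written as UTF-16LE, so read the file with `encoding="utf-16"` before passing it to `audit()`. The WMISVAP entry is matched on presence alone because the page gives its image path with the `%SYSDIR%` placeholder, which differs per machine; every other indicator is matched on the exact data the description lists, so a value that has since been restored to a safe setting is not reported.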

Messenger
It is spreading via Messenger. The characteristics are described below:

– AIM Messenger
– MSN Messenger

The URL then refers to a copy of the described malware. If the user downloads and executes this file the infection process will start again.

Network Infection
In order to ensure its propagation the malware attempts to connect to other machines as described below.

It makes use of the following Exploits:
– MS04-007 (ASN.1 Vulnerability)
– MS06-040 (Vulnerability in Server Service)

IP address generation:
It creates random IP addresses while it keeps the first octet from its own address. Afterwards it tries to establish a connection with the created addresses.

Remote execution:
– It attempts to schedule remote execution of the malware on the newly infected machine, using the NetScheduleJobAdd function.

IRC
To deliver system information and to provide remote control it connects to the following IRC servers:

Server: centre.a-yo**********.info
Port: 5213
Server password: 3v1l$
Channel: #sploit
Nickname: [00|USA|XP|%number%]

Server: spazm.a-yo**********.info

Server: coax.a-yo**********.info

Server: euro.b-yo**********.info

Server: com0.b-yo**********.info

Server: ptr.b-yo**********.info

Server: mech.c-yo**********.info

Server: det0x.c-yo**********.info

Server: sex.c-yo**********.info

Hosts
The hosts file is modified as follows:

– In this case existing entries are deleted.

– Access to the following domains is effectively blocked:
   • vil.nail.comm
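The two hosts-file symptoms described above (original entries wiped, security domains pointed away from their real addresses) can be checked from a copy of `%SYSDIR%\drivers\etc\hosts`. The following is an added example, not Avira's tooling or code from this description; the hosts content is constructed and uses placeholder `.example` names rather than any real vendor domain.

```python
"""Audit a Windows hosts file for the tampering described above: legitimate
entries removed and other names sinkholed or redirected.

Added example, not Avira's tooling. SAMPLE_HOSTS is constructed.
"""
import ipaddress
from typing import List, Tuple

# Names a clean hosts file is expected to carry; anything else is reviewed.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            entries.append((addr, name.lower()))
    return entries


def audit_hosts(text: str) -> List[str]:
    """Report a missing localhost line (original content deleted) and every
    entry that would make a site unreachable or send it to another address."""
    findings = []
    entries = parse_hosts(text)
    if not any(name in LOOPBACK_NAMES for _, name in entries):
        findings.append("no localhost entry: original hosts content appears to have been deleted")
    for addr, name in entries:
        if name in LOOPBACK_NAMES:
            continue
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append(f"{name}: malformed address {addr!r}")
            continue
        if ip.is_loopback or ip.is_unspecified:
            findings.append(f"{name}: sinkholed to {addr} (site unreachable)")
        else:
            findings.append(f"{name}: redirected to {addr} (possible hijack)")
    return findings


# Constructed sample: a clean localhost pair followed by three tampered entries.
SAMPLE_HOSTS = """# constructed sample, not a real capture
127.0.0.1       localhost
::1             localhost
127.0.0.1       vendor-update.example      # update site sinkholed
0.0.0.0         av-downloads.example
10.9.8.7        www.bank.example           # sent to another address
"""

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

Machines that legitimately carry extra hosts entries (ad-blocking lists, lab name overrides) will also be listed, so treat the output as a review queue rather than a verdict; the missing-localhost finding and any entry naming a security vendor or update server are the ones that match this description.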

Rootkit Technology
It is malware-specific technology: the malware hides its presence from system utilities, security applications and, in the end, from the user.

Hides the following:
– Its own process

Method used:
    • Hidden from Windows API

File details
Runtime packer:
In order to hamper detection and reduce the size of the file, it is packed with a runtime packer.

Description inserted by Petre Galan on Friday, March 12, 2010
Description updated by Petre Galan on Monday, March 15, 2010
