Worm/IRCBot.EV.1 - Worm

See also

Summary

Full description

Statistics

Virus:	Worm/IRCBot.EV.1
Date discovered:	24/08/2005
Type:	Worm
In the wild:	Yes
Reported Infections:	Low
Distribution Potential:	Low to medium
Damage Potential:	Medium
Static file:	Yes
File size:	38.400 Bytes
MD5 checksum:	7551ca56b533e6ba86d3c0b2b4c8485e
VDF version:	6.31.1.158

General Methods of propagation:
   • Local network
   • Mapped network drives

Aliases:
   • Symantec: W32.IRCBot
   • Kaspersky: Backdoor.Win32.IRCBot.ev
   • TrendMicro: BKDR_IRCBOT.AS
   • Sophos: W32/Sdbot-Fam
   • VirusBuster: Worm.SdBot.BDZ
   • Bitdefender: BehavesLike:Win32.IRC-Backdoor

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Registry modification
   • Makes use of software vulnerability
   • Third party control

Files It copies itself to the following location:
• %SYSDIR%\WOWCRAK.EXE

Registry The following registry keys are added in order to run the processes after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• "MEsnemd"="wowcrak.exe"

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
• "MEsnemd"="wowcrak.exe"

Network Infection In order to ensure its propagation the malware attemps to connect to other machines as described below.

It drops copies of itself to the following network shares:
   • C$\windows\system32\
   • C$\Documents and Settings\All Users\Documents\
   • C$\shared\
   • C$\winnt\system32\
   • ADMIN$\system32\

It uses the following login information in order to gain access to the remote machine:

– The following list of passwords:
   • 123qwe123; zaqxsw; zaq123; motdepass; **********; billgate;
      billgates; fred; bill; intranet; staff; teacher; student1; student;
      user1; afro; turnip; glen; freddy; internet; lan; nokia; ctx; 666;
      qweasdzxc; zxcvbnm; 123qaz; 123qwe; qwe123; qazwsx; qweasd; zxc123;
      pass1234; pwd; pass; passwd; admin; administrador; administrateur;
      administrator

Exploit:
It makes use of the following Exploit:
– MS04-011 (LSASS Vulnerability)

IRC To deliver system information and to provide remote control it connects to the following IRC Server:

Server: **********.mybizz.info
Port: 1125
Channel: #mm
Nickname: E%eight-digit random character string%

– Furthermore it has the ability to perform actions such as:
    • connect to IRC server
    • disconnect from IRC server
    • Enable network shares
    • Join IRC channel
    • Leave IRC channel
    • Start spreading routine

Miscellaneous Mutex:
It creates the following Mutex:
• vwevqwdw

File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packers:
• Morphine
• FSG

See a brief description here.

Description inserted by Alexandru Tudor on Thu, 25 Aug 2005 13:27 (GMT+1)
Description updated by Alexandru Tudor on Mon, 29 Aug 2005 10:01 (GMT+1)

» About Malware
» About Phishing
» Viruses In the Wild

« back