Worm/IRCBot.EW - Worm

See also

Summary

Full description

Statistics

Virus:	Worm/IRCBot.EW
Date discovered:	23/08/2005
Type:	Worm
In the wild:	No
Reported Infections:	Low
Distribution Potential:	Medium
Damage Potential:	Medium
Static file:	Yes
File size:	8.204 Bytes
MD5 checksum:	d5f5c6768beea05a6c0d72ecb69d27d1
VDF version:	6.31.1.166

General Method of propagation:
   • Local network

Aliases:
   • Symantec: W32.Esbot.A
   • Mcafee: W32/IRCbot.worm.gen
   • Kaspersky: Backdoor.Win32.IRCBot.ew
   • F-Secure: W32/Ircbot.T
   • Bitdefender: Backdoor.Ircbot.EW

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Downloads files
   • Lowers security settings
   • Registry modification
   • Makes use of software vulnerability
   • Third party control

Files It copies itself to the following location:
• %SYSDIR%\mousemm.exe

It deletes the initially executed copy of itself.

The following file is created:

– %WINDIR%\debug\dcpromo.log

Registry The following registry keys are added in order to load the services after reboot:

– [HKLM\SYSTEM\CurrentControlSet\Services\mousemm]
   • "Type"=dword:00000110
     "Start"=dword:00000002
     "ErrorControl"=dword:00000000
     "ImagePath"=%user defined settings%
     "DisplayName"="Mouse Movement Monitor"
     "ObjectName"="LocalSystem"
     "FailureActions"=%user defined settings%
     "Description"="Enables a computer to maintain synchronization with a PS/2 pointing device. Stopping or disabling this service will result in system instability."

– [HKLM\SYSTEM\CurrentControlSet\Services\mousemm\Security]
   • "Security"=%user defined settings%


– [HKLM\SYSTEM\CurrentControlSet\Services\mousemm\Enum]
   • "0"="Root\\LEGACY_MOUSEMM\\0000"
     "Count"=dword:00000001
     "NextInstance"=dword:00000001

The following registry keys are changed:

– [HKLM\SOFTWARE\Microsoft\Ole]
   Old value:
   • "EnableDCOM"=%user defined settings%
   New value:
   • "EnableDCOM"="n"

– [HKLM\SYSTEM\CurrentControlSet\Control\Lsa]
   Old value:
   • "restrictanonymous"=%user defined settings%
   New value:
   • "restrictanonymous"=dword:00000001

Network Infection In order to ensure its propagation the malware attemps to connect to other machines as described below.

Exploit:
It makes use of the following Exploit:
– MS05-039 (Vulnerability in Plug and Play)

IRC To deliver system information and to provide remote control it connects to the following IRC Servers:

Server: **********.is-a-fag.net
Port: 18067
Channel: #p1
Nickname: p1-%eight-digit random character string%
Password: 8mfpdofw

Server: **********.legi0n.net
Port: 18067
Channel: #p1
Nickname: p1-%eight-digit random character string%
Password: 8mfpdofw

– Furthermore it has the ability to perform actions such as:
    • Launch DDoS SYN flood
    • Launch DDoS UDP flood
    • Download file
    • Execute file
    • Kill process
    • Perform DDoS attack
    • Perform network scan
    • Start spreading routine
    • Terminate process

Backdoor The following port is opened:

– %executed file% on TCP port 30722 in order to provide backdoor capabilities.

Injection – It injects itself into a process.

    Process name:
   • explorer.exe

   If the malware fails, it continues running as a process.

Miscellaneous Mutex:
It creates the following Mutex:
• mousemm

File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
• MEW 11

See a brief description here.

Description inserted by Razvan Olteanu on Thu, 01 Sep 2005 12:54 (GMT+1)
Description updated by Razvan Olteanu on Thu, 01 Sep 2005 15:33 (GMT+1)

» About Malware
» About Phishing
» Viruses In the Wild

« back