Worm/IRCBot.FU - Worm

See also

Summary

Full description

Statistics

Virus:	Worm/IRCBot.FU
Date discovered:	06/09/2005
Type:	Worm
In the wild:	No
Reported Infections:	Low
Distribution Potential:	Medium
Damage Potential:	Medium
Static file:	Yes
File size:	197.632 Bytes
MD5 checksum:	dace533a43e910fa460159247b8fb8ec
VDF version:	6.31.1.210

General Method of propagation:
   • Local network

Aliases:
   • Kaspersky: Backdoor.Win32.IRCBot.fu
   • TrendMicro: BKDR_IRCBOT.AQ
   • VirusBuster: Worm.IRCBot.DU
   • Bitdefender: Backdoor.IRCBot.FU

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Drops malicious files
   • Registry modification
   • Makes use of software vulnerability
   • Steals information
   • Third party control

Files It drops a copy of itself using a filename from a list:
– To: %SYSDIR% Using one of the following names:
   • logon.exe
   • firewall.exe
   • algs.exe
   • explorer.exe
   • Isass.exe
   • iexplore.exe
   • spoolsvc.exe
   • winamp.exe
   • csrs.exe

It deletes the initially executed copy of itself.

The following files are created:

– %SYSDIR%\aspr_keys.ini
– %malware execution directory%\aspr_keys.ini
– %malware execution directory%\%random character string%.bat Furthermore it gets executed after it was fully created. This batch file is used to delete a file.

Registry One of the following values is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Windows Logon Application"="%SYSDIR%\logon.exe"
   • "Application Layer Gateway Service"="%SYSDIR%\algs.exe"
   • "Windows Explorer"="%SYSDIR%\explorer.exe"
   • "Local Security Authority Service"="%SYSDIR%\Isass.exe"
   • "Microsoft Internet Explorer"="%SYSDIR%\iexplore.exe"
   • "Spooler SubSystem App"="%SYSDIR%\spoolsvc.exe"
   • "Winamp Agent"="%SYSDIR%\winamp.exe"
   • "Client Server Runtime Process"="%SYSDIR%\csrs.exe"
   • "Windows Network Firewall"="%SYSDIR%\firewall.exe"

Network Infection In order to ensure its propagation the malware attemps to connect to other machines as described below.

It drops copies of itself to the following network shares:
   • c$\windows
   • c$\winnt
   • d$\shared
   • e$\shared
   • print$
   • IPC$
   • admin$
   • admin$\system32

It uses the following login information in order to gain access to the remote machine:

–Cached usernames and passwords.

– The following list of usernames:
   • "staff"; "teacher"; "owner"; "student"; "intranet"; "lan"; "main";
      "office"; "control"; "siemens"; "compaq"; "dell"; "cisco"; "ibm";
      "oracle"; "sql"; "data"; "access"; "database"; "domain"; "god";
      "backup"; "technical"; "mary"; "katie"; "kate"; "george"; "eric";
      "none"; "guest"; "chris"; "ian"; "neil"; "lee"; "brian"; "susan";
      "sue"; "sam"; "luke"; "peter"; "john"; "mike"; "bill"; "fred"; "joe";
      "jen"; "bob"; "wwwadmin"; "oemuser"; "user"; "homeuser"; "home";
      "internet"; "www"; "web"; "root"; "server"; "linux"; "unix";
      "computer"; "adm"; "admin"; "admins"; "administrat"; "administrateur";
      "administrador"; "administrator"

– The following list of passwords:
   • "winpass"; "blank"; "nokia"; "orainstall"; "sqlpassoainstall";
      "db1234"; "db2"; "db1"; "databasepassword"; "databasepass";
      "dbpassword"; "dbpass"; "domainpassword"; "domainpass"; "hello";
      "hell"; "love"; "money"; "slut"; "bitch"; "fuck"; "exchange";
      "loginpass"; "login"; "qwe"; "zxc"; "asd"; "qaz"; "win2000"; "winnt";
      "winxp"; "win2k"; "win98"; "windows"; "oeminstall"; "oem";
      "accounting"; "accounts"; "letmein"; "sex"; "outlook"; "mail";
      "qwerty"; "temp123"; "temp"; "null"; "default"; "changeme"; "demo";
      "test"; "2005"; "2004"; "2001"; "secret"; "payday"; "deadline";
      "work"; "1234567890"; "123456789"; "12345678"; "1234567"; "123456";
      "12345"; "1234"; "123"; "007"; "pwd"; "pass"; "pass1234"; "dba";
      "passwd"; "password"; "password1"; "abc"

Exploit:
It makes use of the following Exploit:
– MS03-007 (Unchecked Buffer in Windows Component)
– MS03-026 (Buffer Overrun in RPC Interface)
– MS04-007 (ASN.1 Vulnerability)
– MS04-011 (LSASS Vulnerability)
– MS05-039 (Vulnerability in Plug and Play)

IP address generation:
It creates random IP addresses while it keeps the first two octets from its own address. Afterwards it tries to establish a connection with the created addresses.

Infection process:
Creates a TFTP or FTP script on the compromised machine in order to download the malware to the remote location.

IRC Server: **********.149.54
Port: 5111
Channel: #sluts
Nickname: %eight-digit random character string%

– This malware has the ability to collect and send information such as:
    • CPU speed
    • Current user
    • Free disk space
    • Free memory
    • Malware uptime
    • Information about the network
    • Platform ID
    • Information about running processes
    • Size of memory
    • Username

– Furthermore it has the ability to perform actions such as:
    • Download file
    • Execute file
    • Perform DDoS attack
    • Upload file

Stealing It tries to steal the following information:

– Passwords from the following programs:
   • MSN Messenger
   • Outlook Express
   • World Of Warcraft
   • Unreal3
   • Steam
   • Conquer Online

– A logging routine is started after keystrokes are typed that match one of the following strings:
   • "irc operator"; "paypal"; "paypal.com"; "cd key"; "cd-key"; "cdkey";
      "passwort"; "auth "; "sxt "; "login "; "pw="; "pass="; "login=";
      "password="; "username="; "passwd="; "auth"; "identify"; "oper";
      "MailPass"; "pass"; "unknown"; "user"

Miscellaneous Mutex:
It creates the following Mutex:
   • 25b30ddc0bd83e53a3935a2b5608f03d44f7

String:
Furthermore it contains the following strings:
   • "rxbot_paradise"
   • "rxbot was here"

File details Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
• AS Protect 1.2

See a brief description here.

Description inserted by Catalin Jora on Tue, 06 Sep 2005 13:36 (GMT+1)
Description updated by Catalin Jora on Thu, 08 Sep 2005 11:40 (GMT+1)

» About Malware
» About Phishing
» Viruses In the Wild

« back