BDS/Aimbot.AT - Backdoor Server
Virus: BDS/Aimbot.AT
Date discovered: 01/11/2005
Type: Worm
In the wild: No
Reported Infections: Low
Distribution Potential: Medium
Damage Potential: Medium
Static file: Yes
File size: 184.320 Bytes
MD5 checksum: 33b5639845c459eb37100da24f9c972c
VDF version: 6.32.00.123 - Fri, 28 Oct 2005 10:52 (GMT+1)
General
Methods of propagation:
• Local network
• Mapped network drives
• Messenger
Aliases:
• Symantec: W32.Spybot.Worm
• Kaspersky: Backdoor.Win32.Aimbot.at
• TrendMicro: WORM_RBOT.CJN
• Bitdefender: Backdoor.Aimbot.AT
Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows 2000
• Windows XP
Side effects:
• Registry modification
• Steals information
• Third party control
Files
It copies itself to the following location:
• %SYSDIR%\express.exe
Registry
The following registry keys are added in order to run the processes after reboot:
– HKCU\Software\Microsoft\Windows\CurrentVersion\Run
• "Outlook Mail Services"="express.exe"
– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• "Outlook Mail Services"="express.
– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
• "Outlook Mail Services"="express.exe"
The following registry key is added:
– HKCR\.key
• @="regfile"
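As an added host-triage example (not part of the Avira description), the following Python parses a Windows registry export (.reg text) and flags the autorun entries listed above; the indicator values are taken from this description, while the sample export is constructed and includes one benign entry to show what is not flagged.

```python
"""Flags the BDS/Aimbot.AT autorun entries described above in a Windows
registry export (.reg text). Indicator values come from the description;
the sample export is constructed for demonstration."""
import re

# The three autorun keys and the value name/data given in the description.
AUTORUN_KEYS = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
}
VALUE_NAME = "Outlook Mail Services"
PAYLOAD_NAME = "express.exe"

# Constructed sample export: two infected keys and one benign entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Outlook Mail Services"="express.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Outlook Mail Services"="C:\\WINDOWS\\system32\\express.exe"
'''

# "name"="data" with .reg backslash escapes (\\ and \") inside both strings.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg(text):
    """Return {key_path: {value_name: data}} for REG_SZ values in a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = _VALUE_RE.match(line)
            if m:  # undo .reg escaping so paths compare naturally
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys

def find_autorun_indicators(reg_text):
    """Return (key, data) pairs whose autorun value matches the description."""
    hits = []
    for key, values in parse_reg(reg_text).items():
        data = values.get(VALUE_NAME, "")
        if key in AUTORUN_KEYS and data.lower().endswith(PAYLOAD_NAME):
            hits.append((key, data))
    return hits
```

On a live host, feed it the output of `reg export` for the three keys; the match accepts both a bare file name and a full path ending in express.exe.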
Network Infection
In order to ensure its propagation the malware attempts to connect to other machines as described below.
It drops copies of itself to the following network shares:
• IPC$
• ADMIN$
• C$
• D$
It uses the following login information in order to gain access to the remote machine:
– Cached usernames and passwords.
– A list of usernames and passwords:
• 7; 123; 1234; 2000; 2001; 2002; 2003; 2004; 12345; 123456; 1234567;
12345678; 123456789; 1234567890; access; accounting; accounts; adm;
admin; administrador; administrat; administrateur; administrator;
admins; asd; backup; bill; bitch; blank; bob; brian; changeme; chris;
cisco; compaq; computer; control; data; database; databasepass;
databasepassword; db1; db1234; db2; dba; dbpass; dbpassword; default;
dell; demo; domain; domainpass; domainpassword; eric; exchange; fred;
fuck; george; god; guest; hell; hello; home; homeuser; ian; ibm;
internet; intranet; jen; joe; john; kate; katie; lan; lee; linux;
login; loginpass; luke; mail; main; mary; mike; neil; nokia; none;
null; oem; oeminstall; oemuser; office; oracle; orainstall; outlook;
owner; pass; pass1234; passwd; password1; peter; pwd; qaz; qwe;
qwerty; root; sam; server; sex; siemens; slut; sql; sqlpassoainstall;
staff; student; sue; susan; system; teacher; technical; test; unix;
user; web; win2000; win2k; win98; windows; winnt; winpass; winxp; www;
wwwadmin; zxc
IRC
To deliver system information and to provide remote control it connects to the following IRC Servers:
Server: hoe.**********.com
Channel: #sm0keh#
Nickname: USA|%eight-digit random character string%
Server: 9515gay.**********.net
Channel: #sm0keh#
Nickname: USA|%eight-digit random character string%
– This malware has the ability to collect and send information such as:
• Cached passwords
• Collected Email addresses
• CPU speed
• Current user
• Free disk space
• Free memory
• Malware uptime
• Information about the network
• Information about running processes
• Size of memory
• System directory
• Username
• Windows directory
• Information about the Windows operating system
– Furthermore it has the ability to perform actions such as:
• Launch DDoS ICMP flood
• Launch DDoS SYN flood
• Download file
• Execute file
• Kill process
• Open remote shell
• Perform network scan
• Start spreading routine
• Terminate process
• Updates itself
• Upload file
Miscellaneous
Mutex:
It creates the following Mutex:
• asdfss
File details
Programming language:
The malware program was written in MS Visual C++.
Description inserted by Irina Boldea on Tue, 01 Nov 2005 15:32 (GMT+1)
Description updated by Irina Boldea on Mon, 07 Nov 2005 15:08 (GMT+1)