Worm/IRCBot.239616 - Worm
Virus: Worm/IRCBot.239616
Date discovered: 18/07/2006
Type: Worm
In the wild: No
Reported Infections: Low
Distribution Potential: Medium
Damage Potential: Medium
Static file: Yes
File size: 239.616 Bytes
MD5 checksum: 7017883b7565805de4cb7d426461d89d
VDF version: 6.35.01.219
IVDF version: 6.35.01.223
General
Method of propagation:
• Local network
Aliases:
• Kaspersky: Backdoor.Win32.Delf.atg
• TrendMicro: BKDR_DELF.BSG
• F-Secure: Backdoor.Win32.Delf.atg
• Eset: Win32/Rbot
• Bitdefender: Backdoor.Delf.TM
It was previously detected as:
• BDS/Delf.atg.74
Platforms / OS:
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Drops a malicious file
• Registry modification
• Third party control
Files
The following file is created:
– %SYSDIR%\%random character string%.exe
Furthermore it gets executed after it was fully created. Used to hide a process.
Registry
The following registry values are re-added continuously, in an infinite loop, so that the process is run again after a reboot:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• "routing"="%random character string%.exe"
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
• "routing"="%random character string%.exe"
The following registry key is added:
– [HKCU\Software\Microsoft\OLE]
• "routing"="%random character string%.exe"
The following registry key is changed:
– [HKLM\SYSTEM\CurrentControlSet\Control\Lsa]
Old value:
• "restrictanonymous"=dword:00000000
New value:
• "restrictanonymous"=dword:00000001
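As an added example, not part of the Avira description, the following Python checks a regedit-style registry export for the indicators listed above: a value named "routing" pointing at a bare .exe under the two autostart keys and under HKCU\Software\Microsoft\OLE, and the Lsa "restrictanonymous" value set to 1. The sample export text, the random file name "xkqpz.exe" and all function names are constructed for this example; the actual file name is random per infection, so the check keys on the value name rather than the data.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: a "Windows Registry Editor Version 5.00" export of the keys
# the description names. "xkqpz.exe" stands in for %random character string%.exe.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"routing"="xkqpz.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"routing"="xkqpz.exe"

[HKEY_CURRENT_USER\Software\Microsoft\OLE]
"routing"="xkqpz.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000001
"""

HIVE_ABBREVIATIONS = {
    "HKEY_LOCAL_MACHINE": "HKLM",
    "HKEY_CURRENT_USER": "HKCU",
    "HKEY_USERS": "HKU",
    "HKEY_CLASSES_ROOT": "HKCR",
}

_KEY_RE = re.compile(r"^\[(-?)([^\]]+)\]$")
# Either a quoted value name or "@" (default value), then "=" and the raw data.
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _decode_data(data: str) -> str:
    """Decode REG_SZ ("...", with \\ and \" escapes) and dword: data; keep others raw."""
    data = data.strip()
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    if data.lower().startswith("dword:"):
        return str(int(data[6:], 16))
    return data


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key_path: {value_name: decoded_data}}.

    Hive names are shortened (HKEY_LOCAL_MACHINE -> HKLM) so keys can be compared
    against the HKLM\\... / HKCU\\... spelling used in the description.
    """
    result: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            if m.group(1) == "-":          # "[-KEY]" is a deletion; nothing to inspect
                current = None
                continue
            hive, _, rest = m.group(2).partition("\\")
            current = HIVE_ABBREVIATIONS.get(hive.upper(), hive) + "\\" + rest
            result.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            result[current][name] = _decode_data(m.group(2))
    return result


# Keys under which the description reports a "routing"="<random>.exe" value.
PERSISTENCE_KEYS = (
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKCU\Software\Microsoft\OLE",
)
LSA_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa"


def scan_reg_export(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (key, value_name, data, reason) for each indicator present in the export."""
    findings: List[Tuple[str, str, str, str]] = []
    by_lower = {k.lower(): (k, v) for k, v in parse_reg_export(text).items()}
    for key in PERSISTENCE_KEYS:
        hit = by_lower.get(key.lower())
        if not hit:
            continue
        orig_key, values = hit
        for name, data in values.items():
            if name.lower() == "routing" and data.lower().endswith(".exe"):
                findings.append((orig_key, name, data, "autostart value named 'routing'"))
    hit = by_lower.get(LSA_KEY.lower())
    if hit:
        orig_key, values = hit
        for name, data in values.items():
            # The description reports 0 -> 1; a value of 1 is also a legitimate
            # hardening setting, so treat it as corroborating only.
            if name.lower() == "restrictanonymous" and data == "1":
                findings.append((orig_key, name, data, "restrictanonymous set to 1 (weak indicator)"))
    return findings


if __name__ == "__main__":
    for key, name, data, reason in scan_reg_export(SAMPLE_REG_EXPORT):
        print(f"{key}\\{name} = {data!r}: {reason}")
```

The two Run/RunServices hits are the strong signal; the OLE value is unusual enough to be worth an alert on its own, while the Lsa change should only raise the score of an existing finding, since administrators set restrictanonymous to 1 deliberately.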
Network Infection
In order to ensure its propagation the malware attempts to connect to other machines as described below.
It drops copies of itself to the following network shares:
• IPC$
• C$
• ADMIN$
Exploit:
It makes use of the following Exploit:
– MS04-007 (ASN.1 Vulnerability)
IP address generation:
It creates random IP addresses while it keeps the first octet from its own address. Afterwards it tries to establish a connection with the created addresses.
Infection process:
Creates an FTP script on the compromised machine in order to download the malware to the remote location.
Remote execution:
– It attempts to schedule a remote execution of the malware on the newly infected machine. For this it uses the NetScheduleJobAdd function.
IRC
To deliver system information and to provide remote control it connects to the following IRC Server:
Server: bitchs.shitzone.**********
Port: 9899
Server password: S.T
Channel: #$ocks
Nickname: [XP]|%8-digit random character string%
– This malware has the ability to collect and send information such as:
• CPU speed
• Current user
• Details about drivers
• Free disk space
• Free memory
• Malware uptime
• Information about the network
• Information about running processes
• Size of memory
• Username
• Information about the Windows operating system
– Furthermore it has the ability to perform actions such as:
• Connect to IRC server
• Launch DDoS SYN flood
• Disable network shares
• Disconnect from IRC server
• Enable network shares
• Execute file
• Kill process
• Perform port redirection
• Restart system
• Send emails
Miscellaneous
Mutex:
It creates the following Mutex:
• by h4ck3r..
File details
Programming language:
The malware program was written in MS Visual C++.
Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.
Description inserted by Adriana Popa on Thu, 07 Sep 2006 11:26 (GMT+1)
Description updated by Adriana Popa on Wed, 13 Sep 2006 11:18 (GMT+1)
© 2008 Avira GmbH