Worm/IRCBot.111616.2 - Worm

See also

Summary

Full description

Statistics

Virus:	Worm/IRCBot.111616.2
Date discovered:	21/09/2006
Type:	Worm
In the wild:	Yes
Reported Infections:	Low
Distribution Potential:	Medium
Damage Potential:	Medium
Static file:	Yes
File size:	111.616 Bytes
MD5 checksum:	7c5ef2a797028ab9b312b263e30Ea6e5
VDF version:	6.36.00.42
IVDF version:	6.36.00.52 - Fri, 22 Sep 2006 15:02 (GMT+1)

General Methods of propagation:
   • Local network
   • Messenger

Aliases:
   • Kaspersky: Backdoor.Win32.IRCBot.wo
   • TrendMicro: WORM_SPYBOT.EX
   • Sophos: W32/Vanebot-M

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP

Side effects:
   • Disable security applications
   • Records keystrokes
   • Registry modification
   • Makes use of software vulnerability
   • Steals information
   • Third party control

Files It copies itself to the following location:
• %SYSDIR%\dllcache\dragonage.exe

It deletes the initially executed copy of itself.

Registry The following registry keys are added in order to load the service after reboot:

– HKLM\SYSTEM\CurrentControlSet\Services\Dragon Age - Bioware
   • "Type"=dword:00000110
   • "Start"=dword:00000002
   • "ErrorControl"=dword:00000000
   • "ImagePath"="%SYSDIR%\dllcache\dragonage.exe"
   • "DisplayName"="Dragon Age - Bioware"
   • "ObjectName"="LocalSystem"
   • "FailureActions"=%hex value%
   • "Description"="Dragon Age - Bioware."

– HKLM\SYSTEM\CurrentControlSet\Services\Dragon Age - Bioware\
   Security
   • "Security"=%hex value%

– HKLM\SYSTEM\CurrentControlSet\Services\Dragon Age - Bioware\Enum
   • "0"="Root\\LEGACY_DRAGON_AGE_-_BIOWARE\\0000"
   • "Count"=dword:00000001
   • "NextInstance"=dword:00000001

The following registry keys are added:

– HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DRAGON_AGE_-_BIOWARE
   • "NextInstance"=dword:00000001

– HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DRAGON_AGE_-_BIOWARE\
   0000
   • "Service"="Dragon Age - Bioware"
   • "Legacy"=dword:00000001
   • "ConfigFlags"=dword:00000000
   • "Class"="LegacyDriver"
   • "ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
   • "DeviceDesc"="Dragon Age - Bioware"

– HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DRAGON_AGE_-_BIOWARE\
   0000\Control
   • "*NewlyCreated*"=dword:00000000
   • "ActiveService"="Dragon Age - Bioware"

The following registry keys are changed:

Deactivate Windows XP Firewall:
– HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
   Old value:
   • "Start"=0x3
   New value:
   • "Start"=0x4

– HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
   Old value:
   • "Start"=0x2
   New value:
   • "Start"=0x4

– HKLM\SYSTEM\CurrentControlSet\Control\Lsa
   Old value:
   • "lmcompatibilitylevel"=0
   New value:
   • "lmcompatibilitylevel"=1

– HKLM\SYSTEM\CurrentControlSet\Control\Lsa
   Old value:
   • "restrictanonymous"=0
   New value:
   • "restrictanonymous"=1

– HKLM\SOFTWARE\Microsoft\Ole
   Old value:
   • "EnableDCOM"="Y"
   New value:
   • "EnableDCOM"="N"

Messenger It is spreading via Messenger. The characteristics are described below:

– MSN Messenger
– Yahoo Messenger

Network Infection In order to ensure its propagation the malware attemps to connect to other machines as described below.

Exploit:
It makes use of the following Exploits:
– MS02-061 (Elevation of Privilege in SQL Server Web)
– MS04-007 (ASN.1 Vulnerability)
– MS05-039 (Vulnerability in Plug and Play)

IRC To deliver system information and to provide remote control it connects to the following IRC Server:

Server: roma.hottest.**********
Port: 4615
Channel: #.roma.#
Nickname: [0]USA|%operating system%%six-digit random character string%
Password: romz

– This malware has the ability to collect and send information such as:
    • Cached passwords
    • Information about the network
    • Information about the Windows operating system

– Furthermore it has the ability to perform actions such as:
    • Launch DDoS SYN flood
    • Download file
    • Kill process
    • Open remote shell
    • Perform network scan
    • Start keylog
    • Start spreading routine
    • Terminate process
    • Updates itself

Process termination Processes containing one of the following window titles are terminated:
   • Ad-aware; spyware; hijack; norton; mcafee; f-pro; lockdown; firewall;
      blackice; vsmon; zonea; spybot; nod32; reged; troja

List of services that are disabled:
   • Norton AntiVirus Auto Protect Service
   • Mcshield
   • Panda Antivirus

Backdoor The following ports are opened:

– %SYSDIR%\dllcache\dragonage.exe on a random TCP port in order to provide an FTP server.
– %SYSDIR%\dllcache\dragonage.exe on a random TCP port

Stealing – A logging routine is started after keystrokes are typed that match one of the following strings:
   • e-gold
   • e-silver
   • e-platinum
   • e-palladium
   • e-metal
   • Better Money

– It captures:
    • Keystrokes

– A logging routine is started after a website is visited:
   • e-gold.com/srk.asp

Injection – It injects the following file into a process: %SYSDIR%\dllcache\dragonage.exe

– It injects a process watching routine into a process.

Process name:
• %SYSDIR%\services.exe

Miscellaneous Mutex:
It creates the following Mutex:
• Dragon Age
Furthermore it contains the following string:
• Communism returns

File details Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

See a brief description here.

Description inserted by Bogdan Iliuta on Wed, 27 Sep 2006 15:17 (GMT+1)
Description updated by Bogdan Iliuta on Fri, 20 Oct 2006 14:30 (GMT+1)

» About Malware
» About Phishing
» Viruses In the Wild

« back