BDS/VanBot.S.1 - Backdoor Server

See also

Summary

Full description

Statistics

Virus:	BDS/VanBot.S.1
Date discovered:	26/09/2006
Type:	Backdoor Server
In the wild:	No
Reported Infections:	Low
Distribution Potential:	Medium
Damage Potential:	Medium
Static file:	Yes
File size:	73.216 Bytes
MD5 checksum:	0444ebc4f529043cd9eecdae744af545
VDF version:	6.36.00.60
IVDF version:	6.36.00.73 - Mon, 02 Oct 2006 16:11 (GMT+1)

General Method of propagation:
   • Local network

Aliases:
   • Mcafee: W32/Sdbot.worm!73216
   • Kaspersky: Backdoor.Win32.VanBot.s
   • TrendMicro: WORM_SPYBOT.JQ
   • Sophos: W32/Sdbot-CRU
   • VirusBuster: trojan Backdoor.VanBot.K

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Downloads a file
   • Drops a file
   • Registry modification
   • Makes use of software vulnerability
   • Third party control

Files It copies itself to the following location:
• %SYSDIR%\winlogin.exe

It tries to download a file:

– The location is the following:
• http://dl1.debelizombi.com/**********
It is saved on the local hard drive under: %TEMPDIR%\dl%seven-digit random character string%.exe

Registry The following registry keys are added in order to run the processes after reboot:

– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   • "Windows Logon"="%SYSDIR%\winlogin.exe"

– HKCU\Software\Microsoft\Windows\CurrentVersion\Run
   • "Windows Logon"="%SYSDIR%\winlogin.exe"

The following registry key is changed:

– HKLM\SOFTWARE\Microsoft\Ole
   Old value:
   • "EnableDCOM"="Y"
   New value:
   • "EnableDCOM"="N"

Network Infection Exploit:
It makes use of the following Exploits:
– MS03-026 (Buffer Overrun in RPC Interface)
–MS06-040 (Vulnerability in Server Service)

IRC To deliver system information and to provide remote control it connects to the following IRC Server:

Server: ircc.debelizombi**********
Port: 8008
Channel: #!v20!

– This malware has the ability to collect and send information such as:
    • Malware uptime
    • Information about running processes
    • Information about the Windows operating system

– Furthermore it has the ability to perform actions such as:
    • connect to IRC server
    • disconnect from IRC server
    • Execute file
    • Join IRC channel
    • Kill process
    • Leave IRC channel
    • Open remote shell
    • Perform DDoS attack
    • Perform network scan

Miscellaneous Mutex:
It creates the following Mutex:
• rxRizzo_v2.0

File details Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
• Morphine

See a brief description here.

Description inserted by Bogdan Iliuta on Wed, 11 Oct 2006 11:14 (GMT+1)
Description updated by Bogdan Iliuta on Fri, 27 Oct 2006 15:01 (GMT+1)

» About Malware
» About Phishing
» Viruses In the Wild

« back