Worm/Botsie - Worm

See also

Summary

Full description

Statistics

Virus:	Worm/Botsie
Date discovered:	30/05/2007
Type:	Worm
In the wild:	Yes
Reported Infections:	Low
Distribution Potential:	Medium to high
Damage Potential:	Medium
Static file:	Yes
File size:	499.712 Bytes
MD5 checksum:	c44df8425589705fcd32694a3a7a77ac
IVDF version:	6.38.01.204 - Wed, 30 May 2007 08:41 (GMT+1)

General Methods of propagation:
   • Local network
   • Messenger

Aliases:
   • Mcafee: W32/Sdbot.worm.gen.ca
   • Kaspersky: Backdoor.Win32.VanBot.da
   • F-Secure: Backdoor.Win32.VanBot.da
   • Sophos: W32/Vanebot-AT
   • Panda: W32/IRCbot.AUU.worm
   • Grisoft: IRC/BackDoor.SdBot3.BJA
   • Eset: Win32/IRCBot.UG

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Disable security applications
   • Lowers security settings
   • Registry modification
   • Makes use of software vulnerability
   • Steals information
   • Third party control

Files It copies itself to the following location:
• %SYSDIR%\dllcache\winsntp.exe

It deletes the initially executed copy of itself.

Registry The following registry keys are added in order to load the service after reboot:

– [HKLM\SYSTEM\CurrentControlSet\Services\
   Memorex Network Analysis Tool]
   • Type = 110
   • Start = 2
   • ErrorControl = 0
   • ImagePath = %SYSDIR%\dllcache\winsntp.exe
   • DisplayName = Memorex Network Analysis Tool
   • ObjectName = LocalSystem
   • FailureActions = %hex values%
   • Description = Memorex Network tool is a TCP analysis tool.

– [HKLM\SYSTEM\CurrentControlSet\Services\
   Memorex Network Analysis Tool\Security]
   • Security = %hex values%

– [HKLM\SYSTEM\CurrentControlSet\Services\
   Memorex Network Analysis Tool\Enum]
   • 0 = Root\LEGACY_MEMOREX_NETWORK_ANALYSIS_TOOL\0000
   • Count = 1
   • NextInstance = 1

Messenger It is spreading via Messenger. The characteristics are described below:

– AIM Messenger
– ICQ Messenger
– MSN Messenger
– Yahoo Messenger

To:
All entries in the contact list.

Network Infection In order to ensure its propagation the malware attemps to connect to other machines as described below.

It uses the following login information in order to gain access to the remote machine:

– A list of usernames and passwords:
   • www; windows; web; visitor; test2; test1; test; temp; telnet; ruler;
      remote; real; random; qwerty; public; pub; private; poiuytre;
      password; passwd; pass; oracle; one; nopass; nobody; nick; newpass;
      new; network; monitor; money; manager; mail; login; internet; install;
      hello; guest; free; demo; default; debug; database; crew; computer;
      coffee; bin; beta; backup; backdoor; anonymous; anon; alpha; adm;
      access; abc123; abc; system; sys; super; sql; shit; shadow; setup;
      security; secure; secret; 123456789; 12345678; 1234567; 123456; 12345;
      1234; 123; 00000000; 0000000; 000000; 00000; 0000; 000; server;
      asdfgh; admin; root

Exploit:
It makes use of the following Exploits:
– MS02-061 (Elevation of Privilege in SQL Server Web)
– MS04-007 (ASN.1 Vulnerability)
–MS06-040 (Vulnerability in Server Service)

Infection process:
Creates an FTP script on the compromised machine in order to download the malware to the remote location.

IRC To deliver system information and to provide remote control it connects to the following IRC Server:

Server: 66.64.36.**********
Port: 4904
Channel: #net#
Nickname: 0]USA|%Windows version%[P]%several random numbers from 0 to 9%

– This malware has the ability to collect and send information such as:
    • Cached passwords
    • CPU speed
    • Current user
    • Details about drivers
    • Free disk space
    • Free memory
    • Malware uptime
    • Size of memory
    • Username
    • Information about the Windows operating system

– Furthermore it has the ability to perform actions such as:
    • Launch DDoS SYN flood
    • Download file
    • Execute file
    • Perform network scan
    • Start keylog
    • Start spreading routine
    • Terminate malware
    • Terminate process

Process termination Processes with one of the following strings are terminated:
   • Ad-aware; spyware; hijack; kav; proc; norton; mcafee; f-pro; lockdown;
      firewall; blackice; avg; vsmon; zonea; spybot; nod32; reged; avp;
      troja; viru; anti

List of services that are disabled:
   • Norton AntiVirus Auto Protect Service
   • Mcshield
   • Panda Antivirus

Backdoor The following ports are opened:

– %SYSDIR%\dllcache\winsntp.exe on a random TCP port in order to provide an FTP server.
– %SYSDIR%\dllcache\winsntp.exe on a random TCP port in order to provide a Socks 4 proxy server.

File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
• Themida

See a brief description here.

Description inserted by Andrei Gherman on Wed, 24 Oct 2007 15:39 (GMT+1)
Description updated by Andrei Gherman on Wed, 24 Oct 2007 15:44 (GMT+1)

» About Malware
» About Phishing
» Viruses In the Wild

« back