Worm/RBo.20480.12.A - Worm

See also

Summary

Full description

Statistics

Virus:	Worm/RBo.20480.12.A
Date discovered:	05/05/2008
Type:	Worm
In the wild:	Yes
Reported Infections:	Low
Distribution Potential:	Medium
Damage Potential:	Medium
Static file:	Yes
File size:	20.480 Bytes
MD5 checksum:	0A9b70150A5b4de8895b459776580Dc6
VDF version:	7.0.04.017
IVDF version:	7.0.04.018

General Method of propagation:
   • No own spreading routine

Alias:
   • Kaspersky: Trojan.Win32.Mondera.gen

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Blocks access to certain websites
   • Blocks access to security websites
   • Downloads a file
   • Registry modification
   • Third party control

Files It copies itself to the following location:
• %SYSDIR%\msninbox.exe

It deletes the initially executed copy of itself.

Registry The following registry key is added in order to run the process after reboot:

– [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
• MSN Messenger Inbox Loader="msninbox.exe"

IRC To deliver system information and to provide remote control it connects to the following IRC Server:

Server: nagasaki.japancorporation.**********
Port: 9103
Server password: su1c1d3
Channel: #net
Nickname: \00\USA\%10 digit random character string%
Password: n3t!

– This malware has the ability to collect and send information such as:
    • Platform ID
    • Information about the Windows operating system

– Furthermore it has the ability to perform actions such as:
    • connect to IRC server
    • Download file
    • Edit registry
    • Execute file
    • Leave IRC channel
    • Visit a website

Hosts The host file is modified as explained:

– In this case existing entries are deleted.

– Access to the following domains is effectively blocked:
   • 127.0.0.1 jayloden.com; 127.0.0.1 www.jayloden.com;
      127.0.0.1 www.spywareinfo.com; 127.0.0.1 spywareinfo.com;
      127.0.0.1 www.spybot.info; 127.0.0.1 spybot.info;
      127.0.0.1 kaspersky.com; 127.0.0.1 kaspersky-labs.com;
      127.0.0.1 www.kaspersky.com; 127.0.0.1 www.majorgeeks.com;
      127.0.0.1 majorgeeks.com; 127.0.0.1 securityresponse.symantec.com;
      127.0.0.1 symantec.com; 127.0.0.1 www.symantec.com;
      127.0.0.1 updates.symantec.com;
      127.0.0.1 liveupdate.symantecliveupdate.com;
      127.0.0.1 liveupdate.symantec.com; 127.0.0.1 customer.symantec.com;
      127.0.0.1 update.symantec.com; 127.0.0.1 www.sophos.com;
      127.0.0.1 sophos.com; 127.0.0.1 www.virustotal.com;
      127.0.0.1 virustotal.com; 127.0.0.1 www.mcafee.com;
      127.0.0.1 mcafee.com; 127.0.0.1 rads.mcafee.com;
      127.0.0.1 mast.mcafee.com; 127.0.0.1 download.mcafee.com;
      127.0.0.1 dispatch.mcafee.com; 127.0.0.1 us.mcafee.com;
      127.0.0.1 www.trendsecure.com; 127.0.0.1 trendsecure.com;
      127.0.0.1 www.viruslist.com; 127.0.0.1 viruslist.com;
      127.0.0.1 www.hijackthis.de; 127.0.0.1 hijackthis.de;
      127.0.0.1 f-secure.com; 127.0.0.1 www.f-secure.com;
      127.0.0.1 Merijn.org; 127.0.0.1 www.Merijn.org; 127.0.0.1 www.avp.com;
      127.0.0.1 avp.com; 127.0.0.1 analysis.seclab.tuwien.ac.at;
      127.0.0.1 www.bleepingcomputer.com; 127.0.0.1 bleepingcomputer.com;
      127.0.0.1 trendmicro.com; 127.0.0.1 www.trendmicro.com;
      127.0.0.1 www.safer-networking.org; 127.0.0.1 safer-networking.org;
      127.0.0.1 grisoft.com; 127.0.0.1 www.grisoft.com

The modified host file will look like this:

Injection – It injects itself into a process.

Process name:
• Explorer.exe

File details Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
• UPX

See a brief description here.

Description inserted by Monica Ghitun on Thu, 07 Aug 2008 15:48 (GMT+1)
Description updated by Monica Ghitun on Thu, 07 Aug 2008 15:57 (GMT+1)

» About Malware
» About Phishing
» Viruses In the Wild

« back