Date discovered:22/04/2009
In the wild:Yes
Reported Infections:Low to medium
Distribution Potential:Low to medium
Damage Potential:Medium to high
Static file:Yes
File size:995.328 Bytes
MD5 checksum:3911f7a8d09c467dbf3a05f73f0b8c7d
IVDF version:

 General Aliases:
   •  Mcafee: Generic Rootkit.g trojan
   •  Sophos: W32/Ircbot-AER
   •  Panda: W32/IRCBot.CKA.worm
   •  Eset: Win32/IRCBot
   •  Bitdefender: IRC-Worm.Generic.3237

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Drops malicious files
   • Registry modification

 Files It copies itself to the following location:
   • %SYSDIR%\svhost.exe

The following file is created:

%SYSDIR%\drivers\sysdrv32.sys Further investigation pointed out that this file is malware, too. Detected as: TR/Hacktool.Tcpz.A

 Registry The following registry key is added in order to run the process after reboot:

– [HKLM\SYSTEM\CurrentControlSet\Services\MSNETDED]
   • "Description"=" intrusion detection."
   • "DisplayName"="Network Monitor service"
   • "ErrorControl"=dword:0x00000000
   • "FailureActions"=hex:0A,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,01,00,00,00,B8,0B,00,00
   • "ImagePath"=""%SYSDIR%\svhost.exe""
   • "ObjectName"="LocalSystem"
   • "Start"=dword:0x00000002
   • "Type"=dword:0x00000110

The following registry keys are added in order to load the service after reboot:

– [HKLM\SYSTEM\CurrentControlSet\Services\sysdrv32]
   • "DisplayName"="Play Port I/O Driver"
   • "ErrorControl"=dword:0x00000001
   • "Group"="SST miniport drivers"
   • "ImagePath"="\??\%SYSDIR%\drivers\sysdrv32.sys"
   • "Start"=dword:0x00000003
   • "Type"=dword:0x00000001

The following registry keys are added:

– [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MSNETDED]
   • "@"="Service"

– [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSNETDED]
   • "@"="Service"

 Network Infection Exploit:
It makes use of the following Exploits:
– MS03-007 (Unchecked Buffer in Windows Component)
– MS04-045 (Vulnerability in WINS)
MS06-040 (Vulnerability in Server Service)

 IRC To deliver system information and to provide remote control it connects to the following IRC Server:

Server: 7.j3h**********.net
Port: 57
Server password: h4xg4ng
Channel: #cunt
Nickname: [00-USA-XP-%number%]

 File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

説明の挿入者 Petre Galan の 2009年11月30日月曜日
説明の更新者 Petre Galan の 2009年11月30日月曜日

戻る . . . .