Date discovered: 20/08/2009
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Low to medium
Damage Potential: Medium
Static file: Yes
File size: 590,336 bytes
MD5 checksum: 2b5691b59afcb6382b005752fb0c1021
IVDF version:

General

Method of propagation:
   • Autorun feature
   • Local network

Aliases:
   • Mcafee: W32/
   • Panda: W32/IRCBot.CRP.worm
   • Eset: Win32/AutoRun.IRCBot.BP
   • Bitdefender: Trojan.Generic.2307849

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Blocks access to certain websites
   • Blocks access to security websites
   • Drops malicious files
   • Lowers security settings
   • Registry modification
   • Third party control

Files

It copies itself to the following locations:
   • %SYSDIR%\wbem\wmiclisv.exe
   • %drive%\CACHESYS\DATA-345432365\device32.exe

It overwrites a file.

It deletes the initially executed copy of itself.

The following file is created:

%drive%\autorun.inf
A plain-text file that is not malicious by itself, but its content tells Windows to launch the dropped copy of the worm when the drive is mounted and Autorun is enabled:
   • %code that runs malware%

%SYSDIR%\drivers\drvmon64.sys
Further investigation showed that this file is malware as well. Detected as: Worm/IrcBot.11656.2

Registry

The following registry keys are added in order to run the processes after reboot:

– [HKLM\SYSTEM\CurrentControlSet\Services\drvmon64]
   • "DisplayName"="System Drive Monitor"
   • "ErrorControl"=dword:0x00000001
   • "Group"="SST miniport drivers"
   • "ImagePath"="\??\%SYSDIR%\drivers\drvmon64.sys"
   • "Start"=dword:0x00000003
   • "Type"=dword:0x00000001

– [HKLM\SYSTEM\CurrentControlSet\Services\WMICLISV]
   • "Description"="Manages WMI data for client applications."
   • "DisplayName"="WMI Client Service"
   • "ErrorControl"=dword:0x00000000
   • "FailureActions"=hex:0A,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,01,00,00,00,B8,0B,00,00
   • "ImagePath"=""%SYSDIR%\wbem\wmiclisv.exe""
   • "ObjectName"="LocalSystem"
   • "Start"=dword:0x00000002
   • "Type"=dword:0x00000110

The following registry key is added (the DisableConfig policy blocks access to the System Restore configuration):

– [HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
   • "DisableConfig"=dword:0x00000001

The following registry keys are changed:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
   New value:
   • "CheckedValue"=dword:0x00000001

– [HKLM\SYSTEM\CurrentControlSet\Control]
   New value:
   • "WaitToKillServiceTimeout"="7000"

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   New value:
   • "%SYSDIR%\wbem\wmiclisv.exe"="%SYSDIR%\wbem\wmiclisv.exe:*:Microsoft Enabled"
   (This is the Windows Firewall authorized-application format: the dropped service binary is exempted from the host firewall.)
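The service and policy keys listed above are what a responder looks for on a suspect host, usually in a REGEDIT export taken from the offline system. The Python below is an added example and not part of the original description: it parses such an export and matches it against the indicators on this page (the service names drvmon64 and WMICLISV, the two dropped binaries, and the SystemRestore DisableConfig policy). The export embedded in it is constructed to mirror the values above with %SYSDIR% expanded to C:\WINDOWS\system32; the Eventlog entry is a benign control and not from the description.

```python
import re
from typing import Dict, List, Tuple

# Indicators taken from the description above. Everything else in this block
# is an added example and not part of the original analysis.
IOC_SERVICES = {"drvmon64", "wmiclisv"}
IOC_BINARIES = {"drvmon64.sys", "wmiclisv.exe"}
SYSTEM_RESTORE_POLICY = r"hklm\software\policies\microsoft\windows nt\systemrestore"

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\drvmon64]
"DisplayName"="System Drive Monitor"
"ErrorControl"=dword:00000001
"Group"="SST miniport drivers"
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\drivers\\drvmon64.sys"
"Start"=dword:00000003
"Type"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMICLISV]
"Description"="Manages WMI data for client applications."
"DisplayName"="WMI Client Service"
"ErrorControl"=dword:00000000
"ImagePath"="\"C:\\WINDOWS\\system32\\wbem\\wmiclisv.exe\""
"ObjectName"="LocalSystem"
"Start"=dword:00000002
"Type"=dword:00000110

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog]
"DisplayName"="Event Log"
"ImagePath"="C:\\WINDOWS\\system32\\services.exe"
"Start"=dword:00000002
"Type"=dword:00000020

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableConfig"=dword:00000001
'''  # constructed export mirroring the values above; the Eventlog key is a benign control


def _unescape(raw: str) -> str:
    """Turn a .reg string literal into plain text: drop the outer quotes and
    resolve the backslash escapes REGEDIT uses for backslashes and quotes."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        raw = raw[1:-1]
    return re.sub(r"\\(.)", r"\1", raw)


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse REGEDIT5 text into {key_path: {value_name: value}}. Keys and value
    names are lower-cased (the registry is case-insensitive); dwords become ints,
    strings are unescaped, hex blobs are kept raw. Multi-line hex continuations
    are not handled, which is enough for service and policy keys."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith((";", "Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower().replace("hkey_local_machine", "hklm")
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if not m or current is None:
            continue
        name, raw = m.group(1).lower(), m.group(2).strip()
        if raw.lower().startswith("dword:"):
            keys[current][name] = int(raw[6:], 16)
        elif raw.lower().startswith("hex"):
            keys[current][name] = raw
        else:
            keys[current][name] = _unescape(raw)
    return keys


def check_services(reg: Dict[str, Dict[str, object]]) -> List[Tuple[str, str]]:
    """Return (service, reason) pairs for services matching the indicators above."""
    findings = []
    for key, values in reg.items():
        m = re.match(r"hklm\\system\\currentcontrolset\\services\\([^\\]+)$", key)
        if not m:
            continue
        svc = m.group(1)
        image = str(values.get("imagepath", "")).strip('"')
        binary = image.rsplit("\\", 1)[-1].lower()
        if svc in IOC_SERVICES:
            findings.append((svc, "service name matches indicator"))
        if binary in IOC_BINARIES:
            findings.append((svc, f"ImagePath points at {binary}"))
        # Type 0x110 = SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS and
        # Start 2 = auto-start: a user-mode service that comes up with the machine
        # and may interact with the desktop, as WMICLISV is registered above.
        if values.get("type") == 0x110 and values.get("start") == 2:
            findings.append((svc, "auto-start interactive service"))
    return findings


def system_restore_disabled(reg: Dict[str, Dict[str, object]]) -> bool:
    """True when the DisableConfig policy the worm sets is present."""
    return reg.get(SYSTEM_RESTORE_POLICY, {}).get("disableconfig") == 1


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    for svc, reason in check_services(parsed):
        print(f"{svc}: {reason}")
    print("System Restore configuration disabled:", system_restore_disabled(parsed))
```

Run against a real export (reg export HKLM\SYSTEM\CurrentControlSet\Services out.reg on the host, or a hive export from a forensic image) by replacing SAMPLE_REG with the file contents; the Type/Start heuristic will also surface legitimate interactive services, so treat it as a lead, not a verdict.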

Network Infection

In order to ensure its propagation the malware attempts to connect to other machines as described below.

It makes use of the following exploits:
– MS04-007 (ASN.1 Vulnerability)
– MS06-040 (Vulnerability in Server Service, reached over SMB on TCP 139/445)

IP address generation:
It generates random IP addresses that keep the first octet of its own address (i.e. targets within its own /8) and then tries to establish a connection with the generated addresses.

Remote execution:
– It attempts to schedule remote execution of the malware on the newly infected machine. For this it uses the NetScheduleJobAdd function, which submits a job to the remote host's Task Scheduler (AT) service.
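The scanning behaviour above (random targets in the infected host's own /8, then an exploit attempt against each) shows up in flow or firewall logs as a burst of connections to many distinct hosts on the same few ports. The Python below is an added example rather than part of the description: it scores each source in a connection log by distinct targets per time window and by the share of those targets that lie in the source's own /8. The log format and the sample log are constructed, and the port set {139, 445} is my assumption of where MS06-040 (Server service over SMB) would be triggered; MS04-007 can be reached through other ASN.1 consumers, so the set is a parameter.

```python
import random
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class Flow(NamedTuple):
    ts: datetime
    src: str
    dst: str
    dport: int


# Ports where the Server service (MS06-040) is reached over SMB. Assumption for this
# example; MS04-007 is reachable through other ASN.1 consumers, so extend as needed.
EXPLOIT_PORTS = {139, 445}


def parse_flows(lines: List[str]) -> List[Flow]:
    """Parse 'ISO-timestamp src dst dport' lines (a constructed format, not a real tool's)."""
    flows = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        flows.append(Flow(datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])))
    return flows


def first_octet(ip: str) -> str:
    return ip.split(".", 1)[0]


def detect_worm_scanners(flows: List[Flow], window: timedelta = timedelta(seconds=60),
                         min_targets: int = 20, same_octet_ratio: float = 0.9) -> Dict[str, dict]:
    """Flag sources that contact at least `min_targets` distinct hosts on exploit ports
    within `window`, with at least `same_octet_ratio` of those targets inside the source's
    own /8. The second condition is what separates this worm's pattern from a generic sweep."""
    by_src: Dict[str, List[Flow]] = defaultdict(list)
    for f in flows:
        if f.dport in EXPLOIT_PORTS:
            by_src[f.src].append(f)
    results: Dict[str, dict] = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.ts)
        best_count, best_ratio = 0, 0.0
        start = 0
        for end in range(len(fl)):  # sliding window; quadratic worst case, fine for log-sized input
            while fl[end].ts - fl[start].ts > window:
                start += 1
            targets = {f.dst for f in fl[start:end + 1]}
            same = sum(1 for t in targets if first_octet(t) == first_octet(src))
            ratio = same / len(targets)
            if len(targets) > best_count:
                best_count, best_ratio = len(targets), ratio
        if best_count >= min_targets and best_ratio >= same_octet_ratio:
            results[src] = {"distinct_targets": best_count,
                            "same_first_octet_ratio": round(best_ratio, 2)}
    return results


def build_sample_log() -> List[str]:
    """Constructed sample: one infected host fanning out across 10.0.0.0/8 on 445 within
    25 seconds, plus a workstation talking to two file servers and a web site."""
    rng = random.Random(7)
    base = datetime(2009, 8, 20, 10, 0, 0)
    lines = []
    for i in range(25):
        dst = f"10.{rng.randrange(256)}.{rng.randrange(256)}.{rng.randrange(1, 255)}"
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 10.1.2.3 {dst} 445")
    for i, dst in enumerate(["10.1.2.10", "10.1.2.10", "10.1.2.11"]):
        lines.append(f"{(base + timedelta(seconds=5 * i)).isoformat()} 10.1.2.50 {dst} 445")
    lines.append(f"{base.isoformat()} 10.1.2.50 198.51.100.7 80")
    return lines


if __name__ == "__main__":
    for src, info in detect_worm_scanners(parse_flows(build_sample_log())).items():
        print(src, info)
```

The thresholds are deliberately conservative; a host that legitimately talks to twenty SMB servers in a minute exists in some environments, so tune min_targets to the site, and feed the detector failed connections (SYN without SYN/ACK) where the log distinguishes them, since most generated addresses will be unused.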

IRC

To deliver system information and to provide remote control it connects to the following IRC servers:

Server: euro.b-**********.info
Port: 7231
Channel: #sploit
Nickname: [00|USA|XP|%number%]
Password: sPLoiT!

Server: mech.c-**********.info
Port: 32132
Channel: #sploit
Nickname: [00|USA|XP|%number%]
Password: sPLoiT!

Server: spazm.a-**********.info
Channel: #sploit
Nickname: [00|USA|XP|%number%]
Password: sPLoiT!

Server: centre.a-**********.info
Channel: #sploit
Nickname: [00|USA|XP|%number%]
Password: sPLoiT!

Server: coax.a-**********.info
Channel: #sploit
Nickname: [00|USA|XP|%number%]
Password: sPLoiT!

Server: com0.b-**********.info
Channel: #sploit
Nickname: [00|USA|XP|%number%]
Password: sPLoiT!

Server: ptr.b-**********.info
Channel: #sploit
Nickname: [00|USA|XP|%number%]
Password: sPLoiT!

Server: det0x.c-**********.info
Channel: #sploit
Nickname: [00|USA|XP|%number%]
Password: sPLoiT!

Server: sex.c-**********.info
Channel: #sploit
Nickname: [00|USA|XP|%number%]
Password: sPLoiT!

– Furthermore it has the ability to perform actions such as:
    • Disable network shares
    • Enable network shares
    • Execute file
    • Perform network scan
    • Shut down system
    • Update itself
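The IRC parameters above are the same for all nine servers: one channel, one password and a nickname that encodes a counter, country and OS version in square brackets, which makes the traffic easy to recognise once the TCP stream is reassembled. As an added example (not part of the original description), the Python below parses IRC commands from such a stream and reports which of these indicators are present. The transcript it works on is constructed to mimic the values above, not captured from the worm, and the nickname regex generalises the [00|USA|XP|%number%] template to other country and OS tags.

```python
import re
from typing import Dict, List

# Values from the description above. The nickname pattern generalises the
# [00|USA|XP|%number%] template: two digits, a country code, an OS tag, a number.
CHANNEL = "#sploit"
CHANNEL_PASSWORD = "sPLoiT!"
NICK_PATTERN = re.compile(r"^\[\d{2}\|[A-Z]{2,3}\|[A-Za-z0-9]{1,8}\|\d+\]$")
KNOWN_PORTS = {7231, 32132}          # the two ports the description lists
STANDARD_IRC_PORTS = {6667, 6697}     # plain and TLS IRC; anything else is worth a look

SAMPLE_SESSION = "\r\n".join([
    "PASS sPLoiT!",
    "NICK [00|USA|XP|48213]",
    "USER xp 0 0 :xp",
    ":irc.example.invalid 001 [00|USA|XP|48213] :Welcome",
    "JOIN #sploit sPLoiT!",
    "PRIVMSG #sploit :.scan start",
])  # constructed transcript mimicking the values above, not a capture of the worm


def parse_irc(stream: str) -> List[Dict[str, str]]:
    """Split raw IRC text into {prefix, command, params} records (RFC 1459 line format)."""
    msgs = []
    for line in stream.splitlines():
        line = line.rstrip("\r")
        if not line:
            continue
        prefix = ""
        if line.startswith(":"):
            prefix, _, line = line[1:].partition(" ")
        cmd, _, params = line.partition(" ")
        msgs.append({"prefix": prefix, "command": cmd.upper(), "params": params})
    return msgs


def score_session(stream: str, dport: int) -> Dict[str, object]:
    """Collect indicator matches for one client-to-server IRC stream on port `dport`.
    Three or more independent matches are treated as a positive identification."""
    findings: List[str] = []
    nick = ""
    for m in parse_irc(stream):
        c, p = m["command"], m["params"]
        if c == "PASS" and p == CHANNEL_PASSWORD:
            findings.append("server password matches bot password")
        elif c == "NICK":
            nick = p
            if NICK_PATTERN.match(p):
                findings.append(f"bot-style nickname {p}")
        elif c == "JOIN":
            chan, _, key = p.partition(" ")
            if chan.lower() == CHANNEL:
                findings.append(f"joins {CHANNEL}")
            if key == CHANNEL_PASSWORD:
                findings.append("channel key matches bot password")
    if dport in KNOWN_PORTS:
        findings.append(f"known C2 port {dport}")
    elif dport not in STANDARD_IRC_PORTS:
        findings.append(f"IRC on non-standard port {dport}")
    return {"nick": nick, "findings": findings, "is_ircbot": len(findings) >= 3}


if __name__ == "__main__":
    result = score_session(SAMPLE_SESSION, 7231)
    print(result["nick"], result["is_ircbot"])
    for f in result["findings"]:
        print(" -", f)
```

The PASS and JOIN-key checks are both kept because the description does not say whether the password is a server password or a channel key; a real detector would extract the stream with a follow-tcp-stream tool and pass in the server port from the flow record.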

Hosts

The hosts file is modified as described:

– In this case existing entries are deleted.

– Access to the following domains is effectively blocked:
   • vil.nail.comm
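Since the worm clears the existing hosts entries and then adds its own, a hosts file review is a quick triage step on a suspect machine. The Python below is an added example, not from the description: it parses a hosts file, lists every name mapped to loopback or 0.0.0.0 other than the localhost entry itself, and flags a missing localhost line, which is the side effect of the deletion described above. The sample file is constructed; apart from vil.nail.comm, the one entry the description preserves, the blocked names are placeholders in the .invalid TLD.

```python
import ipaddress
from typing import Dict, List, Tuple

# Where the worm points blocked names: loopback, or the unroutable 0.0.0.0.
SINKHOLE_NETS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("0.0.0.0/32")]
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

SAMPLE_HOSTS = "\n".join([
    "# Copyright (c) 1993-1999 Microsoft Corp.",
    "#",
    "127.0.0.1       vil.nail.comm",
    "127.0.0.1       downloads.example-av.invalid   www.example-av.invalid",
    "0.0.0.0         liveupdate.example-av.invalid",
])  # constructed: the default '127.0.0.1 localhost' line is gone, as the description says


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (address, [names]) pairs, ignoring comments, blank and malformed lines."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue
        entries.append((addr, [n.lower() for n in parts[1:]]))
    return entries


def audit_hosts(text: str) -> Dict[str, object]:
    """Report names sinkholed to loopback/0.0.0.0 and whether the localhost line survives.
    A hosts file with no localhost entry plus several sinkholed names is the shape this
    worm leaves behind; a clean XP/2003 file has exactly the localhost line."""
    entries = parse_hosts(text)
    sinkholed: List[str] = []
    has_localhost = False
    for addr, names in entries:
        ip = ipaddress.ip_address(addr)
        for name in names:
            if name in LOCAL_NAMES and ip.is_loopback:
                has_localhost = True
                continue
            if any(ip in net for net in SINKHOLE_NETS):
                sinkholed.append(name)
    return {"sinkholed": sinkholed, "localhost_missing": not has_localhost,
            "entry_count": len(entries)}


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    print("localhost line missing:", report["localhost_missing"])
    for name in report["sinkholed"]:
        print("sinkholed:", name)
```

On the infected platforms the file lives at %SYSDIR%\drivers\etc\hosts; read it from the image and pass the contents to audit_hosts. Ad-blocking hosts lists produce the same sinkhole pattern, so confirm against the names before concluding.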

Backdoor

The following port is opened:

%SYSDIR%\wbem\wmiclisv.exe listens on TCP port 23860, where it provides an HTTP server.

Miscellaneous

Anti debugging:
It checks whether one of the following device names can be opened (these are the device names registered by the SoftICE kernel debugger):
   • \\.\SICE
   • \\.\SIWVID
   • \\.\NTICE
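The three names above are the device objects created by the SoftICE kernel debugger; opening one with CreateFile succeeds only while the debugger is loaded, which is the whole check. As an added example (not part of the description), the Python below performs that probe through ctypes on Windows and returns the names that answered. The probe is injectable so the selection logic can also be exercised on hosts without SoftICE or without Windows; off Windows the real probe reports nothing.

```python
import sys
from typing import Callable, List

# Device names of the SoftICE kernel debugger, as listed in the description above.
SOFTICE_DEVICES = [r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE"]


def _win32_can_open(name: str) -> bool:
    """Try to open a device path with CreateFileW. The call succeeds only when a
    driver has registered that device, so a valid handle means the debugger is
    loaded. Returns False off Windows, where there is nothing to probe."""
    if sys.platform != "win32":
        return False
    import ctypes
    from ctypes import wintypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateFileW.argtypes = [wintypes.LPCWSTR, wintypes.DWORD, wintypes.DWORD, wintypes.LPVOID,
                                wintypes.DWORD, wintypes.DWORD, wintypes.HANDLE]
    k32.CreateFileW.restype = wintypes.HANDLE
    k32.CloseHandle.argtypes = [wintypes.HANDLE]
    GENERIC_READ, GENERIC_WRITE = 0x80000000, 0x40000000
    FILE_SHARE_READ, FILE_SHARE_WRITE, OPEN_EXISTING = 0x1, 0x2, 3
    INVALID_HANDLE_VALUE = wintypes.HANDLE(-1).value
    h = k32.CreateFileW(name, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE,
                        None, OPEN_EXISTING, 0, None)
    if h == INVALID_HANDLE_VALUE:
        return False
    k32.CloseHandle(h)
    return True


def present_debugger_devices(names: List[str] = SOFTICE_DEVICES,
                             can_open: Callable[[str], bool] = _win32_can_open) -> List[str]:
    """Return the device names that could be opened. `can_open` is injectable so the
    selection logic can be tested without SoftICE or without Windows."""
    return [n for n in names if can_open(n)]


if __name__ == "__main__":
    found = present_debugger_devices()
    print("debugger devices present:", found or "none")
```

This is exactly the check the worm performs, so the same function is useful in the other direction: an analysis VM whose SoftICE devices are renamed, or where a filter driver hides them, will pass this probe and let the sample continue.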

Rootkit Technology

Hides the following:
– Its own process

Method used:
    • Hidden from Windows API

File details

Runtime packer:
In order to hinder detection and reduce the size of the file it is packed with a runtime packer.

Description submitted by Petre Galan on Friday, 12 February 2010
Description updated by Petre Galan on Friday, 12 February 2010
