Need help? Ask the community or hire an expert.
Go to Avira Answers
Date discovered:30/05/2007
In the wild:Yes
Reported Infections:Low
Distribution Potential:Medium to high
Damage Potential:Medium
Static file:Yes
File size:499.712 Bytes
MD5 checksum:c44df8425589705fcd32694a3a7a77ac
IVDF version: - Wednesday, May 30, 2007

 General Methods of propagation:
   • Local network
   • Messenger

   •  Mcafee: W32/
   •  Kaspersky: Backdoor.Win32.VanBot.da
   •  F-Secure: Backdoor.Win32.VanBot.da
   •  Sophos: W32/Vanebot-AT
   •  Panda: W32/IRCbot.AUU.worm
   •  Grisoft: IRC/BackDoor.SdBot3.BJA
   •  Eset: Win32/IRCBot.UG

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Disable security applications
   • Lowers security settings
   • Registry modification
   • Makes use of software vulnerability
   • Steals information
   • Third party control

 Files It copies itself to the following location:
   • %SYSDIR%\dllcache\winsntp.exe

It deletes the initially executed copy of itself.

 Registry The following registry keys are added in order to load the service after reboot:

– [HKLM\SYSTEM\CurrentControlSet\Services\
   Memorex Network Analysis Tool]
   • Type = 110
   • Start = 2
   • ErrorControl = 0
   • ImagePath = %SYSDIR%\dllcache\winsntp.exe
   • DisplayName = Memorex Network Analysis Tool
   • ObjectName = LocalSystem
   • FailureActions = %hex values%
   • Description = Memorex Network tool is a TCP analysis tool.

– [HKLM\SYSTEM\CurrentControlSet\Services\
   Memorex Network Analysis Tool\Security]
   • Security = %hex values%

– [HKLM\SYSTEM\CurrentControlSet\Services\
   Memorex Network Analysis Tool\Enum]
   • Count = 1
   • NextInstance = 1

 Messenger It is spreading via Messenger. The characteristics are described below:

– AIM Messenger
– ICQ Messenger
– Windows Live Messenger
– Yahoo Messenger

All entries in the contact list.

 Network Infection In order to ensure its propagation the malware attemps to connect to other machines as described below.

It uses the following login information in order to gain access to the remote machine:

– A list of usernames and passwords:
   • www; windows; web; visitor; test2; test1; test; temp; telnet; ruler;
      remote; real; random; qwerty; public; pub; private; poiuytre;
      password; passwd; pass; oracle; one; nopass; nobody; nick; newpass;
      new; network; monitor; money; manager; mail; login; internet; install;
      hello; guest; free; demo; default; debug; database; crew; computer;
      coffee; bin; beta; backup; backdoor; anonymous; anon; alpha; adm;
      access; abc123; abc; system; sys; super; sql; shit; shadow; setup;
      security; secure; secret; 123456789; 12345678; 1234567; 123456; 12345;
      1234; 123; 00000000; 0000000; 000000; 00000; 0000; 000; server;
      asdfgh; admin; root

It makes use of the following Exploits:
– MS02-061 (Elevation of Privilege in SQL Server Web)
– MS04-007 (ASN.1 Vulnerability)
– MS06-040 (Vulnerability in Server Service)

Infection process:
Creates an FTP script on the compromised machine in order to download the malware to the remote location.

 IRC To deliver system information and to provide remote control it connects to the following IRC Server:

Server: 66.64.36.**********
Port: 4904
Channel: #net#
Nickname: 0]USA|%Windows version%[P]%several random digits%

– This malware has the ability to collect and send information such as:
    • Cached passwords
    • CPU speed
    • Current user
    • Details about drivers
    • Free disk space
    • Free memory
    • Malware uptime
    • Size of memory
    • Username
    • Information about the Windows operating system

– Furthermore it has the ability to perform actions such as:
    • Launch DDoS SYN flood
    • Download file
    • Execute file
    • Perform network scan
    • Start keylog
    • Start spreading routine
    • Terminate malware
    • Terminate process

 Process termination Processes with one of the following strings are terminated:
   • Ad-aware; spyware; hijack; kav; proc; norton; mcafee; f-pro; lockdown;
      firewall; blackice; avg; vsmon; zonea; spybot; nod32; reged; avp;
      troja; viru; anti

List of services that are disabled:
   • Norton AntiVirus Auto Protect Service
   • Mcshield
   • Panda Antivirus

 Backdoor The following ports are opened:

%SYSDIR%\dllcache\winsntp.exe on a random TCP port in order to provide an FTP server.
%SYSDIR%\dllcache\winsntp.exe on a random TCP port in order to provide a Socks 4 proxy server.

 File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
   • Themida

Description inserted by Andrei Gherman on Wednesday, October 24, 2007
Description updated by Andrei Gherman on Wednesday, October 24, 2007

Back . . . .