Arrival and Installation
Upon execution, this memory-resident backdoor program creates a folder named D0E0T1 in the Windows system folder.
It drops the following files into that folder:
- CALCU.EXE (27,136 bytes): collects the list of running processes on the system
- DIR32.EXE (25,088 bytes): an IP scanner
- DIROTE.EXE (566,784 bytes): a modified mIRC application that compromises the system; for example, it can turn the system into a file server that remote users can connect to. Trend Micro detects this file as TROJ_BOTIRC.A
- DOROD.EXE (46,080 bytes): an IP scanner
- KLTYE.EXE (37,376 bytes): a network administration tool, also known as PSEXEC.EXE, that is used to manage remote computers
- KOLDER.EXE (17,408 bytes): a tool used to execute applications in stealth mode
- ROUDSTID.EXE (175,104 bytes): a vulnerability scanner
- VAN32.EXE (3,568 bytes): a tool used to hide applications that are currently running
It creates the following registry entry to ensure its automatic execution at every system startup:
rn4d = "%System%\d0e0t1\kolder.exe %system32%\d0e0t1\dirote.exe"
%System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP.
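The dropped-file list and the autorun value above are the indicators a responder would check for. The script below is an added example written for this write-up, not Trend Micro's tooling: it matches a directory listing against the file names and sizes given above (requiring the D0E0T1 folder context, since KLTYE.EXE is a renamed PsExec and the same bytes are legitimate elsewhere) and matches autorun entries on the rn4d value name or on the kolder.exe/dirote.exe command line. The listing and registry entries it runs against are constructed sample data; the write-up does not name the autorun key, so the caller collects the entries from whichever Run key they inspect.

```python
"""IoC check for the D0E0T1 dropper described above (added example; sample data is constructed)."""

# Dropped-file indicators taken from the write-up: file name -> size in bytes
DROPPED_FILES = {
    "CALCU.EXE": 27136,
    "DIR32.EXE": 25088,
    "DIROTE.EXE": 566784,
    "DOROD.EXE": 46080,
    "KLTYE.EXE": 37376,
    "KOLDER.EXE": 17408,
    "ROUDSTID.EXE": 175104,
    "VAN32.EXE": 3568,
}
DROP_FOLDER = "D0E0T1"           # folder created in the Windows system directory
AUTORUN_VALUE = "rn4d"           # registry value name used for persistence
AUTORUN_BINARIES = ("kolder.exe", "dirote.exe")


def check_files(listing):
    """listing: iterable of (path, size_in_bytes).

    Returns [(path, "name+size" | "name-only")] for files that sit in a
    folder named D0E0T1 and carry one of the dropped file names. A size
    mismatch is still reported (repacked variant), but a matching name or
    size outside the D0E0T1 folder is not, to avoid flagging a legitimate
    PsExec copy that shares KLTYE.EXE's size.
    """
    hits = []
    for path, size in listing:
        parts = path.replace("/", "\\").split("\\")
        if len(parts) < 2:
            continue
        folder, name = parts[-2].upper(), parts[-1].upper()
        if folder == DROP_FOLDER and name in DROPPED_FILES:
            kind = "name+size" if size == DROPPED_FILES[name] else "name-only"
            hits.append((path, kind))
    return hits


def check_autorun(entries):
    """entries: dict of value_name -> command string from an autorun key dump.

    Matches on the rn4d value name, or on a command that references the
    D0E0T1 folder together with kolder.exe or dirote.exe.
    """
    hits = []
    for value, command in entries.items():
        cmd = command.lower()
        by_name = value.lower() == AUTORUN_VALUE
        by_cmd = DROP_FOLDER.lower() in cmd and any(b in cmd for b in AUTORUN_BINARIES)
        if by_name or by_cmd:
            hits.append((value, command))
    return hits


def scan_report(listing, entries):
    """Combine both checks into one verdict dict."""
    files = check_files(listing)
    autorun = check_autorun(entries)
    return {"files": files, "autorun": autorun, "infected": bool(files or autorun)}


# Constructed sample data (not from a real host): a hit with matching size,
# a hit with a mismatched size, a clean system file, and a legitimate PsExec
# that shares KLTYE.EXE's byte count but lives outside D0E0T1.
SAMPLE_LISTING = [
    (r"C:\WINNT\System32\D0E0T1\DIROTE.EXE", 566784),
    (r"C:\WINNT\System32\d0e0t1\kolder.exe", 17408),
    (r"C:\WINNT\System32\D0E0T1\van32.exe", 4096),
    (r"C:\WINNT\System32\calc.exe", 114688),
    (r"C:\Tools\PsTools\psexec.exe", 37376),
]
SAMPLE_AUTORUN = {
    "rn4d": r"C:\WINNT\System32\d0e0t1\kolder.exe C:\WINNT\System32\d0e0t1\dirote.exe",
    "SystemTray": "SysTray.Exe",
}

if __name__ == "__main__":
    report = scan_report(SAMPLE_LISTING, SAMPLE_AUTORUN)
    for path, kind in report["files"]:
        print(f"dropped file: {path} ({kind})")
    for value, command in report["autorun"]:
        print(f"autorun: {value} = {command}")
    print("infected" if report["infected"] else "clean")
```

On a live host the listing would come from walking the system directory and the entries from the Run keys of HKLM and HKCU; the checks themselves are the same.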
This worm has backdoor capabilities: it acts as a server program controlled by an IRC bot.
Once connected, the IRC bot can send commands to the server program; these commands control the target system and the behavior of the bot.
Through the IRC console, the bot enters commands and waits to receive information back from the server.
The following bot commands are used to control the malware server program:
- Remotely execute a file
- Display and retrieve system information
- Scan system for vulnerabilities
- Hide running applications
This malware is compressed using WinRAR.
Analysis by: Bryant Tan