WORM_WOOTBOT.HE

Malware type: Worm

Aliases: Backdoor.Win32.Wootbot.gen (Kaspersky), W32/Sdbot.worm.gen.h (McAfee), W32.Spybot.Worm (Symantec), Worm/WootBot.135168 (Avira), Worm:Win32/Wootbot (Microsoft)

In the wild: No

Destructive: No

Language: English

Platform: Windows 95,98, ME, NT, 2000, XP

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential:

High

Distribution potential:

High

Description: 

This worm arrives as OFFICEXP.EXE on target machines. It spreads by dropping a copy of itself in a list of accessible network shares.

It may also spread by taking advantage of machines vulnerable to Windows LSASS vulnerability, which is a buffer overrun that allows remote code execution and enables a malicious user to gain full control of the affected system. This vulnerability is discussed in detail in Microsoft Bulletin MS04-011 and Trend Micro's Vulnerability Description for MS04-011.

This worm connects to an IRC server and joins different channels, where it listens for commands from a remote malicious user. The said commands are executed locally on affected machines.

It terminates a list of processes, which are related to antivirus applications as well as to different malware programs.

For additional information about this threat, see:

Description created: Mar. 14, 2005 11:18:12 AM GMT -0800


TECHNICAL DETAILS


File type: PE

Memory resident:  Yes

Size of malware: 135,168 Bytes

Ports used: Varies

Initial samples received on: Mar 14, 2005

Compression type: Molebox

Details:

Installation and Autostart

Upon execution, this worm drops a copy of itself as OFFICEXP.EXE in the Windows system folder.

It creates the following autostart entries to ensure its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
OFFICEXP = "OFFICEXP.exe"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\RunOnce
OFFICEXP = "OFFICEXP.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
OFFICEXP = "OFFICEXP.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\RunServices
OFFICEXP = "OFFICEXP.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\RunOnce
OFFICEXP = "OFFICEXP.exe"

This worm also adds the following registry key as part of its installation routine:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\OFFICEXP

Network Propagation

This worm spreads by dropping a copy of itself in the following network shares:

  • ADMIN$
  • C$
  • D$
  • IPC$

It may also spread by taking advantage of machines vulnerable to Windows LSASS vulnerability, which is a buffer overrun that allows remote code execution and enables a malicious user to gain full control of the affected system. This vulnerability is discussed in detail in Microsoft Bulletin MS04-011 and Trend Micro's Vulnerability Description for MS04-011.

Backdoor Capabilities

This worm connects to an IRC server and joins different channels, where it listens for commands from a remote malicious user. The said commands, such as the following, are executed locally on affected machines:

  • Change IRC channels and servers and also nicks
  • Flush the DNS cache
  • Download, execute, and send files using FTP, DCC OR UDP
  • Visit certain Web sites
  • Perform a denial of service attack against certain Web sites
  • Log keystrokes
  • List processes
  • List logs

Process Termination

This worm terminates the following processes, which are related to antivirus applications as well as to different malware programs:

  • _AVP32.EXE
  • _AVPCC.EXE
  • _AVPM.EXE
  • 0x1fe.exe
  • ad-watch.exe
  • agentw.EXE
  • agobot.exe
  • apvxdwin.EXE
  • avkpop.EXE
  • avkservice.EXE
  • avkwctl9.EXE
  • avpm.EXE
  • bbeagle.exe
  • bircd.exe
  • blackd.EXE
  • ccApp.EXE
  • ccEvtMgr.EXE
  • ccPxySvc.EXE
  • change.exe
  • cleaner.EXE
  • cleaner3.EXE
  • cmd.exe
  • cmd1.exe
  • cmd2.exe
  • cpd.EXE
  • Crypto3.jpg
  • CSRSR.exe
  • CSRSRS.exe
  • CSSSS.exe
  • d3dupdate.exe
  • defalert.EXE
  • defscangui.EXE
  • expore.exe
  • F-AGOBOT.EXE
  • fameh32.EXE
  • fbi.exe
  • fch32.EXE
  • fih32.EXE
  • fnrb32.EXE
  • forbot.exe
  • fsaa.EXE
  • fsav32.EXE
  • fsgk32.EXE
  • fsm32.EXE
  • fsma32.EXE
  • fsmb32.EXE
  • f-stopw.EXE
  • gbmenu.EXE
  • gbpoll.EXE
  • gov.exe
  • HIJACKTHIS.EXE
  • i11r54n4.exe
  • iamapp.EXE
  • iamserv.EXE
  • iexplorer.exe
  • inst.EXEexplore32.exe
  • irun4.exe
  • jpg.exebot.exe
  • lockdown2000.EXE
  • lsass2.exe
  • lssas.exe
  • msconfig.exe
  • mscvb32.exe
  • norton123.exe
  • notstart.EXE
  • novarg_upx.zip
  • npscheck.EXE
  • ntrtscan.EXE
  • nvsvc32.EXE
  • opr0371I.js
  • PandaAVEngine.exe
  • pavproxy.EXE
  • pccntmon.EXE
  • pccwin97.EXE
  • pcscan.EXE
  • Penis32.exe
  • phatbot.exe
  • photo.zip
  • pic33.scr
  • rapapp.EXE
  • rate.exe
  • rbot.exe
  • regedit.exe
  • rtvscan.EXE
  • rxb1ot.exe
  • rxbot.exe
  • sbserv.EXE
  • serasa.exe
  • serasa.exe.a
  • smsss.exe
  • spybot.exe
  • ssate.exe
  • sub7.exe
  • svchosting.exe
  • sysinfo.exe
  • SysMonXP.exe
  • taskmg.exe
  • taskmgr.exe
  • taskmgr1.exe
  • Tcpview.exe
  • Tcpview1.exe
  • vbcmserv.EXE
  • vshwin32.EXE
  • vsmon.EXE
  • winagent.exe
  • windowsupdate.exe
  • winset32.exe
  • winsys.exe
  • winupd.exe
  • wircd.exe
  • WrAdmin.EXE
  • WrCtrl.EXE
  • wuarclt.exe
  • wupdate.exe
  • XPF202EN.EXE
  • ZAPRO.EXE
  • zapro.EXE
  • ZAPSETUP3001.EXE
  • ZATUTOR.EXE
  • ZAUINST.EXE
  • ZONALM2601.EXE
  • ZONEALARM.EXE

Platform

This worm runs on Windows 95, 98, ME, NT, 2000, and XP.

Analysis By: Melvin Dantis Dadios


SOLUTION


Minimum scan engine version needed: 6.810

Pattern file needed: 2.494.00

Pattern release date: Mar 15, 2005


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

AUTOMATIC REMOVAL INSTRUCTIONS

To automatically remove this malware from your system, please use Trend Micro Damage Cleanup Template / Engine.

MANUAL REMOVAL INSTRUCTIONS

Terminating the Malware Program

This procedure terminates the running malware process.

  1. Open Windows Task Manager.
    � On Windows 95, 98, and ME, press
    CTRL%20ALT%20DELETE
    � On Windows NT, 2000, and XP, press
    CTRL%20SHIFT%20ESC, then click the Processes tab.
  2. In the list of running programs*, locate the process:
    OFFICEXP.exe
  3. Select the malware process, then press either the End Task or the End Process button, depending on the version of Windows on your system.
  4. To check if the malware process has been terminated, close Task Manager, and then open it again.
  5. Close Task Manager.

*NOTE: On systems running Windows 95, 98, and ME, Windows Task Manager may not show certain processes. You can use a third party process viewer such as Process Explorer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing at startup.

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the entry:
    OFFICEXP = "OFFICEXP.exe"
  4. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>RunServices
  5. In the right panel, locate and delete the entry:
    OFFICEXP = "OFFICEXP.exe"
  6. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>RunOnce
  7. In the right panel, locate and delete the entry:
    OFFICEXP = "OFFICEXP.exe"
  8. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>
    Windows>CurrentVersion>Run
  9. In the right panel, locate and delete the entry:
    OFFICEXP = "OFFICEXP.exe"
  10. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>
    Windows>CurrentVersion>RunOnce
  11. In the right panel, locate and delete the entry:
    OFFICEXP = "OFFICEXP.exe"

Removing Added Malware Entries

  1. Still in the Registry Editor, in the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>System>CurrentControlSet>Services
  2. Still in the left panel, locate and delete the following key:
    OFFICEXP
  3. Close Registry Editor.

NOTE: If you were not able to terminate the malware process as described in the previous procedure, restart your system.

Additional Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected systems.

Users running other Windows versions can proceed with the succeeding procedure sets.

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as WORM_WOOTBOT.HE. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro�s free online virus scanner.

Applying Patches

This malware exploits a known vulnerability in Windows. Download and install the fix patch supplied by Microsoft in the following page:

Refrain from using the affected software until the appropriate patch has been installed.




Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network, small and medium business, mobile device or home PC.