Win32/IRCBot.OO
Introduction:
IRCBot.OO is an 8219-byte, typical IRC bot that uses a Plug and Play vulnerability to spread. The bot's code sections are obfuscated by XORing them with 0x5A (the character "Z"), after which the file is runtime-compressed with MEW, an executable packer.
Installation and Autostart Techniques:
Upon execution, the bot copies itself into the %System% folder as "wpa.exe".
The bot deletes the original file after successful copy process.
Note: %System% denotes the Windows system directory (e.g. C:\WINDOWS\SYSTEM32), since its location differs across versions of Microsoft Windows.
The bot adds the following key to the registry so that every time Windows is started it is run as a system service configured for automatic startup:
HKLM\system\controlset\services\wpa
"imagepath" = "%System%\wpa.exe"

The bot claims to be a "Windows Product Activation" Service, with the service description text of "Windows Product Activation is an anti-piracy technology designed to verify that software products have been legitimately licensed."
Win32/IRCBot.OO also modifies the following registry keys:
HKLM\Software\Microsoft\OLE
"EnableDCOM" = "n"
in order to disable DCOM, and
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
"restrictanonymous" = "1"
which restricts anonymous (null-session) access to the machine.
The file "dcpromo.log" is then created in the %Windows%\Debug folder, and its attributes are set to read-only.
The bot creates a mutex "wpa" to avoid multiple running instances of the bot on the same machine.
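The persistence and configuration changes listed above can be checked offline against a registry export taken from a suspect host. The following triage script is an added example, not part of the ESET write-up: it parses a `reg export` style .reg dump (a constructed sample is embedded, with a hypothetical ControlSet001 path and DWORD/string encodings as they would appear in an export) and reports the service key, the EnableDCOM change and the restrictanonymous change. It handles the common single-line value forms only; multi-line hex values are kept verbatim.

```python
"""Registry triage for the Win32/IRCBot.OO installation changes.

Added example (not ESET's code). Parses a .reg export text and flags:
  * a service named 'wpa' whose ImagePath ends in \\wpa.exe (any control set)
  * HKLM\\Software\\Microsoft\\OLE  EnableDCOM = n
  * HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa  restrictanonymous = 1
"""
import re
from typing import Dict, List, Optional

RegTree = Dict[str, Dict[str, str]]          # lowercase key path -> {lowercase name: value}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _normalize_value(raw: str) -> str:
    """Turn a .reg value literal into a comparable string."""
    raw = raw.strip()
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])   # unescape \\ and \"
    if raw.lower().startswith("dword:"):
        return str(int(raw[6:], 16))                 # dword:00000001 -> "1"
    return raw                                       # hex:, "-" (delete) etc. kept as-is


def parse_reg_export(text: str) -> RegTree:
    """Parse '[key]' / '"name"=value' lines; header, blank and ';' lines are skipped."""
    tree: RegTree = {}
    current: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            tree.setdefault(current, {})
            continue
        if current is None:
            continue
        m = _VALUE_RE.match(line)
        if m:
            tree[current][m.group(1).lower()] = _normalize_value(m.group(2))
        elif line.startswith("@="):                  # default value
            tree[current][""] = _normalize_value(line[2:])
    return tree


def find_ircbot_oo_indicators(tree: RegTree) -> List[str]:
    """Return human-readable findings for the three registry changes in the write-up."""
    findings: List[str] = []
    for key, values in tree.items():
        if key.startswith("hkey_local_machine\\system\\") and key.endswith("\\services\\wpa"):
            image = values.get("imagepath", "")
            if image.lower().endswith("\\wpa.exe"):
                findings.append(f"service 'wpa' launches {image} [{key}]")
    ole = tree.get("hkey_local_machine\\software\\microsoft\\ole", {})
    if ole.get("enabledcom", "").lower() == "n":
        findings.append("DCOM disabled: HKLM\\Software\\Microsoft\\OLE EnableDCOM=n")
    lsa = tree.get("hkey_local_machine\\system\\currentcontrolset\\control\\lsa", {})
    if lsa.get("restrictanonymous") == "1":
        findings.append("Lsa restrictanonymous=1 (matches the bot's change)")
    return findings


# Constructed sample exports; not taken from a real host.
SAMPLE_INFECTED = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wpa]
"ImagePath"="C:\\WINDOWS\\system32\\wpa.exe"
"DisplayName"="Windows Product Activation"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE]
"EnableDCOM"="n"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000001
"""

SAMPLE_CLEAN = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Spooler]
"ImagePath"="C:\\WINDOWS\\system32\\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE]
"EnableDCOM"="Y"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000000
"""

if __name__ == "__main__":
    for finding in find_ircbot_oo_indicators(parse_reg_export(SAMPLE_INFECTED)):
        print("FINDING:", finding)
```

The two hardening-style values are weak on their own, since administrators also set EnableDCOM=N and RestrictAnonymous=1 deliberately; treat them as corroboration of the service entry rather than as indicators by themselves. The same applies to dcpromo.log, which is a legitimate file on hosts that have run dcpromo: the read-only attribute, combined with the other findings, is what is unusual.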
Exploiting Technologies:
The bot generates random IP addresses and attempts to connect to port 445 on each of them to exploit the Plug and Play buffer overflow vulnerability [see MS05-039]. If the exploit succeeds, its shellcode is executed on the target machine.
Code Injection:
If the bot is unable to start its service, it injects its code into Explorer.exe.
Backdoor Functionality:
The Bot tries to connect to ypgw.wallloan.com on port 18067.
The bot also provides IRC-Backdoor functionality with the following functions:
Flooding (UDP, Syn)
Downloading files
Downloading new bot updates
Executing files
Notifying IRC Channels/Operator via private message
Restarting the computer
Removing components
It tries to connect to IRC Channel "#p4" with fixed login data.
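Both of the network behaviours described above (the Exploiting Technologies section's random-address connections to port 445 and the Backdoor Functionality section's connection to ypgw.wallloan.com on port 18067) are visible at a perimeter or host firewall. The script below is an added example, not part of the ESET write-up; it runs over a constructed key=value connection log (documentation address ranges, with `dst` carrying a hostname where the logging device resolved one) and flags sources that contact the named IRC server and sources whose distinct port-445 targets exceed a fan-out threshold, which is an assumed tuning value.

```python
"""Network triage for Win32/IRCBot.OO behaviour (added example, not ESET's code).

Flags two things in a key=value connection log:
  * any source connecting to the IRC server and port named in the write-up
  * any source with many distinct port-445 destinations (random-address scanning)
"""
import re
from collections import defaultdict
from typing import Dict, List, Set

C2_HOST = "ypgw.wallloan.com"   # IRC server named in the write-up
C2_PORT = 18067                 # port named in the write-up
SCAN_PORT = 445                 # MS05-039 exploit attempts target port 445
FANOUT_THRESHOLD = 20           # assumed tuning value: distinct 445 targets per source

_KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Split a 'k=v k=v ...' log line into a dict; tokens without '=' are ignored."""
    return dict(_KV_RE.findall(line))


def analyze(lines: List[str]) -> Dict[str, List[str]]:
    """Return {'c2': [sources talking to C2_HOST:C2_PORT], 'scan': [fan-out scanners]}."""
    targets_445: Dict[str, Set[str]] = defaultdict(set)
    c2_sources: List[str] = []
    for line in lines:
        rec = parse_line(line)
        src, dst, dport = rec.get("src"), rec.get("dst"), rec.get("dport")
        if not (src and dst and dport):
            continue
        if dst.lower() == C2_HOST and dport == str(C2_PORT) and src not in c2_sources:
            c2_sources.append(src)
        if dport == str(SCAN_PORT):
            targets_445[src].add(dst)          # count distinct targets, not attempts
    scanners = sorted(s for s, t in targets_445.items() if len(t) >= FANOUT_THRESHOLD)
    return {"c2": c2_sources, "scan": scanners}


# Constructed sample log: one infected host (10.0.0.5) probing 30 random
# addresses on 445 and then reaching the IRC server; one benign host (10.0.0.8)
# talking to a single file server on 445.
SAMPLE_LOG: List[str] = [
    f"2005-08-20T10:00:{i:02d} src=10.0.0.5 dst=203.0.113.{i} dport=445 proto=tcp action=deny"
    for i in range(1, 31)
]
SAMPLE_LOG += [
    "2005-08-20T10:01:00 src=10.0.0.8 dst=10.0.0.1 dport=445 proto=tcp action=allow",
    "2005-08-20T10:01:05 src=10.0.0.8 dst=10.0.0.1 dport=445 proto=tcp action=allow",
    f"2005-08-20T10:02:00 src=10.0.0.5 dst={C2_HOST} dport={C2_PORT} proto=tcp action=allow",
]

if __name__ == "__main__":
    for kind, hosts in analyze(SAMPLE_LOG).items():
        print(f"{kind}: {hosts}")
```

Distinct destinations rather than raw attempt counts are used for the scan check so that a workstation repeatedly reaching one file server on 445 is not flagged; the C2 check matches the hostname and port together, since port 18067 alone is not meaningful.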
References:
http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx
History: Analysis and Write-up by: Michael St. Neitzel
© 1992-2005 Eset All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.
