Virus Characteristics
This is a worm that propagates through MSN Messenger and drops a variant of the W32/Sdbot.worm.gen.t worm.
The worm drops a copy of itself into the C:\ directory using any of the following filenames:
- LOL.scr
- Webcam.pif
- bedroom-thongs.pif
- naked_drunk.pif
- LMAO.pif
- ROFL.pif
- underware.pif
- Hot.pif?
- new_webcam.pif
A copy of the worm is dropped in %SYSDIR% as msnus.exe, where %SYSDIR% is either C:\windows\system32 or C:\winnt\system32.
The W32/Sdbot.worm.gen.t worm is dropped as c:\winnt\system32\winhost.exe (124,416 bytes). The specified DATs include detection for this dropped bot.
When executed, the bot runs stealthily in the background. It makes the following changes to the registry:
- HKEY_CURRENT_USER\Software\Microsoft\OLE "win32" = winhost.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "win32" = winhost.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "win32" = winhost.exe
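The dropped filenames and the three "win32" registry values above are the host-based indicators a responder would check for. The following script is an added example, not part of the original write-up: it parses a constructed `reg export`-style dump and a constructed list of file paths and reports matches against exactly the locations listed here (the listed names are taken as case-insensitive, and the trailing "?" on Hot.pif is assumed not to be part of the filename). All sample data is made up for the demonstration.

```python
"""Indicator check for the MSN worm described above.

Added example, not part of the original write-up. The .reg text and
file paths below are constructed samples; nothing on the host is read.
"""
import re
from typing import Dict, List

# Filenames the write-up lists as dropped into C:\ (matched case-insensitively).
DROPPED_NAMES = {
    "lol.scr", "webcam.pif", "bedroom-thongs.pif", "naked_drunk.pif",
    "lmao.pif", "rofl.pif", "underware.pif", "hot.pif", "new_webcam.pif",
}
# Copies the write-up says are placed in %SYSDIR%.
SYSDIR_NAMES = {"msnus.exe", "winhost.exe"}
SYSDIRS = (r"c:\windows\system32", r"c:\winnt\system32")

# Registry keys the write-up lists; each carries a "win32" value = winhost.exe.
PERSISTENCE_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\OLE",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of .reg syntax produced by `reg export`:
    [KEY] headers followed by "name"="data" lines. Returns {key: {name: data}}."""
    result: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m and current is not None:
            result[current][m.group(1)] = m.group(2)
    return result


def find_registry_indicators(reg: Dict[str, Dict[str, str]]) -> List[str]:
    """Report any listed key whose "win32" value points at winhost.exe."""
    hits = []
    lowered = {key.lower(): values for key, values in reg.items()}
    for key in PERSISTENCE_KEYS:
        data = lowered.get(key.lower(), {}).get("win32", "")
        if "winhost.exe" in data.lower():
            hits.append(f"{key}\\win32 = {data}")
    return hits


def find_file_indicators(paths: List[str]) -> List[str]:
    """Report paths that match a dropped name in the directory the write-up names.
    A listed filename elsewhere on disk is not reported, to limit false positives."""
    hits = []
    for path in paths:
        directory, _, name = path.lower().replace("/", "\\").rpartition("\\")
        if directory == "c:" and name in DROPPED_NAMES:
            hits.append(path)
        elif directory in SYSDIRS and name in SYSDIR_NAMES:
            hits.append(path)
    return hits


# Constructed sample registry export: two of the three keys carry the value.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"win32"="winhost.exe"
"ExampleApp"="C:\\Program Files\\ExampleApp\\tray.exe"

[HKEY_CURRENT_USER\Software\Microsoft\OLE]
"win32"="winhost.exe"
"""

# Constructed sample file listing; hot.pif under Program Files should not match.
SAMPLE_FILES = [
    r"C:\LOL.scr",
    r"C:\Users\alice\notes.txt",
    r"C:\WINNT\system32\winhost.exe",
    r"C:\Program Files\hot.pif",
]

if __name__ == "__main__":
    for hit in find_registry_indicators(parse_reg_export(SAMPLE_REG)):
        print("registry:", hit)
    for hit in find_file_indicators(SAMPLE_FILES):
        print("file:", hit)
```

On a real system the same functions can be fed the output of `reg export` for the keys above and a directory listing of C:\ and %SYSDIR%; a match on either the registry value or the dropped file is sufficient reason to pull the sample for analysis and verify with current DATs.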
As with the multitude of other W32/Sdbot.worm variants, this one bears the following characteristics (the list is not exhaustive, just representative of some of the functionality the bot provides to the hacker):
- connects to a remote IRC server (destination port xx TCP) to await remote commands
- accepts remote commands that enable functionality such as:
  - denial of service attack against remote machines
  - start FTP server
  - proxy (HTTP, SOCKS)
  - scan the local subnet for machines to propagate to over the network. Specifically targets machines vulnerable to:
    - LSASS vulnerability
    - DComRPC vulnerability
    - Mydoom backdoor
    - Kuang backdoor
    - Netdevil backdoor
    - DameWare vulnerability
    - W32/Bagle backdoor
    - poorly secured machines (the worm carries a large list of usernames and passwords it attempts to brute force with)
  - run keylogger on victim machine
  - harvest data from victim machine. This includes:
    - passwords
    - keys/passwords for several applications, harvested by looking up the many Registry keys the worm carries
  - browse/kill/start/pause running processes