Backdoor.Win32.IRCBot.st
Category: Backdoor
Risk: Medium
Length: 9'609 bytes (packed)
Platform: Windows 95, 98, Me, NT, 2000, Windows Server 2003, Windows XP
Aliases: IRC-Mocbot (McAfee), W32/Cuebot-M (Sophos), WORM_IRCBOT.JK, Win32/IRCBot.OO
Date discovered: 08/12/2006
Added to virus database: 08/12/2006
In-The-Wild / Epidemic: Yes
Description
Backdoor.Win32.IRCBot.st is a worm and backdoor Trojan for the Windows platform. It spreads via AOL Instant Messenger and can also spread to computers vulnerable to the Server Service exploit (MS06-040).
The following patch for the operating system vulnerability exploited by Backdoor.Win32.IRCBot.st can be obtained from the Microsoft website: http://www.microsoft.com/technet/security/bulletin/MS06-040.mspx
This worm installs itself in the WINDOWS SYSTEM directory (typically c:\windows\system32) as wgareg.exe or wgavm.exe.
It creates a service with one of the following sets of properties:
Name: wgareg
Display name: Windows Genuine Advantage Registration Service
Description: Ensures that your copy of Microsoft Windows is genuine and registered. Stopping or disabling this service will result in system instability.
Name: wgavm
Display name: Windows Genuine Advantage Validation Monitor
Description: Ensures that your copy of Microsoft Windows is genuine. Stopping or disabling this service will result in system instability.
(The genuine "Windows Genuine Advantage" components installed by Microsoft via Windows Update do not typically include a wgareg.exe or wgavm.exe file in the WINDOWS SYSTEM directory, so the presence of either file or service name on a host is suspicious.)
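The service names, display names and file names listed above are the host indicators a responder would hunt for. The following script is an added example, not code from the original page or from any vendor: it checks service records against those indicators and runs the check over Windows System log Event ID 7045 ("A service was installed in the system") entries. The one-event-per-line, semicolon-separated layout of the sample lines is an assumed export format (not the native event text), and the sample events themselves are constructed.

```python
import re
from dataclasses import dataclass

# Host indicators from the description above: service names, display names and
# file names. Everything else in this block is an added example.
MOCBOT_SERVICE_NAMES = {"wgareg", "wgavm"}
MOCBOT_FILE_NAMES = {"wgareg.exe", "wgavm.exe"}
MOCBOT_DISPLAY_NAMES = {
    "windows genuine advantage registration service",
    "windows genuine advantage validation monitor",
}

# Event ID 7045 carries these fields; the sample lines below flatten one event
# per line with ';' separators, which is an assumed export format.
EVENT_7045_RE = re.compile(
    r"Service Name:\s*(?P<name>[^;]+);\s*"
    r"Service File Name:\s*(?P<path>[^;]+);\s*"
    r"Service Type:\s*(?P<stype>[^;]+);\s*"
    r"Service Start Type:\s*(?P<start>[^;]+)"
)

@dataclass
class Finding:
    service_name: str
    image_path: str
    reasons: tuple

def classify_service(name, image_path, display_name=""):
    """Return the list of Mocbot indicators matched by one service record."""
    reasons = []
    if name.lower() in MOCBOT_SERVICE_NAMES:
        reasons.append("service name " + name)
    if display_name.lower() in MOCBOT_DISPLAY_NAMES:
        reasons.append("display name " + display_name)
    # Compare the basename only: the bot drops into the Windows system
    # directory, but the drive letter and directory name vary per install.
    base = image_path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if base in MOCBOT_FILE_NAMES:
        reasons.append("image " + base)
    return reasons

def parse_7045(line):
    """Extract (service name, image path) from a flattened 7045 line, or None."""
    m = EVENT_7045_RE.search(line)
    if not m:
        return None
    return m.group("name").strip(), m.group("path").strip()

def scan_events(lines):
    """Run every 7045 line through the indicator check; return the hits."""
    findings = []
    for line in lines:
        parsed = parse_7045(line)
        if parsed is None:
            continue
        name, path = parsed
        reasons = classify_service(name, path)
        if reasons:
            findings.append(Finding(name, path, tuple(reasons)))
    return findings

# Constructed sample events (not real log data). The third one shows why the
# image name is checked independently of the service name: a renamed service
# still points at the dropped binary.
SAMPLE_EVENTS = [
    "Event 7045; Service Name: wgareg; Service File Name: C:\\WINDOWS\\system32\\wgareg.exe; "
    "Service Type: user mode service; Service Start Type: auto start; Service Account: LocalSystem",
    "Event 7045; Service Name: Spooler; Service File Name: C:\\WINDOWS\\system32\\spoolsv.exe; "
    "Service Type: user mode service; Service Start Type: auto start; Service Account: LocalSystem",
    "Event 7045; Service Name: WgaRenamed; Service File Name: \"C:\\WINDOWS\\system32\\wgavm.exe\"; "
    "Service Type: user mode service; Service Start Type: auto start; Service Account: LocalSystem",
    "Event 7036; The Print Spooler service entered the running state.",
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f.service_name, f.image_path, ", ".join(f.reasons))
```

`classify_service` also accepts a display name so the same check can be applied to a live service inventory (for example the output of `sc query` or `Get-Service`), where the display name is available but no install event is.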
This is a variant of Backdoor.Win32.IRCBot (aka IRC-Mocbot) that exploits the Microsoft Windows Server Service buffer overflow (MS06-040) against Windows 2000 machines.
As in the older variants, this bot first attempts to connect to the following IRC servers on TCP port 18067:
* xxx.househot.com
* xxxx.wallloan.com
The bot then joins a specified channel and awaits commands, including:
* DDoS
* Scan (for vulnerable systems)
* Download / execute remote files
Once instructed, the bot scans Class A (/8) address ranges, sending SYN packets to TCP 139 (netbios-ssn) and 445 (microsoft-ds) looking for systems vulnerable to MS06-040. When a vulnerable system is found, the infected host triggers the buffer overflow on the remote system, instructing it to download Mocbot, save it to the WINDOWS SYSTEM directory as a file named .exe, and then execute it. Unlike many exploiting bots, Mocbot does not use FTP or TFTP for the download but carries its own downloader code. The remote system downloads the worm via a random TCP port.
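The scanning and command-and-control behaviour described above (bare SYNs to 139/445 across a /8, plus an outbound connection to TCP 18067) is what a network sensor can key on. The script below is an added example, not code from the original page or from any vendor: it scores each source address by the number of distinct hosts it probes on 139/445 with SYN-only packets and separately records connections to port 18067. The flow records are constructed, the 50-target threshold is an assumed tuning knob, and 203.0.113.10 is a placeholder in the TEST-NET range standing in for a C2 address, not one of the servers named above.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

IRC_C2_PORT = 18067            # TCP port the bot uses for its IRC servers (from the description)
EXPLOIT_PORTS = {139, 445}     # netbios-ssn / microsoft-ds, the MS06-040 scan targets
SCAN_THRESHOLD = 50            # assumed tuning knob: distinct hosts probed before a source is flagged

def detect(flows, scan_threshold=SCAN_THRESHOLD):
    """Flag Mocbot-like behaviour in (src_ip, dst_ip, dst_port, tcp_flags) records.

    tcp_flags is a string such as "S" (SYN only), "SA" (SYN+ACK) or "A" (ACK).
    Only bare SYNs to 139/445 count toward the scan score, because that is what
    the bot emits when it sweeps; established-session traffic to 445 does not.
    Returns {"scanners": {src: {"targets": n, "same_class_a": m}},
             "c2": {src: set(dst)}}.
    """
    probed = defaultdict(set)
    c2 = defaultdict(set)
    for src, dst, dport, flags in flows:
        bare_syn = "S" in flags and "A" not in flags
        if dport == IRC_C2_PORT and bare_syn:
            c2[src].add(dst)
        if dport in EXPLOIT_PORTS and bare_syn:
            probed[src].add(dst)
    scanners = {}
    for src, dsts in probed.items():
        if len(dsts) < scan_threshold:
            continue
        # The bot sweeps its own Class A range, so report how much of the
        # probe set falls inside the source's /8.
        class_a = ip_network(src + "/8", strict=False)
        same = sum(1 for d in dsts if ip_address(d) in class_a)
        scanners[src] = {"targets": len(dsts), "same_class_a": same}
    return {"scanners": scanners, "c2": dict(c2)}

def make_sample_flows():
    """Constructed flow records (not captured traffic)."""
    flows = []
    base = int(ip_address("10.20.0.1"))
    for i in range(60):                       # infected host sweeping its /8 with bare SYNs
        flows.append(("10.0.0.5", str(ip_address(base + i)), 445 if i % 2 else 139, "S"))
    flows.append(("10.0.0.5", "203.0.113.10", IRC_C2_PORT, "S"))   # placeholder C2 address
    flows.append(("10.0.0.9", "10.0.0.20", 445, "S"))               # ordinary SMB client
    flows.append(("10.0.0.9", "10.0.0.20", 445, "A"))               # data in an established session
    flows.append(("10.0.0.20", "10.0.0.9", 51234, "SA"))            # server reply, not a probe
    return flows

if __name__ == "__main__":
    result = detect(make_sample_flows())
    for src, info in result["scanners"].items():
        print("scanner", src, info)
    for src, dsts in result["c2"].items():
        print("c2", src, sorted(dsts))
```

Distinct destinations, not packet counts, are what separate a sweep from a busy file-server client: a legitimate SMB client can send thousands of packets to 445 but to only a handful of hosts.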