Saturday, 19 May 2012

Backdoor:Win32/IRCbot.DL

Encyclopedia entry
Updated: Apr 17, 2011  |  Published: Mar 01, 2010

Aliases

  • W32/Autorun.worm.aae (McAfee)
  • WORM_AUTORUN.EWS (Trend Micro)
  • Worm.Win32.AutoRun.atdx (Kaspersky)
  • W32.SillyFDC (Symantec)

Alert level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.125.1774.0
Released: May 14, 2012
Detection initially created:
Definition: 1.71.833.0
Released: Dec 14, 2009


Summary

Backdoor:Win32/IRCbot.DL is a backdoor trojan that may execute commands from a remote attacker. These commands include sending system information, participating in Distributed Denial of Service (DDoS) attacks, and downloading and executing arbitrary files.


Symptoms

System changes
The following system changes may indicate the presence of this malware:

Presence of the following file(s):
%appdata%\Microsoft\win32bit.exe
%appdata%\Microsoft\desktop.exe
%appdata%\Microsoft\balls.exe
%appdata%\Microsoft\winlog.exe
%appdata%\Microsoft\audio service.exe
%appdata%\Microsoft\windows.exe
%appdata%\Microsoft\scvhost.exe
%appdata%\Microsoft\slideshow.exe
%appdata%\Microsoft\csrss.exe
%appdata%\Microsoft\abodeg.exe

The presence of the following registry modifications or similar:

Under key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adds value: <filename>
With data: "%appdata%\Microsoft\<filename>"

For example:

Under key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adds value: "win32bit.exe"
With data: "%appdata%\Microsoft\win32bit.exe"


Technical Information (Analysis)

Backdoor:Win32/IRCbot.DL is a backdoor trojan that may execute commands from a remote attacker. These commands include sending system information, participating in Distributed Denial of Service (DDoS) attacks, and downloading and executing arbitrary files.

Installation
Backdoor:Win32/IRCbot.DL is typically installed as a hidden file in the %appdata%\Microsoft folder. It may use file names such as the following:

win32bit.exe
desktop.exe
balls.exe
winlog.exe
audio service.exe
windows.exe
scvhost.exe
slideshow.exe
csrss.exe
abodeg.exe

Note - %appdata% refers to a variable location that the malware determines by querying the operating system. The default location of the %appdata% folder is C:\Documents and Settings\<user>\Application Data on Windows XP, and C:\Users\<user>\AppData\Roaming on Windows Vista and Windows 7.

It then launches the new copy.

It creates the following registry entry to ensure that it is launched upon system startup:

Under key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adds value: <filename>
With data: "%appdata%\Microsoft\<filename>"

For example:

Under key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adds value: "win32bit.exe"
With data: "%appdata%\Microsoft\win32bit.exe"

It uses a mutex such as "3OoG0LGF%@\xo1I" to ensure that no more than one copy runs at a time.
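The persistence and file indicators above can be turned into a simple triage check. The following is an added example, not code from the encyclopedia entry: it parses a constructed `reg export`-style dump of the HKCU Run key (the user name "alice" and the benign entries are invented) and flags values whose data points at one of the listed file names under %appdata%\Microsoft, accepting both the unexpanded %appdata% form and the expanded Vista/Windows 7 path from the note above.

```python
import ntpath
import re

# File names the entry lists under %appdata%\Microsoft (matched case-insensitively).
KNOWN_NAMES = {
    "win32bit.exe", "desktop.exe", "balls.exe", "winlog.exe", "audio service.exe",
    "windows.exe", "scvhost.exe", "slideshow.exe", "csrss.exe", "abodeg.exe",
}

# Folder forms the entry describes: the unexpanded %appdata% variable and the
# expanded Vista/Windows 7 location (...\AppData\Roaming).
APPDATA_MS_SUFFIXES = ("%appdata%\\microsoft", "\\appdata\\roaming\\microsoft")

# Constructed sample of a `reg export` dump of the HKCU Run key (not a real
# capture; user "alice" is invented). A .reg file doubles backslashes and
# escapes embedded quotes as \".
SAMPLE_RUN_KEY = r'''
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"win32bit.exe"="\"%appdata%\\Microsoft\\win32bit.exe\""
"csrss.exe"="C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\csrss.exe"
"Sync"="C:\\Program Files\\Sync\\sync.exe"
'''


def parse_run_values(reg_text):
    r"""Yield (value name, data) pairs from a .reg export, undoing its escaping."""
    for m in re.finditer(r'^"([^"]+)"="(.*)"$', reg_text, re.M):
        data = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
        yield m.group(1), data


def matches_ircbot_dl_persistence(data):
    r"""True when Run data is %appdata%\Microsoft\<one of the listed names>.
    The genuine csrss.exe lives in %SystemRoot%\System32, so a copy under
    the roaming profile is a strong signal on its own."""
    folder, name = ntpath.split(data.strip().strip('"').lower())
    return folder.endswith(APPDATA_MS_SUFFIXES) and name in KNOWN_NAMES


def suspicious_run_values(reg_text):
    """Names of Run values whose data matches the entry's persistence pattern."""
    return [v for v, d in parse_run_values(reg_text) if matches_ircbot_dl_persistence(d)]


def suspicious_files(listing):
    r"""File names from a listing of %appdata%\Microsoft that match the entry."""
    return sorted(f for f in listing if f.lower() in KNOWN_NAMES)


if __name__ == "__main__":
    print(suspicious_run_values(SAMPLE_RUN_KEY))  # ['win32bit.exe', 'csrss.exe']
```

Feed `suspicious_files` the output of a directory listing of the roaming %appdata%\Microsoft folder (hidden files included, since the entry says the copy is hidden) to cover the file-presence symptom as well.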
Spreads via…
Removable drives
Some (but not all) variants periodically check whether removable drives are attached, and if so copy themselves as a hidden file to the root folder of the drive, using the same filename as above. They also place a hidden autorun.inf file in the root folder of the drive, in order to attempt to run the malware when the drive is attached to another system.

Once it has done so, the malware reports which drives were infected to the backdoor server (see below).
Payload
Allows backdoor access and control
The malware connects to a remote server, often on one of ports 3085, 3174, 3176, or 3178, and sends various system information including:
  • User name
  • Computer name
  • Processor type and speed
  • Operating System Version
  • System locale

Examples of servers used at the time of publication include:

The backdoor’s controller may issue the following commands:
  • Download and execute arbitrary files
  • Update itself
  • Start or stop SYN- or UDP-based DDoS attacks
  • Send application privileges (Administrator or restricted) and system uptime
  • List running processes
  • Terminate processes
  • List titles and details of open windows
  • Display a message box
  • Stop running
  • Uninstall itself
  • Steal Mozilla Firefox password details