Encyclopedia entry
Updated: April 17, 2011 | Published: Mar 01, 2010
Alert level: Severe
Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Aliases
- W32/Autorun.worm.aae (McAfee)
- WORM_AUTORUN.EWS (Trend Micro)
- Worm.Win32.AutoRun.atdx (Kaspersky)
- W32.SillyFDC (Symantec)
Detection last updated: Definition: 1.125.1774.0 Released: May 14, 2012 | Detection initially created: Definition: 1.71.833.0 Released: Dec 14, 2009
Summary
Backdoor:Win32/IRCbot.DL is a backdoor trojan that may execute commands from a remote attacker. These commands include sending system information, participating in Distributed Denial of Service (DDoS) attacks, and downloading and executing arbitrary files.
Symptoms
System changes
The following system changes may indicate the presence of this malware:
Presence of the following files:
%appdata%\Microsoft\win32bit.exe
%appdata%\Microsoft\desktop.exe
%appdata%\Microsoft\balls.exe
%appdata%\Microsoft\winlog.exe
%appdata%\Microsoft\audio service.exe
%appdata%\Microsoft\windows.exe
%appdata%\Microsoft\scvhost.exe
%appdata%\Microsoft\slideshow.exe
%appdata%\Microsoft\csrss.exe
%appdata%\Microsoft\abodeg.exe
The presence of the following registry modifications or similar:
Under key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adds value: <filename>
With data: “%appdata%\Microsoft\<filename>”
For example:
Under key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adds value: "win32bit.exe"
With data: “%appdata%\Microsoft\win32bit.exe”
Technical Information (Analysis)
Backdoor:Win32/IRCbot.DL is a backdoor trojan that may execute commands from a remote attacker. These commands include sending system information, participating in Distributed Denial of Service (DDoS) attacks, and downloading and executing arbitrary files.
Installation
Backdoor:Win32/IRCbot.DL is typically installed as a hidden file to the %appdata%\Microsoft folder. It may use file names such as the following:
win32bit.exe
desktop.exe
balls.exe
winlog.exe
audio service.exe
windows.exe
scvhost.exe
slideshow.exe
csrss.exe
abodeg.exe
Note - %appdata% refers to a variable location that the malware determines by querying the operating system. The default location of the %appdata% folder is C:\Documents and Settings\<user>\Application Data on Windows XP, and C:\Users\<user>\AppData\Roaming on Windows Vista and Windows 7.
It then launches the new copy.
It creates the following registry entry to ensure that it is launched upon system startup:
Under key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adds value: <filename>
With data: “%appdata%\Microsoft\<filename>”
For example:
Under key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adds value: "win32bit.exe"
With data: “%appdata%\Microsoft\win32bit.exe”
It uses a mutex such as “3OoG0LGF%@\xo1I” to ensure that no more than one copy can run at a time.
Spreads via…
Removable drives
Some (but not all) variants periodically check whether removable drives are attached, and if so copy themselves as a hidden file to the root folder of the drive, using the same filename as above. They also place a hidden autorun.inf file in the root folder of the drive, in order to attempt to run the malware when the drive is attached to another system.
Once it has done so, the malware reports which drives were infected to the backdoor server (see below).
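As an added defender-side example (not part of the Microsoft entry), the following PowerShell script checks a single host for the installation, persistence and removable-drive indicators described above. It assumes PowerShell 3.0 or later and that it runs under the user account whose HKCU hive is to be inspected; the file names and registry key are the ones listed in this entry.

```powershell
# Added triage script, not from the Microsoft encyclopedia entry.
# Assumes PowerShell 3.0+ and the interactive user's HKCU hive.
$names = @('win32bit.exe','desktop.exe','balls.exe','winlog.exe','audio service.exe',
           'windows.exe','scvhost.exe','slideshow.exe','csrss.exe','abodeg.exe')
$dropDir  = Join-Path $env:APPDATA 'Microsoft'
$findings = @()

# 1. Dropped copies: hidden files with the known names under %APPDATA%\Microsoft.
#    Get-Item -Force is needed because the malware sets the hidden attribute.
foreach ($n in $names) {
    $p = Join-Path $dropDir $n
    if (Test-Path -LiteralPath $p) {
        $attr = (Get-Item -LiteralPath $p -Force).Attributes
        $findings += "File present: $p (attributes: $attr)"
    }
}

# 2. Persistence: HKCU Run values whose data points into %APPDATA%\Microsoft.
$runKey  = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$psProps = @('PSPath','PSParentPath','PSChildName','PSDrive','PSProvider')
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($prop in $run.PSObject.Properties) {
        if ($prop.Name -in $psProps) { continue }   # provider metadata, not Run values
        # Expand %appdata% and strip surrounding quotes before comparing the path.
        $data = [Environment]::ExpandEnvironmentVariables([string]$prop.Value).Trim('"')
        if ($data.StartsWith($dropDir + '\', [StringComparison]::OrdinalIgnoreCase)) {
            $findings += "Run value '$($prop.Name)' -> $data"
        }
    }
}

# 3. Spreading: autorun.inf plus a known-name executable in the root of removable drives
#    (Win32_LogicalDisk DriveType 2 = removable disk).
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
    $root = $_.DeviceID + '\'
    if (Test-Path -LiteralPath (Join-Path $root 'autorun.inf')) {
        $findings += "autorun.inf present on removable drive $root"
    }
    foreach ($n in $names) {
        if (Test-Path -LiteralPath (Join-Path $root $n)) { $findings += "Known name on ${root}: $n" }
    }
}

if ($findings.Count -eq 0) { 'No Backdoor:Win32/IRCbot.DL indicators found.' } else { $findings }
```

A hit on the Run key or a hidden autorun.inf is a lead for further triage, not proof of infection by this specific family; confirm with an up-to-date antimalware scan.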
Payload
Allows backdoor access and control
The malware connects to a remote server, often on one of ports 3085, 3174, 3176, or 3178, and sends various system information including:
- User name
- Computer name
- Processor type and speed
- Operating System Version
- System locale
Examples of servers used at the time of publication include:
The backdoor’s controller may issue the following commands:
- Download and execute arbitrary files
- Update itself
- Start or stop SYN or UDP based DDoS attacks
- Send application privileges (Administrator or restricted) and system uptime
- List running processes
- Terminate processes
- List titles and details of open windows
- Display a message box
- Stop running
- Uninstall itself
- Steal Mozilla Firefox password details