ThreatExpert Report: W32.Spybot.Worm, Backdoor.Win32.Rbot.bzc, W32/Gaobot.worm.gen.e, W32/Rbot-Fam..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 3 October 2012, 16:17:50
Processing time: 9 min 40 sec
Submitted sample:

File MD5: 0x38D0BF20648DAD08F5283D92C8D853EA
File SHA-1: 0x344FABB7D14B34005A2BB025013B83D43ECD4DCA
Filesize: 128,000 bytes
Alias:

W32.Spybot.Worm [Symantec]
Backdoor.Win32.Rbot.bzc [Kaspersky Lab]
W32/Gaobot.worm.gen.e [McAfee]
W32/Rbot-Fam [Sophos]
Backdoor:Win32/IRCbot.gen!Z [Microsoft]
Backdoor.Rbot [Ikarus]
Win32/IRCBot.worm.variant [AhnLab]

Summary of the findings:

What's been found	Severity Level
A network-aware worm that uses known exploit(s) in order to replicate across vulnerable networks.
MS04-011: LSASS Overflow exploit - replication across TCP 445 (common for Sasser, Bobax, Kibuv, Korgo, Gaobot, Spybot, Randex, other IRC Bots).
Capability to perform DoS attacks against other computers.
Capability to terminate Antivirus, Firewall and other security related processes.
Replication across networks by exploiting weakly restricted shares (common for Randex family of worms).
Communication with a remote IRC server.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! The following threat categories were identified:

Threat Category	Description
	A network-aware worm that attempts to replicate across the existing network(s)
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment
	A malicious backdoor trojan that runs in the background and allows remote access to the compromised system

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\1.reg	37 bytes	MD5: 0x28DD35FCC1BC0AAF341A9416B479515D SHA-1: 0x22A78FA066E974B502AED609E9E6B2559E9810FA	(not available)
2	%System%\antivir.exe [file and pathname of the sample #1]	128,000 bytes	MD5: 0x38D0BF20648DAD08F5283D92C8D853EA SHA-1: 0x344FABB7D14B34005A2BB025013B83D43ECD4DCA	W32.Spybot.Worm [Symantec] Backdoor.Win32.Rbot.bzc [Kaspersky Lab] W32/Gaobot.worm.gen.e [McAfee] W32/Rbot-Fam [Sophos] Backdoor:Win32/IRCbot.gen!Z [Microsoft] Backdoor.Rbot [Ikarus] Win32/IRCBot.worm.variant [AhnLab]

Notes:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
antivir.exe	%System%\antivir.exe	1,261,568 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	1,261,568 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\OLE

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]

EnableRemoteConnect = "N"
TcpMaxDupAcks = 0x00000001
TcpWindowSize = 0x0007D200
TcpRecvSegmentSize = 0x00000585
DefaultTTL = 0x00000030
TcpSendSegmentSize = 0x00000585
TcpMaxHalfOpen = 0x0000004B
TcpMaxHalfOpenRetried = 0x00000050
TcpTimedWaitDelay = 0x00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

Avira Antivir PE = "antivir.exe"

so that antivir.exe runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

Avira Antivir PE = "antivir.exe"

so that antivir.exe runs every time Windows starts

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa]

TcpWindowSize = 0x0007D200
DefaultTTL = 0x00000030
TcpMaxHalfOpenRetried = 0x00000050
TcpTimedWaitDelay = 0x00000000
TcpMaxHalfOpen = 0x0000004B
MaxNormLookupMemory = 0x00030D40
FFPControlFlags = 0x00000001
FFPFastForwardingCacheSize = 0x00030D40
MaxForwardBufferMemory = 0x00019DF7

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]

TcpWindowSize = 0x0007D200
DefaultTTL = 0x00000030
TcpMaxHalfOpenRetried = 0x00000050
TcpTimedWaitDelay = 0x00000000
TcpMaxHalfOpen = 0x0000004B
MaxNormLookupMemory = 0x00030D40
FFPControlFlags = 0x00000001
FFPFastForwardingCacheSize = 0x00030D40
MaxForwardBufferMemory = 0x00019DF7

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]

MaxConnectionsPer1_0Server = 0x00000050
MaxConnectionsPerServer = 0x00000050
ForwardBroadcasts = 0x00000000
ForwardBufferMemory = 0x00019DF7
IPEnableRouter = 0x00000000
Domain = ""
SearchList = ""
UseDomainNameDevolution = 0x00000001
EnableICMPRedirect = 0x00000000
DeadGWDetectDefault = 0x00000001
DontAddDefaultGatewayDefault = 0x00000000
EnableSecurityFilters = 0x00000001
AllowUnqualifiedQuery = 0x00000000
PrioritizeRecordData = 0x00000001
TCP1320Opts = 0x00000003
KeepAliveTime = 0x00023280
BcastQueryTimeout = 0x000002EE
BcastNameQueryCount = 0x00000001
CacheTimeout = 0x0000EA60
Size/Small/Medium/Large = 0x00000003
LargeBufferSize = 0x00001000
SynAckProtect = 0x00000002
PerformRouterDiscovery = 0x00000000
EnablePMTUBHDetect = 0x00000000
FastSendDatagramThreshold = 0x00000400
StandardAddressLength = 0x00000018
DefaultReceiveWindow = 0x00004000
DefaultSendWindow = 0x00004000
BufferMultiplier = 0x00000200
PriorityBoost = 0x00000002
IrpStackSize = 0x00000004
IgnorePushBitOnReceives = 0x00000000
DisableAddressSharing = 0x00000000
AllowUserRawAccess = 0x00000000

[HKEY_CURRENT_USER\Software\Microsoft\OLE]

Avira Antivir PE = "antivir.exe"

The following Registry Values were modified:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]

EnableDCOM =

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa]

restrictanonymous =

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]

restrictanonymous =

Other details

To mark the presence in the system, the following Mutex object was created:

V m0d

The following port was open in the system:

Port	Protocol	Process
113	TCP	antivir.exe (%System%\antivir.exe)

The following Host Name was requested from a host database:

ns3.captain-packet.net

There was registered attempt to establish connection with the remote host. The connection details are:

Remote Host	Port Number
ns3.captain-packet.net	3900

Outbound traffic (potentially malicious)

Attention! There was a new connection established with a remote IRC Server. The generated outbound IRC traffic is provided below:

Heuristics Analysis

Heuristically identified capability to terminate the following security related processes:

_avp32.exe
_avpcc.exe
_avpm.exe
cmd.exe
msblast.exe
taskmon.exe
tds2-nt.exe
teekids.exe
tfak.exe
tfak5.exe
tgbob.exe
titanin.exe
titaninxp.exe
tracert.exe
trickler.exe
trjscan.exe
trjsetup.exe
trojantrap3.exe
tsadbot.exe
tvmd.exe
tvtmd.exe
undoboot.exe
updat.exe
update.exe
upgrad.exe
utpost.exe
vbcmserv.exe
vbcons.exe
vbust.exe
vbwin9x.exe
vbwinntw.exe
vcsetup.exe
vet32.exe
vet95.exe
vettray.exe
vfsetup.exe
vir-help.exe
virusmdpersonalfirewall.exe
vnlan300.exe
vnpc3000.exe
vpc32.exe
vpc42.exe
vpfw30s.exe
vptray.exe
vscan40.exe
vsched.exe
vsecomr.exe
vshwin32.exe
vsisetup.exe
vsmain.exe
vsmon.exe
vsstat.exe
vswin9xe.exe
vswinntse.exe
vswinperse.exe
w32dsm89.exe
w9x.exe
watchdog.exe
webdav.exe
webscanx.exe
webtrap.exe
wfindv32.exe
wgfe95.exe
whoswatchingme.exe
wimmun32.exe
win32.exe
win32us.exe
winactive.exe
win-bugsfix.exe
window.exe
windows.exe
wininetd.exe
wininit.exe
wininitx.exe
winlogin.exe
winmain.exe
winnet.exe
winppr32.exe
winrecon.exe
winservn.exe
winssk32.exe
winstart.exe
winstart001.exe
wintsk32.exe
winupdate.exe
wkufind.exe
wnad.exe
wnt.exe
wradmin.exe
wrctrl.exe
wsbgate.exe
wupdater.exe
wupdt.exe
wyvernworksfirewall.exe
xpf202en.exe
zapro.exe
zapsetup3001.exe
zatutor.exe
zonalm2601.exe
zonealarm.exe

Heuristically identified capability of spreading across the following weakly restricted network shares:

The network replication uses a dictionary attack by probing credentials from the following list:

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.