Summary
Win32/IRCBot.worm.81719 is a variant of Win32/IRCBot.worm. The worm spreads by exploiting known Windows vulnerabilities and weak user account passwords. When executed, it creates csrss.exe (81,719 bytes), unsecapp32.exe (74,279 bytes) and wbemstest.exe (77,854 bytes) in the \wbem subfolder of the Windows system folder (%system%\wbem). The worm adds Windows registry entries to run itself automatically whenever Windows starts. It also connects the system to a particular IRC server channel and carries out malicious actions commanded by the channel operator (Oper).
Content
* Method of Infection
[OS Vulnerability]
The worm spreads by exploiting the following Windows security vulnerabilities, as other variants of Win32/IRCBot.worm do.
MS03-039 RPC DCOM2
http://www.microsoft.com/technet/security/bulletin/MS03-039.mspx
MS04-031 Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation of Privilege
http://www.microsoft.com/technet/security/bulletin/MS04-031.mspx
MS06-040 Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation of Privilege
http://www.microsoft.com/technet/security/bulletin/MS06-040.mspx
* Symptoms after Execution
[Creating Files]
It creates the following files in the \wbem subfolder of the Windows system folder:
 - csrss.exe (81,719 bytes)
 - unsecapp32.exe (74,279 bytes)
 - wbemstest.exe (77,854 bytes)
[Adding a Windows Registry Entry]
It adds the following value under each of these registry keys so that it is executed whenever Windows starts.
HKEY_CURRENT_USER\Software\Microsoft\OLE
  Server Runtime Process = Windows system folder\wbem\unsecapp32.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  Server Runtime Process = Windows system folder\wbem\unsecapp32.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
  Server Runtime Process = Windows system folder\wbem\unsecapp32.exe
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa
  Server Runtime Process = Windows system folder\wbem\unsecapp32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
  Server Runtime Process = Windows system folder\wbem\unsecapp32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Server Runtime Process = Windows system folder\wbem\unsecapp32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
  Server Runtime Process = Windows system folder\wbem\unsecapp32.exe
It adds the following values to the Windows registry so that its files are listed as authorized applications and bypass the Windows Firewall.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
  %system%\wbem\csrss.exe = Windows system folder\wbem\csrss.exe:*:enabled:client server runtime process
  %system%\wbem\unsecapp32.exe = Windows system folder\wbem\unsecapp32.exe:*:enabled:server runtime process
  %system%\wbem\wbemstest.exe = Windows system folder\wbem\wbemstest.exe:*:enabled:server runtime process
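As an added defender-side example (my code, not part of the original description), the following Python parses a `reg export` style dump and flags the autostart value and Windows Firewall exceptions listed above. The key paths, value name and file names are taken from this description; the dump itself is constructed here.

```python
import re

# Constructed sample of a `reg export`-style dump (not taken from the page):
# one autostart value plus a benign entry, and two firewall exceptions, one benign and one matching the worm.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Server Runtime Process"="C:\\WINDOWS\\system32\\wbem\\unsecapp32.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\wbem\\csrss.exe"="C:\\WINDOWS\\system32\\wbem\\csrss.exe:*:Enabled:client server runtime process"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
'''

# Key suffixes the description lists as autostart locations, and the value name it uses.
AUTOSTART_SUFFIXES = (r"\microsoft\windows\currentversion\run", r"\microsoft\windows\currentversion\runservices",
                      r"\microsoft\ole", r"\control\lsa")
FIREWALL_SUFFIX = r"\firewallpolicy\standardprofile\authorizedapplications\list"
VALUE_NAME = "server runtime process"
# Dropped file names. The legitimate csrss.exe lives directly in the system folder, never under
# the wbem subfolder, so the path component (not the name alone) is the discriminator.
DROPPED = {"csrss.exe", "unsecapp32.exe", "wbemstest.exe"}

def parse_reg(text):
    """Yield (key, value_name, data) for every REG_SZ line in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:  # .reg files escape backslashes as \\ ; undo that
                yield key, m.group(1).replace("\\\\", "\\"), m.group(2).replace("\\\\", "\\")

def dropped_in_wbem(path):
    """True if path names one of the worm's files inside a wbem subfolder (firewall data may carry :*:... suffixes)."""
    p = path.lower()
    return "\\wbem\\" in p and p.rsplit("\\", 1)[-1].split(":")[0] in DROPPED

def find_indicators(text):
    """Return (kind, key, name, data) tuples for registry entries matching the description."""
    hits = []
    for key, name, data in parse_reg(text):
        k = key.lower()
        if any(k.endswith(s) for s in AUTOSTART_SUFFIXES) and \
                (name.lower() == VALUE_NAME or dropped_in_wbem(data)):
            hits.append(("autostart", key, name, data))
        elif k.endswith(FIREWALL_SUFFIX) and dropped_in_wbem(name):
            hits.append(("firewall-exception", key, name, data))
    return hits
```

On a live host, feed it the output of `reg export` for the HKCU and HKLM hives instead of the constructed sample.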
* Working as a Malicious IRC Bot
It tries to connect the system to a particular IRC server channel. If the connection succeeds, it can carry out malicious actions commanded by the channel operator (Oper).
The following actions can be performed on the infected system. These activities cannot be carried out once the IRC server operator closes the channel.
- Executing and deleting files
- Uploading and downloading files
- Leaking system and network information
[IRC Server List]
201.248.151.17, port 7654
198.78.81.43, port 80
Note) Addresses are partially omitted with *s.