Virus

W32/Lamin.B

Analysis

  • The virus is a 32-bit Windows infector with a viral body of 32,924 bytes
  • The virus infects 32-bit files on the local system and also runs as a remote access Trojan, allowing hackers to connect to the infected system and send it IRC commands
  • The virus may be introduced to the system from another infected user across a network share, or from an infected IRC user
  • If the virus is run, it may terminate applications or services related to Antivirus programs or firewall programs such as ZoneAlarm
  • The virus will then infect other EXE files on the local system - infected files will grow by at least 32,000 bytes, but in some cases, the increase is as much as 36,000 bytes
  • The virus code is appended to infected files, and the entry point of the infected file is modified to point directly into the virus code
  • When the virus code finishes running, it passes control back to the host program
  • Although infected files grow in size, their time and date stamps are not modified, so searching for files modified in the last day will not reveal files which have become infected
  • The virus will write a .DLL file with a random file name to the local system and modify the registry to load the virus at next Windows startup, as in this example -

    HKEY_CLASSES_ROOT\CLSID\
    {52F7FFDF-D0CF-5CC3-5F4F-C6D8F7D65F0D}\InProcServer32\
    "(Default)" = C:\WINNT\System32\Ldidghgj.dll
    "ThreadingModel" = Apartment

  • The virus may write its code in encrypted format as a random file name to two locations -

    %Temp%\aliypqht.vcu (31,964 bytes)
    %Windows%\system32\Ldidghgj.dll (31,964 bytes)

  • The virus will run a DNS query for several IRC servers in order to identify a usable IP address for connecting -

    IRC.DAL.NET
    IRC.ARKHNET.COM
    IRC.RTDPTRX.ES
    POWERTECH.NO.EU.DAL.NET

  • The virus will connect with one of these servers using TCP port 6667 and await commands from the channel
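Because the viral body is appended to the host and the entry point is redirected into it while timestamps stay untouched, a triage check that reads the PE header is more useful than a search by modification time. The following is an added example, not Fortinet's analysis code: a minimal PE header parser that reports which section holds the entry point and flags files whose entry point lands in the last (appended) section; the section names and the sample headers are constructed for the demonstration.

```python
import struct

SECTION_HEADER = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER layout, 40 bytes

def entry_point_section(pe: bytes):
    """Return (index, name, section_count) for the section holding AddressOfEntryPoint,
    or None if the entry point lies outside every section."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20
    entry_rva, = struct.unpack_from("<I", pe, opt + 16)   # AddressOfEntryPoint
    table = opt + opt_size
    for i in range(num_sections):
        name, vsize, vaddr, rawsize = struct.unpack_from("<8sIII", pe, table + 40 * i)
        if vaddr <= entry_rva < vaddr + max(vsize, rawsize):
            return i, name.rstrip(b"\0").decode("ascii", "replace"), num_sections
    return None

def looks_like_appended_infection(pe: bytes) -> bool:
    """Heuristic: entry point redirected into the last section, or outside all of them."""
    hit = entry_point_section(pe)
    if hit is None:
        return True
    index, _, count = hit
    return count > 1 and index == count - 1

def build_sample_pe(entry_rva: int, sections) -> bytes:
    """Constructed PE32 header (not a real executable); sections = [(name, vaddr, vsize)]."""
    opt = bytearray(0xE0)                       # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)       # Magic = PE32
    struct.pack_into("<I", opt, 16, entry_rva)  # AddressOfEntryPoint
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    table = b"".join(struct.pack(SECTION_HEADER, n.encode(), vs, va, vs, 0, 0, 0, 0, 0, 0)
                     for n, va, vs in sections)
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    return dos + b"PE\0\0" + coff + bytes(opt) + table

# Constructed samples: a clean layout, and one with a 32,924-byte section appended
# and the entry point redirected into it, as the analysis describes.
CLEAN = build_sample_pe(0x1010, [(".text", 0x1000, 0x2000), (".data", 0x3000, 0x1000)])
INFECTED = build_sample_pe(0x4020, [(".text", 0x1000, 0x2000), (".data", 0x3000, 0x1000),
                                    (".viral", 0x4000, 32924)])
```

Packers and some legitimate linkers also place the entry point in the last section, so treat a hit as a candidate for closer analysis (size growth, the registry entry above) rather than a verdict.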

Recommended Action

  • If IRC chat is not used in your organization, disallow connections to the following IRC server addresses using the URL block feature of FortiGate -

    IRC.DAL.NET
    IRC.ARKHNET.COM
    IRC.RTDPTRX.ES
    POWERTECH.NO.EU.DAL.NET

  • If IRC chat is not used in your organization, disallow connections from