This virus is a 32-bit executable with a packed file size of 68,611 bytes. It contains instructions to copy itself to other systems across a network (LAN/WAN) and, after first connecting to an IRC server and channel, to respond to instructions received from a malicious user. When the virus copies itself to other systems, the file is saved into the System32 folder as "cool.exe". The file is then executed remotely, after which it copies itself as "syslog32.exe" in the same folder.
This virus may terminate security applications whose names match a hard-coded list. It may also function as a small FTP server.
Loading At Windows Startup
If the virus is run, it copies itself into the local system's drivers folder as "ntsyst32.exe" and sets registry entries that load the virus as a service at each Windows startup -
"Microsoft System Checkup" = wnetlogin.exe
"NT Logging Serivce" = syslog32.exe
The virus attempts to connect to a common IRC server, "irc.undernet.org", on destination TCP port 6667. The connection is used mainly for communication messages; however, the open channel can also be used by a malicious user to send instructions to the virus.
Network Shares Infection Method
The virus may attempt to locate other machines on the network and penetrate them using a dictionary attack to log on to the target system, an RPC DCOM exploit, or an LSASS exploit.
If a system is vulnerable, the virus attempts to copy itself to the target into these shares and hard-coded locations -
and Settings\All Users\Start Menu\Programs\Startup
C:\WINNT\Profiles\All Users\Start Menu\Programs\Startup
C$\WINNT\Profiles\All Users\Start Menu\Programs\Startup
C$\Documents and Settings\All Users\Start Menu\Programs\Startup
This virus may attempt to download files from hard-coded websites. For instance, instructions in the virus attempt to connect to 'maniacu2.homeftp.net', retrieve the file "cool2.exe" and then execute it. At the time of this writing, the file and server were not accessible.
When the virus begins targeting other systems, it may attempt to retrieve the downloaded file as "cool" using the following FTP instruction set -
HOSTS File Overwrite
The virus attempts to block the system and its user from reaching certain antivirus websites by overwriting the HOSTS file with invalid resolution entries, as in this example -
The purpose of this is to prevent the infected host from updating its antivirus software.
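As an added illustration of the HOSTS-file tampering described above (example code written for this entry, not code from the original page or from the virus analysis), the following Python script parses a HOSTS file and reports every entry that pins a watched antivirus domain, distinguishing sinkhole addresses such as 127.0.0.1 or 0.0.0.0 from other unexpected addresses. The vendor domain names and the sample HOSTS content are constructed placeholders, since the page does not reproduce the list the virus writes.

```python
"""Flag HOSTS-file entries that hijack antivirus update domains.

Added example, not code from the original page. The domain names below
are constructed placeholders; the page does not list the sites the virus
actually overwrites.
"""
from typing import Dict, List, Tuple

# Default location of the HOSTS file on Windows NT-family systems.
WINDOWS_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# Assumption: domains a defender wants to watch (placeholders, not a vendor list).
WATCHED_DOMAINS = {
    "update.av-vendor-a.example",
    "liveupdate.av-vendor-b.example",
    "www.av-vendor-c.example",
    "www.av-vendor-d.example",
    "download.av-vendor-e.example",
}

# Addresses that make a name resolve to nothing useful.
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample HOSTS content: one legitimate line, the rest injected.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       update.av-vendor-a.example
0.0.0.0         liveupdate.av-vendor-b.example   # trailing comment
127.0.0.1       www.av-vendor-c.example www.av-vendor-d.example
10.0.0.5        download.av-vendor-e.example
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs, one per hostname.

    Comments ('#' to end of line) and blank lines are skipped, and a line
    that maps several names to one address yields one pair per name.
    """
    pairs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line, nothing to map
        addr, names = fields[0], fields[1:]
        pairs.extend((addr, name.lower()) for name in names)
    return pairs


def find_hijacked(text: str, watched=WATCHED_DOMAINS) -> List[Dict[str, str]]:
    """Report every watched domain pinned in HOSTS, with a reason.

    A vendor update domain has no business in HOSTS at all, so any mapping
    is reported; a sinkhole address is the pattern this virus uses.
    """
    findings: List[Dict[str, str]] = []
    for addr, name in parse_hosts(text):
        if name not in watched:
            continue
        reason = "sinkholed" if addr in SINKHOLE_ADDRS else "pinned to unexpected address"
        findings.append({"host": name, "addr": addr, "reason": reason})
    return findings


if __name__ == "__main__":
    import sys
    # With a path argument, scan a real file; otherwise scan the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            content = fh.read()
    else:
        content = SAMPLE_HOSTS
    for f in find_hijacked(content):
        print(f"{f['host']:40} -> {f['addr']:15} ({f['reason']})")
```

Run it with the path of the machine's HOSTS file (on Windows, the `WINDOWS_HOSTS_PATH` default) to scan a real file; without an argument it scans the constructed sample and prints five findings, four of them sinkholed.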
The virus contains these strings in its unpacked form -
---begin--- AV Guy READ: where do u come up with names like Donk.B? Put a reprezentative name like windr0ne ----end----
Windrone 8.1 final by Romanian 1337 hackers
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push
- Using the FortiGate manager, block internal-to-external and external-to-internal access on TCP ports 6667 and 10051 - the ports may need to be defined as a service before they can be blocked
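The IRC control channel on TCP port 6667 described under the startup section and the recommendation above to block TCP ports 6667 and 10051 come down to the same detection question: which internal hosts are talking on those ports or to irc.undernet.org? The following Python script is an added example, not Fortinet code, and its key=value log layout is constructed rather than a real FortiGate log format; it runs that check over sample log lines and groups the matches by source address.

```python
"""Flag connections that match this virus's IRC control channel.

Added example, not code from the original page or from Fortinet. The log
format is a constructed key=value layout, not a real FortiGate log format.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set

# From the page: the IRC server and TCP port the virus dials out to, and the
# second port the recommended action says to block alongside it.
WATCH_HOSTS = {"irc.undernet.org"}
WATCH_PORTS = {6667, 10051}

# Constructed sample log lines (key=value, one connection per line).
SAMPLE_LOG = """\
2004-05-01T10:00:01 action=accept proto=tcp src=10.1.1.23 dst=203.0.113.7 dport=6667 dsthost=irc.undernet.org
2004-05-01T10:00:05 action=accept proto=tcp src=10.1.1.23 dst=198.51.100.9 dport=80 dsthost=maniacu2.homeftp.net
2004-05-01T10:00:09 action=accept proto=tcp src=10.1.1.40 dst=10.1.1.23 dport=10051 dsthost=-
2004-05-01T10:00:12 action=accept proto=udp src=10.1.1.40 dst=10.1.1.1 dport=53 dsthost=-
2004-05-01T10:00:20 action=deny proto=tcp src=10.1.1.55 dst=203.0.113.7 dport=6667 dsthost=irc.undernet.org
2004-05-01T10:00:31 action=accept proto=tcp src=10.1.1.60 dst=192.0.2.14 dport=443 dsthost=www.example.com
"""

_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Split one log line into its key=value fields plus the leading timestamp."""
    fields = dict(_KV.findall(line))
    fields["ts"] = line.split(" ", 1)[0]
    return fields


def is_c2_candidate(rec: Dict[str, str]) -> bool:
    """True when a TCP connection targets the IRC host or a watched port.

    Denied attempts count too: a blocked dial-out still identifies the
    internal host that is trying to reach its controller.
    """
    if rec.get("proto") != "tcp":
        return False
    try:
        dport = int(rec.get("dport", ""))
    except ValueError:
        return False
    return dport in WATCH_PORTS or rec.get("dsthost", "").lower() in WATCH_HOSTS


def find_c2_candidates(log_text: str) -> List[Dict[str, str]]:
    """Return every parsed record that matches the IRC control-channel pattern."""
    records = (parse_line(ln) for ln in log_text.splitlines() if ln.strip())
    return [r for r in records if is_c2_candidate(r)]


def suspect_sources(log_text: str) -> Dict[str, Set[int]]:
    """Map each source address to the set of watched ports it touched."""
    by_src: Dict[str, Set[int]] = defaultdict(set)
    for rec in find_c2_candidates(log_text):
        by_src[rec["src"]].add(int(rec["dport"]))
    return dict(by_src)


if __name__ == "__main__":
    for src, ports in sorted(suspect_sources(SAMPLE_LOG).items()):
        print(f"{src:15} watched ports: {sorted(ports)}")
```

On the sample, three sources are reported: the host that reached the IRC server, the host that connected to port 10051 on it, and the host whose IRC attempt the firewall denied. The plain HTTP fetch from maniacu2.homeftp.net is not matched by this rule; the download host named on the page would need its own watch entry.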