W32/Bady.C
Analysis
- Virus exploits a buffer overflow in the Indexing Service
ISAPI extension (.ida) on systems running the IIS service -
an unauthenticated request for an .ida resource carries a
carefully crafted query string which overflows a buffer in
the extension and gives the sender remote, arbitrary code
execution on the web server host
- Virus installs itself memory resident on the target
system and also drops a remote access Trojan which
would allow an attacker control of the host - because the
virus component exists only in memory, a reboot of the
system prevents it from running again; the dropped Trojan
is not affected by the reboot, and the system is
re-infected if another copy reaches it from an outside
source before the vulnerability is patched
- Virus obtains the addresses of socket routines in
WS2_32.dll and uses them to attempt TCP connections to
port 80 (http) on other IP addresses, looking for further
hosts running the IIS service
- Virus checks the default language of the host system -
if it is Chinese (PRC) or Chinese (Taiwan), virus creates
600 scanning threads, otherwise 300 threads are generated;
each thread repeatedly picks a target IP address at random
and attempts the .ida exploit against it; the generator is
biased toward addresses that share the host's own first
one or two octets, so infections cluster within the same
network
- Virus copies CMD.EXE as ROOT.EXE into each of the
following folders that exists:
C:\Inetpub\Scripts\
D:\Inetpub\Scripts\
C:\Progra~1\Common~1\System\MSADC\
D:\Progra~1\Common~1\System\MSADC\
These folders are web-accessible IIS directories with
execute permission, so a simple GET request for ROOT.EXE
with a command line in the query string runs that command
on the web server - the "root access" referred to in the
original description - without needing the overflow a
second time
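Both the .ida exploit request and later use of the ROOT.EXE backdoor leave a trace in the IIS access log. The following Python script is an added example, not code from the original analysis: it scans IIS W3C extended log lines for the two request shapes described above, an .ida request whose query string is overflow-sized, and a request for ROOT.EXE under /scripts/ or /msadc/. The virtual directory names (the default IIS mappings for the two folders), the log field layout, the length and padding thresholds, and the sample log lines are all assumptions made here; the sample log is constructed, not captured.

```python
"""Flag W32/Bady.C (Code Red II) requests in IIS W3C extended log lines.

Added example, not code from the original analysis.  Assumptions made here:
- log lines use "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status"
- the .ida probe arrives as an oversized query string padded with one
  repeated character and carrying %uXXXX-escaped code; the thresholds are
  heuristics, not a signature taken from the analysis
- the dropped ROOT.EXE is reached as /scripts/root.exe or /msadc/root.exe,
  the default IIS virtual directory names for the two folders
"""
import re
from dataclasses import dataclass
from typing import List, Optional

IDA_QUERY_MIN_LEN = 200                                    # assumption: real Index Server queries are short
UNICODE_ESCAPES = re.compile(r"(?:%u[0-9A-Fa-f]{4}){4,}")  # run of %uXXXX escapes (wide-char code)
PADDING_RUN = re.compile(r"([A-Za-z])\1{100,}")            # 100+ repeats of one letter
BACKDOOR_STEM = re.compile(r"^/(scripts|msadc)/(root|cmd)\.exe$", re.IGNORECASE)


@dataclass
class Hit:
    line_no: int
    client: str
    kind: str      # "ida_overflow" or "root_exe_backdoor"
    detail: str


def parse_w3c(line: str) -> Optional[dict]:
    """Split one W3C extended log line; returns None for comments/short lines."""
    parts = line.split()
    if line.startswith("#") or len(parts) < 7:
        return None
    date, time, c_ip, method, stem, query, status = parts[:7]
    return {"date": date, "time": time, "c_ip": c_ip, "method": method,
            "stem": stem, "query": "" if query == "-" else query, "status": status}


def classify(rec: dict) -> Optional[tuple]:
    """Return (kind, detail) if the record looks like Code Red II activity."""
    stem, query = rec["stem"], rec["query"]
    if stem.lower().endswith(".ida") and (
            len(query) >= IDA_QUERY_MIN_LEN
            or UNICODE_ESCAPES.search(query)
            or PADDING_RUN.search(query)):
        return "ida_overflow", f"{len(query)}-byte query to {stem}"
    if BACKDOOR_STEM.match(stem):
        # ROOT.EXE is a copy of CMD.EXE, so the query string is the command line
        return "root_exe_backdoor", f"{stem}?{query}"
    return None


def scan(lines) -> List[Hit]:
    """Run classify() over every log line and collect the hits with line numbers."""
    hits = []
    for n, line in enumerate(lines, 1):
        rec = parse_w3c(line)
        if rec is None:
            continue
        found = classify(rec)
        if found:
            hits.append(Hit(n, rec["c_ip"], found[0], found[1]))
    return hits


# Constructed sample log (not captured from a real server).
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-08-04 14:01:12 10.0.0.7 GET /default.htm - 200",
    "2001-08-04 14:01:30 192.0.2.44 GET /default.ida " + "X" * 300 + "%u9090" * 4 + " 200",
    "2001-08-04 14:02:05 192.0.2.44 GET /scripts/root.exe /c+dir 200",
    "2001-08-04 14:02:09 192.0.2.44 GET /msadc/root.exe /c+dir+c:\\ 200",
    "2001-08-04 14:03:00 10.0.0.9 GET /query.ida CiRestriction=budget 200",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.client} {h.kind} {h.detail}")
```

A root_exe_backdoor hit with status 200 means the shell copy is already in place and answering, so the host should be treated as compromised regardless of whether the original .ida probe was logged; an ida_overflow hit from an address that never follows up may be a scan that failed against a patched server.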
- Virus writes the remote access Trojan as the file
"C:\Explorer.exe" and, if a D: drive is available, also
as "D:\Explorer.exe" - because the system locates its
shell by the unqualified name "Explorer.exe" and looks in
the root of the drive before %SystemRoot%, the Trojan copy
is started in place of the real Explorer the next time the
shell is launched by the system
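A host-side check for the dropped files, as an added example that is not part of the original analysis: it takes a drive root so it can be run over C:\ and D:\ of a live system or over a mounted disk image, resolves the listed paths case-insensitively, and compares each ROOT.EXE it finds against CMD.EXE, since a byte-identical copy confirms the mechanism described above. The CMD.EXE location (WINNT\system32, the NT/2000 default) and the sample tree built by demo() are assumptions made for the example.

```python
"""Host-side check for the files W32/Bady.C leaves behind.

Added example, not code from the original analysis.  It looks for the
ROOT.EXE copies and the Explorer.exe Trojan at the locations the analysis
lists, given a drive root (a live drive or a mounted image).  Assumptions
made here: CMD.EXE lives at WINNT\\system32\\cmd.exe (NT/2000 default); the
tree built by demo() is constructed sample data, not a real host.
"""
import hashlib
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional

# Locations from the analysis, relative to a drive root (C:\ or D:\).
DROPPED_ROOT_EXE = [
    Path("Inetpub") / "Scripts" / "ROOT.EXE",
    Path("Progra~1") / "Common~1" / "System" / "MSADC" / "ROOT.EXE",
]
DROPPED_TROJAN = Path("Explorer.exe")
CMD_EXE = Path("WINNT") / "system32" / "cmd.exe"      # assumption: default %SystemRoot%


@dataclass
class Finding:
    kind: str
    path: Path
    note: str


def _find_ci(base: Path, rel: Path) -> Optional[Path]:
    """Resolve rel below base matching each component case-insensitively
    (NTFS ignores case; an image mounted on Linux does not)."""
    cur = base
    for part in rel.parts:
        if not cur.is_dir():
            return None
        cur = next((p for p in cur.iterdir() if p.name.lower() == part.lower()), None)
        if cur is None:
            return None
    return cur


def _sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def find_indicators(drive_root: Path, cmd_exe: Optional[Path] = None) -> List[Finding]:
    """Scan one drive root; pass cmd_exe explicitly if %SystemRoot% is elsewhere."""
    findings: List[Finding] = []
    if cmd_exe is None:
        cmd_exe = _find_ci(drive_root, CMD_EXE)
    cmd_hash = _sha256(cmd_exe) if cmd_exe is not None and cmd_exe.is_file() else None

    for rel in DROPPED_ROOT_EXE:
        hit = _find_ci(drive_root, rel)
        if hit is None or not hit.is_file():
            continue
        if cmd_hash is not None and _sha256(hit) == cmd_hash:
            findings.append(Finding("root_exe_copy", hit,
                                    "byte-identical to CMD.EXE: a web-reachable command shell"))
        else:
            findings.append(Finding("root_exe_unknown", hit,
                                    "present but not a copy of CMD.EXE; inspect manually"))

    # The legitimate shell lives under %SystemRoot%; any Explorer.exe in the
    # drive root is the dropped Trojan (or at least needs explaining).
    hit = _find_ci(drive_root, DROPPED_TROJAN)
    if hit is not None and hit.is_file():
        findings.append(Finding("explorer_at_root", hit,
                                "Explorer.exe outside %SystemRoot%: started instead of the real shell"))
    return findings


def demo(infected: bool = True) -> List[Finding]:
    """Build a constructed drive tree in a temp dir and scan it (sample data only)."""
    root = Path(tempfile.mkdtemp(prefix="bady_demo_"))
    fake_cmd = b"MZ stand-in for cmd.exe"
    (root / "WINNT" / "system32").mkdir(parents=True)
    (root / "WINNT" / "system32" / "cmd.exe").write_bytes(fake_cmd)
    (root / "Inetpub" / "scripts").mkdir(parents=True)       # lower case on purpose: NTFS would not care
    if infected:
        (root / "Inetpub" / "scripts" / "root.exe").write_bytes(fake_cmd)   # the dropped copy
        (root / "Explorer.exe").write_bytes(b"MZ stand-in for the Trojan")
    return find_indicators(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.kind}: {f.path} - {f.note}")
```

On a live host run find_indicators(Path("C:/")) and find_indicators(Path("D:/")) from an elevated prompt; a root_exe_unknown result still warrants a look, since a replaced or patched CMD.EXE would make the hash comparison fail while the backdoor remains functional.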
- Virus contains the string "CodeRedII" in its code, which
is the origin of its common name, Code Red II