W32/Bady.C

Analysis

  • Virus exploits an indexing service (.ida) vulnerability in systems which run the IIS service - a request to retrieve data from the indexing service carries a carefully crafted string which causes a buffer overflow and code execution on the host
  • Virus installs itself memory resident on the target system and also drops a remote access Trojan which would allow an attacker control of the host - a reboot of the system will prevent the memory-resident virus component from running again, unless the system is compromised again by another infection attempt from an outside source
  • Virus hooks routines in WS2_32.dll in order to attempt connections over HTTP port 80 to other IP addresses where a server running the IIS service could reside
  • Virus checks the language of the host system - if it is Chinese (PRC or Taiwan), the virus creates 600 threads, otherwise 300 threads are generated; the threads represent attempts to reach other potential IP addresses, which are generated at random
  • Virus attempts to copy CMD.EXE as ROOT.EXE to the following folders, if they exist:

    C:\Inetpub\Scripts\
    D:\Inetpub\Scripts\
    C:\Progra~1\Common~1\System\MSADC\
    D:\Progra~1\Common~1\System\MSADC\

    in order to allow a simple GET request to provide root-level access to the web server

  • Virus writes the remote access Trojan as the file "C:\Explorer.exe" and, if a D: drive is available, also as "D:\Explorer.exe" - due to the location of this Trojan, it will be initiated when Explorer is called by the system

  • Virus contains the string "CodeRedII" in its code
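The two host-facing indicators above (an .ida request carrying an oversized string, and GET requests for ROOT.EXE in the script folders) and the dropped-file locations can be checked mechanically. The following Python script is an added example, not code from the original advisory or from the vendor: it scans constructed, simplified IIS-style log lines for the request patterns and checks a list of file paths for the dropped files. The log field layout, the sample log lines, the 200-byte query-length threshold, and the mapping of the Inetpub\Scripts and MSADC folders onto the /scripts and /msadc virtual paths are all assumptions made for the example.

```python
import re

# Simplified W3C-style IIS log layout used for this example (constructed, not a real export):
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
FIELDS = ["date", "time", "client", "method", "stem", "query", "status"]

# Query length above which a request for an .ida/.idq resource is treated as an
# overflow attempt. 200 bytes is an assumed heuristic threshold, not a value from the advisory.
IDA_QUERY_THRESHOLD = 200

# Virtual paths that, on a default IIS layout, correspond to the folders the virus
# copies CMD.EXE into as ROOT.EXE (assumed mapping: Inetpub\Scripts -> /scripts, MSADC -> /msadc).
ROOT_EXE_RE = re.compile(r"^/(scripts|msadc)/root\.exe$", re.IGNORECASE)

# Files the advisory says the virus drops; compared case-insensitively.
DROPPED_FILES = [
    r"C:\Inetpub\Scripts\ROOT.EXE",
    r"D:\Inetpub\Scripts\ROOT.EXE",
    r"C:\Progra~1\Common~1\System\MSADC\ROOT.EXE",
    r"D:\Progra~1\Common~1\System\MSADC\ROOT.EXE",
    r"C:\Explorer.exe",
    r"D:\Explorer.exe",
]

# Constructed sample log. The long query is illustrative padding, not the real payload.
LONG_QUERY = "X" * 300 + "%u9090%u6858"
SAMPLE_LOG = [
    "2001-08-04 10:12:01 198.51.100.7 GET /index.htm - 200",
    f"2001-08-04 10:12:07 198.51.100.23 GET /default.ida {LONG_QUERY} 200",
    "2001-08-04 10:12:09 198.51.100.23 GET /scripts/root.exe - 200",
    "2001-08-04 10:12:11 198.51.100.23 GET /msadc/root.exe - 200",
    "2001-08-04 10:12:15 198.51.100.7 GET /query.ida Page=1 200",  # benign short .ida query
]


def parse_line(line):
    """Split one log line into a field dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def classify(entry):
    """Return the alert tags that apply to one parsed log entry."""
    tags = []
    stem = entry["stem"].lower()
    # Rule 1: indexing-service resource requested with an oversized query string.
    if stem.endswith((".ida", ".idq")) and len(entry["query"]) >= IDA_QUERY_THRESHOLD:
        tags.append("ida-overflow-attempt")
    # Rule 2: request for the ROOT.EXE copy of CMD.EXE in a script-enabled folder.
    if ROOT_EXE_RE.match(entry["stem"]):
        tags.append("root-exe-backdoor-request")
    return tags


def scan_log(lines):
    """Return (client, uri-stem, tags) for every line that trips a rule."""
    alerts = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        tags = classify(entry)
        if tags:
            alerts.append((entry["client"], entry["stem"], tags))
    return alerts


def find_dropped_files(existing_paths):
    """Return the advisory's dropped-file paths that appear in existing_paths (case-insensitive)."""
    present = {p.lower() for p in existing_paths}
    return [p for p in DROPPED_FILES if p.lower() in present]


if __name__ == "__main__":
    for client, stem, tags in scan_log(SAMPLE_LOG):
        print(f"{client} {stem} -> {', '.join(tags)}")
    # Constructed directory listing standing in for a real file-system walk.
    sample_listing = [r"C:\Windows\explorer.exe", r"c:\inetpub\scripts\root.exe", r"C:\Explorer.exe"]
    for path in find_dropped_files(sample_listing):
        print(f"dropped file present: {path}")
```

On a live host, `find_dropped_files` would be fed the output of a directory walk of the drive roots and the four script folders; the legitimate Windows `explorer.exe` under the system directory is deliberately not matched, only the copies at the drive root.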
