W32/Acebot.A

Analysis

  • Threat runs as a remote access Trojan and can copy itself to other systems on the local network
    • Virus searches for other systems on the LAN and attempts to map a share on each of them as drive W:
    • If the mapping succeeds, the virus attempts to copy itself into the remote host's startup folder so that it launches at Windows startup -

      C:\Windows\Start Menu\Programs\StartUp\mssg.exe

      The path is fixed, so if the target system's Windows folder is not named "Windows", the copy fails and the remote system is not infected.

    • The virus then writes a zero-byte "marker" file, a flag noting that the system has already been infected -

      C:\Windows\SYSTEM\MSSZ.INI

  • Virus may disable the following personal firewall applications -

    Sygate Personal Firewall
    Tiny Personal Firewall
    ZoneAlarm

  • When the virus is run, it copies itself to the Windows\System folder under a randomly generated filename with an .EXE extension, and modifies the registry so that the copy runs at the next Windows startup -

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
    Microsoft Diagnostic = C:\WINDOWS\SYSTEM\(random filename).exe

  • Virus file size ranges from 160 KB to 180 KB

  • Virus acts as an IRC bot and listens for commands from the attacker, such as instructions to launch one of three flood attacks against other victims: UDP, IGMP or Ping (ICMP echo) floods
    • Virus may join the following IRC channels and post status messages there, such as the IP address of the infected host -

      #_california_
      #acronymm
      #allaboard_trans
      #asaf_joseff
      #backstreetgirls
      #bombard
      #Bombastic_ppl
      #cattles
      #circumvent
      #concurrent
      #contender
      #day_before_after
      #dvds_rw
      #exhaustive
      #fussyddr
      #goodnightkiss
      #hemisphere
      #home_teen
      #i_will_loveu
      #illuminating
      #ironman
      #micro_fly
      #microdot
      #next_summer
      #pioneergroup
      #premium
      #presumable
      #renaissance
      #saimonsays
      #satellitespy
      #seven_days2
      #sky_is_limit
      #slashhim
      #sround_allavs
      #sweetjoseff
      #the_matrix2
      #the_vendetta
      #thesixnight
      #tiresome
      #tony_hock
      #touch_sky
      #tout-x
      #ur_in_army
      #viperv6
      #VisualFantasy
      #visualvideo
      #warez_gamez
      #welcome_2_us
      #wheezeguy
      #who_is_it
      #windowsXp2
      #x_club

  • Virus attempts to update itself by downloading an .EXE from the URL
    "http://angelfire.lycos.com/film/joseff"; at the time of analysis the page no longer existed.
  • Virus contains the string
    "By Newbie-pro - Israel"
  • Virus is not related to the legitimate package "Acebot Metatag Generator"
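  The indicators above (the "Microsoft Diagnostic" Run value, the MSSZ.INI marker, the startup-folder copy, the 160-180 KB size and the IRC channel list) can be turned into a small triage script. The following is an added example written for this page, not Fortinet's code and not the malware's: it checks constructed sample data offline, and the read_run_values helper (an assumption, using the standard winreg module) collects the real Run key when run on a Windows host. The file listing and IRC lines would come from os.walk and a network sensor respectively; both are constructed samples here.

```python
import re

# IRC channels the page lists as monitored by the bot. IRC channel names are
# case-insensitive, so everything below is compared in lower case.
ACEBOT_CHANNELS = frozenset(c.lower() for c in """
#_california_ #acronymm #allaboard_trans #asaf_joseff #backstreetgirls #bombard
#Bombastic_ppl #cattles #circumvent #concurrent #contender #day_before_after
#dvds_rw #exhaustive #fussyddr #goodnightkiss #hemisphere #home_teen #i_will_loveu
#illuminating #ironman #micro_fly #microdot #next_summer #pioneergroup #premium
#presumable #renaissance #saimonsays #satellitespy #seven_days2 #sky_is_limit
#slashhim #sround_allavs #sweetjoseff #the_matrix2 #the_vendetta #thesixnight
#tiresome #tony_hock #touch_sky #tout-x #ur_in_army #viperv6 #VisualFantasy
#visualvideo #warez_gamez #welcome_2_us #wheezeguy #who_is_it #windowsXp2 #x_club
""".split())

# Persistence and marker artifacts from the analysis above (lower-case for comparison).
RUN_VALUE_NAME = "microsoft diagnostic"
RUN_DATA_RE = re.compile(r'^"?c:\\windows\\system\\[^\\]+\.exe"?$', re.IGNORECASE)
SYSTEM_DIR = "c:\\windows\\system\\"
MARKER_FILE = SYSTEM_DIR + "mssz.ini"
STARTUP_COPY = "c:\\windows\\start menu\\programs\\startup\\mssg.exe"
SIZE_RANGE = (160 * 1024, 180 * 1024)  # the page gives 160 KB to 180 KB

def read_run_values():
    """Assumed helper: read HKLM\\...\\CurrentVersion\\Run on Windows; returns {} elsewhere."""
    try:
        import winreg
    except ImportError:
        return {}
    values, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:          # no more values
                return values
            values[name] = str(data)
            i += 1

def check_run_values(run_values):
    """run_values: {value_name: data}. Flags the documented 'Microsoft Diagnostic' entry."""
    return [f"Run value '{n}' -> {d}" for n, d in run_values.items()
            if n.lower() == RUN_VALUE_NAME and RUN_DATA_RE.match(d)]

def check_files(listing):
    """listing: {path: size_in_bytes}, e.g. built with os.walk over C:\\Windows."""
    hits, (lo, hi) = [], SIZE_RANGE
    for path, size in listing.items():
        p = path.lower()
        if p == MARKER_FILE:
            hits.append(f"zero-byte infection marker: {path}")
        elif p == STARTUP_COPY:      # planted over the W: mapping by an infected neighbour
            hits.append(f"startup-folder copy: {path}")
        elif (p.startswith(SYSTEM_DIR) and p.endswith(".exe")
              and "\\" not in p[len(SYSTEM_DIR):] and lo <= size <= hi):
            # size alone is weak evidence; confirm with a hash or AV scan
            hits.append(f"executable of Acebot size in System folder: {path} ({size} bytes)")
    return hits

# Minimal RFC 1459 line shape: optional ':prefix', command, params, optional ':trailer'.
IRC_LINE_RE = re.compile(r"^(?::(?P<prefix>\S+) )?(?P<cmd>[A-Za-z]+|\d{3})(?: (?P<params>.*))?$")

def irc_channels(line):
    """Channels named in the parameters of one raw IRC line (client or server side)."""
    m = IRC_LINE_RE.match(line.strip())
    if not m:
        return set()
    head = (m.group("params") or "").split(" :", 1)[0]   # drop the trailing text
    return {t.lower() for t in re.split(r"[ ,]+", head) if t.startswith("#")}

def check_irc_log(lines):
    """[(line_no, [channel, ...])] for every line that touches an Acebot channel."""
    hits = []
    for n, line in enumerate(lines, 1):
        found = irc_channels(line) & ACEBOT_CHANNELS
        if found:
            hits.append((n, sorted(found)))
    return hits

# Constructed sample inputs, not real telemetry.
SAMPLE_RUN = {"Microsoft Diagnostic": r"C:\WINDOWS\SYSTEM\qzkpl.exe",
              "Example Updater": r"C:\Program Files\Example\upd.exe"}
SAMPLE_FILES = {r"C:\WINDOWS\SYSTEM\MSSZ.INI": 0,
                r"C:\Windows\Start Menu\Programs\StartUp\mssg.exe": 172032,
                r"C:\WINDOWS\SYSTEM\qzkpl.exe": 172032,
                r"C:\WINDOWS\SYSTEM\calc.exe": 65536}
SAMPLE_IRC = ["JOIN #seven_days2,#x_club", "PRIVMSG #x_club :ip 10.0.0.5",
              ":irc.example.net 001 bot3921 :Welcome", "PRIVMSG #python :hello",
              ":bot3921!u@10.0.0.5 JOIN #IronMan"]

if __name__ == "__main__":
    for hit in check_run_values(read_run_values() or SAMPLE_RUN) + check_files(SAMPLE_FILES):
        print(hit)
    for n, chans in check_irc_log(SAMPLE_IRC):
        print(f"IRC line {n}: {', '.join(chans)}")
```

  The Run value and the marker file are the strong host indicators; the size check only narrows down candidates for the randomly named copy and must be confirmed by hashing or scanning. On the network side, a JOIN or PRIVMSG to any of the listed channels is the clearest sign, and a proxy request for the update URL above or SMB traffic mapping drive W: from one internal host to another are further things to alert on.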

Detection Availability

    FortiClient                   Extreme
    FortiMail                     Extreme
    FortiSandbox                  Extreme
    FortiWeb                      Extreme
    Web Application Firewall      Extreme
    FortiIsolator                 Extreme
    FortiDeceptor                 Extreme
    FortiEDR