Virus

W32/Spybot.EO!worm

Analysis

  • Virus is 32bit with a compressed file size of 55,199 bytes
  • If the virus is run, it will move a copy of itself to the undefinedWindowsundefined\System32 folder as "fucker.exe" and modify the registry to auto run at next Windows startup -

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce\
    "spolerv.exe" = FUCKER.EXE gtb0t ##tester2## fuckpass (extra data)

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
    "spolerv.exe" = FUCKER.EXE gtb0t ##tester2## fuckpass (extra data)

  • If virus is run, it will perform a DNS query against the IRC server "l3mer.hopto.org" in order to identify its known IP address (213.152.251.129)

  • Next the virus may attempt to connect to the IP address 213.152.251.129 using TCP port 6667

  • The virus will send the instruction "JOIN ##tester2## fuckpass" and await commands from a hacker or group of hackers

  • Some of the command supported include the following -

    cd-rom
    cmd
    d0wn
    delete
    disconnect
    execute
    get
    httpserver
    info
    kazaabackupfiles
    keyboardlights
    killprocess
    killthread
    list
    listprocesses
    login
    makedir
    opencmd
    passwords
    quit
    raw
    reboot
    reconnect
    redirect
    redirectspy
    rename
    scan
    sendkeys
    sendto
    server
    shittall
    spy
    startkeylogger
    stopkeylogger
    stopredirectspy
    stopspy
    syn
    threads

  • The virus may receive an instruction such as the following -

    scan 24.x.x.x 445 3 nb

    This instructs the virus to scan the 24 dot subnet using TCP port 445 (NetBIOS) in search of potential targets

  • The virus will then attempt to scan IP addresses using TCP port 445 in an effort to detect potential targets for infection - the destination port will begin near 1034 and continue sequentially, with periodic communication on known ports such as 1434 and others

  • If a system is located, the virus will attempt to connect to that system using weak logon user password combinations

  • Once a system is compromised, the virus will attempt to copy itself to that system by one of a few possible file names such as kaza.exe, fucker.exe or other file names

  • The virus will attempt to copy the file to any of the following folders if found -

    Documents and Settings\All Users\Menu DTmarrer\Programmes\Dtmarrage
    Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar
    Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica
    Documents and Settings\All Users\Menu Start\Programma's\Opstarten
    WINDOWS\All Users\Start Menu\Programs\StartUp
    WINNT\Profiles\All Users\Start Menu\Programs\Startup
    WINDOWS\Start Menu\Programs\Startup
    Documenti e Impostazioni\All Users\Start Menu\Programs\Startup
    Dokumente und Einstellungen\All Users\Start Menu\Programs\Startup
    Documents and Settings\All Users\Start Menu\Programs\Startup

  • The virus may also send information to the channel broadcasting information about the infected system

  • The virus will alter settings associated with the peer-to-peer file sharing application Kazaa - the virus will create a subdirectory into the current shared folder for Kazaa named "kazaabackupfiles" and modify the registry to point to this new location -

    HKEY_CURRENT_USER\Software\Kazaa\LocalContent\
    "Dir0" = 012345:undefinedkazaa share pathundefined\kazaabackupfiles\ (extra data)

  • The virus will write at least one copy of itself to the new location with a file name such as "download_me.exe"

  • Virus contains the string "SpyBot1.2" in its code

Recommended Action

  • Block access to the IP address 213.152.251.129
  • If the ports are not used, block use of TCP ports 445 and 6667 for Internal to External (INT -> EXT) and External to Internal (EXT -> INT) traffic