W32/Deborm.R

Analysis

  • The virus is a 32-bit executable, 70,144 bytes in size, and is UPX compressed
  • The virus spreads over the NetBIOS transport protocol, so if that protocol is not installed it poses no threat of spreading within the network. It seeks other systems to infect by scanning IP addresses within the current IP subnet
  • If a target system is found, the virus attempts to copy itself into the Windows StartUp folder on that system
  • When executed, the virus writes itself to the local machine as two files –
    C:\Windows\litmus\SVCHOSTÿ.EXE
    C:\Windows\WINLOGON .EXE <= note the space before the period
    C:\Windows\System\Explorer .EXE <= note the space before the period
  • The virus modifies the system registry so that it is loaded at Windows startup –
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
    LTM2 = C:\Windows\litmus\ SVCHOSTÿ.EXE

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
    NAV Live Update = C:\Windows\Start Menu\Programs\StartUp\(Worm filename)

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
    W1N32 = C:\Windows\WINLOGON .exe

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
    Windows Explorer = Explorer .exe

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices\
    Windows Explorer = Explorer .exe

  • The dropped files act as a remote access Trojan
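An added detection check, not part of the original description: it parses a constructed `reg export` of the Run and RunServices keys listed above and flags the value names named in this analysis as well as any launch path with the "space before the extension" file-name quirk.

```python
import re

# Persistence locations and value names taken from the W32/Deborm.R analysis above.
RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices",
)
KNOWN_VALUE_NAMES = {"LTM2", "NAV Live Update", "W1N32", "Windows Explorer"}
# Generic heuristic: a space right before the extension, as in "WINLOGON .exe".
SPACE_BEFORE_EXT = re.compile(r"\S \.(exe|com|scr)\b", re.IGNORECASE)

# Constructed sample of a `reg export` of the two keys (not real telemetry).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"W1N32"="C:\\Windows\\WINLOGON .exe"
"Windows Explorer"="Explorer .exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Windows Explorer"="Explorer .exe"
"""


def parse_reg_export(text):
    """Yield (key, value_name, data) for each string value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:
                # .reg files escape backslashes in string data; unescape them.
                yield key, m.group(1), m.group(2).replace("\\\\", "\\")


def find_deborm_indicators(text):
    """Return (subkey, value_name, data, reasons) for suspicious Run entries."""
    findings = []
    for key, name, data in parse_reg_export(text):
        if key not in RUN_KEYS:
            continue
        reasons = []
        if name in KNOWN_VALUE_NAMES:
            reasons.append("known Deborm.R value name")
        if SPACE_BEFORE_EXT.search(data):
            reasons.append("space before extension")
        if reasons:
            findings.append((key.rsplit("\\", 1)[1], name, data, reasons))
    return findings
```

The value-name match alone is low confidence, since names like "Windows Explorer" could be reused by other software; the file-name quirk is the stronger signal, and both reasons are reported so an analyst can weigh them.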
