Backdoor.IRCBot.ST
SYMPTOMS:
1. Presence of the file wgareg.exe in %SYSTEMDIR%
3. Presence of a service with the following properties:
   Name: wgareg
   This service will be restarted by Windows if it is killed.

TECHNICAL DESCRIPTION:
The file is packed and encrypted to hide its malicious code. When first run, the virus starts a thread that checks whether the program is being debugged and exits immediately if it detects a user-level debugger. Next, it copies itself into the Windows system directory and installs itself as a Windows service named "wgareg". The service is configured so that Windows restarts it automatically if it is killed. The virus then starts explorer.exe in suspended mode and injects code into that process. The injected code waits for the virus to exit and then erases the original file; after erasing the file, the process exits. Likewise, after installing the service, the virus exits.

Windows then starts the virus, since it is now registered as a service, from %SYSTEMDIR%\wgareg.exe. This time the virus skips the installation part and begins its main activity. First, it creates a mutex named "wgareg" for exclusivity. Next, it disables the Windows Security Center firewall and anti-virus monitors by modifying registry keys, and creates a zero-byte file dcpromo.log in %WINDIR%\Debug\; this protects the computer against the MS04-011 vulnerability. Next, it tries to connect to the IRC server net32.vr0k.com.ar on port 18067 and attempts to join a password-protected channel named #N1. The nickname is randomly generated and has the form N1-xxxxxxxx, where xxxxxxxx is a random number. After connecting, it stays in the background and listens for commands.

REMOVAL INSTRUCTIONS:
Stop the service, then remove HKLM\System\CurrentControlSet\Services\wgareg from the registry, kill the process, then erase %SYSTEMROOT%\wgareg.exe.

ANALYZED BY: Marius Tivadar, virus researcher
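A host-side check and cleanup script for the indicators this entry lists, added here as an example; it is not part of the original analysis and is not the analyst's own tooling. It reports the file, service, registry key, zero-byte dcpromo.log and any live connection to the IRC port named above, and with the -Remove switch applies the removal steps in the order the entry gives them. Assumptions not stated on the page: %SYSTEMDIR% resolves to %SystemRoot%\System32, the script runs in an elevated PowerShell 5.1 or later session, and Get-NetTCPConnection is available (Windows 8 / Server 2012 or newer).

```powershell
# Added example (not from the original analysis): report the indicators the entry lists and,
# with -Remove, carry out its removal steps in the stated order.
# Assumptions (not from the page): elevated PowerShell 5.1+; %SYSTEMDIR% is %SystemRoot%\System32;
# Get-NetTCPConnection exists (Windows 8 / Server 2012 or later).
[CmdletBinding()]
param(
    [switch]$Remove
)

$ServiceName = 'wgareg'
$BinaryPath  = Join-Path $env:SystemRoot 'System32\wgareg.exe'   # %SYSTEMDIR%\wgareg.exe
$ServiceKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
$DebugLog    = Join-Path $env:SystemRoot 'Debug\dcpromo.log'     # zero-byte file created by the bot
$IrcPort     = 18067                                             # C2 port named in the entry

$findings = @()

# 1. Binary dropped in the system directory
if (Test-Path -LiteralPath $BinaryPath) { $findings += "file present: $BinaryPath" }

# 2. Service named wgareg (the entry says Windows restarts it if the process is killed)
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($svc) { $findings += "service present: $ServiceName (status $($svc.Status))" }

# 3. Registry key that registers the service
if (Test-Path -LiteralPath $ServiceKey) { $findings += "registry key present: $ServiceKey" }

# 4. Zero-byte %WINDIR%\Debug\dcpromo.log. Weak on its own: a legitimate dcpromo run also
#    writes this file, so treat it as supporting evidence only.
if (Test-Path -LiteralPath $DebugLog) {
    if ((Get-Item -LiteralPath $DebugLog).Length -eq 0) {
        $findings += "zero-byte file present: $DebugLog"
    }
}

# 5. Live TCP connection to the IRC port, with the owning process for triage
$conns = Get-NetTCPConnection -RemotePort $IrcPort -ErrorAction SilentlyContinue
foreach ($c in $conns) {
    $findings += "TCP connection to $($c.RemoteAddress):$IrcPort from PID $($c.OwningProcess)"
}

if ($findings.Count -eq 0) {
    Write-Output "No Backdoor.IRCBot.ST indicators found."
    return
}

Write-Output "Indicators found:"
$findings | ForEach-Object { Write-Output "  - $_" }

if (-not $Remove) {
    Write-Output "Re-run with -Remove to apply the removal steps."
    return
}

# Removal step 1: stop the service. A controlled stop is not a failure, so the service's
# restart-on-failure recovery action does not fire (killing the process first would trigger it).
if ($svc) {
    Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue
}

# Removal step 2: delete the service key so Windows will not start it again at boot.
if (Test-Path -LiteralPath $ServiceKey) {
    Remove-Item -LiteralPath $ServiceKey -Recurse -Force
}

# Removal step 3: kill any process still running from the dropped binary.
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ($_.Path -ieq $BinaryPath) } |
    Stop-Process -Force -ErrorAction SilentlyContinue

# Removal step 4: erase the file.
if (Test-Path -LiteralPath $BinaryPath) {
    Remove-Item -LiteralPath $BinaryPath -Force
}

Write-Output "Removal steps applied; reboot and re-run this script to confirm the indicators are gone."
```

Run it once without -Remove to inventory the host, then with -Remove to clean it. The order matters for the reason given in the comments: the entry says Windows restarts the service when its process is killed, so the service is stopped and its key deleted before the process is terminated. The entry's removal text names %SYSTEMROOT%\wgareg.exe while its technical description places the file in %SYSTEMDIR%; the script uses the system directory path, which is where the description says the installed copy runs from.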