Net-Worm.Win32.Padobot.m

| Event | Timestamp |
|---|---|
| Detected | Jun 24 2004 15:50 GMT |
| Released | Jun 24 2004 15:50 GMT |
| Published | Feb 14 2005 10:56 GMT |
Padobot.m infects computers running under Windows. The worm itself is a Windows PE EXE file approximately 10KB in size, packed using UPX. The unpacked file is approximately 24KB in size.
The worm propagates by exploiting a vulnerability in the Microsoft Windows LSASS service. This vulnerability is described in detail in Microsoft Security Bulletin MS04-011.
The worm contains a backdoor function.
Once launched, the worm copies itself to the Windows system directory under a random name. For example:
%System%\gytotrn.exe
Then the worm registers this file under the following key in the system registry:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "Cryptographic Service" = "%System%\<random name>.exe"
This ensures that the worm will be launched each time the infected machine is rebooted.
It also creates a registry key:
[HKLM\SOFTWARE\Microsoft\Wireless] "ID" = "<random value>"
It creates the mutex "uterm19" to flag its presence in the system.
The worm starts its propagation routine, selecting IP addresses to attack, and sending a request to TCP port 445. If the remote computer responds, then the worm launches its code on the victim machine, by utilizing the LSASS vulnerability.
The worm opens a random TCP port in order to receive commands. The backdoor function provides a malicious remote attacker with full access to the victim machine.
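The persistence and presence indicators listed above (the Run value "Cryptographic Service" pointing at a random .exe in %System%, the Wireless "ID" value, and the "uterm19" mutex) can be checked against a host snapshot. The following is an added example, not code from the original description; the registry and mutex snapshots it runs on are constructed sample data, and the expanded `C:\Windows\System32` form of the path is an assumption for hosts where %System% has already been resolved.

```python
import re

# Indicators taken from the Padobot.m description; snapshots below are constructed.
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
WIRELESS_KEY = r"HKLM\SOFTWARE\Microsoft\Wireless"
MUTEX_NAME = "uterm19"

# The worm's Run value data is a random .exe directly inside the system directory.
# Both the literal %System% form and an expanded system32 path (assumed) are accepted.
SYSTEM_EXE = re.compile(
    r"^(?:%System%|[A-Za-z]:\\Windows\\System32)\\[A-Za-z0-9]+\.exe$", re.IGNORECASE)


def check_padobot_indicators(run_entries, wireless_values, mutexes):
    """Return (indicator, detail) tuples for every Padobot.m indicator present.

    run_entries:     dict of value name -> data under the Run key
    wireless_values: dict of value name -> data under HKLM\\SOFTWARE\\Microsoft\\Wireless
    mutexes:         iterable of mutex names observed on the host
    """
    findings = []
    for name, data in run_entries.items():
        # Value name is fixed; the data must be a bare .exe in %System%.
        if name.lower() == "cryptographic service" and SYSTEM_EXE.match(data.strip('"')):
            findings.append(("run_key", f'{RUN_KEY} "{name}" = "{data}"'))
    if "ID" in wireless_values:
        findings.append(("wireless_id", f'{WIRELESS_KEY} "ID" = "{wireless_values["ID"]}"'))
    if MUTEX_NAME in set(mutexes):
        findings.append(("mutex", MUTEX_NAME))
    return findings


# Constructed sample snapshots: one benign Run entry and one mimicking the worm.
SAMPLE_RUN = {
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
    "Cryptographic Service": r"%System%\gytotrn.exe",
}
SAMPLE_WIRELESS = {"ID": "3a9f1c"}          # constructed random value
SAMPLE_MUTEXES = ["MSCTF.Shared.MUTEX.ABC", "uterm19"]

if __name__ == "__main__":
    for kind, detail in check_padobot_indicators(SAMPLE_RUN, SAMPLE_WIRELESS, SAMPLE_MUTEXES):
        print(f"[{kind}] {detail}")
```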
Padobot.m attempts to receive commands and transmit data, while connecting to several IRC channels:
Net-Worms propagate via computer networks. The distinguishing feature of this type of worm is that it does not require user action in order to spread.
This type of worm usually searches for critical vulnerabilities in software running on networked computers. In order to infect the computers on the network, the worm sends a specially crafted network packet (called an exploit) and as a result the worm code (or part of the worm code) penetrates the victim computer and activates. Sometimes the network packet only contains the part of the worm code which will download and run a file containing the main worm module. Some network worms use several exploits simultaneously to spread, thus increasing the speed at which they find victims.