
IM-Flooder.Win32.Bancos.x

Detected Aug 06 2007 12:11 GMT
Released Aug 06 2007 12:11 GMT
Published Jan 13 2006 09:28 GMT

Technical Details

This network worm infects computers running Windows. The worm itself is a Windows PE EXE file written in Visual C++. The worm file may be packed with one of a range of packers, and therefore the size of the file may vary. The packed file will be approximately 49KB or larger, and the unpacked file is between 160KB and 280KB in size.

The worm propagates via the Microsoft Windows LSASS vulnerability, which is detailed in Microsoft Security Bulletin MS04-011, and the Microsoft Windows DCOM RPC vulnerability, which is detailed in Microsoft Security Bulletin MS03-026.

The worm also spreads via the Internet as an attachment to infected messages. It sends itself to email addresses harvested from the victim machine.

The worm contains a backdoor which receives commands via IRC channels.

Installation

Once launched, the worm copies itself to the Windows system directory as WindowsFirewall.exe:

%System%\WindowsFirewall.exe

It also creates copies of itself in the C: root directory under the following names:

C:\funny_pic.scr
C:\my_photo2005.scr
C:\see_this!!.scr

It then registers itself in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
[HKCU\SYSTEM\CurrentControlSet\Control\Lsa]
[HKLM\SYSTEM\CurrentControlSet\Control\Lsa]
[HKCU\Software\Microsoft\OLE]
[HKLM\Software\Microsoft\OLE]
 "Windows Firewall"="WindowsFirewall.exe"

The worm also creates a file called hellmsn in the C: root directory. This file is approximately 6KB in size, and will be detected by Kaspersky Anti-Virus as Net-Worm.Win32.Mytob.f.

Propagation via the Internet

The worm selects IP addresses to attack. If the LSASS or DCOM RPC vulnerabilities are detected on the potential victim machine, the worm exploits them to launch its code on that computer.

Propagation via email

The worm harvests email addresses from the MS Windows address books and also from files with the following extensions:

adb
asp
dbx
htm
php
pl
sht
tbb
wab

The worm does not harvest addresses which contain the following strings:

.edu
.gov
.mil
accoun
acketst
admin
anyone
arin.
avp
berkeley
borlan
bsd
bugs
ca
certific
contact
example
feste
fido
foo.
fsf.
gnu
gold-certs
google
gov.
help
iana
ibm.com
icrosof
icrosoft
ietf
info
inpris
isc.o
isi.e
kernel
linux
listserv
math
me
mit.e
mozilla
mydomai
no
nobody
nodomai
noone
not
nothing
ntivi
page
panda
pgp
postmaster
privacy
rating
rfc-ed
ripe.
root
ruslis
samples
secur
sendmail
service
site
soft
somebody
someone
sopho
submit
support
syma
tanford.e
the.bat
unix
usenet
utgers.ed
webmaster
you
your

The worm establishes a direct connection to the recipient's SMTP server in order to send messages.

Infected messages

Sender (contains one of the names listed below):

  • adam
  • alex
  • andrew
  • anna
  • bill
  • bob
  • brenda
  • brent
  • brian
  • britney
  • bush
  • claudia
  • dan
  • dave
  • david
  • debby
  • fred
  • george
  • helen
  • jack
  • james
  • jane
  • jerry
  • jim
  • jimmy
  • joe
  • john
  • jose
  • julie
  • kevin
  • leo
  • linda
  • lolita
  • madmax
  • maria
  • mary
  • matt
  • michael
  • mike
  • peter
  • ray
  • robert
  • sam
  • sandra
  • serg
  • smith
  • stan
  • steve
  • ted
  • tom

Message subject (chosen from the list below):

  • <blank field>
  • Error
  • Good day
  • Hello
  • Mail Delivery System
  • Mail Transaction Failed
  • Server Report
  • Status

Message body (chosen from the list below):

  • Here are your banks documents.
  • Mail transaction failed. Partial message is available.
  • The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
  • The message contains Unicode characters and has been sent as a binary attachment.
  • The original message was included as an attachments.

Attachment name (chosen from the list below):

  • body
  • data
  • doc
  • document
  • file
  • message
  • readme
  • test
  • text

The attachment may have a single or double extension, with extensions being chosen from the list below:

  • bat
  • cmd
  • com
  • doc
  • exe
  • htm
  • tmp
  • txt
  • zip
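
As an added example (not part of the Kaspersky description), a mail-gateway heuristic that recognises attachment names built the way described above. The stem, extension and subject lists are taken from this page; the verdict labels and the "double-extension" generalisation to stems not on the list are assumptions of the example.

```python
# Added example: classify attachment names and message subjects against the
# patterns this worm uses. The lists below are copied from the description.
ATTACHMENT_STEMS = {"body", "data", "doc", "document", "file",
                    "message", "readme", "test", "text"}
ATTACHMENT_EXTS = {"bat", "cmd", "com", "doc", "exe", "htm", "tmp", "txt", "zip"}
# Final extensions that execute code or carry an executable (zip).
DANGEROUS_EXTS = {"bat", "cmd", "com", "exe", "zip"}
WORM_SUBJECTS = {"", "error", "good day", "hello", "mail delivery system",
                 "mail transaction failed", "server report", "status"}


def classify_attachment(name: str) -> str:
    """Return 'worm-pattern', 'double-extension', 'executable' or 'ok'.

    worm-pattern:     stem and every extension come from the worm's lists
                      (at most two extensions) and the last one is dangerous.
    double-extension: any stem, a decoy extension in front of a dangerous one
                      (assumed generalisation, not limited to the worm's lists).
    executable:       a plain dangerous extension with an unlisted stem.
    """
    parts = name.lower().split(".")
    if len(parts) < 2 or not all(parts):      # no extension, or a trailing dot
        return "ok"
    stem, exts = parts[0], parts[1:]
    if exts[-1] not in DANGEROUS_EXTS:        # .txt/.doc/.htm/.tmp do not run
        return "ok"
    if (stem in ATTACHMENT_STEMS and len(exts) <= 2
            and all(e in ATTACHMENT_EXTS for e in exts)):
        return "worm-pattern"
    if len(exts) >= 2:
        return "double-extension"
    return "executable"


def triage_message(subject: str, attachment: str) -> str:
    """Combine the attachment verdict with the subject line: 'deliver',
    'flag' (needs a look) or 'quarantine' (matches the worm's templates)."""
    verdict = classify_attachment(attachment)
    if verdict == "ok":
        return "deliver"
    if verdict == "worm-pattern" or subject.strip().lower() in WORM_SUBJECTS:
        return "quarantine"
    return "flag"
```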

Remote administration

Net-Worm.Win32.Mytob.x opens TCP port 6667 on the victim machine to listen for commands via IRC channels. This gives a remote malicious user full access to the victim machine, making it possible to access information on the system and to download, launch and delete files.

Other

The worm modifies the %System%\drivers\etc\hosts file by adding the entries below. Each listed site (mostly antivirus vendor and update servers) is mapped to the local loopback address, so the user will be unable to access these sites from the victim machine.

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.trendmicro.com
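
As an added example (not part of the Kaspersky description), a check that parses a hosts file and reports security-vendor names pinned to an unreachable address. The vendor domains are the second-level names from the list above; treating 0.0.0.0 and ::1 as sinkholes alongside 127.0.0.1 is a generalisation of this example, as is the constructed sample file.

```python
# Added example: detect hosts-file entries that block antivirus sites.
import ipaddress

# Second-level domains taken from the hosts entries listed above.
VENDOR_DOMAINS = {
    "symantec.com", "symantecliveupdate.com", "sophos.com", "mcafee.com",
    "viruslist.com", "f-secure.com", "kaspersky.com", "avp.com",
    "networkassociates.com", "ca.com", "my-etrust.com", "nai.com",
    "trendmicro.com", "microsoft.com",
}


def _is_sinkhole(ip_text: str) -> bool:
    """True for addresses that make a name unreachable: loopback or 0.0.0.0/::."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def _registered_domain(host: str) -> str:
    """Crude last-two-labels rule: 'liveupdate.symantec.com' -> 'symantec.com'."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def find_hosts_hijacks(hosts_text: str):
    """Return [(line_no, ip, hostname)] for vendor names mapped to a sinkhole."""
    findings = []
    for line_no, raw in enumerate(hosts_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()    # drop comments and blank lines
        if not line:
            continue
        ip_text, *hostnames = line.split()     # hosts lines: IP then one or more names
        if not _is_sinkhole(ip_text):
            continue
        for host in hostnames:
            if _registered_domain(host) in VENDOR_DOMAINS:
                findings.append((line_no, ip_text, host.lower()))
    return findings


def scan_hosts_file(path=r"C:\Windows\System32\drivers\etc\hosts"):
    """Run the check against a real hosts file (default: the Windows path)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_hosts_hijacks(fh.read())


# Constructed sample: a normal hosts file with three worm-style lines added.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1 www.symantec.com
127.0.0.1 liveupdate.symantec.com  # added by worm
10.1.2.3 intranet.example.test
0.0.0.0 update.mcafee.com
"""
```

Running `find_hosts_hijacks(SAMPLE_HOSTS)` reports the three vendor lines and ignores the legitimate localhost and intranet entries.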

IM-Flooder

IM-Flooder programs are designed to flood instant messenger channels (such as ICQ, MSN Messenger, AOL Instant Messenger, Yahoo Pager, Skype etc.) with meaningless messages. These tools are sometimes used by spammers.

Aliases

IM-Flooder.Win32.Bancos.x (Kaspersky Lab) is also known as:

  • Constructor.Win32.Mytob.x (Kaspersky Lab)
  • Net-Worm.Win32.Mytob.x (Kaspersky Lab)
  • Virus: W32/Mytob.gen@MM (McAfee)
  • W32/Mytob-AK (Sophos)
  • Worm.Mytob.AY (ClamAV)
  • W32/Mytob.gen.worm (Panda)
  • W32/Mytob.CI@mm (FPROT)
  • W32/Mytob.CF@mm (FPROT)
  • Worm:Win32/Mytob.AO@mm (MS(OneCare))
  • Worm:Win32/Mytob.CG@mm (MS(OneCare))
  • Win32.HLLM.MyDoom.based (DrWeb)
  • Win32/Mytob.BH worm (Nod32)
  • Win32.Worm.Mytob.Ao@mm.Damaged.A (BitDef7)
  • Win32.Generic.495810 (BitDef7)
  • I-Worm.Mytob.BS (VirusBuster)
  • Win32:Mytob-BI [Wrm] (AVAST)
  • Net-Worm.Win32.Mytob (Ikarus)
  • I-Worm/Mytob.BT (AVG)
  • WORM/Mytob.BF (AVIRA)
  • W32.Mytob.AF@mm (NAV)
  • W32.Mytob.AH@mm (NAV)
  • MyTob.dam (Norman)
  • W32/Packed_Mew.C (Norman)
  • W32/Mytob.ag@MM (NAI)
  • WORM_MYTOB.BT (PCCIL)
  • Worm.Mytob.GEN (Rising)
  • Net-Worm.Win32.Mytob.x [AVP] (FSecure)
  • WORM_MYTOB.BT (TrendMicro)
  • WORM_MYTOB.CK (TrendMicro)
  • Trojan.Win32.Ircbot!cobra (v) (Sunbelt)
  • I-Worm.Mytob.BS (VirusBusterBeta)