Net-Worm.Win32.Padobot.z
| Detected | Apr 28 2007 14:39 GMT |
| Released | Apr 28 2007 14:39 GMT |
| Published | Sep 23 2005 10:41 GMT |
This network worm infects computers running Windows. The worm itself is a Windows PE EXE file 46592 bytes in size. It propagates via the Microsoft Windows LSASS vulnerability, which is detailed in Microsoft Security Bulletin MS04-011.
Once launched, the worm copies itself to the Windows system directory under a random name, e.g.:
%System%\Chdmla32.exe
It also creates the following files:
It creates the following entries in the system registry:
[HKCR\CLSID\{random CLSID number}\InprocServer32]
(default) = "%System%\<random file name>.dll"
[HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"<random value>" = {random CLSID value}
[HKCU\Software\Microsoft\Windows]
"ifc" = "0x00000000"
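As an added example (not part of this description), a defender-side check for the persistence mechanism above: it parses a .reg export, lists ShellServiceObjectDelayLoad entries whose CLSID is not on a known-good baseline, and resolves each one to the DLL its InprocServer32 key would load. The sample export, the CLSIDs and the baseline set are constructed placeholders, not values from a real host.

```python
import re

# Constructed .reg-style sample (not from a real host): one baselined shell
# service object and one with a random-looking name whose CLSID points at a
# random-looking DLL in the system directory, the pattern this worm leaves.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebCheck"="{00000000-0000-0000-0000-00000000B0B0}"
"xkdqw"="{11111111-2222-3333-4444-555555555555}"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-00000000B0B0}\InprocServer32]
@="C:\\WINDOWS\\system32\\webcheck.dll"

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\WINDOWS\\system32\\Qwmzab32.dll"
"""
# Placeholder baseline: replace with CLSIDs verified on a clean build of the same OS.
KNOWN_GOOD_CLSIDS = {"{00000000-0000-0000-0000-00000000B0B0}"}
SSODL_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
INPROC_RE = re.compile(r"^HKEY_CLASSES_ROOT\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InprocServer32$", re.I)

def parse_reg(text):
    """Return {key: {value_name: data}} for string values in a .reg export."""
    tree, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            tree.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "(default)" if m.group(1) == "@" else m.group(1)[1:-1]
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")  # undo .reg backslash escaping
            tree[current][name] = data
    return tree

def find_suspicious_ssodl(text, known_good=KNOWN_GOOD_CLSIDS):
    """Return (value name, CLSID, DLL path) for SSODL entries not in the baseline."""
    tree = parse_reg(text)
    inproc = {}  # CLSID -> DLL path from its InprocServer32 default value
    for key, values in tree.items():
        m = INPROC_RE.match(key)
        if m:
            inproc[m.group(1).upper()] = values.get("(default)")
    baseline = {c.upper() for c in known_good}
    return [(n, c, inproc.get(c.upper(), "<no InprocServer32>"))
            for n, c in tree.get(SSODL_KEY, {}).items() if c.upper() not in baseline]
```

Every flagged entry deserves a look at the DLL's signature and hash; a loader value with a meaningless name and a DLL nobody installed is the combination this worm produces.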
The worm selects IP addresses to attack and sends a request to TCP port 445. If the remote machine responds, the worm will launch its code on this machine by exploiting the LSASS vulnerability.
The worm terminates some processes connected with antivirus software and firewalls.
It also tracks Internet Explorer activity, and saves information about which sites are visited, and then sends this information to a remote malicious user.
Net-Worms propagate via computer networks. The distinguishing feature of this type of worm is that it does not require user action in order to spread.
This type of worm usually searches for critical vulnerabilities in software running on networked computers. In order to infect the computers on the network, the worm sends a specially crafted network packet (called an exploit) and as a result the worm code (or part of the worm code) penetrates the victim computer and activates. Sometimes the network packet only contains the part of the worm code which will download and run a file containing the main worm module. Some network worms use several exploits simultaneously to spread, thus increasing the speed at which they find victims.
Net-Worm.