W32/BrepiBot.D!tr - Released Nov 10, 2005
Aliases: Backdoor.Ryknos [NAV], Backdoor.Win32.Breplibot.b [KAV], Troj/Stinx-E [Sophos], W32/BrepiBot!tr, W32/Brepibot-tr, W32/Ryknos.A [F-Prot]
CME: CME-589
Detailed Analysis
When first launched, the virus performs the following actions:
- it copies itself into the \%System%\ directory as $sys$drv.exe
- it deletes the initial file
- it stays idle until Internet access is available
Startup
Adds nothing to the registry to start on the next boot.
IRC Server Connection / Bot Activity
Once it has Internet access, it tries to reach the following addresses:
24.210.44.45
68.101.14.76
152.1.24.186
67.171.67.190
152.7.24.186
35.10.203.93
When a connection is established, it tries to log in to the IRC server with the following IDs:
NICK [0000-XP]qnifymb
USER bujlxaf . . :$$sony$$
None of the servers was reachable (connections were either refused or timed out).
The strings qnifymb and bujlxaf are certainly some kind of IDs (they change over time).
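The IRC login recorded above has fixed parts (the "[dddd-XX]" nick prefix and the "$$sony$$" realname) around the rotating IDs, and the dropper always uses the same filename. The following added example (not part of the original analysis) turns those fixed parts into simple detection logic and runs it over a constructed IRC capture; the regular expressions and sample lines are assumptions of this example.

```python
import re
from typing import List, Optional, Tuple

# Patterns derived from the login recorded in the analysis:
#   NICK [0000-XP]qnifymb
#   USER bujlxaf . . :$$sony$$
# The nick/user tokens change over time, so only the fixed parts are matched:
# a "[dddd-XX]" prefix on the nick and a "$$sony$$" realname in the USER command.
NICK_RE = re.compile(r"^NICK \[\d{4}-[A-Z0-9]{2}\][a-z]{5,9}\s*$")
USER_RE = re.compile(r"^USER \S+ \S+ \S+ :\$\$sony\$\$\s*$")
# Dropper filename from the analysis (copied into %System%); directory is not fixed here.
DROP_RE = re.compile(r"\\\$sys\$drv\.exe$", re.IGNORECASE)


def classify_irc_line(line: str) -> Optional[str]:
    """Return an indicator name if the IRC line matches the bot's login, else None."""
    if NICK_RE.match(line):
        return "breplibot-nick"
    if USER_RE.match(line):
        return "breplibot-user"
    return None


def is_dropper_path(path: str) -> bool:
    """True if a file path ends in the dropper's filename $sys$drv.exe."""
    return DROP_RE.search(path) is not None


def scan_irc_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, indicator) pairs for lines matching the bot's IRC login."""
    hits = []
    for number, line in enumerate(lines, 1):
        kind = classify_irc_line(line.strip())
        if kind:
            hits.append((number, kind))
    return hits


# Constructed sample capture of outbound IRC commands (not from the original analysis).
SAMPLE_LOG = [
    "NICK legituser",
    "NICK [0000-XP]qnifymb",
    "USER bujlxaf . . :$$sony$$",
    "JOIN #chat",
]

if __name__ == "__main__":
    print(scan_irc_log(SAMPLE_LOG))  # [(2, 'breplibot-nick'), (3, 'breplibot-user')]
```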
Additional payloads
It stops the service "kmixer".