W32/DrudgeBot.A!worm

Aliases: Backdoor.Win32.IRCBot.et [KAV], CME-702, W32.Zotob.G [NAV], W32/DrudgeBot.1130-tr, W32/DrudgeBot.A!worm, Win32/Drugtob.A!Worm [CA], WORM_DRUDGEBOT.A [Trend]
Release Date: May 12, 2006
Detection Availability

                 Active Database    Extended Database
  FortiGate      low                high
  FortiClient
  FortiMail      N/A
Current Antivirus Definition Database Version: 12.323
Description

Visible Symptoms

  • Creation of the folder "usrnt" in the System32 folder

  • The new folder "usrnt" contains the file "windrg32.exe", with a file size of 73,728 bytes

Detailed Analysis

  • This virus writes itself to a newly created subfolder of the System32 folder as "\usrnt\windrg32.exe"

  • When this virus is run, it registers to load at Windows startup via this registry key -

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Run\
    "WinDrg32" = %SYSTEM%\USRNT\WINDRG32.EXE


  • This virus binds to TCP port 6667 and connects to three IRC servers, where it awaits instructions from a remote attacker -

    Spookestreet.afraid.org
    Spookystreet.udp-flood.com
    Spookystreet.m00p.org


  • The bot can process instructions such as these examples -

    • crack.user - uses a dictionary method to guess the user name and the password of a target

    • scan.pnp - uses a scan routine coupled with an exploit against PnP [MS05-039]; additionally this function involves use of TFTP using TCP port 69

    • scan.range - returns the IP address of the target

    • bot.google - uses the online search engines "google.com", "yahoo.com" and "ebay.com" to search for assigned information

    • bot.pwnzjoorface - locates a new IRC server using TCP port 6667

    • download.update - downloads an assigned program and runs it

    • info.system - returns detailed information about the compromised system, such as OS edition, memory size, number of users, address and so on

    • thread.list - lists running threads / processes
  • The bot has these other functional instruction codes -
    Bot.sysup
    ! Addspy
    Clone.add
    Bot.test
    ! Test
    Kick

  • This virus removes common spyware/adware programs and their registry entries -

    • Deletes the following subfolders of the "Program Files" folder, including all of their subfolders and files -

      \AutoUpdate
      \EbatesMoeMoneyMaker
      \eZula
      \Common Files\GMT
      \Common Files\CMEII
      \CxtPls
      \NavExcel
      \Toolbar
      \Common Files\WinTools
      \180Solutions
      \Hotbar
      \MyWay
      \MyWebSearch
      \FunWebProducts

    • Terminates any files or processes running in memory matching these names -

      Qttask.exe
      Realsched.exe
      ViewMgr.exe
      NHUpdater.exe
      CxtPls.exe
      CMESys.exe

    • Deletes the following startup entries from the Run, RunOnce and RunServices registry keys -

      WeatherOnTray
      EbatesMoeMoneyMaker
      AutoUpdater
      EZmmod
      Trickler
      CMESys
      QuickTime Task
      TkBellExe
      ViewMgr
      TBPS
      WinTools
      Tov
      Sais
      Msbb
      Saie
      180ax
      Lgbibsn
      Tov

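A defender-side indicator check for the artefacts listed above, added here as an example and not Fortinet's code: it matches outbound connection records against the three IRC servers on TCP port 6667, Run-key values against the "WinDrg32" entry and the dropped path, and a file listing against the 73,728-byte "windrg32.exe". The connection-log line format, the function names and the sample records are assumptions constructed for the example.

```python
import re

# Indicators taken from the description above (hostnames compared lowercase).
IRC_HOSTS = {"spookestreet.afraid.org", "spookystreet.udp-flood.com",
             "spookystreet.m00p.org"}
IRC_PORT = 6667
RUN_VALUE_NAME = "windrg32"                       # Run value written by the worm
DROP_PATH_RE = re.compile(r"\\usrnt\\windrg32\.exe$", re.IGNORECASE)
DROP_SIZE = 73728                                 # bytes, per Visible Symptoms


def check_connections(lines):
    """Return (src_ip, host) for connections to the listed IRC servers on 6667.
    Assumed (hypothetical) log format: '<ts> <src_ip> -> <dst_host>:<dst_port>'."""
    hits = []
    for line in lines:
        m = re.match(r"\S+ (\S+) -> ([^:\s]+):(\d+)$", line.strip())
        if m and m.group(2).lower() in IRC_HOSTS and int(m.group(3)) == IRC_PORT:
            hits.append((m.group(1), m.group(2).lower()))
    return hits


def check_run_keys(entries):
    """entries: (value_name, data) pairs dumped from Run/RunOnce/RunServices."""
    return [(n, d) for n, d in entries
            if n.lower() == RUN_VALUE_NAME or DROP_PATH_RE.search(d)]


def check_file(path, size):
    """True when a file matches the dropped copy by path and exact size."""
    return bool(DROP_PATH_RE.search(path)) and size == DROP_SIZE


def assess(lines, entries, files):
    """Names of the indicators that fired; any single hit warrants isolating the host."""
    fired = []
    if check_connections(lines):
        fired.append("irc_c2")
    if check_run_keys(entries):
        fired.append("run_key")
    if any(check_file(p, s) for p, s in files):
        fired.append("dropped_file")
    return fired


# Constructed sample input for a stand-alone run; not captured data.
SAMPLE_LOG = ["2006-05-12T10:01:02 10.0.0.5 -> spookystreet.m00p.org:6667",
              "2006-05-12T10:01:03 10.0.0.5 -> www.example.com:80"]
SAMPLE_RUN = [("WinDrg32", r"%SYSTEM%\USRNT\WINDRG32.EXE"),
              ("ctfmon.exe", r"C:\WINDOWS\System32\ctfmon.exe")]
SAMPLE_FILES = [(r"C:\WINDOWS\System32\usrnt\windrg32.exe", 73728)]
```

Calling `assess(SAMPLE_LOG, SAMPLE_RUN, SAMPLE_FILES)` on the constructed data returns all three indicator names; a clean host returns an empty list.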
Description Last Updated Date: Mar 13, 2007
Reference: ID - 71751