W32/DrudgeBot.A!worm - Released Aug 16, 2005 - Last Updated Mar 13, 2007

Alias/es

Backdoor.Win32.IRCBot.et [KAV], CME-702, W32.Zotob.G [NAV], W32/DrudgeBot.1130-tr, W32/DrudgeBot.A!worm, Win32/Drugtob.A!Worm [CA], WORM_DRUDGEBOT.A [Trend]

Detection Availability

                  Active Database    Extended Database
    FortiGate     low                high
    FortiClient
    FortiMail     N/A

Visible Symptoms

  • Creation of the folder "usrnt" in the System32 folder

  • The new folder "usrnt" contains the file "windrg32.exe", with a file size of 73,728 bytes

Detailed Analysis

  • This virus writes itself to a newly created subfolder of the System32 folder as "\usrnt\windrg32.exe"

  • When this virus is run, it registers to load at Windows startup via this registry key -

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Run\
    "WinDrg32" = %SYSTEM%\USRNT\WINDRG32.EXE


  • This virus binds to TCP port 6667 and connects to three IRC servers, awaiting instructions from a hacker -

    Spookestreet.afraid.org
    Spookystreet.udp-flood.com
    Spookystreet.m00p.org


  • The bot can process instructions such as these examples -

    • crack.user - uses a dictionary method to guess the user name and password of a target

    • scan.pnp - uses a scan routine coupled with an exploit against PnP [MS05-039]; this function additionally uses TFTP on TCP port 69

    • scan.range - returns the IP address of the target

    • bot.google - uses the online search engines "google.com", "yahoo.com" and "ebay.com" to search for assigned information

    • bot.pwnzjoorface - locates a new IRC server using TCP port 6667

    • download.update - downloads an assigned program and runs it

    • info.system - returns detailed information about the compromised system, such as OS edition, memory size, number of users, address and so on

    • thread.list - lists running threads / processes
  • The bot has these other functional instruction codes -
    Bot.sysup
    ! Addspy
    Clone.add
    Bot.test
    ! Test
    Kick

  • This virus removes common spyware/adware programs and their registry entries

    • Deletes the following subfolders of the "Program Files" folder, including all of their subfolders and files -

      \AutoUpdate
      \EbatesMoeMoneyMaker
      \eZula
      \Common Files\GMT
      \Common Files\CMEII
      \CxtPls
      \NavExcel
      \Toolbar
      \Common Files\WinTools
      \180Solutions
      \Hotbar
      \MyWay
      \MyWebSearch
      \FunWebProducts

    • Terminates any processes running in memory that match these file names -

      Qttask.exe
      Realsched.exe
      ViewMgr.exe
      NHUpdater.exe
      CxtPls.exe
      CMESys.exe

    • Deletes the following startup entries from the Run, RunOnce and RunServices registry keys -

      WeatherOnTray
      EbatesMoeMoneyMaker
      AutoUpdater
      EZmmod
      Trickler
      CMESys
      QuickTime Task
      TkBellExe
      ViewMgr
      TBPS
      WinTools
      Tov
      Sais
      Msbb
      Saie
      180ax
      Lgbibsn
      Tov
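
As an added detection example (not part of this write-up), the following Python checks two of the host artifacts described above: a .reg export of the Run/RunOnce/RunServices keys for the "WinDrg32" autorun value or the usrnt\windrg32.exe drop path, and an egress firewall log for connections to the three listed IRC servers on TCP port 6667. The registry export, the log lines and the log field layout are constructed for the example.

```python
import re

# Indicators from the write-up above: C2 hosts, IRC port, autorun value, drop path.
C2_HOSTS = {"spookestreet.afraid.org", "spookystreet.udp-flood.com",
            "spookystreet.m00p.org"}
C2_PORT = 6667
RUN_VALUE = "windrg32"
DROP_PATH = r"usrnt\windrg32.exe"

# Constructed sample: a .reg export of the Run key from an infected host.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"WinDrg32"="C:\\WINDOWS\\system32\\USRNT\\WINDRG32.EXE"
"""

# Constructed sample: egress firewall log; fields are date time action proto src dst sport dport.
SAMPLE_NETLOG = """\
2005-08-16 10:01:02 ALLOW TCP 192.168.1.20 203.0.113.5 1045 80
2005-08-16 10:01:09 ALLOW TCP 192.168.1.20 spookystreet.m00p.org 1046 6667
2005-08-16 10:01:11 ALLOW UDP 192.168.1.20 192.168.1.1 1047 53
"""

def run_key_hits(reg_text):
    # (value name, data) pairs under Run/RunOnce/RunServices that carry the
    # WinDrg32 value name or point at the usrnt\windrg32.exe drop path.
    hits, in_run_key = [], False
    for line in reg_text.splitlines():
        if line.startswith("["):
            in_run_key = re.search(r"\\Run(Once|Services)?\]$", line) is not None
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if in_run_key and m:
            # .reg exports double every backslash; undo that before matching.
            name, data = m.group(1), m.group(2).replace("\\\\", "\\")
            if name.lower() == RUN_VALUE or DROP_PATH in data.lower():
                hits.append((name, data))
    return hits

def c2_flows(netlog):
    # (src, dst, dport) for every flow to a listed C2 host on the IRC port.
    flows = []
    for line in netlog.splitlines():
        f = line.split()
        if len(f) < 8:
            continue
        src, dst, dport = f[4], f[5].lower(), int(f[7])
        if dst in C2_HOSTS and dport == C2_PORT:
            flows.append((src, dst, dport))
    return flows
```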

Recommended Action

    FortiGate systems:

  • check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed -- if required, enable the "Allow Push Update" option

Reference: ID - 71751