Visible Symptoms
- Creation of the file "per.exe" in the System32 folder, with a file size of 31,744 bytes

Detailed Analysis
* This virus writes itself to the System32 folder as "per.exe" and creates a Mutex named "B-O-T-Z-O-R" to prevent loading more than one instance
* When this virus is run, it registers to load at Windows startup via the registry -
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
"WINDOWS SYSTEM" = \per.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
"WINDOWS SYSTEM" = \per.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"WINDOWS SYSTEM" = \per.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
"WINDOWS SYSTEM" = \per.exe
* The virus will alter Internet Explorer registry settings -
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
start = "4"
Used to prevent Windows 2000/XP shared access
* The virus blocks access attempts to various antivirus and security vendor sites by modifying the "hosts" domain name resolution file; all modified site names are redirected back to the infected host. A copy of the modified "hosts" file is below -
www.symantec.com
securityresponse.symantec.com
symantec.com
www.sophos.com
sophos.com
www.mcafee.com
mcafee.com
liveupdate.symantecliveupdate.com
www.viruslist.com
viruslist.com
viruslist.com
f-secure.com
www.f-secure.com
kaspersky.com
kaspersky-labs.com
www.avp.com
www.kaspersky.com
avp.com
www.networkassociates.com
networkassociates.com
www.ca.com
ca.com
mast.mcafee.com
my-etrust.com
www.my-etrust.com
download.mcafee.com
dispatch.mcafee.com
secure.nai.com
nai.com
www.nai.com
update.symantec.com
updates.symantec.com
us.mcafee.com
liveupdate.symantec.com
customer.symantec.com
rads.mcafee.com
trendmicro.com
pandasoftware.com
www.pandasoftware.com
www.trendmicro.com
www.grisoft.com
www.microsoft.com
microsoft.com
www.virustotal.com
virustotal.com
www.amazon.com
www.amazon.co.uk
www.amazon.ca
www.amazon.fr
www.paypal.com
paypal.com
moneybookers.com
www.moneybookers.com
www.ebay.com
ebay.com
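A defender's check for the hosts-file tampering described above. This is an added example, not part of the original write-up: it parses hosts-file text with the Python standard library only and flags any entry that pins one of the watched vendor or update domains to a loopback address, or to an address you pass in as the machine's own. The domain set is a subset of the list quoted above, and the sample hosts content is constructed for the demonstration.

```python
"""Check hosts-file text for the vendor-site redirections described above.

Added example, not part of the original write-up. It parses hosts-file
content with the standard library only and flags any entry that maps one
of the watched domains to a loopback address or to an address supplied as
the machine's own, which is how the worm pins those names to the infected
host. The sample hosts text below is constructed for the demonstration.
"""
import ipaddress

# Subset of the domains in the modified hosts file quoted above; extend the
# set with the full list when deploying the check.
WATCHED_DOMAINS = {
    "www.symantec.com", "securityresponse.symantec.com", "symantec.com",
    "www.sophos.com", "sophos.com", "www.mcafee.com", "mcafee.com",
    "liveupdate.symantecliveupdate.com", "www.f-secure.com", "f-secure.com",
    "www.kaspersky.com", "kaspersky.com", "www.trendmicro.com", "trendmicro.com",
    "www.microsoft.com", "microsoft.com", "www.virustotal.com", "virustotal.com",
    "www.paypal.com", "paypal.com", "www.ebay.com", "ebay.com",
}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                           # address with no names
        for name in parts[1:]:
            # normalise case and a trailing dot so lookups are exact
            yield parts[0], name.lower().rstrip(".")


def find_redirections(text, local_addrs=()):
    """Return sorted (hostname, ip) pairs where a watched domain is mapped to
    loopback or to one of local_addrs (the host's own addresses)."""
    local = set()
    for a in local_addrs:
        try:
            local.add(ipaddress.ip_address(a))
        except ValueError:
            pass                               # ignore malformed caller input
    hits = set()
    for ip, name in parse_hosts(text):
        if name not in WATCHED_DOMAINS:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue                           # malformed address field
        if addr.is_loopback or addr in local:
            hits.add((name, ip))
    return sorted(hits)


# Constructed sample: a normal localhost entry plus two worm-style
# redirections, one to loopback and one to the machine's own LAN address.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1       www.symantec.com   # pinned to loopback by the worm
192.168.1.20    liveupdate.symantecliveupdate.com
0.0.0.0         ads.example.invalid
"""

if __name__ == "__main__":
    for name, ip in find_redirections(SAMPLE_HOSTS, local_addrs=["192.168.1.20"]):
        print(f"suspicious hosts entry: {name} -> {ip}")
```

On a real machine, read `%SystemRoot%\System32\drivers\etc\hosts` into `text` and pass the host's interface addresses as `local_addrs`; an entry that points a vendor update domain anywhere but its real address is worth a look even when it is not loopback.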
* This virus contains the following text string, which is not displayed -
msn: Botzor2 pnp+asn+mail spread. Greetz to good friend
Coder. Based On HellBot3
F-secure, sophos ok wait bitchs! ! !
* This virus binds to TCP port 33333 and can receive common FTP commands such as USER, PASS, SYST, REST, PWD, TYPE, PORT, RETR, QUIT and so on
* The virus connects to the IRC server named "diabl0.turkcoders.net" using TCP port 8080 and awaits instructions from a hacker
* The virus starts up to 200 processes to search for other computers using TCP port 445 - for each system found, the virus sends PnP exploit code to that system [an attack against pre-MS05-039 systems]
* If an attack is successful against the target, the newly infected system binds to TCP port 8888 and awaits hacker instructions
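The port 445 scanning behaviour above is easy to spot from the network side, because one source fans out to many distinct destinations on a single port in a short time. The following is an added example, not part of the original write-up: it reads connection-log lines in a constructed format (an assumption, not any vendor's syntax), groups attempts to TCP/445 by source address, and reports sources that reached a threshold of distinct destinations inside a sliding time window. The sample log is built inline for the demonstration.

```python
"""Flag hosts that fan out on TCP port 445 the way the worm's scanner does.

Added example, not part of the original write-up. It reads connection-log
lines in a constructed format (an assumption, not any vendor's syntax),
groups attempts to TCP/445 by source address and reports sources that
reached a threshold of distinct destinations inside a sliding time window.
Ordinary file-server use touches a handful of hosts; a worm scanner
touches hundreds.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SCAN_PORT = 445


def parse_line(line):
    """Parse '<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <action>'."""
    ts, src, _arrow, dst, action = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst_ip, int(dst_port), action


def find_scanners(lines, threshold=20, window_seconds=60):
    """Return {src_ip: peak} for sources whose count of distinct TCP/445
    destinations within any window_seconds span reached the threshold."""
    events = defaultdict(list)
    for line in lines:
        ts, src, dst_ip, port, _action = parse_line(line)
        if port == SCAN_PORT:
            events[src].append((ts, dst_ip))

    flagged = {}
    for src, evs in events.items():
        evs.sort()
        window = deque()              # (ts, dst) pairs inside the current window
        in_window = defaultdict(int)  # dst -> occurrences inside the window
        peak = 0
        for ts, dst in evs:
            window.append((ts, dst))
            in_window[dst] += 1
            # evict events older than the window relative to the newest one
            while (ts - window[0][0]).total_seconds() > window_seconds:
                _old_ts, old_dst = window.popleft()
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def build_sample_log():
    """Constructed log: one scanning host, one normal SMB user, one web client."""
    base = datetime(2005, 8, 15, 10, 0, 0)
    lines = []
    for i in range(30):   # scanner: 30 distinct hosts in 15 seconds, all refused
        t = base + timedelta(seconds=i // 2)
        lines.append(f"{t.isoformat()} 10.0.0.7 -> 10.0.1.{i + 1}:445 DENY")
    for i in range(3):    # normal user: three file shares over the same period
        t = base + timedelta(seconds=i * 5)
        lines.append(f"{t.isoformat()} 10.0.0.8 -> 10.0.2.{i + 1}:445 ALLOW")
    lines.append(f"{base.isoformat()} 10.0.0.9 -> 203.0.113.5:80 ALLOW")
    return lines


if __name__ == "__main__":
    for src, peak in find_scanners(build_sample_log()).items():
        print(f"{src}: {peak} distinct TCP/445 targets within 60 s")
```

The threshold and window are tuning knobs: the worm's scanner hits far more hosts than the default of 20 per minute, so the default is conservative, and a site with legitimate SMB inventory scanners should allow-list those sources rather than raise the threshold.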
* This virus can spread to other systems using its own SMTP engine - the virus gathers email addresses from the usual suspects (files that end in these extensions) -
'* txt', '* htmb', '* shtl', '* jspl'
'* cgil', '* xmls', '* phpq', '* aspd'
'* dbxn', '* tbbg', '* adbh', '* pl'
'* html', '* wab'
* The virus avoids harvested addresses that contain these strings -
Abuse, security, admin, support, contact, webmaster,
Info, samples, postmaster, webmaster, noone, nobody,
Nothing, anyone, someone, your, you, me, bugs, Rating,
site, contact, soft, no, somebody, privacy, Service,
help, not, submit, feste, ca, gold-certs, The.bat, page,
Syma, icrosof, msn., hotmail, panda, sopho, borlan,
inpris, Example, mydomai, nodomai, ruslis, gov, gov.,
mil, foo., Unix, math, bsd, mit.e, gnu, fsf., ibm.com,
google, Kernel, linux, fido, usenet, iana, ietf, rfc-ed,
Sendmail, arin., ripe., isi.e, isc.o, secur, acketst,
Pgp, tanford.e, utgers.ed, mozilla, icrosoft, support,
Ntivi, unix, bsd, linux, listserv, certific, google,
accoun
* The virus spoofs the sender email address and uses any of these names in the "From" field -
"john", "josh", "alex",
"michael", "james", "mike",
"kevin", "david", "george",
"sam", "andrew", "jose",
"leo", "maria", "jim",
"brian", "serg", "mary",
"ray", "tom", "peter",
"robert", "bob", "jane",
"joe", "dan", "dave",
"matt", "steve", "smith",
"stan", "bill", "bob",
"jack", "fred", "ted",
"paul", "brent", "sales",
"anna", "brenda", "claudia",
"debby", "helen", "jerry",
"jimmy", "julie", "linda",
"michael", "frank", "adam",
"barbara", "erik", "contact",
"sandra"
* The virus creates emails with any of the following subject lines -
Warning! !
**Warning**
Hello
Confirmed...
Important!
* The virus uses any of these as the body text of the new message -
Looooool
We found a photo of you in...
That's your photo! ! ?
Hey! !
0K here is it!
* The attached copy of the virus will have a name such as one of these -
Photo
Your_photo
Image
Picture
Sample
Loool
Webcam_photo
with one of these extensions - pif, scr, exe, cmd, bat
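The subject lines, body texts, attachment names and extensions above combine into a mail-gateway rule. The following is an added example, not part of the original write-up: it inspects a raw message with the Python standard library's email package and reports which indicators match, treating only the attachment name-plus-extension combination as decisive on its own, since a subject like "Hello" is common in legitimate mail. The sample messages are constructed for the demonstration.

```python
"""Mail-gateway check for the message pattern described above.

Added example, not part of the original write-up. It inspects a raw RFC 822
message using only the standard library and reports which of the worm's
indicators it matches: a listed subject line, a listed body text, and an
attachment whose base name and extension both come from the lists above.
Only the attachment indicator is decisive on its own; subject plus body
together earn a review, and anything less passes. The sample messages are
built here for the demonstration.
"""
import email
from email import policy
from email.message import EmailMessage

SUBJECTS = {"Warning! !", "**Warning**", "Hello", "Confirmed...", "Important!"}
BODY_TEXTS = {"Looooool", "We found a photo of you in...",
              "That's your photo! ! ?", "Hey! !", "0K here is it!"}
ATTACH_NAMES = {"photo", "your_photo", "image", "picture", "sample",
                "loool", "webcam_photo"}
ATTACH_EXTS = {"pif", "scr", "exe", "cmd", "bat"}


def split_name(filename):
    """Return (base, ext) lower-cased; ext is '' when there is no dot."""
    base, dot, ext = filename.rpartition(".")
    if not dot:
        return filename.lower(), ""
    return base.lower(), ext.lower()


def check_message(raw_bytes):
    """Return indicator matches and a verdict for one raw message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = {"subject": False, "body": False, "attachment": None}

    subject = str(msg["Subject"] or "").strip()
    findings["subject"] = subject in SUBJECTS

    body_part = msg.get_body(preferencelist=("plain",))
    if body_part is not None:
        findings["body"] = body_part.get_content().strip() in BODY_TEXTS

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        base, ext = split_name(name)
        if base in ATTACH_NAMES and ext in ATTACH_EXTS:
            findings["attachment"] = name   # decisive: name and extension both match
            break

    if findings["attachment"]:
        findings["verdict"] = "block"
    elif findings["subject"] and findings["body"]:
        findings["verdict"] = "review"
    else:
        findings["verdict"] = "pass"
    return findings


def build_sample():
    """Constructed message shaped like the worm's mail."""
    msg = EmailMessage()
    msg["From"] = "john@example.invalid"      # spoofed first-name sender
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Hello"
    msg.set_content("We found a photo of you in...")
    msg.add_attachment(b"constructed placeholder bytes", maintype="application",
                       subtype="octet-stream", filename="Your_photo.scr")
    return msg.as_bytes()


def build_benign():
    """Constructed ordinary message that shares only the subject line."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Hello"
    msg.set_content("Are we still on for the meeting tomorrow?")
    msg.add_attachment(b"constructed placeholder bytes", maintype="application",
                       subtype="pdf", filename="agenda.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    print(check_message(build_sample()))
    print(check_message(build_benign()))
```

The name and extension lists are short and fixed in this worm, so exact matching is enough here; a gateway rule meant to outlast one family would instead key on the executable extensions alone and quarantine every inbound attachment carrying one.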