VirusW32/Vanebot.AT
Analysis
- Sample is packed with Themida.
- Copies itself to the undefinedSystemundefined\dllcache folder as winsntp.exe, then runs this copy.
- Deletes the original file after execution.
Registry Modification
- Adds the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MEMOREX_NETWORK_ANALYSIS_TOOL
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Memorex Network Analysis Tool
Network Propagation
- Attempts to connect to $IPC shares in the network by using the following user names and passwords:
- 00
- 000
- 0000
- 00000
- 000000
- 0000000
- 00000000
- 12
- 123
- 1234
- 12345
- 123456
- 1234567
- 12345678
- 123456789
- abc
- abc123
- access
- adm
- admin
- alpha
- anon
- anonymous
- asdfgh
- backdoor
- backup
- beta
- bin
- coffee
- computer
- crew
- database
- debug
- default
- demo
- free
- go
- guest
- hello
- install
- internet
- login
- manager
- money
- monitor
- network
- new
- newpass
- nick
- nobody
- nopass
- one
- oracle
- pass
- passwd
- password
- poiuytre
- private
- pub
- public
- qwerty
- random
- real
- remote
- root
- ruler
- sa
- secret
- secure
- security
- server
- setup
- shadow
- shit
- sql
- super
- sys
- system
- telnet
- temp
- test
- test1
- test2
- visitor
- web
- windows
- www
- Propagates by exploiting the "SQL Server 7.0 Service Pack Password" Vulnerability.
Instant Messenger Propagation
- Sends copies itself to all contacts in the following messenger applications:
- AOL Instant Messenger
- ICQ
- MSN Messenger
- Yahoo Messenger
Backdoor Behavior
- Stops the following antivirus services:
- Norton AntiVirus Auto Protect Service
- Mcshield
- Panda Antivirus
- Sets itself up as an FTP server.
- Steal confidential information such as passwords.
- Attempts to terminate certain processes that have the following strings:
- Ad-aware
- anti
- avg
- avp
- blackice
- firewall
- f-pro
- hijack
- kav
- lockdown
- mcafee
- nod32
- norton
- proc
- reged
- spybot
- spyware
- troja
- viru
- vsmon
- zonea
- Connects to an Internet Relay Chat (IRC) server and listens for commands that allow the remote attacker to perform any of the following actions:
- Remove itself from the system
- Join a channel
- Part from a channel
- Update IRC nick
- Download files
- Update itself
- Spread through instant messengers
- Scan for exploits
- Log keystrokes
- Flood specified servers with SYN packets
- Kill processes
- Get system information
- Format drives
- Sniff the network
Recommended Action
-
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Patch
- Download and install the patch for the >"SQL Server 7.0 Service Pack Password" Vulnerability : http://www.microsoft.com/technet/security/bulletin/MS00-035.mspx.
Telemetry
Detection Availability
| FortiClient | |
|---|---|
| Extreme | |
| FortiMail | |
| Extreme | |
| FortiSandbox | |
| Extreme | |
| FortiWeb | |
| Extreme | |
| Web Application Firewall | |
| Extreme | |
| FortiIsolator | |
| Extreme | |
| FortiDeceptor | |
| Extreme | |
| FortiEDR |