Threat Encyclopedia
W32/Spybot.EO!worm
Analysis
- Virus is 32bit with a compressed file size of 55,199 bytes
- If the virus is run, it will move a copy of itself to the %Windows%\System32 folder as "fucker.exe" and modify the registry to auto run at next Windows startup -
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce\
"spolerv.exe" = FUCKER.EXE gtb0t ##tester2## fuckpass (extra data)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"spolerv.exe" = FUCKER.EXE gtb0t ##tester2## fuckpass (extra data)
- If the virus is run, it will perform a DNS query against the IRC server "l3mer.hopto.org" in order to identify its known IP address (213.152.251.129)
- Next the virus may attempt to connect to the IP address 213.152.251.129 using TCP port 6667
- The virus will send the instruction "JOIN ##tester2## fuckpass" and await commands from a hacker or group of hackers
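The DNS lookup and the IRC connection above are the two network indicators a defender can match on. The following Python script is an added example, not part of the encyclopedia entry: it runs over a few constructed DNS and connection log lines (the "kind key=value" log format is an assumption made for this example) and reports the hostname lookup, the TCP/6667 connection, and any other contact with the listed IP address, which the Recommended Action section says to block outright.

```python
"""Match the W32/Spybot.EO C2 indicators against DNS and connection logs.

Added example; indicators come from the encyclopedia entry, the log format
and sample lines are constructed for this example.
"""
import re
from typing import Dict, List

# Indicators taken from the entry.
C2_HOSTNAME = "l3mer.hopto.org"
C2_IP = "213.152.251.129"
C2_PORT = 6667

# Constructed sample log lines in an assumed "kind key=value ..." format.
SAMPLE_LOGS = [
    "dns ts=1 src=10.0.0.7 query=www.example.com",
    "dns ts=2 src=10.0.0.7 query=l3mer.hopto.org",
    "conn ts=3 src=10.0.0.7 dst=213.152.251.129 dport=6667 proto=tcp",
    "conn ts=4 src=10.0.0.9 dst=93.184.216.34 dport=443 proto=tcp",
    "conn ts=5 src=10.0.0.9 dst=213.152.251.129 dport=80 proto=tcp",
]

_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Split 'kind k=v k=v ...' into a dict; the record kind is stored under 'kind'."""
    kind, _, rest = line.partition(" ")
    fields = dict(_KV.findall(rest))
    fields["kind"] = kind
    return fields


def find_c2_indicators(lines: List[str]) -> List[Dict[str, str]]:
    """Return one alert dict per log line that matches an indicator from the entry."""
    alerts = []
    for line in lines:
        f = parse_line(line)
        src = f.get("src", "?")
        if f["kind"] == "dns":
            # Hostname match is case-insensitive and tolerates a trailing dot.
            if f.get("query", "").lower().rstrip(".") == C2_HOSTNAME:
                alerts.append({"src": src, "rule": "dns-c2-hostname", "evidence": f["query"]})
        elif f["kind"] == "conn" and f.get("dst") == C2_IP:
            evidence = f"{f['dst']}:{f.get('dport', '?')}"
            if f.get("proto") == "tcp" and f.get("dport") == str(C2_PORT):
                alerts.append({"src": src, "rule": "irc-c2-connect", "evidence": evidence})
            else:
                # Any other traffic to the C2 address is still worth a look.
                alerts.append({"src": src, "rule": "c2-ip-contact", "evidence": evidence})
    return alerts


def hosts_with_indicators(lines: List[str]) -> List[str]:
    """Sorted list of internal hosts that produced at least one alert."""
    return sorted({a["src"] for a in find_c2_indicators(lines)})


if __name__ == "__main__":
    for alert in find_c2_indicators(SAMPLE_LOGS):
        print(alert)
```

Note the DNS rule fires before any connection is made, which is useful when the resolved address changes; the hostname in the entry is a dynamic DNS name, so the IP-based rule alone can go stale.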
- Some of the commands supported include the following -
cd-rom
cmd
d0wn
delete
disconnect
execute
get
httpserver
info
kazaabackupfiles
keyboardlights
killprocess
killthread
list
listprocesses
login
makedir
opencmd
passwords
quit
raw
reboot
reconnect
redirect
redirectspy
rename
scan
sendkeys
sendto
server
shittall
spy
startkeylogger
stopkeylogger
stopredirectspy
stopspy
syn
threads
- The virus may receive an instruction such as the following -
scan 24.x.x.x 445 3 nb
This instructs the virus to scan the 24 dot subnet (24.x.x.x) using TCP port 445 (NetBIOS) in search of potential targets
- The virus will then attempt to scan IP addresses using TCP port 445 in an effort to detect potential targets for infection - the destination port will begin near 1034 and continue sequentially, with periodic communication on known ports such as 1434 and others
- If a system is located, the virus will attempt to connect to that system using weak logon user password combinations
- Once a system is compromised, the virus will attempt to copy itself to that system using one of a few possible file names such as kaza.exe, fucker.exe or other file names
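The scan described above shows up in firewall or flow logs as one source reaching many distinct destinations on TCP port 445 in a short time. The following Python script is an added example, not part of the encyclopedia entry: it applies a sliding-window fan-out rule to constructed connection records ("ts src dst dport", an assumed format) and flags the sweeping host while leaving ordinary file-server traffic and slow, spread-out activity alone. The threshold and window values are assumptions to be tuned per network.

```python
"""Flag hosts sweeping TCP/445, the scanning behaviour described in the entry.

Added example; the record format, thresholds and sample data are constructed
for this example and are not from the encyclopedia entry.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple


@dataclass(frozen=True)
class Conn:
    ts: int
    src: str
    dst: str
    dport: int


def parse_conn(line: str) -> Conn:
    """Parse one 'ts src dst dport' record (assumed format)."""
    ts, src, dst, dport = line.split()
    return Conn(int(ts), src, dst, int(dport))


def detect_sweeps(lines: List[str], port: int = 445,
                  threshold: int = 20, window: int = 60) -> Dict[str, int]:
    """Return {src: ts} for each source that reaches at least `threshold` distinct
    destinations on `port` within any `window`-second span; ts is the record that
    pushed it over the threshold."""
    per_src: Dict[str, Deque[Tuple[int, str]]] = defaultdict(deque)
    hits: Dict[str, int] = {}
    for c in sorted(map(parse_conn, lines), key=lambda c: c.ts):
        if c.dport != port or c.src in hits:
            continue
        q = per_src[c.src]
        q.append((c.ts, c.dst))
        # Drop records that fell out of the window.
        while q and q[0][0] < c.ts - window:
            q.popleft()
        if len({dst for _, dst in q}) >= threshold:
            hits[c.src] = c.ts
    return hits


def build_sample_logs() -> List[str]:
    """Constructed records: one infected host sweeping 24.x.x.x, some normal
    SMB clients, one slow scanner, and unrelated traffic."""
    lines = []
    # Infected host walking the 24.x.x.x range on TCP/445, one host per second.
    for i in range(1, 26):
        lines.append(f"{100 + i} 10.0.0.7 24.0.0.{i} 445")
    # Normal clients reaching a couple of file servers on TCP/445.
    lines += ["105 10.0.0.9 10.0.0.5 445",
              "130 10.0.0.9 10.0.0.6 445",
              "131 10.0.0.11 10.0.0.5 445"]
    # A host touching many destinations on 445 but only once every ten minutes:
    # never reaches the threshold inside a 60-second window.
    for i in range(1, 26):
        lines.append(f"{1000 + i * 600} 10.0.0.20 24.0.1.{i} 445")
    # Non-445 traffic is ignored by the rule.
    lines.append("140 10.0.0.7 93.184.216.34 443")
    return lines


if __name__ == "__main__":
    print(detect_sweeps(build_sample_logs()))
```

The rule counts distinct destinations rather than raw connection attempts, so a client retrying one server repeatedly does not trip it; widening the window catches slower sweeps at the cost of more false positives from backup and management hosts.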
- The virus will attempt to copy the file to any of the following folders if found -
Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage
Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar
Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica
Documents and Settings\All Users\Menu Start\Programma's\Opstarten
WINDOWS\All Users\Start Menu\Programs\StartUp
WINNT\Profiles\All Users\Start Menu\Programs\Startup
WINDOWS\Start Menu\Programs\Startup
Documenti e Impostazioni\All Users\Start Menu\Programs\Startup
Dokumente und Einstellungen\All Users\Start Menu\Programs\Startup
Documents and Settings\All Users\Start Menu\Programs\Startup
- The virus may also broadcast information about the infected system to the IRC channel
- The virus will alter settings associated with the peer-to-peer file sharing application Kazaa - the virus will create a subdirectory named "kazaabackupfiles" inside the current Kazaa shared folder and modify the registry to point to this new location -
HKEY_CURRENT_USER\Software\Kazaa\LocalContent\
"Dir0" = 012345:%kazaa share path%\kazaabackupfiles\ (extra data)
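Both registry changes in this entry, the Run/Runonce auto-start values and the Kazaa LocalContent redirection, can be checked from an exported .reg file. The following Python script is an added example, not part of the encyclopedia entry: it parses a constructed `reg export`-style text (the sample values are built from the names and keys the entry lists) and reports auto-start values that name a known Spybot file, auto-start values whose executable has no path (as the entry's FUCKER.EXE does), and Kazaa share directories pointing at a "kazaabackupfiles" folder. The finding labels are this example's own.

```python
"""Audit a .reg export for the persistence and Kazaa changes described in the entry.

Added example; key names and file names come from the encyclopedia entry,
the sample export text and the finding labels are constructed for this example.
"""
import re
from typing import Dict, List, Tuple

AUTORUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
}
KAZAA_KEY = r"HKEY_CURRENT_USER\Software\Kazaa\LocalContent"
# File names the entry associates with this worm.
KNOWN_NAMES = {"fucker.exe", "spolerv.exe", "kaza.exe", "download_me.exe"}

# Constructed sample export; the SecurityHealth value stands in for a benign entry.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"spolerv.exe"="FUCKER.EXE gtb0t ##tester2## fuckpass"
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce]
"spolerv.exe"="FUCKER.EXE gtb0t ##tester2## fuckpass"

[HKEY_CURRENT_USER\Software\Kazaa\LocalContent]
"Dir0"="012345:C:\\My Shared Folder\\kazaabackupfiles\\"
"""

_VALUE = re.compile(r'"((?:[^"\\]|\\.)*)"=(.*)')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key path: {value name: string data}} for REG_SZ values in a .reg export."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = _VALUE.match(line)
            if not m:
                continue
            name, data = m.group(1), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                # Undo .reg escaping of backslashes and quotes.
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name] = data
    return keys


def first_executable(data: str) -> str:
    """Extract the program part of a command line ('"C:\\x y.exe" /a' or 'x.exe /a')."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def audit_reg_export(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value name, finding) triples for suspicious values."""
    findings = []
    autorun = {k.lower() for k in AUTORUN_KEYS}
    for key, values in parse_reg_export(text).items():
        if key.lower() in autorun:
            for name, data in values.items():
                exe = first_executable(data)
                base = exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()
                if base in KNOWN_NAMES:
                    findings.append((key, name, "known-spybot-filename"))
                if "\\" not in exe:
                    # Bare file name: resolved via the search path, as the entry's value is.
                    findings.append((key, name, "unqualified-autorun-path"))
        elif key.lower() == KAZAA_KEY.lower():
            for name, data in values.items():
                if name.lower().startswith("dir") and "kazaabackupfiles" in data.lower():
                    findings.append((key, name, "kazaa-share-redirect"))
    return findings


if __name__ == "__main__":
    for finding in audit_reg_export(SAMPLE_REG_EXPORT):
        print(finding)
```

On a live system the same checks can be run against the output of `reg export` for the four auto-start keys and the Kazaa key; the unqualified-path check is deliberately generic and will also surface unrelated entries that deserve a look.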
- The virus will write at least one copy of itself to the new location with a file name such as "download_me.exe"
- Virus contains the string "SpyBot1.2" in its code
Recommended Action
- Block access to the IP address 213.152.251.129
- If the ports are not used, block use of TCP ports 445 and 6667 for Internal to External (INT -> EXT) and External to Internal (EXT -> INT) traffic