Home / malwarePDF  

Backdoor.K0wbot.1.2 / 1.3.A / 1.3.B


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Backdoor.K0wbot.1.2 / 1.3.A / 1.3.B is also known as W32.Kwbot.Worm.

Explanation :

This is another Internet worm that uses the popular file sharing KaZaA network to spread; besides this, it includes an IRC remote control backdoor component. It is written in C and the executable is compressed and crypted; it also uses some protection techniques to make reverse-engineering difficult.

When run, the virus copies itself as explorer32.exe in the Windows System folder and registers this copy to be run at every Windows start-up by creating the registry entries described above.

The virus creates a temporary file c:moo.reg that is used to set the value of the registry entry

[HKCUSoftwareKazaaLocalContentDisableSharing]

to 0 (in order to enable sharing of KaZaA files).

The virus makes aprox. 150 copies of itself in the KaZaA shared folder, using the names of appealing software/media files:



The backdoor component connects to an IRC (Internet Relay Chat) server and allows remote control of the infected computer (after a password authentification), including the ability to perform the following actions on the "victim" computer:

updating the virus by downloading a newer version;
reporting information about the infected system (CPU speed, memory, operating system version, uptime, Internet connection type, local IP address etc.);
reporting installed software (by sending the file c:moo.txt which lists the subfolders of the Program Files folder);
performing different IRC commands, including flooding of other users of the chat server.

Last update 21 November 2011

 

TOP