Home / malware Backdoor.K0wbot.1.2 / 1.3.A / 1.3.B
First posted on 21 November 2011.
Source: BitDefenderAliases :
Backdoor.K0wbot.1.2 / 1.3.A / 1.3.B is also known as W32.Kwbot.Worm.
Explanation :
This is another Internet worm that uses the popular file sharing KaZaA network to spread; besides this, it includes an IRC remote control backdoor component. It is written in C and the executable is compressed and crypted; it also uses some protection techniques to make reverse-engineering difficult.
When run, the virus copies itself as explorer32.exe in the Windows System folder and registers this copy to be run at every Windows start-up by creating the registry entries described above.
The virus creates a temporary file c:moo.reg that is used to set the value of the registry entry
[HKCUSoftwareKazaaLocalContentDisableSharing]
to 0 (in order to enable sharing of KaZaA files).
The virus makes aprox. 150 copies of itself in the KaZaA shared folder, using the names of appealing software/media files:
The backdoor component connects to an IRC (Internet Relay Chat) server and allows remote control of the infected computer (after a password authentification), including the ability to perform the following actions on the "victim" computer:
updating the virus by downloading a newer version;
reporting information about the infected system (CPU speed, memory, operating system version, uptime, Internet connection type, local IP address etc.);
reporting installed software (by sending the file c:moo.txt which lists the subfolders of the Program Files folder);
performing different IRC commands, including flooding of other users of the chat server.Last update 21 November 2011
