
Worm:Win32/Slenfbot.AKD


First posted on 23 November 2010.
Source: SecurityHome

Aliases :

Worm:Win32/Slenfbot.AKD is also known as W32/OnlineGames.AS.gen!Eldorado (Authentium), Trojan.Win32.Jorik.IRCbot.mf (Kaspersky), Worm.Yimfoca!bBzJcTwhUMQ (VirusBuster), Win32/Yimfoca.AA (ESET), Worm.Win32.Slenfbot (Ikarus), Trojan.Win32.OnlineGames (Sunbelt Software), W32.Yimfoca (Symantec), TROJ_JORIK.AL (Trend Micro).

Explanation :

Worm:Win32/Slenfbot.AKD is a worm that spreads to other computers by using Instant Messaging programs. It sends a copy of itself disguised as a link to a codec required to watch a video.

Installation

When executed, Worm:Win32/Slenfbot.AKD copies itself into the Windows folder using the following file names:

  • nvsvc32.exg
  • nvsvc32.exe

It modifies the system registry so that it automatically runs every time Windows starts:

In subkeys:
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "NVIDIA driver monitor"
With data: "%windir%\nvsvc32.exe"

It also modifies firewall settings to allow itself to access the network.

Spreads via...

Instant messaging programs

Worm:Win32/Slenfbot.AKD spreads by sending a link to a copy of itself to all of a user's contacts in the following Instant Messaging programs:

  • Yahoo! Messenger
  • MSN/Live Messenger

It pretends that the link points to a video that requires a special codec for viewing. However, the codec is actually a copy of the worm.

Payload

Modifies settings

Worm:Win32/Slenfbot.AKD may try to stop the following services and then configure them to start manually:

  • wuauserv
  • MsMpSvc

It may also change the start page of Internet Explorer to a certain webpage.

Terminates processes

Worm:Win32/Slenfbot.AKD may attempt to terminate the following process:

  • msseces.exe

Connects to an IRC server

Worm:Win32/Slenfbot.AKD may connect to certain Internet Relay Chat (IRC) servers to receive additional commands to perform on the computer. One server it is known to connect to is the following:

  • 142.45.186.11 via port 1234
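The indicators above (dropped files, the "NVIDIA driver monitor" autorun value, the two services switched to manual start, a firewall exception for the dropped binary, and the IRC server) can be checked on a host with a short triage script. The script below is an added example written for this page; it is not part of the SecurityHome writeup or any vendor tool. It assumes an elevated PowerShell session on Windows 8 / Server 2012 or later, since the Get-NetTCPConnection and Get-NetFirewall* cmdlets are absent on the Windows XP/7 systems this worm originally targeted. It only reports; it does not remove anything.

```powershell
# Added example (not from the original writeup): read-only triage for the
# Worm:Win32/Slenfbot.AKD indicators listed on this page.
# Assumes: elevated session, Windows 8 / Server 2012 or newer (NetTCPIP and
# NetSecurity modules present).

$findings = @()

# 1. Dropped copies in the Windows folder (both names the writeup lists)
foreach ($name in 'nvsvc32.exe', 'nvsvc32.exg') {
    $path = Join-Path $env:windir $name
    if (Test-Path -LiteralPath $path) {
        $findings += "File present: $path"
    }
}

# 2. Autorun value "NVIDIA driver monitor" in the three Run keys the worm writes
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    $value = $props.PSObject.Properties['NVIDIA driver monitor']
    if ($value) {
        $findings += "Autorun value: $key\NVIDIA driver monitor = $($value.Value)"
    }
}

# 3. Services the worm stops and sets to manual start.
#    Manual start alone is not proof; treat it as corroborating evidence.
foreach ($svc in 'wuauserv', 'MsMpSvc') {
    $s = Get-CimInstance Win32_Service -Filter "Name='$svc'" -ErrorAction SilentlyContinue
    if ($s -and $s.StartMode -eq 'Manual') {
        $findings += "Service ${svc}: StartMode=$($s.StartMode) State=$($s.State)"
    }
}

# 4. Firewall rules that grant the dropped binary network access
$fwRules = Get-NetFirewallApplicationFilter -ErrorAction SilentlyContinue |
    Where-Object { $_.Program -like '*\nvsvc32.exe' } |
    Get-NetFirewallRule -ErrorAction SilentlyContinue
foreach ($rule in $fwRules) {
    $findings += "Firewall rule for nvsvc32.exe: '$($rule.DisplayName)' Action=$($rule.Action) Enabled=$($rule.Enabled)"
}

# 5. Live connection to the IRC server named in the writeup
$c2 = Get-NetTCPConnection -RemoteAddress 142.45.186.11 -RemotePort 1234 -ErrorAction SilentlyContinue
foreach ($conn in $c2) {
    $findings += "IRC connection: PID $($conn.OwningProcess) -> $($conn.RemoteAddress):$($conn.RemotePort) ($($conn.State))"
}

if ($findings.Count -eq 0) {
    'No Worm:Win32/Slenfbot.AKD indicators found.'
} else {
    'Indicators found:'
    $findings | ForEach-Object { "  $_" }
}
```

The registry check looks up the value by its exact name rather than scanning all Run entries, so a legitimate NVIDIA driver service (whose real binary does not live directly in %windir%) does not trigger it; if a match is reported, compare the data against "%windir%\nvsvc32.exe" before acting. Because the IRC check only sees connections open at the moment the script runs, a host that is infected but idle can pass that test while still failing the file and registry checks, which is why all five indicators are reported together.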

Analysis by Daniel Radu

Last update 23 November 2010
