
Worm:Win32/Slenfbot.gen!D


First posted on 20 July 2010.
Source: SecurityHome

Aliases :

Worm:Win32/Slenfbot.gen!D is also known as Win-Trojan/Slenfbot.375808 (AhnLab), W32/Buzus.TM (Authentium (Command)), Win32/Slenfbot.JL (CA), Win32/AutoRun.IRCBot.DZ (ESET), Worm.Win32.Slenfbot (Ikarus).

Explanation :

Worm:Win32/Slenfbot.gen!D is the generic detection for a worm that spreads via removable drives and instant messaging programs. It may also modify the computer's firewall settings and security settings. It can also terminate and/or stop certain antivirus processes, contact a remote server, flush the DNS cache, and allow backdoor access and control.

Installation

When executed, Worm:Win32/Slenfbot.gen!D drops a copy of itself in the Windows system folder using a variety of file names. It then executes its copy and deletes itself. Some of the file names the copy in the Windows system folder has been known to use are:

  • wcoredk.exe
  • wmiptsd.exe
  • wcoredn.exe

It creates a mutex named "Mut3x" and opens a mutex named "send".

To ensure that it automatically runs every time Windows starts, Worm:Win32/Slenfbot.gen!D creates the following registry entries:

Adds value: "conime.exe"
With data: "conime.exe"
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Adds value: "Debugger"
With data: "<malware file name>"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conime.exe

The file "conime.exe" is the IME proxy process for the Windows Server 2003 console. This ensures that when the legitimate Windows file "conime.exe" is run at every Windows start, the malware file is also run.

Spreads via...

Removable drives

Worm:Win32/Slenfbot.gen!D spreads by copying itself to all available removable drives. Its copy on the removable drive has various names. It also creates an "autorun.inf" file to allow its copy to run automatically when the drive is accessed and Autorun is enabled.

Instant messaging programs

Worm:Win32/Slenfbot.gen!D sends links to copies of itself to a user's contacts in certain instant messaging programs, such as "MSN Messenger".

Payload

Modifies firewall settings

Worm:Win32/Slenfbot.gen!D modifies the Windows firewall settings to allow itself to bypass the firewall:

Adds value: "<malware file name>"
With data: "<malware file name> :*:enabled:lan router"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

Adds value: "<malware file name>"
With data: "<malware file name> :*:enabled:lan router"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List

Modifies system security settings

Worm:Win32/Slenfbot.gen!D attempts to bypass DEP ("Data Execution Prevention") in Windows by creating the following registry entry:

Adds value: "<malware file name>"
With data: "disablenxshowui"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers

Terminates processes

Some samples of Worm:Win32/Slenfbot.gen!D attempt to terminate antivirus and analysis programs, such as the following:

  • msrt.exe
  • msmpeng.exe
  • lordpe.exe
  • procdump.exe
  • processmonitor.exe
  • taskmon.exe

Some samples of Worm:Win32/Slenfbot.gen!D have also been known to prevent certain antivirus programs from running, such as the following:

  • K7RTScan
  • K7TSMngr
  • avast! Antivirus
  • VSServ

Allows backdoor access and control

Worm:Win32/Slenfbot.gen!D attempts to connect to an IRC channel, possibly to allow backdoor access and control. It is known to connect to the following IRC servers:

  • ns28.sup3rb0x4you.co.uk
  • ns118.l1v3h0st4all61.me.uk

using various ports, such as 5213 and 41040.

Connects to a remote server

Worm:Win32/Slenfbot.gen!D tries to download an updated version of itself from a certain remote server. Some of the servers it is known to connect to are the following:

  • secure.ultrah0stint24.org.uk
  • upd.messenger-update.ru

Flushes DNS cache

Worm:Win32/Slenfbot.gen!D flushes the DNS cache by running the following command: ipconfig /flushdns
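The registry artifacts described above (the "conime.exe" Run value, the Image File Execution Options "Debugger" hijack, the firewall AuthorizedApplications exception and the "disablenxshowui" AppCompat layer) are what an incident responder would look for on a suspect host. The following is an added example, not part of this write-up: it parses a registry export in .reg format and flags those four indicators. The sample export is constructed for illustration and uses one of the file names listed above; the key paths and value names are taken from the description.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of a Windows .reg export (not from a real host) that
# contains the persistence, firewall and DEP artifacts described above.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"conime.exe"="conime.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conime.exe]
"Debugger"="C:\\WINDOWS\\system32\\wcoredk.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\wcoredk.exe"="C:\\WINDOWS\\system32\\wcoredk.exe:*:enabled:lan router"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"C:\\WINDOWS\\system32\\wcoredk.exe"="disablenxshowui"
'''

def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the string values of a .reg export into {key path: {name: data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            # .reg escapes backslashes as "\\" inside quoted names and data
            m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:
                name, data = (s.replace('\\\\', '\\') for s in m.groups())
                keys[current][name] = data
    return keys

def find_slenfbot_artifacts(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (indicator, key, value name, data) for every matching registry value."""
    hits = []
    for key, values in keys.items():
        k = key.lower()
        for name, data in values.items():
            n, d = name.lower(), data.lower()
            if k.endswith(r"\currentversion\run") and n == "conime.exe":
                hits.append(("run-key persistence", key, name, data))
            elif r"\image file execution options\conime.exe" in k and n == "debugger":
                hits.append(("IFEO debugger hijack of conime.exe", key, name, data))
            elif k.endswith(r"\authorizedapplications\list") and d.endswith(":*:enabled:lan router"):
                hits.append(("firewall exception", key, name, data))
            elif k.endswith(r"\appcompatflags\layers") and "disablenxshowui" in d:
                hits.append(("DEP disabled via AppCompat layer", key, name, data))
    return hits
```

On a live host the same checks can be run against an export produced with `reg export HKLM <file>`; a legitimate "Debugger" value under Image File Execution Options for conime.exe is not expected, so any hit there warrants a closer look at the referenced file.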

    Analysis by Daniel Radu

    Last update 20 July 2010
