W32.Wabot.B
First posted on 27 October 2015.
Source: Symantec
Aliases:
There are no other names known for W32.Wabot.B.
Explanation:
When the worm is executed, it creates the following copies of itself with random data appended to the end:
%Windir%/win32dc/BattleField 1942 serial.exe
%Windir%/win32dc/BattleField 1942(fix).exe
%Windir%/win32dc/BattleField 1942_serial.exe
%Windir%/win32dc/Counter-Strike(serial).exe
%Windir%/win32dc/Counter-Strike_fix.exe
%Windir%/win32dc/DAoC nocd.exe
%Windir%/win32dc/Doom 3 cheat.exe
%Windir%/win32dc/Doom 3(cheat).exe
%Windir%/win32dc/Doom 3_hack.exe
%Windir%/win32dc/FlatOut crack.exe
%Windir%/win32dc/FlatOut(fix).exe
%Windir%/win32dc/FlatOut_cheat.exe
%Windir%/win32dc/Quake3 cheat.exe
%Windir%/win32dc/Quake3(cdfix).exe
%Windir%/win32dc/Quake3(nocd).exe
%Windir%/win32dc/Quake3_cheat.exe
%Windir%/win32dc/Quake3_fix.exe
%Windir%/win32dc/Silent Hill 4_cdfix.exe
%Windir%/win32dc/UT2004_fix.exe
The worm searches for files with the following extensions:
.exe, .scr, .com, .pif, .cmd, .bat
It also searches for files with full file paths containing the word "share".
The worm overwrites these files with copies of itself under the same file names, appending random data to each copy so that its length matches the original file's length.
Note: It may or may not append a further random amount of data of less than A000h (40,960) bytes.
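The cloning behaviour described above has a detectable side effect: every copy starts with the same worm body and differs only in its random tail, so full-file hashes vary while a hash of the leading bytes stays constant. The following Python script, an added example that is not part of the Symantec write-up, models that pattern on a constructed in-memory "share" folder and flags groups of executables that share a leading-bytes hash but differ as whole files. The worm body, file names and contents are invented stand-ins, and the prefix length of 1024 bytes assumes the unpadded body is longer than that.

```python
import hashlib
import os
import random
from collections import defaultdict

# Constructed stand-in for the worm's own body; the real W32.Wabot.B binary is
# not reproduced here, only the cloning pattern the write-up describes.
_body_rng = random.Random(7)
WORM_BODY = b"MZ" + bytes(_body_rng.getrandbits(8) for _ in range(2046))
# Extensions the write-up lists as targets for replacement.
TARGET_EXTS = {".exe", ".scr", ".com", ".pif", ".cmd", ".bat"}
# Assumption: the unpadded worm body is longer than this prefix and is
# byte-identical across copies, so its leading bytes hash the same way.
PREFIX_LEN = 1024


def cloned_copy(original_len: int, rnd: random.Random) -> bytes:
    """Model the described behaviour: worm body plus a random tail sized to match the original."""
    pad = max(0, original_len - len(WORM_BODY))
    return WORM_BODY + bytes(rnd.getrandbits(8) for _ in range(pad))


def build_sample_share() -> dict:
    """Constructed in-memory 'share' folder (path -> contents); paths and data are invented."""
    rnd = random.Random(1)
    share = {
        "C:/Users/Public/share/tool.exe": bytes(rnd.getrandbits(8) for _ in range(4096)),
        "C:/Users/Public/share/setup.scr": bytes(rnd.getrandbits(8) for _ in range(8192)),
        "C:/Users/Public/share/readme.txt": b"plain text, not a target extension",
        "C:/Users/Public/share/game_fix.exe": bytes(rnd.getrandbits(8) for _ in range(5000)),
    }
    # Two executables have been replaced by padded worm clones of the same length.
    share["C:/Users/Public/share/tool.exe"] = cloned_copy(4096, rnd)
    share["C:/Users/Public/share/game_fix.exe"] = cloned_copy(5000, rnd)
    return share


def prefix_clusters(files: dict, prefix_len: int = PREFIX_LEN) -> dict:
    """Group files with target extensions by the SHA-256 of their first prefix_len bytes."""
    clusters = defaultdict(list)
    for path, data in files.items():
        if os.path.splitext(path)[1].lower() not in TARGET_EXTS:
            continue
        clusters[hashlib.sha256(data[:prefix_len]).hexdigest()].append(path)
    return clusters


def suspicious_groups(files: dict, min_members: int = 2) -> list:
    """Groups of executables that share a leading-bytes hash but differ as whole files.

    Padded clones of one body look exactly like this: same prefix, different
    full-file hash because of the random tail.
    """
    groups = []
    for paths in prefix_clusters(files).values():
        whole = {hashlib.sha256(files[p]).hexdigest() for p in paths}
        if len(paths) >= min_members and len(whole) > 1:
            groups.append(sorted(paths))
    return sorted(groups)


if __name__ == "__main__":
    for group in suspicious_groups(build_sample_share()):
        print("possible padded clones:", group)
```

When run against a real share, use a prefix well past the PE headers: many legitimate executables share the same DOS stub in their first few hundred bytes, so a short prefix would cluster unrelated binaries. Treat a hit as a triage lead to be confirmed with a full scan of the files, not as a verdict on its own.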
The worm attempts to connect to the following IRC server using a randomly generated user name/nick name/email address based on a list of hard-coded words:
us.undernet.org
The worm then joins the following hard-coded channel using the key "fuck21":
#vdm
Next, the worm waits for commands from the IRC server to allow it to perform the following actions:
Download and execute files
Collect computer information
Spread itself
The worm attempts to connect to random IP addresses on TCP ports 1639, 1640 and 3127.
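The IRC server, channel, scan ports and drop directory named above are the indicators a defender can match in network and file-creation telemetry. The Python script below is an added example, not part of the Symantec write-up: it runs those indicators over a few constructed log lines in an assumed "timestamp host event details" format (the hosts, IP addresses and the 6667 port in the sample are invented) and reports which host tripped which indicator.

```python
import re

# Indicators taken from the write-up's description of W32.Wabot.B.
IRC_SERVER = "us.undernet.org"
IRC_CHANNEL = "#vdm"
SCAN_PORTS = {1639, 1640, 3127}
DROP_DIR = re.compile(r"[\\/]win32dc[\\/]", re.IGNORECASE)

# Constructed sample log lines; the host names, IP addresses and the
# "timestamp host event details" layout are assumptions for this example.
SAMPLE_LOG = """\
2015-10-27T10:00:01 ws01 conn dst=198.51.100.7:6667 host=us.undernet.org
2015-10-27T10:00:05 ws01 irc join chan=#vdm
2015-10-27T10:00:09 ws01 conn dst=203.0.113.44:1639
2015-10-27T10:00:10 ws01 conn dst=203.0.113.45:3127
2015-10-27T10:00:11 ws01 conn dst=203.0.113.46:443
2015-10-27T10:00:15 ws02 file create path=C:\\Windows\\win32dc\\Quake3_cheat.exe
2015-10-27T10:00:20 ws02 file create path=C:\\Windows\\Temp\\update.log
"""

CONN_RE = re.compile(r"conn dst=(?P<ip>[\d.]+):(?P<port>\d+)(?: host=(?P<host>\S+))?")
JOIN_RE = re.compile(r"irc join chan=(?P<chan>\S+)")
FILE_RE = re.compile(r"file create path=(?P<path>.+)$")


def classify(line: str):
    """Return (host, reason) when a line matches one of the indicators, else None."""
    parts = line.split(" ", 2)
    if len(parts) < 3:
        return None
    _, host, rest = parts
    m = CONN_RE.search(rest)
    if m:
        # Resolved name beats port: the IRC server is the command channel.
        if m.group("host") == IRC_SERVER:
            return host, "irc-c2-server"
        if int(m.group("port")) in SCAN_PORTS:
            return host, "backdoor-port-%s" % m.group("port")
        return None
    m = JOIN_RE.search(rest)
    if m and m.group("chan") == IRC_CHANNEL:
        return host, "irc-c2-channel"
    m = FILE_RE.search(rest)
    if m and DROP_DIR.search(m.group("path")):
        return host, "dropped-copy"
    return None


def scan(log: str) -> dict:
    """Map each host to the ordered list of indicator reasons it triggered."""
    hits = {}
    for line in log.splitlines():
        result = classify(line)
        if result:
            hits.setdefault(result[0], []).append(result[1])
    return hits


if __name__ == "__main__":
    for host, reasons in scan(SAMPLE_LOG).items():
        print(host, "->", ", ".join(reasons))
```

A single outbound connection to one of the three ports is weak evidence on its own, since those ports are not reserved; the combination of an IRC session to the named server, a join to the named channel and a burst of connections to random addresses on those ports is what distinguishes this worm's pattern.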
The worm attempts to update the following file:
dcplusplus.xml
The worm spreads through intranet shared folders, DC++ shared folders, and back door connections.
Last update 27 October 2015