
Worm:Win32/Zombaque.A


First posted on 07 February 2013.
Source: Microsoft

Aliases:

Worm:Win32/Zombaque.A is also known as Worm/Win32.Zombaque (AhnLab), W32/Zombaque.A (Norman), Worm/Zombaque.A (Avira), Win32/Zombaque.A worm (ESET), Worm.Win32.Zombaque (Ikarus), W32/Zombaque.gen.a (McAfee), W32/Zombaque-A (Sophos), WORM_BIZOME.SMD (Trend Micro).

Explanation:



Installation

The worm may arrive on your computer as "ipz.tmp". It is moved to the folder "%systemroot%\system32" and is renamed as "ipz.exe".

Note: %SystemRoot% refers to a variable location that is determined by the malware by querying the operating system. The default location for the SystemRoot folder for Windows 2000, XP, 2003, Vista and 7 is "C:\Windows".

It creates the following registry entries so that it automatically runs as a service:

In subkey: HKLM\System\CurrentControlSet\Services\ipz
Sets value: "DisplayName"
With data: "Intelligent p2p zombie"

It uses the service name "IPZ".

Spreads via...

Radmin program

Worm:Win32/Zombaque.A checks whether other computers on the network have TCP port 4899 open, which may indicate that they are accessible using Radmin. It tries to connect to these computers using a combination of certain user names and passwords, and copies itself to them if it successfully connects.

The worm uses a number of user names and passwords in its attempt to gain access to the computers using Radmin; please see the Additional information section below for a list of the user names and passwords it uses.

It drops a copy of itself on these accessible computers as "ipz.tmp", which, as in its Installation method, is moved, renamed and run as a service.



Payload

Joins a botnet

Worm:Win32/Zombaque.A turns your computer into a node in a botnet, which is composed of other computers also infected with Worm:Win32/Zombaque.A. It communicates with these computers through TCP port 310 to perform commands sent by a remote attacker. A remote attacker may choose to do any of the following:

  • Download and run arbitrary files
  • Upload data taken from an infected computer
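The two network behaviours described above (sweeping TCP 4899 for Radmin hosts, then peer traffic on TCP 310) can be spotted in connection logs. The following is an added detection example, not code from the Microsoft writeup; it assumes a constructed, simplified firewall-style log line and a scan threshold of five distinct targets, and it lists the hosts a scanning machine actually reached, since those are where the "ipz.tmp" copy would land.

```python
"""Network-log heuristics for the two Zombaque.A behaviours described above.
Added example, not code from the Microsoft writeup: flags hosts that probe
TCP 4899 (Radmin) on many distinct peers, lists the peers those hosts reached
(candidates for the "ipz.tmp" copy) and lists hosts seen on TCP 310. The log
format is a constructed firewall-style line: "<ts> <src> <dst> <dport> <ALLOW|DENY>".
"""
from collections import defaultdict

RADMIN_PORT = 4899   # probed to find Radmin-accessible hosts (from the writeup)
BOTNET_PORT = 310    # peer/C2 port named in the writeup
SCAN_THRESHOLD = 5   # distinct 4899 targets before a host counts as scanning (assumption)

# Constructed sample: 10.0.0.15 sweeps six hosts on 4899, reaches two, then talks
# to one on 310; 10.0.0.30 is a single legitimate Radmin session; 443 is noise.
SAMPLE_LOG = """\
2013-02-07T10:00:01 10.0.0.15 10.0.0.21 4899 ALLOW
2013-02-07T10:00:01 10.0.0.15 10.0.0.22 4899 DENY
2013-02-07T10:00:02 10.0.0.15 10.0.0.23 4899 DENY
2013-02-07T10:00:02 10.0.0.15 10.0.0.24 4899 ALLOW
2013-02-07T10:00:03 10.0.0.15 10.0.0.25 4899 DENY
2013-02-07T10:00:03 10.0.0.15 10.0.0.26 4899 DENY
2013-02-07T10:00:09 10.0.0.30 10.0.0.21 4899 ALLOW
2013-02-07T10:01:30 10.0.0.15 10.0.0.21 310 ALLOW
2013-02-07T10:01:31 10.0.0.40 10.0.0.41 443 ALLOW
"""

def parse_line(line):
    # Split one log line into (timestamp, src, dst, dport, action).
    ts, src, dst, dport, action = line.split()
    return ts, src, dst, int(dport), action

def analyse(log_text, threshold=SCAN_THRESHOLD):
    """Return the three host lists a responder would triage first."""
    targets = defaultdict(set)  # src -> distinct hosts it probed on 4899
    reached = defaultdict(set)  # src -> hosts where the 4899 connection was allowed
    on_botnet_port = set()      # hosts on either end of a port-310 connection
    for line in filter(None, log_text.splitlines()):
        _, src, dst, dport, action = parse_line(line)
        if dport == RADMIN_PORT:
            targets[src].add(dst)
            if action == "ALLOW":
                reached[src].add(dst)
        elif dport == BOTNET_PORT:
            on_botnet_port.update((src, dst))
    scanners = sorted(s for s, t in targets.items() if len(t) >= threshold)
    return {
        "radmin_scanners": scanners,
        "reached_by_scanners": sorted(set().union(*(reached[s] for s in scanners))),
        "hosts_on_port_310": sorted(on_botnet_port),
    }
```

Hosts in "reached_by_scanners" and "hosts_on_port_310" are the ones to check for the "ipz.exe" file and the "IPZ" service described in the Installation section.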

Additional information

This worm has the following command line options:

  • --install - installs this worm and creates a service named "IPZ"
  • --remove - removes this worm and deletes the service
  • --log - logs events that happen on the computer
  • --service - runs the worm payload


The following are some examples of user names and passwords the worm uses to gain access to other computers:

Usernames:
  • 1
  • 111111
  • 123
  • 123456
  • a
  • admin
  • Admin
  • administrator
  • Administrator
  • billgates
  • computer
  • host
  • internet
  • login
  • microsoft
  • q
  • radmin
  • skynet
  • User
  • user

Passwords:
  • 0987654321
  • 11111111
  • 121212
  • 12121212
  • 123123
  • 1234
  • 12341234
  • 12345678
  • 123456789
  • 1234567890
  • 1q2w3e
  • 1q2w3e4r
  • 1q2w3e4r5t
  • 654321
  • 87654321
  • a
  • aaaaaa
  • aaaaaaaa
  • aerial
  • aerodynamics
  • aeroplane
  • alien
  • altera
  • altitude
  • america
  • american
  • anchorite
  • annihilation
  • archer
  • asdfghjk
  • asdfghjkl
  • atmel
  • atmosphere
  • atomic
  • backward
  • battle
  • bender
  • boeing
  • brentcorrigan
  • brutal
  • bullshit
  • burning
  • callofduty
  • cannon
  • cdrom
  • children
  • coolface
  • copyleft
  • copyright
  • creative
  • creator
  • darthvader
  • deathcore
  • deathstar
  • debian
  • deltaplane
  • destroy
  • desu
  • disable
  • display
  • domination
  • doomsday
  • elephant
  • elimination
  • emoboy
  • emokid
  • emperor
  • enable
  • enigma
  • europe
  • evangellion
  • fallout
  • fighter
  • folder
  • forward
  • freedom
  • fuckyou
  • godzilla
  • google
  • gothic
  • grinder
  • guitar
  • happiness
  • happy
  • hardcore
  • harddisk
  • helicopter
  • hell
  • hippie
  • hitler
  • horishima
  • horizon
  • ignore
  • imageboard
  • income
  • incoming
  • insane
  • israel
  • jesus
  • jetpack
  • kamikaze
  • keyboard
  • kiss
  • kremlin
  • latitude
  • lineage2
  • longtitude
  • lucifer
  • lurkmore
  • machine
  • memory
  • metall
  • microchip
  • minigun
  • missile
  • monkey
  • motorbike
  • mouse
  • mozilla
  • music
  • negative
  • nekoboy
  • nigger
  • nuclear
  • oracle
  • overmind
  • password
  • people
  • pilotage
  • police
  • positive
  • predator
  • pretty
  • processor
  • propeller
  • prototype
  • q
  • qazwsx
  • qazwsxedc
  • qqqqqq
  • qqqqqqqq
  • qweasd
  • qweasdzxc
  • qwerty
  • qwertyui
  • qwertyuiop
  • rastaman
  • reactor
  • receiver
  • revolution
  • rocketman
  • router
  • samael
  • satan
  • sattelite
  • scientology
  • secret
  • secure
  • shadow
  • shcool
  • skywalker
  • smoking
  • solder
  • speaker
  • stalin
  • starcraft
  • stinger
  • sunlight
  • superman
  • supply
  • suxxxx
  • terminator
  • thieft
  • thread
  • thunderbird
  • tolerance
  • topsecret
  • tranciever
  • transmitter
  • trollface
  • ubuntu
  • unknown
  • username
  • utorrent
  • war
  • warcraft
  • warhammer
  • washington
  • whitehouse
  • windows
  • wireless
  • xlinx
  • youandme
  • youtube
  • zeitgeist




Analysis by Daniel Chipiristeanu

Last update 07 February 2013
