Worm:Win32/Zombaque.A
First posted on 07 February 2013.
Source: Microsoft
Aliases:
Worm:Win32/Zombaque.A is also known as Worm/Win32.Zombaque (AhnLab), W32/Zombaque.A (Norman), Worm/Zombaque.A (Avira), Win32/Zombaque.A worm (ESET), Worm.Win32.Zombaque (Ikarus), W32/Zombaque.gen.a (McAfee), W32/Zombaque-A (Sophos), WORM_BIZOME.SMD (Trend Micro).
Explanation:
Installation
The worm may arrive on your computer as "ipz.tmp". It is then moved to the folder "%SystemRoot%\system32" and renamed "ipz.exe".
Note: %SystemRoot% is a variable location that the malware determines by querying the operating system. The default SystemRoot folder for Windows 2000, XP, 2003, Vista and 7 is "C:\Windows".
It creates the following registry entry so that it runs automatically as a service:
In subkey: HKLM\System\CurrentControlSet\Services\ipz
Sets value: "DisplayName"
With data: "Intelligent p2p zombie"
It uses the service name "IPZ".
Spreads via...
Radmin program
Worm:Win32/Zombaque.A checks whether other computers on the network have TCP port 4899 (the default Radmin port) open, which may indicate that they can be reached over Radmin. It tries to log in to those computers using combinations of certain user names and passwords, and copies itself to them if a login succeeds.
The worm uses a number of user names and passwords in its attempt to gain access to the computers using Radmin; please see the Additional information section below for a list of user names and passwords it uses.
It drops a copy of itself on each accessible computer as "ipz.tmp", which, as in the Installation section above, is moved, renamed and run as a service.
Payload
Joins a botnet
Worm:Win32/Zombaque.A turns your computer into a node in a botnet composed of other computers also infected with Worm:Win32/Zombaque.A. It communicates with these computers over TCP port 310 to carry out commands sent by a remote attacker. A remote attacker may choose to do any of the following:
- Download and run arbitrary files
- Upload data taken from an infected computer
Additional information
This worm has the following command line options:
- --install - installs this worm and creates a service named "IPZ"
- --remove - removes this worm and deletes the service
- --log - logs events that happen on the computer
- --service - runs the worm payload
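The network behaviour described above (Radmin probing on TCP port 4899 under "Spreads via", and peer traffic on TCP port 310 under "Payload") is the most practical handle a defender has for finding this worm across a network. The following is an added detection example, not code from the original Microsoft write-up: it runs over constructed Zeek-style connection records (the field layout, the connection states S0/SF/REJ, the fan-out threshold and the IP addresses are all assumptions made for illustration) and reports hosts that are scanning for Radmin, hosts that talk on port 310, and hosts that accepted a Radmin connection from a scanner and should be checked for the "IPZ" service and "ipz.exe".

```python
"""Flag hosts whose connection pattern matches Worm:Win32/Zombaque.A.

Added example; not part of the Microsoft write-up. The log format
(a Zeek conn.log-style TSV), the connection states, the threshold and
the sample records are assumptions constructed for illustration.
"""
from collections import defaultdict

RADMIN_PORT = 4899        # default Radmin port probed by the worm
BOT_PORT = 310            # port used by the worm's bot/peer traffic
FANOUT_THRESHOLD = 5      # assumed: distinct 4899 targets before calling it a scan

# Constructed sample log. Fields: ts, src, sport, dst, dport, proto, conn_state
# 10.0.0.15 sweeps six hosts on 4899, then exchanges port-310 traffic with
# 10.0.0.23; 10.0.0.40 is an admin making a single legitimate Radmin connection.
SAMPLE_LOG = """\
1360252800.1\t10.0.0.15\t51001\t10.0.0.21\t4899\ttcp\tS0
1360252800.2\t10.0.0.15\t51002\t10.0.0.22\t4899\ttcp\tS0
1360252800.3\t10.0.0.15\t51003\t10.0.0.23\t4899\ttcp\tSF
1360252800.4\t10.0.0.15\t51004\t10.0.0.24\t4899\ttcp\tREJ
1360252800.5\t10.0.0.15\t51005\t10.0.0.25\t4899\ttcp\tS0
1360252800.6\t10.0.0.15\t51006\t10.0.0.26\t4899\ttcp\tSF
1360252801.0\t10.0.0.23\t51900\t10.0.0.15\t310\ttcp\tSF
1360252802.0\t10.0.0.15\t52000\t10.0.0.23\t310\ttcp\tSF
1360252803.0\t10.0.0.40\t53000\t10.0.0.21\t4899\ttcp\tSF
1360252804.0\t10.0.0.40\t53001\t10.0.0.9\t443\ttcp\tSF
"""


def parse_conn_log(text):
    """Parse tab-separated connection records into dicts, skipping blank lines."""
    fields = ("ts", "src", "sport", "dst", "dport", "proto", "state")
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(fields, line.split("\t")))
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records


def find_radmin_scanners(records, threshold=FANOUT_THRESHOLD):
    """Sources that tried TCP/4899 against at least `threshold` distinct hosts."""
    targets = defaultdict(set)
    for r in records:
        if r["proto"] == "tcp" and r["dport"] == RADMIN_PORT:
            targets[r["src"]].add(r["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


def find_radmin_victims(records, scanners):
    """Hosts that completed a Radmin handshake (state SF) with a scanning source."""
    return sorted({r["dst"] for r in records
                   if r["src"] in scanners and r["dport"] == RADMIN_PORT and r["state"] == "SF"})


def find_bot_peers(records):
    """Both endpoints of every established TCP/310 connection (worm peer traffic)."""
    peers = set()
    for r in records:
        if r["proto"] == "tcp" and r["dport"] == BOT_PORT and r["state"] == "SF":
            peers.update((r["src"], r["dst"]))
    return sorted(peers)


def triage(text, threshold=FANOUT_THRESHOLD):
    """Combine the three signals into a triage report keyed by finding type."""
    records = parse_conn_log(text)
    scanners = find_radmin_scanners(records, threshold)
    victims = find_radmin_victims(records, scanners)
    peers = find_bot_peers(records)
    return {
        "scanners": scanners,
        "bot_peers": peers,
        "likely_infected": sorted(set(scanners) | set(peers)),
        # reached over Radmin by a scanner but not yet seen on port 310:
        # inspect for the "IPZ" service and %SystemRoot%\system32\ipz.exe
        "check_for_ipz_service": sorted(set(victims) - set(peers)),
    }


if __name__ == "__main__":
    for finding, hosts in triage(SAMPLE_LOG).items():
        print(f"{finding}: {hosts}")
```

The single port-4899 connection from 10.0.0.40 stays below the fan-out threshold, so a legitimate administrator using Radmin is not flagged; tune FANOUT_THRESHOLD to the size of your network and the normal Radmin usage on it.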
The following are some examples of user names and passwords the worm uses to gain access to other computers:
Usernames:
- 1
- 111111
- 123
- 123456
- a
- admin
- Admin
- administrator
- Administrator
- billgates
- computer
- host
- internet
- login
- microsoft
- q
- radmin
- skynet
- User
- user
Passwords:
- 0987654321
- 11111111
- 121212
- 12121212
- 123123
- 1234
- 12341234
- 12345678
- 123456789
- 1234567890
- 1q2w3e
- 1q2w3e4r
- 1q2w3e4r5t
- 654321
- 87654321
- a
- aaaaaa
- aaaaaaaa
- aerial
- aerodynamics
- aeroplane
- alien
- altera
- altitude
- america
- american
- anchorite
- annihilation
- archer
- asdfghjk
- asdfghjkl
- atmel
- atmosphere
- atomic
- backward
- battle
- bender
- boeing
- brentcorrigan
- brutal
- bullshit
- burning
- callofduty
- cannon
- cdrom
- children
- coolface
- copyleft
- copyright
- creative
- creator
- darthvader
- deathcore
- deathstar
- debian
- deltaplane
- destroy
- desu
- disable
- display
- domination
- doomsday
- elephant
- elimination
- emoboy
- emokid
- emperor
- enable
- enigma
- europe
- evangellion
- fallout
- fighter
- folder
- forward
- freedom
- fuckyou
- godzilla
- gothic
- grinder
- guitar
- happiness
- happy
- hardcore
- harddisk
- helicopter
- hell
- hippie
- hitler
- horishima
- horizon
- ignore
- imageboard
- income
- incoming
- insane
- israel
- jesus
- jetpack
- kamikaze
- keyboard
- kiss
- kremlin
- latitude
- lineage2
- longtitude
- lucifer
- lurkmore
- machine
- memory
- metall
- microchip
- minigun
- missile
- monkey
- motorbike
- mouse
- mozilla
- music
- negative
- nekoboy
- nigger
- nuclear
- oracle
- overmind
- password
- people
- pilotage
- police
- positive
- predator
- pretty
- processor
- propeller
- prototype
- q
- qazwsx
- qazwsxedc
- qqqqqq
- qqqqqqqq
- qweasd
- qweasdzxc
- qwerty
- qwertyui
- qwertyuiop
- rastaman
- reactor
- receiver
- revolution
- rocketman
- router
- samael
- satan
- sattelite
- scientology
- secret
- secure
- shadow
- shcool
- skywalker
- smoking
- solder
- speaker
- stalin
- starcraft
- stinger
- sunlight
- superman
- supply
- suxxxx
- terminator
- thieft
- thread
- thunderbird
- tolerance
- topsecret
- tranciever
- transmitter
- trollface
- ubuntu
- unknown
- username
- utorrent
- war
- warcraft
- warhammer
- washington
- whitehouse
- windows
- wireless
- xlinx
- youandme
- youtube
- zeitgeist
Analysis by Daniel Chipiristeanu
Last update 07 February 2013