Worm:Win32/Slenfbot
First posted on 27 March 2009.
Source: SecurityHome
Aliases:
There are no other names known for Worm:Win32/Slenfbot.
Explanation:
Worm:Win32/Slenfbot is a worm that can spread via MSN Messenger, and may spread via removable drives. This worm spreads automatically via shares, but must be ordered to spread via Messenger by a remote attacker. The worm also contains backdoor functionality that allows unauthorized access to an affected machine.
Symptoms
There are no specific symptoms that indicate the presence of Worm:Win32/Slenfbot as this is a generic detection and symptoms may vary from one instance of infection to the next.
Installation
When executed, Worm:Win32/Slenfbot copies itself to the <system folder> with a filename that differs according to variant and sets the attributes of this copy to read-only, hidden and system. It modifies the registry to run this copy at each Windows start. For example, Worm:Win32/Slenfbot.A copies itself to <system folder>\nvsvc64.exe and makes the following modification to the registry:
Adds value: "nVidia Display Driver"
With data: "nvsvc64.exe"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Note - <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the System folder is C:\Winnt\System32 for Windows 2000 and NT, and C:\Windows\System32 for XP and Vista.
The worm makes a further registry modification that causes the originally executed copy of the worm to be deleted when the system restarts:
Sets value: "PendingFileRenameOperations"
With data: "<original malware executable>"
Under key: HKLM\System\CurrentControlSet\Control\Session Manager
However, it also runs "cmd.exe /c del <original malware executable> > nul" to delete the original copy of the worm immediately.
When first run, the worm checks whether Messenger is running by looking for a window with the class name "MSBLWindowClass". If it finds this window, it displays a fake error message.
Spreads Via...
MSN Messenger
This worm can be ordered to spread via Messenger by a remote attacker using the worm's backdoor functionality (see Payload below for additional detail). When the attacker orders the worm to spread via MSN Messenger, they must provide the following three parameters:
- A URL containing a list of possible messages to send, along with the worm itself, to MSN Messenger contacts. The worm chooses from this list at random.
- A file name for a ZIP archive. The worm creates a ZIP archive containing a copy of itself in the temporary folder with this name, and sends this ZIP archive to MSN Messenger contacts.
- A file name for the worm's executable inside the ZIP archive.
Removable Drives
Worm:Win32/Slenfbot may attempt to spread via removable drives, except drives A and B. It does this by creating a directory called RECYCLER in the root of the removable drive. It then creates another directory underneath that with a name such as S-1-6-21-1257894210-1075856346-012573477-2315. The worm copies itself into this directory with a file name such as "folderopen.exe". For example:
E:\RECYCLER\S-1-6-21-1257894210-1075856346-012573477-2315\folderopen.exe
The worm also creates an autorun.inf file in the root directory of the drive in order to launch the worm if, for example, the drive is connected to another machine. The worm sets the hidden and system attributes on all of the aforementioned directories and files.
Note: Due to a bug, Slenfbot may create only one directory rather than two, such as:
E:\RECYCLERS-1-6-21-1257894210-1075856346-012573477-2315\folderopen.exe
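As an added example that is not part of the original analysis, the following Python script checks a removable-drive root for the layout described above, including the single-directory form produced by the bug; the function names, the regular expressions and the sample directory tree it builds are assumptions constructed here for the demonstration.

```python
import os
import re
import tempfile

# Hypothetical detector (not from the original report). It looks for the on-disk
# layout described above: <root>\RECYCLER\S-1-...\<name>.exe plus an autorun.inf
# in the drive root. The bug noted in the report can glue the SID-like name onto
# RECYCLER as one directory ("RECYCLERS-1-6-21-..."), so both layouts are matched.
SID_DIR = re.compile(r"^S-1-\d+(?:-\d+){2,}$", re.IGNORECASE)
GLUED_DIR = re.compile(r"^RECYCLERS-1-\d+(?:-\d+){2,}$", re.IGNORECASE)


def slenfbot_drive_artifacts(root):
    """Return (finding, path) tuples for one removable-drive root. A real Recycle
    Bin also uses RECYCLER\\<SID>, so an .exe there is a lead, not proof."""
    findings = []
    autorun = os.path.join(root, "autorun.inf")
    if os.path.isfile(autorun):
        findings.append(("autorun.inf in drive root", autorun))
    for name in os.listdir(root):
        top = os.path.join(root, name)
        if not os.path.isdir(top):
            continue
        if name.upper() == "RECYCLER":          # expected two-level layout
            sid_dirs = [os.path.join(top, d) for d in os.listdir(top)
                        if SID_DIR.match(d) and os.path.isdir(os.path.join(top, d))]
        elif GLUED_DIR.match(name):             # single-directory layout from the bug
            sid_dirs = [top]
        else:
            continue
        for d in sid_dirs:
            for f in os.listdir(d):
                if f.lower().endswith(".exe"):
                    findings.append(("executable in RECYCLER SID folder", os.path.join(d, f)))
    return findings


def build_sample(layout):
    """Constructed sample drive root: 'normal', 'bug' (glued name) or 'clean'."""
    root = tempfile.mkdtemp(prefix="drive_")
    if layout == "clean":
        return root
    sid = "S-1-6-21-1257894210-1075856346-012573477-2315"   # name used in the report
    sep = os.sep if layout == "normal" else ""              # "" reproduces the bug
    target = os.path.join(root, "RECYCLER" + sep + sid)
    os.makedirs(target)
    open(os.path.join(target, "folderopen.exe"), "wb").close()   # empty stand-in, not the worm
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\n")                                 # constructed placeholder
    return root
```

On a live drive, also confirm that the hidden and system attributes are set on the flagged paths, as the report describes, before treating the finding as an infection.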
Payload
Backdoor Functionality
Slenfbot attempts to connect to a particular IRC server via a particular TCP port. The channel and port number differ according to variant. It joins a channel and waits for commands. Using this backdoor, an attacker can perform the following actions on an affected machine:
- remove itself
- join another IRC channel
- download and execute arbitrary files
- spread via MSN Messenger
- send arbitrary files via MSN Messenger
When the attacker orders the worm to send an arbitrary file via MSN Messenger, they must provide all of the parameters used when spreading via Messenger, plus a fourth:
- A URL for a file to download. The worm places this file in the ZIP archive, which it sends to MSN Messenger contacts, in place of itself.
Modifies Hosts File
Slenfbot replaces <system folder>\drivers\etc\hosts with a file that contains the following:
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample LMHOSTS file used by the Microsoft TCP/IP for Windows.
#
This text is followed by 90 blank lines, presumably to make the file appear empty on casual inspection. After the blank lines it writes entries that direct a long list of anti-virus and security related domains to localhost (127.0.0.1).
Deletes Files
When first executed, Slenfbot runs the following commands:
CMD /C del /F /S /Q *.zip
CMD /C del /F /S /Q *.com
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com
These commands delete files named *.zip and *.com in the current directory and in the user's "Received Files" directory, the location where Windows Messenger stores downloaded files by default. The intention is evidently to delete the original copy of the worm that was received via Messenger.
Modifies System Settings
Slenfbot deletes the following registry keys (and any subkeys and values they contain), which prevents Windows from starting in Safe Mode:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network
It also makes the following registry modifications:
Sets value: "Disabletaskmgr"
With data: "1"
Under key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "DisableSR"
With data: "1"
Under key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
Sets value: "DisableConfig"
With data: "1"
Under key: HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
Sets value: "Disableregistrytools"
With data: "1"
Under key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "NoClose"
With data: "1"
Under key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
Sets value: "Start"
With data: "4"
Under key: HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
(A Start value of 4 marks the service as disabled; wscsvc is the Windows Security Center service.)
Terminates Processes
Slenfbot may terminate the following processes on an affected machine:
Uses Stealth
Slenfbot is also capable of hiding its process from Task Manager.
Additional Information
Slenfbot variants create a mutex that also differs according to variant. For example, Worm:Win32/Slenfbot.A creates the mutex "I3.1".
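As an added example for the "Modifies Hosts File" section above (not code from the original analysis), this Python checker parses a hosts file and flags the padding-plus-sinkholing pattern described there; the vendor substring list, the threshold for the blank-line run and the sample hosts contents are constructed for the demonstration.

```python
# Hypothetical checker (not from the original report). It parses a hosts file
# and flags the pattern described under "Modifies Hosts File": a stock-looking
# comment header, a long run of blank lines, then security-vendor hostnames
# mapped to 127.0.0.1. VENDOR_HINTS is a short constructed sample of substrings
# from that list, not the complete list, so it is a heuristic lead, not proof.
VENDOR_HINTS = ("symantec", "mcafee", "kaspersky", "avast", "avg", "grisoft",
                "f-secure", "trendmicro", "sophos", "virustotal", "bleepingcomputer")
SINKHOLE_IPS = {"127.0.0.1", "::1", "0.0.0.0"}
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Yield (ip, hostname) for every active mapping; comments are stripped."""
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2:
            for host in parts[1:]:
                yield parts[0], host.lower()


def audit_hosts(text):
    """Return a dict summarising signs of Slenfbot-style hosts tampering."""
    longest = run = 0                      # longest run of consecutive blank lines
    for line in text.splitlines():
        run = run + 1 if not line.strip() else 0
        longest = max(longest, run)
    sinkholed = [host for ip, host in parse_hosts(text)
                 if ip in SINKHOLE_IPS and host not in LOCAL_NAMES]
    vendors = [h for h in sinkholed if any(v in h for v in VENDOR_HINTS)]
    return {
        "blank_run": longest,
        "sinkholed": sinkholed,
        "vendor_sinkholed": vendors,
        # 20+ blank lines of padding is odd enough to look at; the report saw 90
        "suspicious": longest >= 20 or bool(vendors),
    }


# Constructed sample in the shape the report describes: header, padding, entries.
SAMPLE_HOSTS = ("# Copyright (c) 1993-1999 Microsoft Corp.\n"
                "#\n"
                "# This is a sample LMHOSTS file used by the Microsoft TCP/IP for Windows.\n"
                "#\n"
                + "\n" * 90 +
                "127.0.0.1 liveupdate.symantec.com\n"
                "127.0.0.1 download.mcafee.com\n"
                "127.0.0.1 www.virustotal.com\n")
```

Any non-localhost name mapped to a sinkhole address is worth reviewing even when it matches no vendor hint, since the worm's list also covers forums and online scanners.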
Analysis by Hamish O'Dea
Last update 27 March 2009