
Worm:Win32/Mybandok.A


First posted on 07 March 2009.
Source: SecurityHome

Aliases :

Worm:Win32/Mybandok.A is also known as Win32/Naigord.A (CA), Trojan-Downloader.Win32.Injecter.qa (Kaspersky), BackDoor-CEP (McAfee), Bck/Bandok.BT (Panda), Mal/Basine-C (Sophos), W32/Saros@mm (Symantec), Backdoor.Bandok.GT (VirusBuster), VirTool:Win32/DelfInject.gen!I (other).

Explanation :

Worm:Win32/Mybandok.A is a worm that spreads via e-mail. It has backdoor functionalities and attempts to download files from certain Web sites.

Symptoms
System Changes
The following system changes may indicate the presence of this malware:

  • The presence of the following file:
    <system folder>\ali.exe
  • The presence of the following registry modifications:
    Added value: "andk"
    With data: "<system folder>\ali.exe"
    To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    Added value: "*andk"
    With data: "<system folder>\ali.exe"
    To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce


Installation
Upon execution, Worm:Win32/Mybandok.A drops the following files:
  • <system folder>\ali.exe - copy of this worm
  • %temp%\message - garbage file that this worm opens in Notepad when it is run

Note - <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; for XP and Vista it is C:\Windows\System32.

It then modifies the system registry so that its dropped copy runs every time Windows starts:
  • Adds value: "andk"
    With data: "<system folder>\ali.exe"
    To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • Adds value: "*andk"
    With data: "<system folder>\ali.exe"
    To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

It also creates the following registry entries as part of its installation routine:
  • Adds value: "remove"
    With data: "an"
    To subkey: HKCU\Software\Microsoft
  • Adds value: "ofk"
    With data: "1"
    Adds value: "bnhide"
    With data: "1724|ali.exe|andk|443|x|"
    To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion

It creates the following mutexes:
  • sexage2007
  • onepointthreefour
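A host-side triage check for the persistence entries listed above, added here as an example and not code from the original analysis: it parses a .reg export of the Run, RunOnce and CurrentVersion keys and reports any value named andk, *andk or bnhide whose data references ali.exe. The sample export is constructed, not a capture from an infected machine.

```python
import re

# Persistence values documented for Worm:Win32/Mybandok.A:
# (value name, subkey suffix the value lives under). The hive prefix is ignored.
INDICATORS = [
    ("andk",   r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("*andk",  r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("bnhide", r"Software\Microsoft\Windows\CurrentVersion"),
]
# ali.exe as a path component, or as a field of the pipe-delimited bnhide data.
ALI_EXE = re.compile(r"(^|[\\|])ali\.exe", re.IGNORECASE)
REG_VALUE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"')

def _unescape(s):
    # .reg exports double backslashes and escape quotes inside strings.
    return s.replace("\\\\", "\\").replace('\\"', '"')

def parse_reg_export(text):
    """Parse [KEY] / "name"="data" lines of a .reg export into
    {subkey: {value_name: data}}. Only REG_SZ string values are kept."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = REG_VALUE.match(line)
            if m:
                keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys

def find_mybandok_persistence(reg_text):
    """Return (subkey, value name, data) for every documented value found."""
    hits = []
    for subkey, values in parse_reg_export(reg_text).items():
        for name, suffix in INDICATORS:
            if (subkey.lower().endswith(suffix.lower()) and name in values
                    and ALI_EXE.search(values[name])):
                hits.append((subkey, name, values[name]))
    return hits

# Constructed sample export (not a real capture) mirroring the page's entries.
SAMPLE_REG = r'''[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Benign"="C:\\Program Files\\App\\app.exe"
"andk"="C:\\Windows\\System32\\ali.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"*andk"="C:\\Windows\\System32\\ali.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion]
"bnhide"="1724|ali.exe|andk|443|x|"
'''
```

Calling `find_mybandok_persistence(SAMPLE_REG)` returns the three documented entries and skips the benign Run value.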
Spreads Via...
E-mail Messages
Worm:Win32/Mybandok.A spreads by attaching a copy of itself to e-mail messages that it sends out. It looks for e-mail addresses in files with the following extensions:
  • adb
  • asp
  • aspx
  • dbx
  • htm
  • html
  • php
  • pl
  • sht
  • tbb
  • txt
  • wab

It avoids sending e-mails to addresses containing the following strings in the user field:
  • accoun
  • admin
  • anyone
  • bsd
  • bugs
  • ca
  • certific
  • contact
  • feste
  • gold-certs
  • help
  • icrosoft
  • info
  • linux
  • listserv
  • me
  • no
  • nobody
  • noone
  • not
  • nothing
  • ntivi
  • page
  • postmaster
  • privacy
  • rating
  • root
  • samples
  • security
  • service
  • site
  • soft
  • somebody
  • someone
  • submit
  • support
  • the.bat
  • unix
  • webmaster
  • you
  • your

It also avoids sending e-mails to addresses containing the following strings in the domain field:
  • .gov
  • .mil
  • acd-group
  • acdnet.com
  • acdsystems.com
  • acketst
  • alcatel-lucent.com
  • apache
  • arin.
  • avp
  • berkeley
  • bluewin.ch
  • borlan
  • bpsoft.com
  • bsd
  • buyrar.com
  • debian
  • example
  • fido
  • firefox
  • fsf.
  • ghisler.com
  • gimp
  • gnu
  • gov.
  • honey
  • iana
  • ibm.com
  • icrosof
  • idefense
  • ietf
  • inpris
  • isc.o
  • isi.e
  • jgsoft
  • kernel
  • lavasoft
  • linux
  • math
  • messagelabs
  • mit.e
  • mozilla
  • msn.
  • mydomai
  • nodomai
  • panda
  • pgp
  • qualys
  • quebecor.com
  • redhat
  • rfc-ed
  • ruslis
  • secur
  • secure
  • security
  • sendmail
  • slashdot
  • sopho
  • sourceforge
  • sun.com
  • support
  • suse
  • syma
  • tanford.e
  • unix
  • usenet
  • utgers.ed
  • wireshark

The attachment containing the worm copy is usually named 'postcard.zip'. The executable inside the archive has one of the following file names:
  • postcard.bat
  • postcard.exe
  • postcard.pif
  • postcard.scr
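A mail-gateway screening check based on the attachment names above, added here as an example and not part of the original analysis: it flags an attachment named postcard.zip and inspects any zip payload for the four documented member names. The functions and the test archive are constructed; the file names are the only indicator used, so a variant using other names would pass this check.

```python
import io
import zipfile

# Attachment names documented for Worm:Win32/Mybandok.A mail-borne copies.
ARCHIVE_NAME = "postcard.zip"
PAYLOAD_NAMES = {"postcard.bat", "postcard.exe", "postcard.pif", "postcard.scr"}

def inspect_attachment(filename, data):
    """Return the reasons this attachment matches the Mybandok spreading
    pattern; an empty list means no match. Checks the outer file name and,
    when the bytes are a zip archive, every member's base name
    (case-insensitively, ignoring any directory inside the archive)."""
    reasons = []
    if filename.lower() == ARCHIVE_NAME:
        reasons.append("outer archive named %s" % ARCHIVE_NAME)
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = [m.filename.rsplit("/", 1)[-1].lower() for m in zf.infolist()]
    except zipfile.BadZipFile:
        return reasons  # not a zip archive: only the outer-name check applies
    for member in members:
        if member in PAYLOAD_NAMES:
            reasons.append("archive member %s" % member)
    return reasons

def make_zip(members):
    """Build an in-memory zip from {name: bytes} (constructed test input,
    not a real sample); used to exercise inspect_attachment offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

if __name__ == "__main__":
    suspect = make_zip({"Postcard.SCR": b"placeholder, not an executable"})
    print(inspect_attachment("postcard.zip", suspect))
    print(inspect_attachment("holiday.zip", make_zip({"photo.jpg": b"\xff\xd8"})))
```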

Payload
Backdoor Functionality
Worm:Win32/Mybandok.A is capable of performing backdoor routines depending on commands from a remote attacker. Some of the actions it is capable of doing are the following:
  • List/start/stop system services, processes, and modules
  • Spawn a remote shell
  • Log keystrokes/clipboard data
  • Search and upload files
  • Start an HTTP/FTP server
  • Get system registry/device/hardware information

It runs a hidden copy of Internet Explorer and injects code into it to connect to the following Web sites, possibly to listen for remote commands and send information to:
  • qualys.serveblog.net
  • qualys.thruhere.net
  • qualysguard.org

Downloads Files
Worm:Win32/Mybandok.A checks Internet connectivity by connecting to 'google.com'. It tries to download the following files from certain Web sites:
  • sex.com/hookdll.dll - saved as '%windir%\hookpl.dll'
  • love.com/ban.php - saved as '<system drive>\xxx.html'


Analysis by Jireh Sanico

Last update 07 March 2009