Upon execution, this memory-resident malware copies itself to the Windows System folder using one of the following filenames, most of which closely resemble legitimate Windows system files (for example, an uppercase I standing in for the lowercase l of lsass.exe and spoolsv.exe):
- Isass.exe
- lssas.exe
- spooIsv.exe
- winamp.exe
- algs.exe
- csrs.exe
- iexplore.exe
It also adds a file in the Application Data folder:
- %AppData%\bcrypt.html
%AppData% refers to the file system directory Application Data. Its common folder path is C:\Documents and Settings\[UserName]\Application Data.
It creates a registry entry so that it runs automatically at every startup. The entry is one of the following:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- Local Security Authority Service = %System%\Isass.exe
- Local Security Authority Service = %System%\lssas.exe
- Spooler SubSystem App = %System%\spooIsv.exe
- Winamp Agent = %System%\winamp.exe
- Application Layer Gateway Service = %System%\algs.exe
- Client Server Runtime Process = %System%\csrs.exe
- Microsoft Internet Explorer = %System%\iexplore.exe
%System% refers to the Windows System folder. It can be C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP) by default.
It also adds these registry entries:
[HKCU\Software\bcrypt]
- null
[HKCU\Software\bcrypt]
- i = 0x000007D9
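The file and Run-key artifacts above can be checked for with a simple lookalike test. The script below is an added example, not code from the original write-up: it folds visually confusable characters (uppercase I for lowercase l, and so on), measures single-edit distance against the legitimate System-folder binaries the malware imitates, and flags names such as iexplore.exe that do not belong in %System% at all. The legitimate-name sets, the confusable-character table and the sample Run-key values are constructed assumptions for the demonstration.

```python
import ntpath
from typing import Dict, Optional

# Added example (not from the original write-up). Flags file paths and
# Run-key values whose basenames imitate legitimate Windows binaries.
# All lists and sample data below are constructed for the demonstration.

# Legitimate binaries that live in %System% and are imitated here (assumed set).
SYSTEM_BINARIES = {"lsass.exe", "spoolsv.exe", "alg.exe", "csrss.exe"}

# Binaries whose legitimate copies do NOT live in %System% (assumed set).
NOT_IN_SYSTEM = {"iexplore.exe", "winamp.exe"}

# Characters that are visually confusable in common UI fonts (assumed table).
HOMOGLYPHS = str.maketrans({"I": "l", "1": "l", "0": "o", "O": "o"})


def normalize(name: str) -> str:
    """Fold visually confusable characters, then lower-case the name."""
    return name.translate(HOMOGLYPHS).lower()


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap adjacent chars."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            # Transposition of two adjacent characters (e.g. "lssas" -> "lsass")
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(path: str) -> Optional[str]:
    """Return a reason string if the path looks like an impostor binary, else None."""
    directory, name = ntpath.split(path)
    lowered = name.lower()
    # %System% expands to ...\System or ...\System32 depending on Windows version.
    in_system = directory.lower().endswith(("\\system32", "\\system"))
    if lowered in SYSTEM_BINARIES:
        return None  # exact legitimate name; integrity of the real file is a separate check
    folded = normalize(name)
    if folded in SYSTEM_BINARIES:
        return f"homoglyph of {folded}"
    for legit in sorted(SYSTEM_BINARIES):
        if osa_distance(lowered, legit) == 1:
            return f"one edit away from {legit}"
    if lowered in NOT_IN_SYSTEM and in_system:
        return f"{lowered} is not expected in the System folder"
    return None


def scan_run_values(values: Dict[str, str]) -> Dict[str, str]:
    """Map each suspicious Run-key value name to the reason it was flagged."""
    findings = {}
    for value_name, path in values.items():
        reason = classify(path)
        if reason is not None:
            findings[value_name] = reason
    return findings


# Constructed sample of HKLM\...\Run values, with %System% already expanded.
SAMPLE_RUN_VALUES = {
    "Local Security Authority Service": r"C:\Windows\System32\Isass.exe",
    "Spooler SubSystem App": r"C:\Windows\System32\spooIsv.exe",
    "Microsoft Internet Explorer": r"C:\Windows\System32\iexplore.exe",
    "Real Internet Explorer": r"C:\Program Files\Internet Explorer\iexplore.exe",
}

if __name__ == "__main__":
    for value_name, reason in scan_run_values(SAMPLE_RUN_VALUES).items():
        print(f"{value_name!r}: {reason}")
```

The homoglyph fold catches Isass.exe and spooIsv.exe, the single-edit test catches lssas.exe, algs.exe and csrs.exe, and the location rule catches iexplore.exe and winamp.exe under %System%; a genuine csrss.exe or an iexplore.exe under Program Files is left alone. On a live host the same classify() would be applied to the basename of each Run value and to a directory listing of %System%.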
This malware compromises the system by scanning for open ports and connecting to an unspecified IRC server, which allows remote access. The commands it can receive from remote users include the following:
- Download and upload files
- Sniff network packets
- Gather login information and cached passwords, specifically for Flash FXP, Internet Explorer, MSN, and Outlook Express
- Gather network information such as:
  - hostname
  - type
  - IPv6
  - latency
  - firewall
  - speed
- Gather the following system information:
  - CPU speed
  - Free disk space
  - Free memory
  - Computer name
  - User
It can propagate by copying itself to shared network drives, using its built-in list of weak user names and passwords, and by exploiting known Windows vulnerabilities.
It also checks for the presence of processes from its list of processes of interest:
- Visual C++ 6
- UnrealIRCD
- Steam
- World Of Warcraft
- Conquer Online