Backdoor.IRCBot.AAWX

Alias: Exploit.Win32.MS06040!IK, Win32/IRCBot.worm.variant, Backdoor/Win32.IRCBot, W32/Threat-HLLIYE!Eldorado, Backdoor.IRCBot.idc, Win32/IRCBot.KU, Exploit.Win32.MS06040, Exploit:Win32/MS06040.gen, Win32/Hatob.E, W32/Smalltroj.MTNE, Backdoor/W32.IRCBot.140430
Length: 140,430 bytes
Date of appearance/update: March 2009
Category: Backdoor
Virus database: v10.102.24


Incidence: Medium
More information:

After activation, the malware copies itself into the Windows Fonts folder as unwise_.exe (C:\WINDOWS\Fonts\unwise_.exe in the registry trace below), starts the copy as a new process, hands control to it and deletes the original file. The copy creates a separate worker thread, registers itself as an exception in the Windows Firewall (see the AuthorizedApplications entries below), and then tries to reach one of the following IRC command-and-control servers on TCP port 3308:

  • ns.yumetairiku.co.jp
  • virtual-mgsf.nebula.fi
  • dell.aurius.sk
  • cx10man.weedns.com
  • fx010413.whyI.org
  • gynoman.weedns.com
  • c010x1.co.cc
  • commgr.co.cc
  • g.0x20.biz
  • telephone.dd.blueline.be
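
To turn the indicators above into a detection, here is an added example (not part of the original description) that sweeps DNS and connection logs for the C2 host names and the TCP 3308 channel, and matches file hashes against the sample. The two space-separated log formats, the IP addresses and the log lines are constructed for illustration; the host names, port and hashes are the ones given on this page.

```python
"""Sweep constructed DNS and connection logs for the network indicators of
Backdoor.IRCBot.AAWX: the C2 host names, TCP port 3308 and the sample hashes.

Added example, not code from the original description. The log formats and
IP addresses below are constructed; the indicators come from the text.
"""
from dataclasses import dataclass
from typing import Iterable

# Indicators from the description above (host names lower-cased, duplicates dropped).
C2_HOSTS = {
    "ns.yumetairiku.co.jp", "virtual-mgsf.nebula.fi", "dell.aurius.sk",
    "cx10man.weedns.com", "fx010413.whyi.org", "gynoman.weedns.com",
    "c010x1.co.cc", "commgr.co.cc", "g.0x20.biz", "telephone.dd.blueline.be",
}
C2_PORT = 3308
SAMPLE_HASHES = {
    "70ec5c4b3ff662232eacb0192fae42ac",          # MD5 of the sample
    "043dc9a684ca86060d481eeb4819ad58e252a876",  # SHA-1 of the sample
}


@dataclass
class Hit:
    line_no: int
    confidence: str  # "high": a listed C2 name is involved; "low": port only
    reason: str


def normalise_host(name: str) -> str:
    """DNS names are case-insensitive and logs often keep the trailing dot."""
    return name.rstrip(".").lower()


def sweep_dns(lines: Iterable[str]) -> list[Hit]:
    """Constructed format: '<timestamp> <client_ip> query <qname>'."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 4 or parts[2] != "query":
            continue
        qname = normalise_host(parts[3])
        if qname in C2_HOSTS:
            hits.append(Hit(n, "high", f"DNS lookup of C2 host {qname}"))
    return hits


def sweep_conn(lines: Iterable[str], resolved: dict[str, str]) -> list[Hit]:
    """Constructed format: '<timestamp> <src_ip> -> <dst_ip>:<dst_port>'.

    `resolved` maps destination IPs to the name the client resolved them from
    (from the DNS log or passive DNS). Port 3308 to an unknown IP is still
    reported at low confidence, because the name list in a bot's configuration
    changes between variants while the port tends to stay fixed.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 4 or parts[2] != "->":
            continue
        dst_ip, _, dst_port = parts[3].rpartition(":")
        if not dst_port.isdigit() or int(dst_port) != C2_PORT:
            continue
        name = normalise_host(resolved.get(dst_ip, ""))
        if name in C2_HOSTS:
            hits.append(Hit(n, "high", f"TCP/{C2_PORT} to {dst_ip} ({name})"))
        else:
            hits.append(Hit(n, "low", f"TCP/{C2_PORT} to {dst_ip} (no listed C2 name)"))
    return hits


def is_known_sample(digest: str) -> bool:
    """Compare an MD5 or SHA-1 hex digest against the published sample hashes."""
    return digest.strip().lower() in SAMPLE_HASHES


# Constructed sample logs; the second DNS line deliberately varies case and
# keeps the trailing dot to show why normalisation is needed.
DNS_LOG = [
    "2009-03-12T10:01:02 10.0.0.7 query www.example.com.",
    "2009-03-12T10:01:05 10.0.0.7 query FX010413.WHYI.ORG.",
    "2009-03-12T10:01:09 10.0.0.7 query cx10man.weedns.com",
]
CONN_LOG = [
    "2009-03-12T10:01:06 10.0.0.7 -> 203.0.113.5:3308",
    "2009-03-12T10:01:07 10.0.0.7 -> 203.0.113.9:80",
    "2009-03-12T10:01:10 10.0.0.7 -> 198.51.100.20:3308",
]
RESOLVED = {"203.0.113.5": "fx010413.whyI.org."}  # constructed passive-DNS record


def run() -> tuple[list[Hit], list[Hit]]:
    return sweep_dns(DNS_LOG), sweep_conn(CONN_LOG, RESOLVED)


if __name__ == "__main__":
    dns_hits, conn_hits = run()
    for hit in dns_hits + conn_hits:
        print(f"line {hit.line_no}: [{hit.confidence}] {hit.reason}")
```

The DNS match is the strong signal; the connection sweep is there because a host that already resolved a C2 name will keep talking to the IP, and because an unexplained outbound TCP/3308 session deserves a look even when the name is not on this list.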

The malware spreads by exploiting the buffer overflow in the Microsoft Windows Server service fixed by MS06-040 (KB921883, CVE-2006-3439); an unpatched host is compromised over the network without any user action.

It targets the following platforms:

  • Windows 2000 SP4
  • Windows XP SP0 - SP2
  • Windows 2003 SP0 - SP1

MD5 checksum value of the file: 70EC5C4B3FF662232EACB0192FAE42AC
SHA-1 checksum value of the file: 043DC9A684CA86060D481EEB4819AD58E252A876
Packer: unknown

While running, it performs the following registry operations (captured with a registry monitor). A path followed by a hex access mask is a key being opened, with the mask showing the access requested: 0x20019 = KEY_READ, 0x20006 = KEY_WRITE, 0x2001F = KEY_READ | KEY_WRITE, 0xF003F = KEY_ALL_ACCESS, 0x2000000 = MAXIMUM_ALLOWED, 0x2 = KEY_SET_VALUE. Any other right-hand side is data written to the named value. The entries that matter for detection and clean-up are: the "Windows Hosts Controller" service whose ImagePath is unwise_.exe (persistence); EnableFirewall=0x0 in both firewall profiles together with the AuthorizedApplications exceptions for unwise_.exe; the Security Center Override and DisableNotify values, which hide the disabled firewall and antivirus from the user; SFCDisable=0xFFFFFF9D and SFCScan=0x0 (Windows File Protection switched off); DoNotAllowXPSP2=0x1 (blocks installation of XP SP2); EnableDCOM=N; MRT\DontReportInfectionInformation=0x1; AllowUserRawAccess=0x1 and DisableRawSecurity=0x1 (raw sockets); and the TCP/IP tuning (MaxUserPort, TcpTimedWaitDelay, TcpNumConnections, window sizes) that raises the number of simultaneous outbound connections, as expected of a bot that scans for new victims:

HKLM\System\CurrentControlSet\Services\Windows Hosts Controller\ImagePath="C:\WINDOWS\Fonts\unwise_.exe"
HKLM\SOFTWARE\Microsoft\Cryptography\RNG=0x2
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed=DA 57 54 C0 FC FB C8 30 ...
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings=0x2001F
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders=0x2000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders=0x2000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache=C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Directory=C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Paths=0x4
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path1\CachePath=C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path2\CachePath=C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path3\CachePath=C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path4\CachePath=C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path1\CacheLimit=0x5FDA
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path2\CacheLimit=0x5FDA
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path3\CacheLimit=0x5FDA
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path4\CacheLimit=0x5FDA
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders=0x2000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders=0x2000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies=C:\Documents and Settings\LocalService\Cookies
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders=0x2000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders=0x2000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\History=C:\Documents and Settings\LocalService\Local Settings\History
HKCR=0x2000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass=0x1
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName=0x1
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet=0x1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters=0x20019
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders=0x2000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders=0x2000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Fonts=C:\WINDOWS\Fonts
HKLM\SOFTWARE\Microsoft\Cryptography\RNG=0x2
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed=E2 8E 87 98 81 48 5D 0E ...
HKLM\SOFTWARE\Microsoft\Cryptography\RNG=0x2
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed=78 78 90 44 D1 5F 91 98 ...
HKLM\SOFTWARE\Microsoft\Cryptography\RNG=0x2
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed=62 35 32 FE F4 60 2A 01 ...
HKLM\SOFTWARE\Microsoft\Cryptography\RNG=0x2
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed=94 92 E5 C1 D7 A1 1A DB ...
HKLM\SOFTWARE\Microsoft\Cryptography\RNG=0x2
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed=4E 73 91 E6 A2 C3 EB 47 ...
HKLM\SOFTWARE\Microsoft\Cryptography\RNG=0x2
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed=19 56 57 64 AC E3 1B C6 ...
HKLM\SOFTWARE\Microsoft\Cryptography\RNG=0x2
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed=1B BF 2D 80 91 57 2D 19 ...
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\msgone=
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions=0x20006
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\intime=09/28/2009, 12:35 AM
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions=0x20006
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\reup=0x39
HKLM\SYSTEM\CurrentControlSet\Control=0x20006
HKLM\SYSTEM\CurrentControlSet\Control\WaitToKillServiceT=5000
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters=0x20006
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\MaxUserPort=0xFFFE
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters=0x20006
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpTimedWaitDelay=0x1E
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters=0x20006
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\StrictTimeWaitSeqCheck=0x1
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters=0x20006
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Tcp1323Opts=0x1
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters=0x20006
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\GlobalMaxTcpWindowSize=0x3EBC0
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters=0x20006
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpWindowSize=0x3EBC0
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters=0x20006
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery=0x1
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters=0x20006
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUBHDetect=0x0
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters=0x20006
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SackOpts=0x1
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters=0x20006
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DefaultTTL=0x40
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters=0x20006
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxDupAcks=0x2
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters=0x20006
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\LargeBufferSize=0xC8000
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters=0x20006
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\AllowUserRawAccess=0x1
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters=0x20006
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpNumConnections=0xFFFFFE
HKLM\SYSTEM\CurrentControlSet\Services\Afd\Parameters=0x20006
HKLM\SYSTEM\CurrentControlSet\Services\Afd\Parameters\DisableRawSecurity=0x1
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings=0x20006
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPer1_0Server=0xFFFE
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings=0x20006
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPerServer=0xFFFE
HKLM\SYSTEM\CurrentControlSet\Control\Lsa=0x20006
HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters=0x20006
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous=0x1
HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SizReqBuf=0x4000
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate=0x20006
HKLM\Software\Policies\Microsoft\Windows NT\Windows File Protection=0x20006
HKLM\Software\Policies\Microsoft\Windows NT\Windows File Protection\SFCDisable=0xFFFFFF9D
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotAllowXPSP2=0x1
HKLM\Software\Policies\Microsoft\Windows NT\Windows File Protection=0x20006
HKLM\Software\Microsoft\OLE=0x20006
HKLM\Software\Policies\Microsoft\Windows NT\Windows File Protection\SFCScan=0x0
HKLM\Software\Microsoft\OLE\EnableDCOM=N
HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters=0x20006
HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareServer=0x1
HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters=0x20006
HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareWks=0x1
HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters=0x20006
HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\TransportBindName=\Device\
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile=0x20006
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall=0x0
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile=0x20006
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions=0x0
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile=0x20006
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications=0x1
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile=0x20006
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall=0x0
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile=0x20006
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions=0x0
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile=0x20006
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications=0x1
HKLM\SOFTWARE\Microsoft\Security Center=0x20006
HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify=0x1
HKLM\SOFTWARE\Microsoft\Security Center=0x20006
HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusOverride=0x1
HKLM\SOFTWARE\Microsoft\Security Center=0x20006
HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify=0x1
HKLM\SOFTWARE\Microsoft\Security Center=0x20006
HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride=0x1
HKLM\SOFTWARE\Policies\Microsoft\MRT=0x20006
HKLM\SOFTWARE\Policies\Microsoft\MRT\DontReportInfectionInformation=0x1
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\unwise_.exe=unwise_.exe:*:Enabled:SYSTEM
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\unwise_.exe=unwise_.exe:*:Enabled:SYSTEM
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters=0x20006
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpNumConnections=0xFFFFFE
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters=0x20019
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer=0x2000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo=0x2000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\00000000000003e7=0x1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters=0x20019
HKLM\Software\Microsoft\Tracing=0xF003F
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C=0x2000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\BaseClass=Drive
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D=0x2000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D\BaseClass=Drive
HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections=0x1
HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings=0x20006
HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable=0x0
HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyServer=
HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyOverride=
HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\AutoConfigURL=
HKCC\Software\Microsoft\windows\CurrentVersion\Internet Settings=0x2
HKCC\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable=0x0
HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections=0x1
HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections=0x2
HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings=3C 00 00 00 05 00 00 00 ...
HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\WINDOWS\system32\netsh.exe=Network Command Shell
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\00000000000003e7=0x1
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\Fonts\unwise_.exe=C:\WINDOWS\Fonts\unwise_.exe:*:Enabled:workstation
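
Reading a trace like this by hand is error-prone, so here is an added example (not part of the original description) that parses lines of the form path=value, decodes the access masks on key-open lines, and flags the writes that reverse the host's security posture. It assumes, as this trace does, that a right-hand side equal to a well-known access mask denotes a key open; a bare 0x1 is ambiguous (KEY_QUERY_VALUE on a key open versus a DWORD 1 written to a value such as ZoneMap\ProxyBypass) and is treated as a value write. The rules and the excerpt they run over are taken from the entries listed above; the finding labels are mine.

```python
"""Parse and triage a registry-monitor trace in '<key path>=<value>' form.

Added example, not code from the original description. Assumption about the
tool that produced the trace: a right-hand side that is a well-known access
mask is a key-open event; anything else is data written to the named value.
"""
import re
from dataclasses import dataclass

# Access-mask constants from winnt.h / winreg.h.
COMPOSITE = [(0xF003F, "KEY_ALL_ACCESS"), (0x20019, "KEY_READ"), (0x20006, "KEY_WRITE")]
FLAGS = [
    (0x2000000, "MAXIMUM_ALLOWED"), (0x80000, "WRITE_OWNER"), (0x40000, "WRITE_DAC"),
    (0x20000, "READ_CONTROL"), (0x10000, "DELETE"), (0x20, "KEY_CREATE_LINK"),
    (0x10, "KEY_NOTIFY"), (0x8, "KEY_ENUMERATE_SUB_KEYS"), (0x4, "KEY_CREATE_SUB_KEY"),
    (0x2, "KEY_SET_VALUE"), (0x1, "KEY_QUERY_VALUE"),
]
# Masks that on their own mark a line as a key open (0x1 deliberately excluded: ambiguous).
OPEN_MASKS = {0xF003F, 0x20019, 0x20006, 0x2001F, 0x2000000, 0x2}


def decode_access(mask: int) -> str:
    """Render a mask as names, preferring the composite rights (KEY_READ, ...)."""
    names, covered = [], 0
    for value, name in COMPOSITE:
        if mask & value == value and value & ~covered:
            names.append(name)
            covered |= value
    for value, name in FLAGS:
        if mask & value and not covered & value:
            names.append(name)
            covered |= value
    return "|".join(names) or hex(mask)


@dataclass
class Event:
    path: str
    kind: str   # "open" or "write"
    value: str  # decoded access mask for opens, raw data for writes


def parse_trace(lines):
    events = []
    for line in lines:
        if "=" not in line:
            continue
        path, _, value = line.partition("=")  # key paths never contain '='
        value = value.strip()
        m = re.fullmatch(r"0x([0-9A-Fa-f]+)", value)
        if m and int(m.group(1), 16) in OPEN_MASKS:
            events.append(Event(path, "open", decode_access(int(m.group(1), 16))))
        else:
            events.append(Event(path, "write", value))
    return events


# (path regex, value regex or None, finding); each rule corresponds to a write in the trace above.
RULES = [
    (r"\\Services\\[^\\]+\\ImagePath$", r".*\\Fonts\\.*", "persistence: service ImagePath points into the Fonts folder"),
    (r"\\FirewallPolicy\\\w+Profile\\EnableFirewall$", r"0x0", "defence evasion: Windows Firewall disabled"),
    (r"\\AuthorizedApplications\\List\\", None, "defence evasion: Windows Firewall exception added"),
    (r"\\Security Center\\(AntiVirus|Firewall)(Override|DisableNotify)$", r"0x1", "defence evasion: Security Center alerting suppressed"),
    (r"\\Windows File Protection\\SFCDisable$", None, "defence evasion: Windows File Protection disabled"),
    (r"\\WindowsUpdate\\DoNotAllowXPSP2$", r"0x1", "defence evasion: Windows XP SP2 installation blocked"),
    (r"\\OLE\\EnableDCOM$", r"N", "hardening change: DCOM disabled"),
    (r"\\(Tcpip\\Parameters\\AllowUserRawAccess|Afd\\Parameters\\DisableRawSecurity)$", r"0x1", "capability: raw-socket restrictions lifted"),
    (r"\\MRT\\DontReportInfectionInformation$", r"0x1", "defence evasion: MRT infection reporting disabled"),
]


def firewall_exception(value: str):
    """Split the XP SP2 firewall list format '<path>:<scope>:<Enabled|Disabled>:<name>'.
    The path itself may contain ':' (drive letter), so split from the right."""
    parts = value.rsplit(":", 3)
    if len(parts) != 4:
        return None
    return dict(zip(("path", "scope", "state", "name"), parts))


def triage(lines):
    """Return (finding, key path, detail) for every write that matches a rule."""
    findings = []
    for ev in parse_trace(lines):
        if ev.kind != "write":
            continue
        for path_re, value_re, finding in RULES:
            if re.search(path_re, ev.path, re.IGNORECASE) and (
                value_re is None or re.fullmatch(value_re, ev.value)
            ):
                detail = ev.value
                if "AuthorizedApplications" in ev.path:
                    exc = firewall_exception(ev.value)
                    detail = f"{exc['path']} scope={exc['scope']} {exc['state']}" if exc else "(empty)"
                findings.append((finding, ev.path, detail))
                break
    return findings


# Excerpt of the trace above (cleaned), embedded so the block runs offline.
SAMPLE_TRACE = [
    r'HKLM\System\CurrentControlSet\Services\Windows Hosts Controller\ImagePath="C:\WINDOWS\Fonts\unwise_.exe"',
    r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters=0x20006",
    r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\AllowUserRawAccess=0x1",
    r"HKLM\Software\Policies\Microsoft\Windows NT\Windows File Protection\SFCDisable=0xFFFFFF9D",
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotAllowXPSP2=0x1",
    r"HKLM\Software\Microsoft\OLE\EnableDCOM=N",
    r"HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall=0x0",
    r"HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusOverride=0x1",
    r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\Fonts\unwise_.exe=C:\WINDOWS\Fonts\unwise_.exe:*:Enabled:workstation",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass=0x1",
    r"HKLM\System\CurrentControlSet\Services\Tcpip\Parameters=0x20019",
]

if __name__ == "__main__":
    for ev in parse_trace(SAMPLE_TRACE):
        print(f"{ev.kind:5} {ev.path} -> {ev.value}")
    for finding, path, detail in triage(SAMPLE_TRACE):
        print(f"FLAG {finding}: {path} = {detail}")
```

Run over the full trace above, the same rules pick out every entry named in the introduction to the registry section; the opens (KEY_WRITE on Tcpip\Parameters, KEY_READ afterwards) are kept as events so the order of operations stays visible, but only writes produce findings.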