Backdoor.VanBot.MH

Length: 71,680 bytes
Date of appearance/update: November 2008
Category: Backdoor
Virus database: Virus database v10.90.27


Incidence: High
More information:

Upon execution, this memory-resident malware copies itself into the Windows System folder under one of the following names, which are chosen to resemble legitimate Windows system file names:

  • Isass.exe
  • lssas.exe
  • winIogon.exe
  • logon.exe
  • spooIsv.exe
  • spoolsvc.exe
  • firewall.exe
  • explorer.exe
  • iexplore.exe

It creates a registry entry that will ensure its automatic execution upon every start-up:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

using any of these values:

  • Local Security Authority Service = %System%\Isass.exe
  • Local Security Authority Service = %System%\lssas.exe
  • Windows Logon Application = %System%\winIogon.exe
  • Windows Logon Application = %System%\logon.exe
  • Spooler SubSystem App = %System%\spooIsv.exe
  • Spooler SubSystem App = %System%\spoolsvc.exe
  • Windows Network Firewall = %System%\firewall.exe
  • Windows Explorer = %System%\explorer.exe
  • Microsoft Internet Explorer = %System%\iexplore.exe

Above, %System% refers to the Windows System folder. It can be C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP) by default.
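The file names above mostly differ from genuine system binaries only by a swapped look-alike letter (capital I for lower-case l) or by being placed in a folder where the real binary does not live (explorer.exe belongs in %Windir%, iexplore.exe under Program Files). The following added example, which is not part of the original advisory, scans Run-key values in a constructed, simplified "name"="path" export and flags entries that match the names listed above, fold to a genuine System32 name under I/l/1 confusion, or put a well-known binary name in the System folder.

```python
import re

# Impostor file names listed in the advisory (all dropped into %System%).
VANBOT_NAMES = {
    "isass.exe", "lssas.exe", "winiogon.exe", "logon.exe", "spooisv.exe",
    "spoolsvc.exe", "firewall.exe", "explorer.exe", "iexplore.exe",
}
# Genuine binaries the impostors imitate: the first group really lives in
# System32; the second does not, so its presence in %System% is suspicious.
LEGIT_IN_SYSTEM = {"lsass.exe", "winlogon.exe", "spoolsv.exe"}
LEGIT_ELSEWHERE = {"explorer.exe", "iexplore.exe"}
SYSTEM_DIRS = ("\\system32\\", "\\system\\")

# Constructed sample input (not from a real host): Run values as "name"="path".
SAMPLE_RUN_VALUES = r'''
"Local Security Authority Service"="C:\Windows\System32\Isass.exe"
"Spooler SubSystem App"="C:\Windows\System32\spooIsv.exe"
"Windows Explorer"="C:\Windows\System32\explorer.exe"
"OneDrive"="C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
"Print Spooler"="C:\Windows\System32\spoolsv.exe"
'''

def fold_confusables(name: str) -> str:
    """Lower-case the name and map the l/I/1 look-alikes onto one letter."""
    return name.lower().replace("i", "l").replace("1", "l")

def suspicious_reasons(path: str) -> list:
    """Return the reasons a Run-value target looks like a VanBot-style impostor."""
    base = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    in_system = any(d in path.lower() for d in SYSTEM_DIRS)
    reasons = []
    if base in VANBOT_NAMES and base not in LEGIT_ELSEWHERE:
        reasons.append("file name listed in the advisory")
    for legit in LEGIT_IN_SYSTEM:
        if base != legit and fold_confusables(base) == fold_confusables(legit):
            reasons.append(f"look-alike of {legit}")
    if base in LEGIT_ELSEWHERE and in_system:
        reasons.append(f"{base} does not belong in the System folder")
    return reasons

def scan_run_values(text: str) -> list:
    """Parse "name"="path" lines and return (name, path, reasons) for each hit."""
    hits = []
    for m in re.finditer(r'^"([^"]+)"="([^"]+)"$', text, re.MULTILINE):
        reasons = suspicious_reasons(m.group(2))
        if reasons:
            hits.append((m.group(1), m.group(2), reasons))
    return hits
```

Running `scan_run_values(SAMPLE_RUN_VALUES)` flags the first three constructed entries and leaves the genuine spoolsv.exe and OneDrive entries alone.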

This malware compromises the system by scanning for open ports, connecting to an IRC server that is not specified in the sample, and giving remote users access to the machine. The commands it accepts from remote users include any of the following:

  • Download and upload files
  • Sniff network packets
  • Gather login information and cached passwords (specifically for Flash FXP, Internet Explorer, MSN and Outlook Express)

Gather network information such as:

  • hostname
  • type
  • IPv6
  • latency
  • firewall
  • speed

Gather the following system information:

  • Operating System
  • CPU speed
  • Free disk space
  • Free memory
  • Uptime
  • Computer name
  • User

It can propagate by copying itself to shared network drives, using a built-in list of weak user names and passwords, and by exploiting known Windows vulnerabilities.

It also checks whether any of the following processes of interest are running:

  • Visual C++ 6
  • UnrealIRCD
  • Steam
  • World Of Warcraft
  • Conquer Online