
SANS ISC: NT botnet submitted - SANS Internet Storm Center InfoSec Forums


NT botnet submitted
We received copies of malware that are being discussed in public forums; they appear to be (variants of) known botnets. Here's what Norman and virustotal.com had to say about them [sanitized]:

eraseme:

[ General information ]
   * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
   * Anti debug/emulation code present.
   * **Locates window "NULL [class mIRC]" on desktop.
   * File length:        86016 bytes.
   * MD5 hash: 5d8e6f1fc0d5b8e34947241d77c2311c.
[ Changes to filesystem ]
   * Creates file C:\WINDOWS\csrsc.exe.
   * Deletes file c:\sample.exe.
[ Changes to registry ]
   * Creates key "HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions".
   * Sets value "MeltMe"="c:\sample.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions".
   * Creates key "HKLM\System\CurrentControlSet\Services\npx".
   * Sets value "ImagePath"=""C:\WINDOWS\csrsc.exe"" in key "HKLM\System\CurrentControlSet\Services\npx".
   * Sets value "DisplayName"="Network Gateway Manager" in key "HKLM\System\CurrentControlSet\Services\npx".
   * Deletes value "MeltMe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions".
   * Sets value "Installed Time"="3/6/2006, 1:20 PM" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions".
   * Sets value "WaitToKillServiceTimeout"="7000" in key "HKLM\System\CurrentControlSet\Control".
[ Network services ]
   * Looks for an Internet connection.
   * Connects to "[deleted]" on port 1863 (TCP).
   * Sends data stream (30 bytes) to remote address "[deleted]", port 1863.
   * Connects to IRC Server.
[ Process/window information ]
   * Creates service "npx (Network Gateway Manager)" as ""C:\WINDOWS\csrsc.exe"".
   * Attempts to access service "npx".
   * Creates a mutex LOLFOB.
[ Signature Scanning ]
   * C:\WINDOWS\csrsc.exe (86016 bytes) : no signature detection.

Virustotal:
 AntiVir 6.35.1.11            08.31.2006 Worm/Sdbot.86016.43
 Authentium 4.93.8            08.30.2006 no virus found
 Avast 4.7.844.0              08.31.2006 no virus found
 AVG 386                      08.30.2006 IRC/BackDoor.SdBot2.HLZ
 BitDefender 7.2              08.31.2006 GenPack: Generic.Sdbot.4F0C4C47
 CAT-QuickHeal 8.00           08.30.2006 no virus found
 ClamAV devel-20060426        08.31.2006 no virus found
 DrWeb 4.33                   08.31.2006 Win32.HLLW.MyBot
 eTrust-InoculateIT 23.72.111 08.31.2006 no virus found
 eTrust-Vet 30.3.3052         08.31.2006 no virus found
 Ewido 4.0                    08.31.2006 Backdoor.SdBot.anp
 Fortinet 2.77.0.0            08.31.2006 W32/SDBot.AKI!worm
 F-Prot 3.16f                 08.30.2006 no virus found
 F-Prot4 4.2.1.29             08.31.2006 no virus found
 Ikarus 0.2.65.0              08.31.2006 no virus found
 Kaspersky 4.0.2.24           08.31.2006 Backdoor.Win32.SdBot.anp
 McAfee 4841                  08.30.2006 no virus found
 Microsoft 1.1560             08.31.2006 no virus found
 NOD32 v21.1733               08.31.2006 a variant of IRC/SdBot
 Norman 5.90.23               08.31.2006 W32/Malware
 Panda 9.0.0.4                08.30.2006 no virus found
 Sophos 4.09.0                08.31.2006 no virus found
 Symantec 8.0                 08.31.2006 W32.Spybot.Worm
... 

csrsc:

Norman:
[ General information ]
   * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
   * Anti debug/emulation code present.
   * **Locates window "NULL [class mIRC]" on desktop.
   * File length:        86016 bytes.
   * MD5 hash: 5d8e6f1fc0d5b8e34947241d77c2311c.

[ Changes to filesystem ]
   * Creates file C:\WINDOWS\csrsc.exe.
   * Deletes file c:\sample.exe.

[ Changes to registry ]
   * Creates key "HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions".
   * Sets value "MeltMe"="c:\sample.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions".
   * Creates key "HKLM\System\CurrentControlSet\Services\npx".
   * Sets value "ImagePath"=""C:\WINDOWS\csrsc.exe"" in key "HKLM\System\CurrentControlSet\Services\npx".
   * Sets value "DisplayName"="Network Gateway Manager" in key "HKLM\System\CurrentControlSet\Services\npx".
   * Deletes value "MeltMe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions".
   * Sets value "Installed Time"="3/6/2006, 1:20 PM" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions".
   * Sets value "WaitToKillServiceTimeout"="7000" in key "HKLM\System\CurrentControlSet\Control".
   * Modifies value "UpdatesDisableNotify"="^A" in key "HKLM\Software\Microsoft\Security Center".
   * Modifies value "AntiVirusDisableNotify"="^A" in key "HKLM\Software\Microsoft\Security Center".
   * Modifies value "FirewallDisableNotify"="^A" in key "HKLM\Software\Microsoft\Security Center".
   * Modifies value "AntiVirusOverride"="^A" in key "HKLM\Software\Microsoft\Security Center".
   * Modifies value "FirewallOverride"="^A" in key "HKLM\Software\Microsoft\Security Center".
   * Creates key "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update".
   * Sets value "AUOptions"="^A" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update".
   * Creates key "HKLM\System\CurrentControlSet\Services\wscsvc".
   * Sets value "Start"="^D" in key "HKLM\System\CurrentControlSet\Services\wscsvc".
   * Creates key "HKLM\System\CurrentControlSet\Services\TlntSvr".
   * Sets value "Start"="^D" in key "HKLM\System\CurrentControlSet\Services\TlntSvr".
   * Creates key "HKLM\System\CurrentControlSet\Services\RemoteRegistry".
   * Creates key "HKLM\System\CurrentControlSet\Services\Messenger".
   * Sets value "Start"="^D" in key "HKLM\System\CurrentControlSet\Services\Messenger".
   * Sets value "restrictanonymous"="^A" in key "HKLM\System\CurrentControlSet\Control\Lsa".
   * Creates key "HKLM\System\CurrentControlSet\Services\lanmanserver\parameters".
   * Sets value "AutoShareWks"="" in key "HKLM\System\CurrentControlSet\Services\lanmanserver\parameters".
   * Sets value "AutoShareServer"="" in key "HKLM\System\CurrentControlSet\Services\lanmanserver\parameters".
   * Creates key "HKLM\System\CurrentControlSet\Services\lanmanworkstation\parameters".
   * Sets value "AutoShareWks"="" in key "HKLM\System\CurrentControlSet\Services\lanmanworkstation\parameters".
   * Sets value "AutoShareServer"="" in key "HKLM\System\CurrentControlSet\Services\lanmanworkstation\parameters".
   * Creates key "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate".
   * Sets value "DoNotAllowXPSP2"="^A" in key "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate".
   * Creates key "HKLM\Software\Microsoft\OLE".
   * Sets value "EnableDCOM"="N" in key "HKLM\Software\Microsoft\OLE".
   * Sets value "Record"="??^N" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions".

[ Network services ]
   * Looks for an Internet connection.
   * Connects to "[DELETED]" on port 1863 (TCP).
   * Sends data stream (30 bytes) to remote address "[DELETED]" port 1863.
   * Connects to IRC Server.
   * IRC: Uses nickname [XP||N|677795].
   * IRC: Uses username XP88038.
   * Opens URL: http://[DELETED]/prxjdg.cgi.
   * Opens URL: http://[DELETED]/x/maxwell/cgi-bin/prxjdg.cgi.
   * Opens URL: http://[DELETED]/mute/c/prxjdg.cgi.
   * Opens URL: http://[DELETED]/tomocrus/cgi-bin/check/prxjdg.cgi.
   * Opens URL: http://[DELETED]/cgi-bin/proxy.cgi.
   * Opens URL: http://[DELETED]/little_w/prxjdg.cgi.
   * IRC: Sets the usermode for user [XP||N|677795] to .
   * IRC: Joins channel #NGEN with password [DELETED].

[ Process/window information ]
   * Creates service "npx (Network Gateway Manager)" as ""C:\WINDOWS\csrsc.exe"".
   * Attempts to access service "npx".
   * Creates a mutex LOLFOB.
   * Attempts to access service "Tlntsvr".
   * Attempts to access service "RemoteRegistry".
   * Attempts to access service "Messenger".
   * Attempts to access service "SharedAccess".
   * Attempts to access service "wscsvc".

[ Signature Scanning ]
   * C:\WINDOWS\csrsc.exe (86016 bytes) : no signature detection.


Virustotal:
 Authentium 4.93.8            08.30.2006 no virus found
 Avast 4.7.844.0              08.31.2006 no virus found
 AVG 386                      08.30.2006 IRC/BackDoor.SdBot2.HLZ
 BitDefender 7.2              08.31.2006 GenPack: Generic.Sdbot.4F0C4C47
 CAT-QuickHeal 8.00           08.30.2006 no virus found
 ClamAV devel-20060426        08.31.2006 no virus found
 DrWeb 4.33                   08.31.2006 Win32.HLLW.MyBot
 eTrust-InoculateIT 23.72.111 08.31.2006 no virus found
 eTrust-Vet 30.3.3052         08.31.2006 no virus found
 Ewido 4.0                    08.31.2006 Backdoor.SdBot.anp
 Fortinet 2.77.0.0            08.31.2006 W32/SDBot.AKI!worm
 F-Prot 3.16f                 08.30.2006 no virus found
 F-Prot4 4.2.1.29             08.31.2006 no virus found
 Ikarus 0.2.65.0              08.31.2006 no virus found
 Kaspersky 4.0.2.24           08.31.2006 Backdoor.Win32.SdBot.anp
 McAfee 4841                  08.30.2006 no virus found
 Microsoft 1.1560             08.31.2006 no virus found
 NOD32 v21.1733               08.31.2006 a variant of IRC/SdBot
 Norman 5.90.23               08.31.2006 W32/Malware
 Panda 9.0.0.4                08.30.2006 no virus found
 Sophos 4.09.0                08.31.2006 no virus found
 Symantec 8.0                 08.31.2006 W32.Spybot.Worm
 TheHacker 5.9.8.202          08.31.2006 no virus found
 UNA 1.83                     08.31.2006 no virus found
 VBA32 3.11.1                 08.30.2006 Win32.HLLW.MyBot
 VirusBuster 4.3.7:9          08.30.2006 no virus found

i.exe:

Virustotal:
 AntiVir 6.35.1.11            08.31.2006 Worm/Spybot.1093632
 Authentium 4.93.8            08.30.2006 no virus found
 Avast 4.7.844.0              08.31.2006 no virus found
 AVG 386                      08.30.2006 IRC/BackDoor.SdBot2.HLY
 BitDefender 7.2              08.31.2006 Win32.Worm.Tilebot.GM
 CAT-QuickHeal 8.00           08.30.2006 no virus found
 ClamAV devel-20060426        08.31.2006 no virus found
 DrWeb 4.33                   08.31.2006 Win32.HLLW.MyBot
 eTrust-InoculateIT 23.72.111 08.31.2006 Win32/SDBOT.AQJ!Worm
 eTrust-Vet 30.3.3052         08.31.2006 Win32/Petribot.XM
 Ewido 4.0                    08.31.2006 Backdoor.SdBot.aqj
 Fortinet 2.77.0.0            08.31.2006 W32/Tilebot.AQJ!worm
 F-Prot 3.16f                 08.30.2006 no virus found
 F-Prot4 4.2.1.29             08.31.2006 no virus found
 Ikarus 0.2.65.0              08.31.2006 Backdoor.Win32.SdBot.aqi
 Kaspersky 4.0.2.24           08.31.2006 Backdoor.Win32.SdBot.aqj
 McAfee 4841                  08.30.2006 W32/Spybot.worm.gen.p
 Microsoft 1.1560             08.31.2006 Backdoor:Win32/Rbot!02A6
 NOD32 v21.1733               08.31.2006 IRC/SdBot
 Norman 5.90.23               08.31.2006 W32/Spybot.AXGM
 Panda 9.0.0.4                08.30.2006 W32/Sdbot.IAZ.worm
 Sophos 4.09.0                08.31.2006 W32/Tilebot-GM
 Symantec 8.0                 08.31.2006 W32.Spybot.AKNO
 TheHacker 5.9.8.202          08.31.2006 no virus found
 UNA 1.83                     08.31.2006 Backdoor.SdBot.8
 VBA32 3.11.1                 08.30.2006 Win32.HLLW.MyBot
 VirusBuster 4.3.7:9          08.30.2006 no virus found

Reading up on what the antivirus community has written about these, they seem to attack through so many vectors that it's likely they affect poorly patched systems (and NT or any other legacy Windows version would make a prime target).

--
Swa Frantzen -- Section66.com
