VIRUS ALERTS

Win32_Graweg/IRC-Mocbot

Original issue date: August 14, 2006

It has been observed that a worm/backdoor that spreads by exploiting the recently disclosed Microsoft Windows vulnerability addressed in MS06-040 (described in CERT-In Vulnerability Note CIVN-2006-75) is circulating in the wild. It also propagates via network shares and AOL Instant Messenger. It opens an IRC backdoor on the compromised system and listens for commands from a remote attacker.

It is the second MOCBOT variant to use the MS06-040 vulnerability to spread. It uses the same IRC server hostnames for command and control as the earlier variant; the hostnames and IP addresses of the C&C servers are mostly located in China.

Aliases: WORM_IRCBOT.JK [Trend], WORM_IRCBOT.JL [Trend], IRC-Mocbot!MS06-040 [McAfee], W32.Wargbot [Symantec], IRCBOT-ST [F-Secure].

Upon execution

  • It drops a copy of itself into the Windows system folder as wgareg.exe (%System%\wgareg.exe).
  • It registers itself as a service named "Windows Genuine Advantage Registration Service" so that it is started at every system startup, by creating the registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wgareg
  • It disables the DCOM protocol by adding the value:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole EnableDCOM = "N"
  • It lowers the affected system's Security Center settings by creating the following registry entries:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
    FirewallDisableNotify = "dword:00000001"
    AntiVirusOverride = "dword:00000001"
    AntiVirusDisableNotify = "dword:00000001"
    FirewallDisableOverride = "dword:00000001"
  • This worm removes the administrative shares by adding the following values:

    AutoShareWks = "dword:00000000"
    AutoShareServer = "dword:00000000"

    under the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
  • It disables the system's firewall for both the domain and standard profiles by creating the registry values:

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile EnableFirewall = "dword:00000000"

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile EnableFirewall = "dword:00000000"
  • It disables Internet Connection Sharing and the Windows Firewall (the SharedAccess service) by modifying the following registry entry:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
    Start = "dword:00000004"
  • The worm opens random TCP ports to connect to the following hard-coded Internet Relay Chat (IRC) servers: bniu.househot.com:18067 and ypgw.wallloan.com:18067. Once a connection is established, it listens for commands from a remote attacker to carry out malicious activities such as:
    • perform a DDoS (Distributed Denial of Service) attack
    • update the backdoor's file from Internet
    • create a remote command shell
    • download / execute remote files
    • send commands to AIM (AOL Instant Messenger) window
    • spread to vulnerable computers using the MS06-040 exploit
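The registry changes listed above are the host-side indicators a responder can check for. The following script is an added example, not a CERT-In or vendor tool: it parses the text of a Windows registry export (`reg export` / .reg format) and reports which of the alert's indicators are present, so it runs offline against an export taken from a suspect machine. The .reg sample embedded in it is constructed for illustration and deliberately mixes indicator values with a benign SharedAccess setting.

```python
"""Check a Windows registry export (.reg text) for the host-side indicators
listed in the Win32/Graweg (IRC-Mocbot) alert.

Added example, not a CERT-In or vendor tool. It reads the text of a
`reg export` file so that it runs offline; the .reg sample below is
constructed for illustration and mixes hits with benign values."""

import re

# Keys and values are the ones listed in the alert.
SC = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"
LANMAN = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters"
WF = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall"

# (description, key, value name, expected data); value name None = key present.
INDICATORS = [
    ("wgareg service persistence", r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wgareg", None, None),
    ("DCOM disabled", r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole", "EnableDCOM", "N"),
    ("Security Center firewall notifications disabled", SC, "FirewallDisableNotify", 1),
    ("Security Center antivirus override", SC, "AntiVirusOverride", 1),
    ("Security Center antivirus notifications disabled", SC, "AntiVirusDisableNotify", 1),
    ("Security Center firewall override", SC, "FirewallDisableOverride", 1),
    ("administrative workstation shares removed", LANMAN, "AutoShareWks", 0),
    ("administrative server shares removed", LANMAN, "AutoShareServer", 0),
    ("domain profile firewall disabled by policy", WF + r"\DomainProfile", "EnableFirewall", 0),
    ("standard profile firewall disabled by policy", WF + r"\StandardProfile", "EnableFirewall", 0),
    ("SharedAccess (ICS/Windows Firewall) service disabled",
     r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess", "Start", 4),
]

VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg(text):
    """Parse .reg text into {key (lower-case): {value name (lower-case): data}}.
    String data is unquoted, dword data becomes an int; other types are kept raw."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if current is None or not m:
            continue
        name, data = m.group(1).lower(), m.group(2)
        if data.startswith('"') and data.endswith('"'):
            data = data[1:-1]
        elif data.startswith("dword:"):
            data = int(data[6:], 16)
        keys[current][name] = data
    return keys


def find_indicators(reg_text):
    """Return the descriptions of every indicator present in the export, in list order."""
    keys = parse_reg(reg_text)
    hits = []
    for desc, key, name, expected in INDICATORS:
        values = keys.get(key.lower())
        if values is None:
            continue
        if name is None or values.get(name.lower()) == expected:
            hits.append(desc)
    return hits


# Constructed sample export: five indicators present; SharedAccess is left at its
# normal automatic start value (2), so it is not reported.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wgareg]
"DisplayName"="Windows Genuine Advantage Registration Service"
"ImagePath"="C:\\WINDOWS\\system32\\wgareg.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000002
"""

if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_REG):
        print("indicator:", hit)
```

Run it against a real export with `find_indicators(open("export.reg", encoding="utf-16").read())` (reg export writes UTF-16). A hit on a single Security Center or firewall value is not proof of this worm on its own, since other tools set the same values; the wgareg service key together with the Security Center changes is the combination to look for.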

In view of the high damage potential of this worm/backdoor, users are advised to implement the following countermeasures:

  • Update Anti-Virus Signatures
  • Apply appropriate patches as mentioned in Microsoft Security Bulletin MS06-040
  • Block TCP ports 139 and 445 at the firewall.
  • Monitor outgoing traffic to port 18067/TCP of the command and control (C&C) servers:
    bniu.househot.com with IP addresses
    61.189.243.240, 202.121.199.200, 210.75.211.111, 211.154.135.30, 218.61.146.86, 58.81.137.157, 1.163.231.115
    ypgw.wallloan.com with IP addresses
    58.81.137.157, 61.163.231.115, 61.189.243.240, 202.121.199.200, 211.154.135.30, 218.61.146.86
  • Monitor outgoing traffic for scanning of other hosts on port 445/TCP, which indicates an infected machine looking for vulnerable systems.
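The two monitoring items above can be turned into a simple check over firewall or flow logs. The script below is an added example, not a CERT-In tool: it parses connection records, flags any outbound connection to 18067/TCP or to one of the listed C&C addresses, and reports internal hosts that connect to many distinct 445/TCP destinations. The log line format ("<time> <src> -> <dst>:<port> TCP"), the fan-out threshold of 10 destinations and the log lines themselves are constructed for the example; only the IP addresses and ports come from the alert.

```python
"""Flag outbound traffic matching the network indicators in the alert: connections
to the IRC C&C servers on 18067/TCP and hosts fanning out to many 445/TCP targets.

Added example, not a CERT-In tool. The log line format ("<time> <src> -> <dst>:<port> TCP")
and the fan-out threshold are assumed, and the log lines are constructed. Adapt
parse_line() to the firewall or flow log format actually in use."""

import re
from collections import defaultdict

CNC_PORT = 18067
# C&C addresses as published in the alert (the two host lists overlap).
CNC_IPS = {
    "61.189.243.240", "202.121.199.200", "210.75.211.111", "211.154.135.30",
    "218.61.146.86", "58.81.137.157", "1.163.231.115", "61.163.231.115",
}
SMB_PORT = 445
SCAN_THRESHOLD = 10  # assumed: distinct 445/TCP destinations from one source

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) TCP$")


def parse_line(line):
    """Return (timestamp, src, dst, dport) or None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, dport = m.groups()
    return ts, src, dst, int(dport)


def analyse(lines):
    """Return (cnc_hits, scanners).

    cnc_hits: (ts, src, dst, dport) for every connection to 18067/TCP or to a listed
    C&C address on any port (a changed port should not hide a known server).
    scanners: {src: distinct 445/TCP destinations} for sources at or over SCAN_THRESHOLD."""
    cnc_hits = []
    smb_targets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, dport = rec
        if dport == CNC_PORT or dst in CNC_IPS:
            cnc_hits.append(rec)
        elif dport == SMB_PORT:
            smb_targets[src].add(dst)
    scanners = {s: len(t) for s, t in smb_targets.items() if len(t) >= SCAN_THRESHOLD}
    return cnc_hits, scanners


# Constructed sample: normal web traffic, two C&C connections, one connection to an
# unlisted address on 18067/TCP, a normal file-server user, and one host sweeping 445/TCP.
SAMPLE_LOG = [
    "2006-08-14T10:00:01 192.168.1.20 -> 203.0.113.10:80 TCP",
    "2006-08-14T10:00:02 192.168.1.20 -> 61.189.243.240:18067 TCP",
    "2006-08-14T10:00:05 192.168.1.31 -> 58.81.137.157:18067 TCP",
    "2006-08-14T10:00:06 192.168.1.31 -> 198.51.100.7:18067 TCP",
    "2006-08-14T10:00:07 192.168.1.40 -> 192.168.1.5:445 TCP",
    "2006-08-14T10:00:08 192.168.1.40 -> 192.168.1.6:445 TCP",
    "garbage line that does not parse",
] + [f"2006-08-14T10:00:{10 + i:02d} 192.168.1.20 -> 192.168.1.{100 + i}:445 TCP"
     for i in range(12)]

if __name__ == "__main__":
    hits, scanners = analyse(SAMPLE_LOG)
    for h in hits:
        print("C&C traffic:", h)
    for src, n in scanners.items():
        print(f"445/TCP sweep: {src} -> {n} hosts")
```

The port-or-address rule is deliberate: matching on the destination address catches a server that moves to another port, and matching on 18067/TCP catches a server whose address has changed since the alert. The 445/TCP fan-out count is the part most likely to need tuning, since file servers and management hosts legitimately reach many SMB endpoints; the sample keeps the ordinary user (two destinations) below the threshold.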

Common Malware Enumeration (CME) ID: CME-762, CME-482

References

http://www.microsoft.com/technet/security/Bulletin/MS06-040.mspx
http://www.microsoft.com/technet/security/advisory/922437.mspx
http://blogs.technet.com/msrc/archive/2006/08/11/446078.aspx
http://www.symantec.com/security_response/writeup.jsp?docid=2006-081312-3302-99&tabid=1
http://www.f-secure.com/v-descs/ircbot_st.shtml
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_IRCBOT.JK
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_IRCBOT.JL
http://vil.nai.com/vil/Content/v_140394.htm
http://www.isc.sans.org/diary.php?storyid=1597
http://news.com.com/Microsoft+on+worm+watch/2100-1002_3-6104825.html?tag=nefd.top

Disclaimer

The information provided herein is on an "as is" basis, without warranty of any kind.

Contact Information

Phone: +91 11-24368572

Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003