Slenfbot Worm
Original issue date: October 21, 2008
Worm:Win32/Slenfbot is a family of worms that spread via instant messaging and via any mounted drives.
The worm attempts to propagate through the MSN Messenger instant messaging client. It connects to a remote server that holds a list of lure messages, such as:
Are you serious...is this really you?
Can I add this picture of you to Facebook.com?!?
Can I add this picture of you to my new album?
can I put this picture of you in my new album?
Can I show my friends this picture of you???
Can I throw this picture of you on Facebook.com?!?
Can I upload this picture of you to my profile?
Can you tag me in this picture on Facebook?
Check this picture out I just took for Facebook!!
Could I have really had sex with them?
Could I throw this picture of you in my album?
Could this really be real?
Damn I could barely walk when someone took this pic!
Damn I really shouldn't have gotten this drunk.
damn party was crazy, I think I had sex with this person!
dang, this person really looks like you!
The worm then sends one of these messages to the contacts in the affected user's MSN Messenger buddy list, along with a .ZIP attachment that it downloads and saves in the %Temp% folder. To entice recipients into executing the attachment, the executable inside it is disguised as a photo or picture file.
It also spreads via drives, dropping a copy of itself together with an "autorun.inf" file on every available mounted drive.
It also has backdoor functionality: it communicates with a remote attacker and can install additional malware.
Slenfbot also:
- hides its process from most task managers.
- injects code into the Explorer process to "lock" its file, preventing deletion, and to relaunch itself if its process is terminated.
- overwrites the system hosts file to block access to a wide range of domains, from anti-virus update sites to www.majorgeeks.com and www.virustotal.com.
- sets policies that disable Task Manager, registry tools and similar utilities.
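The hosts-file override described above is simple to check for on a suspect machine. The following Python script is an added example written for this advisory, not code from CERT-In or from any of the referenced vendors. It parses a hosts file and reports every name that has been pointed at the loopback or null address, tagging entries that match an assumed watchlist (SECURITY_MARKERS) built from the domains and vendor names that appear on this page; the embedded hosts file is constructed, not a real capture, and on a live Windows host the file to read is %SystemRoot%\System32\drivers\etc\hosts.

```python
"""Find hosts-file entries that sinkhole security-related domains to the local host.

Added example; not from the CERT-In advisory or any vendor's tool. SAMPLE_HOSTS is a
constructed hosts file resembling an infected machine. SECURITY_MARKERS is an assumed
watchlist drawn from the domains and vendors named in the advisory.
"""
import ipaddress

# Names that legitimately map to loopback in a stock hosts file.
LEGIT_LOOPBACK = {"localhost", "localhost.localdomain", "broadcasthost"}
# Substrings marking a hostname as AV/update/security related (assumed list; extend as needed).
SECURITY_MARKERS = ("virustotal", "majorgeeks", "antivirus", "symantec", "kaspersky",
                    "mcafee", "avira", "sophos", "pandasecurity", "windowsupdate", "microsoft")


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for each mapping; comments and malformed lines are skipped."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address, so not a mapping line
        for host in fields[1:]:
            yield ip, host.lower(), line_no


def find_hijacks(text):
    """Return entries that point a hostname at loopback (127/8, ::1) or the null address 0.0.0.0.

    Every such entry is reported, not only watchlisted names, because the worm's block
    list is open-ended; the security_related flag just prioritises the review.
    """
    findings = []
    for ip, host, line_no in parse_hosts(text):
        if host in LEGIT_LOOPBACK or not (ip.is_loopback or ip.is_unspecified):
            continue
        findings.append({
            "line": line_no,
            "host": host,
            "ip": str(ip),
            "security_related": any(marker in host for marker in SECURITY_MARKERS),
        })
    return findings


# Constructed sample: a stock header, then the kind of entries the worm appends.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.   (constructed sample, not a real capture)
127.0.0.1       localhost
::1             localhost
127.0.0.1 www.virustotal.com
127.0.0.1 www.majorgeeks.com
127.0.0.1 liveupdate.symantec.com  # vendor update site
0.0.0.0   www.antivirus.com
127.0.0.1 www.example.net
10.0.0.5  intranet.corp.local
"""

if __name__ == "__main__":
    for f in find_hijacks(SAMPLE_HOSTS):
        tag = "SECURITY" if f["security_related"] else "other"
        print(f"line {f['line']:>3}: {f['host']} -> {f['ip']} [{tag}]")
```

A clean default Windows hosts file produces no findings from this check; anything it does report should be compared against the list of domains the worm is known to block before the file is restored from a known-good copy.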
Aliases:
W32/Slenfbot.C.worm (Panda), Backdoor.Win32.IRCBot.blf (Kaspersky), Generic.dx (McAfee), W32.IRCBot (Symantec), TR/Crypt.XPACK.Gen (Avira), Mal/IRCBot-B (Sophos).
Upon execution, the worm:
- Copies itself to the %System% directory under one of the following names (which vary by variant) and sets the read-only, hidden and system attributes on the file:
- msmgslive.exe
- msnapplet.exe
- msnclimgr.exe
- msnfileshare.exe
- msngnlive.exe
- msnhostin.exe
- msnlive.exe
- msnmessengerlive.exe
- msnupdsv.exe
- safemode.exe
- windowsmsnlive.exe
- winlivemsnmessenger.exe
- Downloads a .ZIP file and saves it in the %Temp% directory. The filename contains one of the strings "foto", "picture" or "image", and the archive usually holds another Slenfbot variant disguised as a photo to entice the user into executing it. Commonly used filenames include:
- DVC-Foto004.JPEG_www.facebook
- Image08.JPEGwww.photobucket.com
- mifoto017jajaja.JPEG_www.myspace
- NewestPicture0012.JPEGwww.imageshack
- NewImage005.JPG_www.facebook.scr
- Picturea024.JPG_www.myspace.com
- Modifies the registry:
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value: "MS Host"
Data: "<name of the dropped executable>"
- HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
Value: "DisableConfig"
Data: "1"
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Value: "DisableRegistryTools"
Data: "1"
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Value: "NoClose"
Data: "1"
- HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Value: "Start"
Data: "4" (disables the Security Center service)
- Deletes the following registry keys, which hold the driver and service lists for Safe Mode, so the machine can no longer be booted into Safe Mode for cleanup:
- HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
- HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network
- Executes the following commands:
- CMD /C del /F /S /Q *.zip
- CMD /C del /F /S /Q *.com
- CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Received Files\*.zip"
- CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Received Files\*.com"
These delete every *.zip and *.com file below the current directory and below the user's "My Received Files" directory, the location where Windows Messenger stores received files by default.
- Spreads via removable drives:
- Creates the directory RECYCLER\S-1-6-21-1257894210-1075856346-012573477-2315 on the drive and copies itself there under a name such as "folderopen.exe", then writes an autorun.inf file to the root of the drive so that the worm is launched when, for example, the drive is connected to another machine.
- Attempts an HTTP connection to a remote server at one of the following locations:
- 62.90.134.[removed]
- 143.248.135.[removed]
- www dot turn[removed] dot net (66.96.130.[removed])
- mil[removed].net (69.89.21.[removed])
- 76.130.96.66.static.[removed]box.net
- file.here[removed].info (64.191.63.[removed]:80)
- www.turn[removed].net (66.96.130.[removed]:80)
- ksn.a450.wrs[removed].com (62.90.134.[removed]:80)
- two[removed].com (69.89.22.[removed])
- Creates or modifies the following registry entries to prevent the user from disabling or removing the malicious file:
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\DisableSR = dword:0000000
- HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableConfig = dword:00000001
- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = dword:00000001
- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = dword:00000001
- Overwrites the hosts file (<system folder>\drivers\etc\hosts) to direct anti-virus and security-related domains to the local host, for example:
127.0.0.1 www.antivirus.com (makes www.antivirus.com resolve to the local host, effectively denying access to it)
- May terminate security and anti-virus software processes on the affected machine.
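The removable-drive component relies on Explorer honouring the launch directives in autorun.inf. The Python script below is an added example, not code from the CERT-In advisory or the referenced vendors; it parses an autorun.inf the way a triage script would and reports which keys would run a program, flagging targets that live in a SID-named RECYCLER directory as described above. Both autorun.inf texts are constructed: one mirrors the layout the advisory describes (using the directory name and file name from this page), the other is an ordinary driver-CD autorun that only sets an icon and a label.

```python
"""Parse an autorun.inf and report the launch directives typical of removable-drive worms.

Added example; it is not code from the CERT-In advisory or the referenced vendors. Both
autorun.inf texts below are constructed: MALICIOUS_INF mirrors the layout the advisory
describes (a copy named folderopen.exe under RECYCLER\\S-1-...), BENIGN_INF is a plain
driver-CD autorun that only sets an icon and a label.
"""
import re

# A SID-named subfolder under RECYCLER. Genuine recycle-bin folders are named after account
# SIDs, which begin S-1-5-21; the S-1-6-21 name given in the advisory does not follow that pattern.
SID_DIR_RE = re.compile(r"RECYCLER\\S-1-\d+(?:-\d+)+", re.IGNORECASE)
EXECUTABLE_RE = re.compile(r"\.(exe|scr|com|pif|bat|cmd)\b", re.IGNORECASE)
# Keys through which Explorer runs a program on insertion, AutoPlay or double-click.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")


def parse_autorun(text):
    """Return {section: {key: value}}; sections and keys are lower-cased, values kept verbatim."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def assess_autorun(text):
    """Return a list of reasons the file looks like a dropper; an empty list means nothing launches."""
    reasons = []
    autorun = parse_autorun(text).get("autorun", {})
    for key in LAUNCH_KEYS:
        target = autorun.get(key)
        if not target:
            continue
        if SID_DIR_RE.search(target):
            reasons.append(f"{key} launches from a SID-named RECYCLER directory: {target}")
        elif EXECUTABLE_RE.search(target):
            reasons.append(f"{key} launches an executable: {target}")
    action = autorun.get("action", "")
    # The worm's lure text makes the AutoPlay prompt read like Explorer's own "open folder" option.
    if "open folder" in action.lower() and any(k in autorun for k in LAUNCH_KEYS):
        reasons.append(f"action text imitates Explorer's own prompt: {action!r}")
    return reasons


# Constructed sample in the shape the advisory describes (directory and file names from the page).
MALICIOUS_INF = r"""[autorun]
open=RECYCLER\S-1-6-21-1257894210-1075856346-012573477-2315\folderopen.exe
icon=%SystemRoot%\system32\shell32.dll,4
action=Open folder to view files
shell\open\command=RECYCLER\S-1-6-21-1257894210-1075856346-012573477-2315\folderopen.exe
shellexecute=RECYCLER\S-1-6-21-1257894210-1075856346-012573477-2315\folderopen.exe
"""

# Constructed benign sample: icon and label only, nothing is executed.
BENIGN_INF = """[autorun]
icon=setup.exe,0
label=Printer driver CD
"""

if __name__ == "__main__":
    for name, inf in (("malicious", MALICIOUS_INF), ("benign", BENIGN_INF)):
        verdict = assess_autorun(inf)
        print(f"{name}: {'clean' if not verdict else ''}")
        for reason in verdict:
            print("  -", reason)
```

With AutoRun disabled for removable drives none of these directives fire on insertion, but the file and the RECYCLER copy are still worth removing before the drive is used elsewhere.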
In view of the rapid propagation of Slenfbot variants, users are advised to implement the following countermeasures:
- Terminate the worm's process and delete executables with the names listed above. Because the worm injects into Explorer, disables Task Manager and deletes the SafeBoot keys (so Safe Mode may not be available), cleaning may have to be done from a clean boot medium or with the drive mounted on a known-good machine.
- Remove the registry entries made by the worm as listed above, restore the SafeBoot\Minimal and SafeBoot\Network keys from a clean system running the same Windows version, and restore the hosts file to its default contents.
- Disable AutoRun for removable drives, and check any drive that was attached to an infected machine for an autorun.inf in its root and a RECYCLER\S-1-... directory.
- Install and maintain updated anti-virus software at gateway and desktop level.
- Keep up-to-date patches and fixes on the operating system.
- Install and maintain a desktop firewall and block the ports which are not required.
- Use caution with attachments and file transfers.
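Checking the registry entries listed in this advisory by hand is error-prone, so the following Python script is offered as an added example (not code from CERT-In or from the referenced vendors). It reads the text of a `reg export` dump, which is what an analyst can take from a mounted offline hive or from the live machine, and reports the lockout policies, the disabled Security Center service, the "MS Host" Run entry and the missing SafeBoot keys. The embedded dump is constructed to look like an infected host; the value names and the dropped-file names are the ones listed above, and the script only understands dword and plain string values.

```python
"""Audit a `reg export` dump for the lockout and persistence settings listed in the advisory.

Added example; not part of the CERT-In advisory and not a vendor tool. Input is the text of a
.reg file (reg export writes UTF-16LE, so use open(path, encoding="utf-16")). SAMPLE_EXPORT is a
constructed dump shaped like an infected host. Only dword and plain string values are parsed.
"""
import re

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:"([^"]*)"|@)=(.*)$')


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} with key paths and value names lower-cased."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line) if current else None
        if not m:
            continue  # file header, hex continuation line, or a value type not handled here
        name, data = (m.group(1) or "").lower(), m.group(2)  # "" is the default value (@)
        if data.lower().startswith("dword:"):
            keys[current][name] = int(data[6:], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            keys[current][name] = data[1:-1].replace("\\\\", "\\")  # .reg doubles backslashes
    return keys


HKLM, HKCU = "hkey_local_machine\\", "hkey_current_user\\"
POLICIES_SYSTEM = HKCU + "software\\microsoft\\windows\\currentversion\\policies\\system"
# (key, value name, meaning); dword 1 means the restriction is active.
LOCKOUT_POLICIES = [
    (POLICIES_SYSTEM, "disabletaskmgr", "Task Manager disabled"),
    (POLICIES_SYSTEM, "disableregistrytools", "Registry Editor disabled"),
    (HKLM + "software\\microsoft\\windows\\currentversion\\policies\\explorer", "noclose",
     "Shut Down removed from the Start menu"),
    (HKLM + "software\\policies\\microsoft\\windows nt\\systemrestore", "disableconfig",
     "System Restore configuration blocked"),
]
RUN_KEY = HKLM + "software\\microsoft\\windows\\currentversion\\run"
WSCSVC_KEY = HKLM + "system\\currentcontrolset\\services\\wscsvc"
SAFEBOOT_KEY = HKLM + "system\\currentcontrolset\\control\\safeboot"
# File names the advisory lists for the %System% copy.
DROPPED_NAMES = {"msmgslive.exe", "msnapplet.exe", "msnclimgr.exe", "msnfileshare.exe",
                 "msngnlive.exe", "msnhostin.exe", "msnlive.exe", "msnmessengerlive.exe",
                 "msnupdsv.exe", "safemode.exe", "windowsmsnlive.exe", "winlivemsnmessenger.exe"}


def audit(keys):
    """Return human-readable findings; an empty list means none of the listed settings were seen."""
    findings = []
    for key, name, meaning in LOCKOUT_POLICIES:
        if keys.get(key, {}).get(name) == 1:
            findings.append(f"{meaning} ({name} = 1)")
    if keys.get(WSCSVC_KEY, {}).get("start") == 4:
        findings.append("Security Center service wscsvc disabled (Start = 4)")
    for name, data in keys.get(RUN_KEY, {}).items():
        if isinstance(data, str) and (name == "ms host" or data.split("\\")[-1].lower() in DROPPED_NAMES):
            findings.append(f"Run entry '{name}' starts {data}")
    if SAFEBOOT_KEY in keys:  # the export covered SafeBoot, so its driver lists must be present
        for sub in ("minimal", "network"):
            prefix = f"{SAFEBOOT_KEY}\\{sub}"
            if not any(k == prefix or k.startswith(prefix + "\\") for k in keys):
                findings.append(f"SafeBoot\\{sub} key missing: Safe Mode cannot boot")
    return findings


# Constructed dump shaped like an infected host; SafeBoot has lost its Minimal and Network subkeys.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MS Host"="C:\\WINDOWS\\system32\\msnlive.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableConfig"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoClose"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="cmd.exe"
"""

if __name__ == "__main__":
    for finding in audit(parse_reg_export(SAMPLE_EXPORT)):
        print(finding)
```

The SafeBoot check only fires when the export actually contains the SafeBoot parent key, so export HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot explicitly; an export of a narrower subtree would otherwise report the keys as missing when they were simply out of scope.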
References
http://www.microsoft.com/security/portal/Entry.aspx?Name=Win32%2fSlenfbot
http://blogs.technet.com/mmpc/archive/2008/09/17/win32-slenfbot-just-another-irc-bot.aspx
http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fSlenfbot.LN
http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fSlenfbot.OM
http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?IdVirus=200775
http://www.threatexpert.com/report.aspx?uid=ce4bc979-7923-4147-b4c1-fea56165b387
http://www.ca.com/de/securityadvisor/virusinfo/virus.aspx?id=7338
Disclaimer
The information provided herein is on an "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003