Backdoor.IRCBot.Dorkbot.A

Spreading: medium
Damage: medium
Size: ~ 118Kb
Discovered: 2011 May 15

SYMPTOMS:

  • Extra HTTP traffic;
  • Presence of a hidden file in the folder. The name of the file is random.
  • Presence of a "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\<file name>" value.

TECHNICAL DESCRIPTION:

1. Spreading methods:

The malware has two ways of spreading: via instant messaging (MSN, Pidgin, Xchat) or via USB devices.

2. General information:

Once the malware is executed, it copies itself into the folder. The copy is hidden and has a random name.

3. Implementation details:

The malicious file has multiple layers of encrypted data. It decrypts a number of string structures. Each such structure contains the encrypted string, the length of the string and a hash (CRC32) computed over the decrypted string.

The encrypted strings are: a mutex name (1LSJuVlZPsaJ3FWT), the RC4 decryption key for pipe data (d80a89c7), the IRC channels (main, s0, r, f, p0), commands (http.int, http.inj, msn.int, msn.set, stats, speed, logins, slow, ssyn, udp), IRC servers (webingenial.com, haztuwebsite.com, sunelectronix.com, quiboxs.com) and the login password (ngrbot).

After decrypting a string with RC4, it computes the CRC32 of the result. If the hash does not match the stored one, it writes 0x7E00 bytes at the beginning of "\\.\PHYSICALDRIVE0", overwriting the boot sector, which causes a Windows crash.
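The record format just described, as an added analyst-side example (not code from the report): it RC4-decrypts one string record and checks the stored CRC32, refusing on a mismatch instead of doing anything destructive. The field order and widths (u32 length, u32 CRC32, then ciphertext) are assumed, since the report does not state them; the key and mutex name are the ones quoted above.

```python
import struct
import zlib

# Values quoted in the report: the RC4 key used for pipe data and the mutex name.
RC4_KEY = b"d80a89c7"
MUTEX_NAME = b"1LSJuVlZPsaJ3FWT"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encrypting and decrypting are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_string_record(plaintext: bytes, key: bytes = RC4_KEY) -> bytes:
    """Build one record in the ASSUMED layout (the report gives no field order):
    <u32 LE plaintext length><u32 LE crc32(plaintext)><RC4 ciphertext>."""
    crc = zlib.crc32(plaintext) & 0xFFFFFFFF
    return struct.pack("<II", len(plaintext), crc) + rc4(key, plaintext)


def decode_string_record(record: bytes, key: bytes = RC4_KEY) -> bytes:
    """Decrypt one record and verify its CRC32.

    Where the bot reacts to a mismatch by overwriting the start of PHYSICALDRIVE0,
    an analyst tool must simply refuse: raise ValueError and touch nothing."""
    if len(record) < 8:
        raise ValueError("record too short for the header")
    length, expected_crc = struct.unpack_from("<II", record, 0)
    ciphertext = record[8:8 + length]
    if len(ciphertext) != length:
        raise ValueError("record truncated")
    plaintext = rc4(key, ciphertext)
    actual_crc = zlib.crc32(plaintext) & 0xFFFFFFFF
    if actual_crc != expected_crc:
        raise ValueError(
            f"crc32 mismatch {actual_crc:08x} != {expected_crc:08x}: wrong key or patched sample")
    return plaintext


def verify_string_record(record: bytes, key: bytes = RC4_KEY) -> bool:
    """True if the record decrypts under `key` to data matching its stored CRC32."""
    try:
        decode_string_record(record, key)
        return True
    except ValueError:
        return False


def decode_record_table(blob: bytes, key: bytes = RC4_KEY) -> list:
    """Walk a blob of back-to-back records (same assumed layout) and decode each one."""
    out = []
    offset = 0
    while offset + 8 <= len(blob):
        length = struct.unpack_from("<I", blob, offset)[0]
        record = blob[offset:offset + 8 + length]
        out.append(decode_string_record(record, key))
        offset += 8 + length
    return out
```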

It then checks whether the file runs from a USB device by calling:

    DeviceIoControl(hDevice,
                    IOCTL_STORAGE_QUERY_PROPERTY,
                    struct_STORAGE_PROPERTY_QUERY,
                    sizeBufIn,
                    struct_STORAGE_DEVICE_DESCRIPTOR, ...)

From the output buffer it retrieves the bus type and checks whether it is BusTypeUSB.

If the file runs from a USB drive, it calls ShellExecuteA(0, "OPEN", drive_path, SW_SHOW), which opens the drive folder.

It creates a mutex whose name is one of the decrypted strings.

It resolves its imports from ntdll.dll by hand: it reads the PEB, walks the InMemoryOrderModuleList doubly-linked list of LIST_ENTRY structures (each entry is part of an LDR_DATA_TABLE_ENTRY) and reads the FullDllName and DllBase members until it finds "ntdll.dll". From that module base it obtains the addresses of the following functions: "RtlAnsiStringToUnicodeString", "LdrGetDllHandle", "NtQueryInformationThread", "LdrLoadDll", "NtQueryVirtualMemory", "LdrGetProcedureAddress", "NtQueryInformationProcess", "LdrEnumerateLoadedModules", "NtQuerySystemInformation", "NtAllocateVirtualMemory", "NtFreeVirtualMemory".

It checks that it is running on an x86 system.

It generates the CRC32 table.

It injects itself into all running processes.

It uses a named pipe to receive commands and send results.

It also uses a memory-mapped file (map view) to synchronise the communication between the pipe and the IRC server. In this map it stores states that can be either "on" or "off". The states are "pdef", "ffgrab", "iegrab", "ftpgrab", "popgrab", "bdns" and "usbi"; they are flags for particular commands. The states are set or reset by a separate thread which I will present later on.

It hooks a series of functions: "NtEnumerateValueKey", "NtQueryDirectoryFile", "CopyFileA", "CopyFileW", "DeleteFileA", "DeleteFileW", "MoveFileA", "MoveFileW", "CreateFileA", "CreateFileW", "send", "GetAddrInfoW", "HttpSendRequestA", "HttpSendRequestW", "InternetWriteFile", "DnsQuery_A", "DnsQuery_W", "PR_Write", "URLDownloadToFileA", "URLDownloadToFileW", "RegCreateKeyExA", "RegCreateKeyExW".

The hooked functions behave as follows:

DeleteFileA / DeleteFileW

If the name of the file to be deleted differs from the name of the malicious file in the folder, or the "pdef" state of the map view is off, the original function is executed. Otherwise it writes the following message to the pipe: "length_buffer.pd.Blocked _current_module_file_name_ from removing our bot file!"

MoveFileA / MoveFileW

If the name of the file to be moved differs from the name of the malware file in the folder, or the "pdef" state of the map view is off, the original function is executed. Otherwise it writes the following message to the pipe: "length_buffer.pd.Blocked _current_module_file_name_ from moving our bot file!"

CreateFileA

If the requested access is GENERIC_WRITE, the file name argument is "autorun.inf" and the "pdef" state is on, it writes the message "length_buffer.pd.Blocked _current_module_file_name_ from creating autorun.inf" to the pipe and returns the value 1. Otherwise the original function is executed.

send

The hooked send function intercepts the buffer about to be sent and steals specific information from it. If the buffer parameter is null or its length is smaller than 6, the original function is executed. Otherwise the buffer is copied into an allocated heap block.

It checks for the FTP and POP3 protocols: if the buffer starts with "USER" or "PASW", it saves the information in local variables. It distinguishes between the two protocols by checking for specific FTP commands ("CWD", "PDW", "FEAT", "TYPE", "PASV"). After making this decision, it sends a specific message through the pipe:

  • For FTP, if the "ftpgrab" state of the map is on: "length_message.ftplog.ftp://user/password@network_address:hostshort p = _current_module_file_name_"
  • For POP3, if the "popgrab" state of the map is on: "length_message.poplog.pop3://user/password@network_address:hostshort p = _current_module_file_name_"

It checks whether an IRC packet is being sent and whether the "pdef" state of the map is on.

If the buffer is a JOIN or a PRIVMSG command, it writes to the pipe: "length_message.pd.Detected process _current_module_file_name_ sending an IRC packet to server network_address:_hostshort_ (Target: _packet_)".

If the buffer is a PONG command, it writes to the pipe: "length_message.pd.Detected process _current_module_file_name_ sending an IRC packet to server network_address:_hostshort_".

It checks whether the current process is an IM application ("msmsgs.exe", "msnmsgr.exe", "wlcomm.exe", "pidgin.exe"). If a conversation is started (the buffer starts with "CAL") and the "msnu" state is on, it saves the message number and the e-mail address. If a message is sent (the buffer starts with "MSG" or "SDG" and contains "X-MMS-IM-Format:"), the message is intercepted, modified and then sent. It also writes a specific message to the pipe:

  • For "SDG": "length_message.msn.p21-> Message hijacked!"
  • For "MSG": "length_message.msn.p10-> Message hijacked!"
  • For "MSG", if the e-mail address was saved: "length_message.msn.p10-> Message to _adr_mail_ hijacked!"

GetAddrInfo:

If the host node parameter is null, it executes the original function.

Otherwise it searches the host name parameter for AV-related strings ("webroot.", "fortinet.", "virusbuster.", "nprotect.", "gdatasoftware.", "virus.", "precisesecurity.", "lavasoft.", "emsisoft.", "onlinemalwarescanner.", "onecare.live.", "f-secure.", "clamav.", "pandasecurity.", "sophos.", "malwarebytes.", "sunbeltsoftware.", "norton.", "norman.", "mcafee.", "symantec", "comodo.", "avira.", "bitdefender.", "eset.", "trendmicro.", "iseclab.", "viruschief."). If it finds one of them, it returns WSAHOST_NOT_FOUND, thus blocking access to AV sites.

HttpSendRequestA / HttpSendRequestW:

If the optionalData parameter is null, the original function is executed. Otherwise InternetQueryOptionW is called with the INTERNET_OPTION_URL flag and the full URL of the request is saved. The URL string and the optional data (the POST body) are then searched for target patterns in order to retrieve the login information of certain accounts. In the list below, the first pattern is matched against the URL, the second against the optional data, and the third item is the target name:

- "*paypal.*/webscr?cmd=_login-submit*"  and  "*login_password=*"  (target "PayPal")
- "*google.*/*ServiceLoginAuth*"  and  "*service=youtube*"  (target "YouTube")
- "*aol.*/*login.psp*"  and  "*password=*"  (target "AOL")
- "*screenname.aol.*/login.psp*"  and  "*password=*"  (target "AOL")
- "*bigstring.*/*index.php*"  and  "*pass=*"  (target "BigString")
- "*fastmail.*/mail/*"  and  "*FLN-Password=*"  (target "Fastmail")
- "*google.*/*ServiceLoginAuth*"  and  "*Passwd=*"  (target "Gmail")
- "*gmx.*/*FormLogin*"  and  "*TextfieldPassword=*"  (target "GMX")
- "*login.live.*/*post.srf*"  and  "*passwd=*"  (target "Live")
- "*login.yahoo.*/*login*"  and  "*passwd=*"  (target "Yahoo")
- "*facebook.*/login.php*"  and  "*pass=*"  (target "Facebook")
- "*hackforums.*/member.php"  and  "*password=*"  (target "Hackforums")
- "*hackforums.*/member.php"  and  "*password=*"  (target "Hackforums")
- "*steampowered*/login*"  and  "*steampowered*/login*"  (target "Steam")
- "*no-ip*/login*"  and  "*&password=*"  (target "NoIP")
- "*dyndns*/account*"  and  "*&password=*"  (target "DynDNS")
- "*runescape*/*weblogin*"  and  "*&password=*"  (target "Runescape")
- "*.moneybookers.*/*login.pl"  and  "*&txtPassword=*"  (target "Moneybookers")
- "*twitter.com/sessions"  and  "*password]=*"  (target "Twitter")
- "*secure.logmein.*/*logincheck*"  and  "*password=*"  (target "LogMeIn")
- "*officebanking.cl/*login.asp*"  and  "*pass=*"  (target "OfficeBanking")
- "*signin.ebay*SignIn"  and  "userid"  (target "eBay")
- "*depositfiles.*/*/login*"  and  "*password=*"  (target "Depositfiles")
- "*megaupload.*/*login*"  and  "*password=*"  (target "Megaupload")
- "*sendspace.com/login*"  and  "*password=*"  (target "Sendspace")
- "*mediafire.com/*login*"  and  "*login_pass=*"  (target "Mediafire")
- "*freakshare.com/login*"  and  "*pass=*"  (target "Freakshare")
- "*netload.in/index*"  and  "*txtpass=*"  (target "Netload")
- "*4shared.com/login*"  and  "*password=*"  (target "4shared")
- "*hotfile.com/login*"  and  "*pass=*"  (target "Hotfile")
- "*fileserv.com/login*"  and  "*loginUserPassword=*"  (target "Fileserve")
- "*uploading.com/*login*"  and  "*password=*"  (target "Uploading")
- "*uploaded.to/*login*"  and  "*pw=*"  (target "Uploaded")
- "*speedyshare.com/login*"  and  "*pass=*"  (target "Speedyshare")
- "*filesonic.com/*login*"  and  "*password=*"  (target "Filesonic")
- "*oron.com/login*"  and  "*password=*"  (target "Oron")
- "*what.cd/login*"  and  "*password=*"  (target "Whatcd")
- "*letitbit.net*"  and  "*password=*"  (target "Letitbit")
- "*sms4file.com/*/signin-do*"  and  "*pas=*"  (target "Sms4file")
- "*vip-file.com/*/signin-do*"  and  "*pas=*"  (target "Vip-file")
- "*torrentleech.org/*login*"  and  "*password=*"  (target "Torrentleech")
- "*thepiratebay.org/login*"  and  "*password=*"  (target "Thepiratebay")
- "*netflix.com/*ogin*"  and  "*password=*"  (target "Netflix")
- "*alertpay.com/login*"  and  "*Password=*"  (target "Alertpay")
- "*godaddy.com/login*"  and  "*password=*"  (target "Godaddy")
- "*namecheap.com/*login*"  and  "*LoginPassword=*"  (target "Namecheap")
- "*moniker.com/*Login*"  and  "*passwd=*"  (target "Moniker")
- "*1and1.com/xml/config*"  and  "*login.Pass=*"  (target "1and1")
- "*enom.com/login*"  and  "*password=*"  (target "Enom")
- "*dotster.com/*login*"  and  "*pass=*"  (target "Dotster")
- "*webnames.ru/*user_login*"  and  "*password=*"  (target "Webnames")
- "*:2082/login*"  and  "*pass=*"  (target "cPanel")
- "*:2083/login*"  and  "*pass=*"  (target "cPanel")
- "*:2086/login*"  and  "*pass=*"  (target "WHM")
- "*whcms*dologin*"  and  "*password=*"  (target "WHCMS")
- "*:2222/CMD_LOGIN*"  and  "*password=*"  (target "Directadmin")
- "*bcointernacional*login*"  and  "*clave=*"  (target "Bcointernacional")
- "*members.brazzers.com*"  and  "*password=*"  (target "Brazzers")
- "*youporn.*/login*"  and  "*password=*"  (target "YouPorn")
- "*members*.iknowthatgirl*/members*"  and  "*password]=*"  (target "IKnowThatGirl")

Once a pair matches, it searches the optional data for the user and password fields. If the following strings are found, the information is saved. Searched strings:

- (target "PayPal")  user: "login_email"  password: "login_password"
- (target "YouTube")  user: "Email"  password: "Passwd"
- (target "AOL")  user: "loginId"  password: "password"
- (target "AOL")  user: "screenname"  password: "password"
- (target "BigString")  user: "user"  password: "pass"
- (target "Fastmail")  user: "FLN-UserName"  password: "FLN-Password"
- (target "Gmail")  user: "Email"  password: "Passwd"
- (target "GMX")  user: "TextfieldEmail"  password: "TextfieldPassword"
- (target "Live")  user: "login"  password: "passwd"
- (target "Yahoo")  user: "login"  password: "passwd"
- (target "Facebook")  user: "email"  password: "pass"
- (target "Hackforums")  user: "username"  password: "password"
- (target "Hackforums")  user: "quick_username"  password: "quick_password"
- (target "Steam")  user: "username"  password: "password"
- (target "NoIP")  user: "username"  password: "password"
- (target "DynDNS")  user: "username"  password: "password"
- (target "Runescape")  user: "username"  password: "password"
- (target "Moneybookers")  user: "txtEmail"  password: "txtPassword"
- (target "Twitter")  user: "session[username_or_email]"  password: "session[password]"
- (target "LogMeIn")  user: "email"  password: "password"
- (target "OfficeBanking")  user: "rut"  password: "pass"
- (target "eBay")  user: "userid"  password: "pass"
- (target "Depositfiles")  user: "login"  password: "password"
- (target "Megaupload")  user: "username"  password: "password"
- (target "Sendspace")  user: "username"  password: "password"
- (target "Mediafire")  user: "login_email"  password: "login_pass"
- (target "Freakshare")  user: "user"  password: "pass"
- (target "Netload")  user: "txtuser"  password: "txtpass"
- (target "4shared")  user: "login"  password: "password"
- (target "Hotfile")  user: "user"  password: "pass"
- (target "Fileserve")  user: "loginUserName"  password: "loginUserPassword"
- (target "Uploading")  user: "email"  password: "password"
- (target "Uploaded")  user: "id"  password: "pw"
- (target "Speedyshare")  user: "login"  password: "pass"
- (target "Filesonic")  user: "email"  password: "password"
- (target "Oron")  user: "login"  password: "password"
- (target "Whatcd")  user: "username"  password: "password"
- (target "Letitbit")  user: "login"  password: "password"
- (target "Sms4file")  user: "log"  password: "pas"
- (target "Vip-file")  user: "log"  password: "pas"
- (target "Torrentleech")  user: "username"  password: "password"
- (target "Thepiratebay")  user: "username"  password: "password"
- (target "Netflix")  user: "email"  password: "password"
- (target "Alertpay")  user: "EmailName"  password: "Password"
- (target "Godaddy")  user: "loginname"  password: "password"
- (target "Namecheap")  user: "LoginUserName"  password: "LoginPassword"
- (target "Moniker")  user: "token"  password: "passwd"
- (target "1and1")  user: "login.User"  password: "login.Pass"
- (target "Enom")  user: "loginid"  password: "password"
- (target "Dotster")  user: "login"  password: "pass"
- (target "Webnames")  user: "login"  password: "password"
- (target "cPanel")  user: "user"  password: "pass"
- (target "cPanel")  user: "user"  password: "pass"
- (target "WHM")  user: "user"  password: "pass"
- (target "WHCMS")  user: "username"  password: "password"
- (target "Directadmin")  user: "username"  password: "password"
- (target "Bcointernacional")  user: "numeroTarjeta"  password: "clave"
- (target "Brazzers")  user: "username"  password: "password"
- (target "YouPorn")  user: "username"  password: "password"
- (target "IKnowThatGirl")  user: "login[username]"  password: "login[password]"

This information is sent through the pipe. If the target is one of "cPanel", "WHM", "WHCMS" or "Directadmin", the message sent is "length_message.httplogin._target_->>_user_ : _password_"; otherwise it is "length_message.httplogin._target_->> _url_ (_user_ : _password_)".

At the end, the original function is executed.

InternetWriteFile:

It has the same functionality as HttpSendRequest, except that the strings previously searched for in the optional data are now searched for in the buffer parameter.

PR_Write:

It analyses POST requests made by the Firefox browser (PR_Write is the NSPR write routine Firefox uses for its network I/O) to capture usernames and passwords on the fly. The targets are the same as for HttpSendRequest.

DnsQuery_A / DnsQuery_W

If one of the AV names appears in the name parameter, the function returns error code 9714 (DNS_ERROR_NAME_DOES_NOT_EXIST), which blocks access to the AV sites.

URLDownloadToFileA / URLDownloadToFileW

It checks whether the current module file name is firefox.exe or iexplore.exe and whether the file that receives the downloaded data has one of the extensions "exe", "com", "pif", "scr". If so, and the URL parameter starts with http://, it writes the message "length_message.pd.Blocked possible browser exploit pack call on URL _url_" to the pipe and returns INET_E_DOWNLOAD_FAILURE, thus blocking the download.

If one of the above conditions is not met, the original function is executed.

It injects itself into every running process and creates remote threads.

The most important thread is the one created in explorer.exe. This thread has multiple tasks, each handled by an individual thread:

1. Makes sure the malware runs at startup

It adds a value under the sub-key "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run". The value name is the name of the malicious file in the folder, and the value data is the full path of this file.

2. Reads from the pipe

This thread creates a named pipe "\\.\pipe\<crc32_of_rc4_key>_ipc". The RC4 key is the key used to decrypt data received through the pipe (e.g. "d80a89c7").

Another thread is created to read 0x800 bytes from the pipe. Messages transmitted through the pipe have a standard format: "length_message.type_message.message".

The received message is in fact a command that, once decrypted, is sent to an IRC server.

Depending on the type of the received message, a different PRIVMSG is sent to the IRC server, of the general form "PRIVMSG _channel_name_ :[type_message] : _message_":

- "httpspread" -> "PRIVMSG s0 : [HTTP]: _message_" (a specific counter is incremented)
- "msn"        -> "PRIVMSG s0 : [MSN]: _message_" (a specific counter is incremented)
- "dns"        -> "PRIVMSG main : [DNS]: Blocked DNS "_message_""
- "pd"         -> "PRIVMSG p0 : [PDEF+]: _message_"
- "rreg"       -> "PRIVMSG r : [Ruskill]: Detected reg: "_message_""
- "rdns"       -> "PRIVMSG r : [Ruskill]: Detected DNS: "_message_""
- "ruskill"    -> "PRIVMSG r : [Ruskill]: Detected File: "_message_"" (if the message is not "disable")
- "httplogin"  -> "PRIVMSG l : [HTTP Login]: _message_" (a specific counter is incremented)
- "httptraff"  -> "PRIVMSG main : [HTTP Traffic]: _message_"
- "ftpinfect"  -> "PRIVMSG main : [FTP Infect]: _message_ was frame"
- "poplog"     -> "PRIVMSG f : [POP3 Login]: _message_" (a specific counter is incremented)
- "ftplog"     -> "PRIVMSG f : [FTP Login]: _message_" (a specific counter is incremented)

3. Communicates with IRC servers

It initialises a structure with the following information:

    - n{country|OS + a or u}random_string, or the same without the leading "n"
    - random string
    - random string
    - country
    - OS
    - a or u (admin or user)

The operating system version is obtained by calling GetVersionExA and checking VersionInformation.dwMinorVersion.

The country code is obtained by fetching the page "http://api.wipmania.com/". The response has the form "ip\ncountry_code" (e.g. "79.116.127.127\nRO").

Example:

    n{RO|XPa}trvruyo   (used as nickname)
    trvruyo            (used as user)
    trvruyo
    RO
    XP
    a

After obtaining this information, it connects to one of the IRC servers ("webingenial.com", "haztuwebsite.com", "sunelectronix.com", "quiboxs.com") and sends the password, nickname and user:

    "PASS: ngr_bot \r\n"
    "NICK: n{RO|XPa}trvruyo \r\n"
    "USER: trvruyo"

Once the connection is established, it receives data that it parses as IRC commands.

If "MODS" (display the message of the day) or "376" (end of the message of the day) appears in the received data, the command "JOIN main 4m3r1k4 \r\n" is sent to the IRC server.

Otherwise the commands are handled as follows:

- "PING"  -> send "PONG random_data \r\n" to the server
- "001" (welcome to the Internet Relay Network, nickname)  -> send "JOIN main 4m3r1k4 \r\n" to the server
- "443" (nick is already in channel)  -> send "NICK n{RO|XPa}trvruyo \r\n" to the server
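The handshake and report messages above give enough fixed strings to recognise this bot's IRC traffic on the wire; the following detector is an added example, not part of the report, and runs over a constructed session modelled on the formats quoted here. The indicator names, the sample lines and the two-indicator threshold are my own choices.

```python
import re

# Constructed sample session modelled on the message formats in this report (not a real capture).
SAMPLE_SESSION = """\
PASS ngr_bot
NICK n{RO|XPa}trvruyo
USER trvruyo
PING :irc.example.test
PONG :irc.example.test
JOIN main 4m3r1k4
PRIVMSG p0 : [PDEF+]: Blocked explorer.exe from removing our bot file!
PRIVMSG #random :just an ordinary chat line
:op!op@b0ss.edu PRIVMSG main :stats
"""

# Each indicator is one artefact the report attributes to the bot's handshake or reporting.
INDICATORS = {
    # login password "ngrbot" / "ngr_bot", with or without the colon the report shows
    "ngrbot_pass": re.compile(r"^PASS:?\s+ngr_?bot\s*$", re.I),
    # nickname n{COUNTRY|OS + a or u}random, e.g. n{RO|XPa}trvruyo
    "dorkbot_nick": re.compile(r"^NICK:?\s+:?n?\{[A-Z]{2}\|[A-Za-z0-9]+[au]\}[A-Za-z0-9]+\s*$"),
    # channel "main" joined with the hard-coded key
    "join_main_key": re.compile(r"^JOIN\s+main\s+4m3r1k4\b"),
    # bot-to-channel report tags relayed from the pipe
    "report_tag": re.compile(
        r"^PRIVMSG\s+\S+\s+:?\s*\[(?:HTTP|MSN|DNS|PDEF\+|Ruskill|HTTP Login|HTTP Traffic|"
        r"FTP Infect|POP3 Login|FTP Login|Slowloris|SYN|UDP|RSOCK4|Speed|Visit|d=)"),
    # commands are only accepted from a sender whose host mask carries @b0ss.edu
    "controller_host": re.compile(r"^:\S+@b0ss\.edu\s+PRIVMSG\b", re.I),
}


def classify_irc_line(line: str) -> list:
    """Names of the indicators matched by one raw IRC line (client or server side)."""
    line = line.rstrip("\r\n")
    return [name for name, rx in INDICATORS.items() if rx.search(line)]


def scan_irc_session(text: str) -> dict:
    """Map indicator name -> list of 1-based line numbers where it was seen."""
    hits = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name in classify_irc_line(line):
            hits.setdefault(name, []).append(lineno)
    return hits


def is_dorkbot_session(text: str, min_indicators: int = 2) -> bool:
    """Flag a session when at least `min_indicators` distinct indicators appear.
    A single hit stays below the threshold so one coincidental channel key does not alert."""
    return len(scan_irc_session(text)) >= min_indicators
```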

If the first command is "PRIVMSG" and the received data contains "@b0ss.edu", it parses the remainder of the received command. For instance:

- option "rc"  -> "QUIT :reconnecting \r\n"
- option "die" -> "QUIT :exiting \r\n"
- option "rm"  -> "QUIT :removing \r\n"
- option "s"   -> "JOIN _channel_ #country \r\n" (e.g. country = RO)
- option "s" with a second option:
    - "-o" -> "JOIN _channel_ #OS \r\n" (e.g. OS = XP)
    - "-n", if the nick starts with "n" -> "JOIN _channel_ #new \r\n"
    - "-a" -> "JOIN _channel_ #admin \r\n" if the structure above contains "a", or "JOIN _channel_ #user \r\n" if it contains "u"
    - "-v" -> "JOIN _channel_ #version \r\n" (version 1.0.0.0)

- if the command contains the option "stats"

        - second option: "-s"  -> "[PRIVMSG _channel_ : [usb = counter_usb msn=counter_msn http=counter_http total=sum ] \r\n"  (ex: counter_usb = how many usb drives have been infected)

        - second option "-l"  -> "[PRIVMSG _channel_ : [ftp=counter_ftp pop=counter-pop3 http=counter_http total=sum] \r\n"  (ex: counter_ftp = how many ftps have been infected)

        - if none of the second option is specified, both messages are sent

- if the command contains the option "logins"

        - second option "-c" -> "[PRIVMSG _channel_ : Cleared number logins"

- if the command contains the option "rs"  ->      "[PRIVMSG _channel_ : [RSOCK4]: Stopped rsock4"

- if the command contains the option "speed"  -> "[PRIVMSG _channel_ : [Speed]: Estimated upload speed _determined_speed_ KB/s" . The speed is determined in a separated thread by sending random data buffer for 10 seconds and count the number of bytes sent:

- if the command contains the option "dl" -> a further thread is opened:

        - the command will contain a link and it will download data from that link ; the link must contain the md5 of the data downloaded

         - the data is written in a TempFileName for the file in the folder.

         - if nothing goes wrong,a process executing the temp file name is created and a message is sent:

-> "[PRIVMSG _channel_ : [d="_link_" s="_nr_bytes_written_in_the_file_ bytes"] Executed file "_temp_file_name_in_unicode" - Download retries: _number_of_retries_"

        - if something goes wrong a specific error message is sent:

-> "[PRIVMSG _channel_ :   [d="_link_" s="_nr_bytes_written_in_the_file_ bytes"] Download error: MD5 mismatch (_computed_md5_ != _md5_from_link_)          

-> "[PRIVMSG _channel_ :   [d="_link_" s="_nr_bytes_written_in_the_file_ bytes"] File "_temp_file_name_in_unicode_" has an invalid binary type. [type="0"]

-> "[PRIVMSG _channel_ :   [d="_link_" s="_nr_bytes_written_in_the_file_ bytes"] Error creating process "_temp_file_name_in_unicode_" [e="error code"]

-> "[PRIVMSG _channel_ :   [d="_link_"] Error writing download to "_temp_file_name_in_unicode_" [e="error code"]",

-> "[PRIVMSG _channel_ :   [d="_link_"] Error getting temporary filename. [e="error code"]"

-> "[PRIVMSG _channel_ :   [d="_link_"] Error getting application data path [e="error code"]"

-> "[PRIVMSG _channel_ :   [d="_link_"] Error downloading file [e="error code"]"

- if the command contains the option "msn.set"         ->  "[PRIVMSG _channel_ : [MSN]: Updated MSN spread message to "_message_" "

- if the command contains the option "msn.int"               ->  "[PRIVMSG _channel_ : [MSN]: Updated MSN spread interval to "_interval_" "

- if the command contains the option "vs" :

         - if no error occurs while opening an iexplore.exe process -> "[PRIVMSG _channel_ : [Visit]: Visited "_link_""

         - otherwise -> "[PRIVMSG _channel_ : [Visit]: Error visiting "_link_""

- if the command contains the option "up", a new thread is created:

         - the command will contain a link and it will download data from that link ; the link must contain the md5 of the downloaded data

         - the data is written in a TempFileName for the file in the folder and in the file from the folder.

         - if an "-r" option exists in the command string, the message "QUIT :rebooting" and the system is rebooted.

         - if nothing goes wrong, the following message is sent: "[PRIVMSG _channel_ : [d="_link_" s="_nr_bytes_written_in_the_file_ bytes"] Updated bot file "_application_data_file_path_" - Download retries: number_of_retries"

         - otherwise a specific error message is sent:

-> "[PRIVMSG _channel_ :   [d="_link_" s="_nr_bytes_written_in_the_file_ bytes"] Update error: MD5 mismatch (_computed_md5_ != _md5_from_link_)      

-> "[PRIVMSG _channel_ :   [d="_link_" s="_nr_bytes_written_in_the_file_ bytes"] File "_temp_file_name_in_unicode_" has an invalid binary type. [type="0"]

-> "[PRIVMSG _channel_ :   [d="_link_"] Error writing download to "_temp_file_name_in_unicode_" [e="error code"]"

-> "[PRIVMSG _channel_ :   [d="_link_"] Error writing download to "_application_data_file_path" [e="error code"]",          

-> "[PRIVMSG _channel_ :   [d="_link_"] Error getting temporary filename. [e="error code"]"

-> "[PRIVMSG _channel_ :   [d="_link_"] Error getting application data path [e="error code"]"

-> "[PRIVMSG _channel_ :   [d="_link_"] Error downloading file [e="error code"]"

- if the command contains the option "slow":

        - "[PRIVMSG main : [Slowloris]: Starting flood on "_target_flood_" for _number_ minute(s)" (the target and the time interval are received in the command)

        - slowloris flood

        - "[PRIVMSG main : [Slowloris]: Finished flood on "_target_flood_""

- if the command contains the option "rs":

        - "[PRIVMSG _channel_ : [RSOCK4]: Started rsock4 on "_ip_:_hostshort_""

- if the command contains the option "ssyn":

        - "[PRIVMSG main : [SYN]: Starting flood on "_target_to_flood_:_hostshort_" for _number_ second(s)"

        - syn flood

        - "[PRIVMSG main : [SYN]: Finished flood on "_target_to_flood_:_hostshort_""

- if the command contains the option "udp":

        - "[PRIVMSG main : [UDP]: Starting flood on "_target_to_flood_:_hostshort_" for _number_ second(s)"

        - udp flood

        - "[PRIVMSG main : [UDP]: Finished flood on "_target_to_flood_:_hostshort_""

- if the command contains one of the following state-map keys: "pdef", "ffgrab", "iegrab", "ftpgrab", "popgrab", "bdns", "usbi", it sets that key according to the next parameter ("on" -> state=1, "off" -> state=0).
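The status lines above are the bot's own reporting convention (a bracketed module tag followed by a fixed phrase), which makes them a direct network indicator once the IRC traffic is captured. The parser below is an added example, not code from the analysis or from Bitdefender: it recognises every report form listed in this section (flood start/finish for SYN, UDP and Slowloris, the RSOCK4 start, the USB report and the update success/error block) and summarises what an infected host did. The sample lines are constructed to match those formats; the hosts, sizes, paths and hashes in them are placeholders, and only the channel names (main, s0, r, f) come from the analysis.

```python
"""Parse Dorkbot/ngrbot status reports from captured IRC PRIVMSG lines.

Added example, not code from the write-up. Message shapes follow the formats
listed in the analysis; SAMPLE below is constructed, not captured traffic.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# "PRIVMSG <channel> :[<tag>]: <body>"; the tag is a module name or the "d=... s=..." update block
PRIVMSG_RE = re.compile(r'PRIVMSG\s+(?P<channel>\S+)\s*:\s*\[(?P<tag>[^\]]+)\]\s*:?\s*(?P<body>.*)$')
FLOOD_RE = re.compile(r'(?P<phase>Starting|Finished) flood on "(?P<target>[^"]+)"'
                      r'(?: for (?P<n>\d+) (?P<unit>second|minute)\(s\))?')
RSOCK_RE = re.compile(r'Started rsock4 on "(?P<target>[^"]+)"')
USB_RE = re.compile(r'Infected (?P<drive>\S+)')
UPDATE_TAG_RE = re.compile(r'^d="(?P<link>[^"]*)"(?:\s+s="(?P<size>\d+) bytes")?$')
UPDATE_OK_RE = re.compile(r'Updated bot file "(?P<path>[^"]+)" - Download retries: (?P<retries>\d+)')
MD5_ERR_RE = re.compile(r'MD5 mismatch \((?P<computed>[0-9a-fA-F]{32}) != (?P<expected>[0-9a-fA-F]{32})\)')


@dataclass
class BotReport:
    channel: str
    module: str                   # SYN, UDP, Slowloris, RSOCK4, USB or UPDATE
    event: str                    # flood_start, flood_end, proxy_start, usb_infected, update_ok, update_error
    target: Optional[str] = None  # host:port, drive, or download link
    details: Dict[str, str] = field(default_factory=dict)


def parse_report(line: str) -> Optional[BotReport]:
    """Return a BotReport for a bot status line, or None for any other IRC line."""
    m = PRIVMSG_RE.search(line)
    if not m:
        return None
    channel, tag, body = m.group("channel"), m.group("tag").strip(), m.group("body").strip()
    upd = UPDATE_TAG_RE.match(tag)
    if upd:                                    # "[d=<link> s=<n> bytes]" update report
        details = {"link": upd.group("link")}
        if upd.group("size"):
            details["bytes"] = upd.group("size")
        ok = UPDATE_OK_RE.search(body)
        if ok:
            details.update(path=ok.group("path"), retries=ok.group("retries"))
            return BotReport(channel, "UPDATE", "update_ok", upd.group("link"), details)
        md5 = MD5_ERR_RE.search(body)
        if md5:
            details.update(computed=md5.group("computed"), expected=md5.group("expected"))
        details["error"] = body                # one of the error texts listed above
        return BotReport(channel, "UPDATE", "update_error", upd.group("link"), details)
    if tag in ("SYN", "UDP", "Slowloris"):
        fl = FLOOD_RE.search(body)
        if not fl:
            return None
        event = "flood_start" if fl.group("phase") == "Starting" else "flood_end"
        details = {"duration": f'{fl.group("n")} {fl.group("unit")}(s)'} if fl.group("n") else {}
        return BotReport(channel, tag, event, fl.group("target"), details)
    if tag == "RSOCK4":
        rs = RSOCK_RE.search(body)
        return BotReport(channel, tag, "proxy_start", rs.group("target")) if rs else None
    if tag == "USB":
        usb = USB_RE.search(body)
        return BotReport(channel, tag, "usb_infected", usb.group("drive")) if usb else None
    return None


def summarize(lines: List[str]) -> dict:
    """Aggregate a channel log: DDoS victims, SOCKS listeners, infected drives, update outcomes."""
    out = {"ddos_targets": set(), "proxies": set(), "usb_drives": set(), "updates": []}
    for line in lines:
        r = parse_report(line)
        if r is None:
            continue
        if r.event == "flood_start":
            out["ddos_targets"].add((r.module, r.target))
        elif r.event == "proxy_start":
            out["proxies"].add(r.target)
        elif r.event == "usb_infected":
            out["usb_drives"].add(r.target)
        elif r.module == "UPDATE":
            out["updates"].append((r.event, r.target))
    return out


# Constructed sample lines in the documented shapes; hosts, sizes, paths and hashes are placeholders.
SAMPLE = [
    ':bot PRIVMSG main :[SYN]: Starting flood on "198.51.100.7:80" for 60 second(s)',
    ':bot PRIVMSG main :[SYN]: Finished flood on "198.51.100.7:80"',
    ':bot PRIVMSG main :[Slowloris]: Starting flood on "www.example.test" for 5 minute(s)',
    ':bot PRIVMSG s0 :[USB]: Infected E:\\',
    ':bot PRIVMSG r :[RSOCK4]: Started rsock4 on "10.0.0.12:1080"',
    ':bot PRIVMSG f :[d="http://example.test/u.exe" s="118784 bytes"] Updated bot file '
    '"C:\\Users\\u\\AppData\\Roaming\\x.exe" - Download retries: 1',
    ':bot PRIVMSG f :[d="http://example.test/u.exe" s="118784 bytes"] Update error: '
    'MD5 mismatch (' + 'a' * 32 + ' != ' + 'b' * 32 + ')',
    ':bot PRIVMSG main :hello',                # ordinary chatter, ignored
]

if __name__ == "__main__":
    for k, v in summarize(SAMPLE).items():
        print(k, v)
```

Feed it the PRIVMSG lines extracted from a capture; anything that is not a bot report parses to None, so it can run over a whole channel log. The "Starting flood" targets are the hosts the infected machine attacked, which is the list an incident responder usually has to report first.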

       4. Infecting USB drives

First it determines whether a USB drive is present (using the DeviceIoControl/BusTypeUSB check described above). It takes the logical drive corresponding to the USB device and creates a "RECYCLER" directory on it. It copies the malware file from the folder into the "RECYCLER" folder; the new file name is the CRC32 hash computed over the RC4 key string ("d80a89c7"), so the copy carries the same name on every drive it infects.

It creates a "desktop.ini" file in the "RECYCLER" folder containing the CLSID of the Recycle Bin, so that Explorer presents the folder as a Recycle Bin: "[.ShellClassInfo]\r\nCLSID={645FF040-5081-101B-9F08-00AA002F954E}".

If the state-map key "usbi" (USB infect) is "on", it starts the infection:

- It writes an "autorun.inf" file whose entries point to the copy of the malware in the RECYCLER folder. The file content is obfuscated: lines of random strings are interleaved with the entries, and the entries are written in random order:

[autorun]
<random string>
shellexecute=  <path of malicious file from RECYCLER folder>
<random string>
action=Open folder to view files
<random string>
useautoplay=1
<random string>
icon=shell32.dll,7
<random string>
shell\\explore\\command=<path of malicious file from RECYCLER folder>
<random string>
shell\\open\\command=<path of malicious file from RECYCLER folder>
 
- It sets FILE_ATTRIBUTE_SYSTEM and FILE_ATTRIBUTE_HIDDEN on the malware file in the RECYCLER folder.

- It walks all the folders on the drive recursively and, for every file it finds, creates a shortcut ("*.lnk") that launches the malware and then opens the original file; spreading through shortcuts is more difficult to detect than autorun.inf alone. For each shortcut:

- it creates an object associated with the Shortcut CLSID (CoCreateInstance)

- sets the current file path as the path of the shell link object (IShellLink::SetPath)

- sets the arguments of the shell link object to "/c \"start %cd%RECYCLER\\malware_file_name  &&%windir%\\explorer.exe %cd%current_file_name" (IShellLink::SetArguments); this is cmd.exe syntax: "start" launches the malware copy from RECYCLER and, if that succeeds, explorer.exe opens the original file, so the user sees the content they expected

- it accesses the IStorage methods and saves the changes by calling IStorage::Commit with the STGC_OVERWRITE flag

- at the end, it releases all the buffers.

- For exclusive access, it keeps the autorun.inf file and the malicious file in the RECYCLER folder open with a lock, so that they cannot be deleted or overwritten while the bot is running.

- It reports the infection to the s0 channel: "[PRIVMSG s0 :[USB]: Infected _usb_drive_str_"
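The items above describe four on-disk artefacts of the USB spreader: an autorun.inf padded with junk lines, a RECYCLER folder that desktop.ini disguises as the Recycle Bin, a hidden and system-flagged payload inside it, and .lnk lures whose arguments start the payload through cmd.exe. The script below is an added example (not the analysis' or Bitdefender's code) that checks a mounted drive for all four. Its autorun parser drops the padding lines and normalises the shell\open\command and shell\explore\command keys; the .lnk check looks for the "%cd%RECYCLER" argument in ASCII or UTF-16LE string data after verifying the shell-link header, rather than fully parsing the format. build_sample_drive() constructs a harmless mock layout for the demo: the payload file name in it assumes the hex CRC32 of the key string plus ".exe", which the write-up does not state, and the .lnk bytes are only a header followed by the argument string.

```python
"""Triage a removable drive for the Dorkbot USB-spreading indicators described above.

Added example, not code from the write-up. scan_drive() takes the mount path of
the drive; build_sample_drive() is a constructed, harmless layout for the demo.
"""
import os
import random
import re
import tempfile
import zlib

RECYCLE_BIN_CLSID = "{645FF040-5081-101B-9F08-00AA002F954E}"
# Shell link header: HeaderSize 0x4C followed by LinkCLSID 00021401-0000-0000-C000-000000000046
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
HIDDEN, SYSTEM = 0x2, 0x4                       # FILE_ATTRIBUTE_HIDDEN, FILE_ATTRIBUTE_SYSTEM
LAUNCH_KEYS = ("shellexecute", "open", "shell\\open\\command", "shell\\explore\\command")


def parse_autorun(text):
    """key=value entries of [autorun]; the random padding lines carry no '=' and drop out."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            # lower-case and collapse doubled backslashes so escaped and literal keys compare equal
            entries[re.sub(r"\\+", lambda m: "\\", key.strip().lower())] = value.strip()
    return entries


def launch_targets(entries):
    """Every path Explorer could execute for this autorun.inf, whichever entry it honours."""
    return {entries[k] for k in LAUNCH_KEYS if k in entries}


def lnk_runs_from_recycler(data):
    """A .lnk whose string data contains the '%cd%RECYCLER' lure (ASCII or UTF-16LE)."""
    if not data.startswith(LNK_MAGIC):
        return False
    needle = b"%cd%RECYCLER"
    return needle in data or needle.decode().encode("utf-16-le") in data


def scan_drive(root):
    """Return (indicator, detail) pairs found on a mounted drive."""
    findings = []
    autorun = os.path.join(root, "autorun.inf")
    if os.path.isfile(autorun):
        with open(autorun, errors="replace") as fh:
            targets = launch_targets(parse_autorun(fh.read()))
        if any("recycler" in t.lower() for t in targets):
            findings.append(("autorun.inf launches from RECYCLER", sorted(targets)))
    recycler = os.path.join(root, "RECYCLER")
    if os.path.isdir(recycler):
        for name in os.listdir(recycler):
            path = os.path.join(recycler, name)
            if name.lower() == "desktop.ini":
                with open(path, errors="replace") as fh:
                    if RECYCLE_BIN_CLSID.lower() in fh.read().lower():
                        findings.append(("RECYCLER masquerades as the Recycle Bin", path))
            elif os.path.isfile(path):
                attrs = getattr(os.stat(path), "st_file_attributes", 0)   # Windows only, else 0
                flag = "hidden+system" if attrs & (HIDDEN | SYSTEM) else "attributes not visible here"
                findings.append(("file staged in RECYCLER", (path, flag)))
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".lnk"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    if lnk_runs_from_recycler(fh.read()):
                        findings.append(("shortcut lure", path))
    return findings


def build_sample_drive(root):
    """Constructed layout mirroring the description: noisy autorun.inf, RECYCLER, one .lnk lure."""
    # Assumption: hex CRC32 of the RC4 key string plus .exe; the write-up names no extension.
    payload_name = f"{zlib.crc32(b'd80a89c7'):08x}.exe"
    payload = "RECYCLER\\" + payload_name
    entries = [f"shellexecute={payload}", "action=Open folder to view files", "useautoplay=1",
               "icon=shell32.dll,7", f"shell\\explore\\command={payload}",
               f"shell\\open\\command={payload}"]
    rng = random.Random(7)
    rng.shuffle(entries)                                    # random order, padded with junk lines
    lines = ["[autorun]"]
    for entry in entries:
        lines += ["".join(rng.choices("abcdefghijklmnopqrstuvwxyz", k=rng.randint(6, 14))), entry]
    os.makedirs(os.path.join(root, "RECYCLER"))
    os.makedirs(os.path.join(root, "docs"))
    with open(os.path.join(root, "autorun.inf"), "w", newline="") as fh:
        fh.write("\r\n".join(lines))
    with open(os.path.join(root, "RECYCLER", "desktop.ini"), "w", newline="") as fh:
        fh.write("[.ShellClassInfo]\r\nCLSID=" + RECYCLE_BIN_CLSID)
    with open(os.path.join(root, "RECYCLER", payload_name), "wb") as fh:
        fh.write(b"MZ placeholder, not a real executable")
    with open(os.path.join(root, "docs", "report.doc"), "wb") as fh:
        fh.write(b"original document")
    args = f'/c "start %cd%{payload} &&%windir%\\explorer.exe %cd%report.doc'
    with open(os.path.join(root, "docs", "report.doc.lnk"), "wb") as fh:
        fh.write(LNK_MAGIC + bytes(0x4C - len(LNK_MAGIC)) + args.encode("utf-16-le"))


def demo():
    """Build the constructed drive in a temporary directory, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_drive(root)
        return scan_drive(root)


if __name__ == "__main__":
    for indicator, detail in demo():
        print(indicator, "->", detail)
```

On a real drive, run scan_drive() against the mount point; the attribute check only reports hidden+system on Windows, where os.stat exposes st_file_attributes. A legitimate Windows XP drive can have a RECYCLER folder, so the combination (desktop.ini CLSID plus a non-ini file inside plus .lnk lures) is what should trigger a response, not any one indicator alone.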

Removal instructions:

Please let BitDefender disinfect your files.

ANALYZED BY:

Cristina Vatamanu, virus researcher
Premium Virus & Spyware Removal
One shot malware cleanup by our certified professionals
Bitdefender's Security News & Alerts
Stay safe online. Click here if you want to receive the latest news and alerts on computer threats, viruses and scams.
