Win32/Slenfbot [Threat Name]
Win32/Slenfbot.AD [Threat Variant Name]
| Field | Value |
| --- | --- |
| Category | worm |
| Size | 213504 B |
| Signature database version | 5731 (Dec 25, 2010) |
| Aliases | Net-Worm.Win32.Kolab.xho (Kaspersky), Trojan:Win32/Meredrop (Microsoft) |
Short description
Win32/Slenfbot.AD is a worm that spreads via removable media, IM networks and by exploiting the MS10-061 vulnerability. The worm contains a backdoor. It can be controlled remotely.
Installation
When executed, the worm copies itself into the following locations:
- %system%\igfxpb32.exe
- %userprofile%\cache\igfxpb32.exe
The following Registry entries are created:
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
- "%system%\igfxpb32.exe" = "%system%\igfxpb32.exe:*:Enabled:wLAN"
- [HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
- "%userprofile%\cache\igfxpb32.exe" = "%userprofile%\cache\igfxpb32.exe:*:Enabled:wLAN"
These entries add the worm's executable to the Windows Firewall exception list.
The following Registry entries are created:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
- "Disablenxshowui" = "%system%\igfxpb32.exe"
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
- "Disablenxshowui" = "%userprofile%\cache\igfxpb32.exe"
These entries disable Data Execution Prevention (DEP) for the worm's executable.
In order to be executed on every system start, the worm sets the following Registry entries:
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
- "Intel Packet Service" = "%system%\igfxpb32.exe"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "Intel Packet Service" = "%userprofile%\cache\igfxpb32.exe"
The worm creates and runs a new thread with its own program code within the following processes:
- explorer.exe
After the installation is complete, the worm deletes the original executable file.
Spreading
The worm spreads by exploiting a vulnerability in the operating system of the targeted machine.
It exploits the MS10-061 vulnerability. This vulnerability is described in "Vulnerability in Print Spooler Service".
Spreading via IM networks
Win32/Slenfbot.AD is a worm that spreads via IM networks.
The programs affected include the following:
- Skype
- Aim
- ICQ
- Yahoo Messenger
- Google Talk
- MSN Messenger
- Paltalk
- XFire
The worm spreads through links that point to websites containing malware.
Spreading on removable media
The worm creates the following folder:
- %drive%\~TrashBin\
The folder may have the System (S) and Hidden (H) attributes set in an attempt to hide the folder in Windows Explorer.
The worm copies itself into the folder:
- %drive%\~TrashBin\
The following filename is used:
- t%variable%.exe
The %variable% represents a random number.
The worm creates the following file:
- %drive%\Autorun.inf
Thus, the worm ensures it is started each time infected media is inserted into the computer.
Other information
The worm contains a backdoor. It can be controlled remotely.
The worm receives data and instructions for further action from the Internet or another remote computer within its own network (botnet).
The worm connects to the following addresses:
- s11.ohbabycani.su
- s4.ohbabycani.su
The IRC protocol is used.
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
- update itself to a newer version
- spread via IM networks
- open a specific URL address
The worm terminates processes with any of the following strings in the name:
- chgservice.exe
- cmmon32.exe
- drive32.exe
- msvmiode.exe
- recycler
- rvhost.exe
- serivces.exe
- servicers.exe
- svchos.exe
- temp
- tmp
- undmgr.exe
- uninstall_.exe
- usbmngr.exe
- wudfhost.exe
The following programs are terminated:
- BILLY.EXE
- CATCHME.EXE
- COMBOFIX.EXE
- HIJACKTHIS.EXE
- MBAMGUI.EXE
- MPCMDRUN.EXE
- MRT.EXE
- MRTSTUB.EXE
- MSASCUI.EXE
- MSMPENG.EXE
- TCPVIEW.EXE
- TEATIMER.EXE
- USBGUARD.EXE
The worm terminates various security-related applications.
The worm looks for processes with any of the following strings in their name:
- prevx
- k7rtscan
- ashserv
- avguard
- vsserv
- avg
- nod32krn
- ekrn
- mcshield
- mbamservice
- savservice
- smc
- rtvscan
- dwengine
- drwebcom
- spidernt
- spysweeper
- outpost
- tmpfw
- uiWatchDog.exe
- kpf4
- cmdagent
- vsmon
- sbpflnch
- acs
The worm may execute the following commands:
- CMD /C net stop %securityservicename%
- CMD /C sc stop %securityservicename%
- CMD /C sc config %securityservicename% start= disabled
- CMD /C sc delete %securityservicename%
The worm may set the following Registry entries:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
- "DisableConfig" = 1
- [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT]
- "DontReportInfectionInformation" = 1
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
- "AntiVirusOverride" = 1
- "AntiVirusDisableNotify" = 1
- "FirewallOverride" = 1
- "FirewallDisableNotify" = 1
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
- "Start" = 4
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
- "DisableSR" = 1
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden]
- "CheckedValue" = 1
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
- "Hidden" = 2
The worm may delete the following Registry entries:
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network]
The worm may execute the following commands:
- CMD /C del /F /S /Q "C:\ComboFix.txt"
- CMD /C attrib -s -h "C:\ntldr"
- CMD /C move\"C:\\ntldr\"\"C:\\dump\"
- CMD /C del /F /S /Q "%windir%\system32\hal.dll"
- CMD /C "shutdown -s"
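The artifacts listed under Installation and Other information can be checked for on a live host. The PowerShell below is an added example, not part of the ESET entry: the indicator values (file names, Run-key value name, registry keys and data) are taken from the description above, while the function name and output fields are the editor's own, and it only reads from the registry and file system.

```powershell
# Added example, not part of the ESET entry: read-only hunt for the Win32/Slenfbot.AD
# artifacts described above. Indicator values are the entry's; names here are the editor's.
function Get-SlenfbotArtifacts {
    $hits = New-Object System.Collections.Generic.List[object]
    function Add-Hit($what, $where, $data) {
        $hits.Add([pscustomobject]@{ Indicator = $what; Location = $where; Data = $data })
    }
    # Dropped copies: %system%\igfxpb32.exe and %userprofile%\cache\igfxpb32.exe
    foreach ($p in "$env:SystemRoot\System32\igfxpb32.exe", "$env:USERPROFILE\cache\igfxpb32.exe") {
        if (Test-Path -LiteralPath $p) { Add-Hit 'DroppedFile' $p (Get-Item -LiteralPath $p).Length }
    }
    foreach ($hive in 'HKLM', 'HKCU') {
        # Run-key persistence registered under the value name "Intel Packet Service"
        $run = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
        $v = (Get-ItemProperty -Path $run -ErrorAction SilentlyContinue).'Intel Packet Service'
        if ($v) { Add-Hit 'RunKey' $run $v }
        # Firewall exception and DEP opt-out: any value whose name or data names igfxpb32.exe
        $fw  = "${hive}:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List"
        $dep = "${hive}:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"
        foreach ($k in $fw, $dep) {
            $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
            if (-not $props) { continue }
            $props.PSObject.Properties |
                Where-Object { $_.Name -like '*igfxpb32.exe*' -or "$($_.Value)" -like '*igfxpb32.exe*' } |
                ForEach-Object { Add-Hit 'FirewallOrDEP' "$k\$($_.Name)" $_.Value }
        }
    }
    # Tampering values the worm may set (Security Center muted, wscsvc disabled, System Restore and MRT reporting off)
    $tamper = @(
        @{ K = 'HKLM:\SOFTWARE\Microsoft\Security Center'; V = 1
           N = 'AntiVirusOverride', 'AntiVirusDisableNotify', 'FirewallOverride', 'FirewallDisableNotify' },
        @{ K = 'HKLM:\SYSTEM\CurrentControlSet\Services\wscsvc'; N = 'Start'; V = 4 },
        @{ K = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'; N = 'DisableSR'; V = 1 },
        @{ K = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'; N = 'DisableConfig'; V = 1 },
        @{ K = 'HKLM:\SOFTWARE\Policies\Microsoft\MRT'; N = 'DontReportInfectionInformation'; V = 1 }
    )
    foreach ($t in $tamper) {
        $props = Get-ItemProperty -Path $t.K -ErrorAction SilentlyContinue
        foreach ($n in $t.N) { if ($props -and $props.$n -eq $t.V) { Add-Hit 'Tampering' "$($t.K)\$n" $props.$n } }
    }
    # SafeBoot subkeys the worm may delete; if they are missing, Safe Mode will not boot
    foreach ($sb in 'Minimal', 'Network') {
        $k = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$sb"
        if (-not (Test-Path $k)) { Add-Hit 'SafeBootMissing' $k $null }
    }
    return $hits
}
Get-SlenfbotArtifacts | Format-Table -AutoSize
```

An empty table means none of the listed artifacts was found; a SafeBootMissing hit should be treated as a priority finding even without the other indicators, since it matches the worm's attempt to prevent recovery through Safe Mode.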