Win32/Slenfbot [Threat Name]

Win32/Slenfbot.AD [Threat Variant Name]

Category worm
Size 213504 B
Detection created Dec 25, 2010
Signature database version 10298
Aliases Net-Worm.Win32.Kolab.xho (Kaspersky)
  Trojan:Win32/Meredrop (Microsoft)
Short description

Win32/Slenfbot.AD is a worm that spreads via removable media, IM networks and by exploiting the MS10-061 vulnerability. The worm contains a backdoor. It can be controlled remotely.

Installation

When executed, the worm copies itself into the following locations:

  • %system%\igfxpb32.exe
  • %userprofile%\cache\igfxpb32.exe

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    • "%system%\igfxpb32.exe" = "%system%\igfxpb32.exe:*:Enabled:wLAN"
  • [HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    • "%userprofile%\cache\igfxpb32.exe" = "%userprofile%\cache\igfxpb32.exe:*:Enabled:wLAN"

These entries add the worm's copies to the list of applications authorized by Windows Firewall, creating an exception for them.


The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
    • "Disablenxshowui" = "%system%\igfxpb32.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
    • "Disablenxshowui" = "%userprofile%\cache\igfxpb32.exe"

These entries disable Data Execution Prevention (DEP) for the specified file.


In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Intel Packet Service" = "%system%\igfxpb32.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Intel Packet Service" = "%userprofile%\cache\igfxpb32.exe"

The worm creates and runs a new thread with its own program code within the following processes:

  • explorer.exe

After the installation is complete, the worm deletes the original executable file.

Spreading

The worm spreads by exploiting a vulnerability in the operating system of the targeted machine.


It exploits the MS10-061 vulnerability. This vulnerability is described in "Vulnerability in Print Spooler Service".

Spreading via IM networks

Win32/Slenfbot.AD is a worm that spreads via IM networks.


The programs affected include the following:

  • Skype
  • Aim
  • ICQ
  • Yahoo Messenger
  • Google Talk
  • MSN Messenger
  • Paltalk
  • XFire

The worm spreads through links which point to websites containing malware.

Spreading on removable media

The worm creates the following folder:

  • %drive%\~TrashBin\

The folder may have the System (S) and Hidden (H) attributes set in an attempt to hide it in Windows Explorer.


The worm copies itself into the folder:

  • %drive%\~TrashBin\

The following filename is used:

  • t%variable%.exe

The %variable% represents a random number.


The worm creates the following file:

  • %drive%\Autorun.inf

Thus, the worm ensures it is started each time the infected media is inserted into a computer.
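The following read-only check is an added example and is not part of the ESET entry. It walks every ready removable drive and reports the spreading artefacts listed above: the %drive%\~TrashBin\ folder (with its attributes, since the entry says it may be Hidden and System), any t<number>.exe copy inside it, and a %drive%\Autorun.inf. The entry does not show the contents of the Autorun.inf, so the assumption that it references the ~TrashBin copy is an assumption of this example; a file that does not mention it is only reported, not flagged. The file size compared against is the 213504 B stated in the entry header.

```powershell
# Added example, not from the ESET entry: read-only check of removable drives for
# the Win32/Slenfbot.AD spreading artefacts (%drive%\~TrashBin\, t<number>.exe
# inside it, %drive%\Autorun.inf). Assumption: an Autorun.inf dropped by the worm
# refers to the ~TrashBin copy; the entry does not show the file's contents.
$entrySizeBytes = 213504   # size stated in this entry; other variants may differ

foreach ($drive in [System.IO.DriveInfo]::GetDrives()) {
    if ($drive.DriveType -ne 'Removable' -or -not $drive.IsReady) { continue }
    $root = $drive.RootDirectory.FullName            # e.g. E:\
    $bin  = Join-Path $root '~TrashBin'
    $inf  = Join-Path $root 'Autorun.inf'

    if (Test-Path -LiteralPath $bin) {
        # -Force is needed because the folder may carry the Hidden and System attributes.
        $attrs = (Get-Item -LiteralPath $bin -Force).Attributes
        Write-Output "[!] $bin exists (attributes: $attrs)"
        # t%variable%.exe, where %variable% is a random number
        Get-ChildItem -LiteralPath $bin -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match '^t\d+\.exe$' } |
            ForEach-Object {
                $note = if ($_.Length -eq $entrySizeBytes) { 'matches size in entry' } else { "$($_.Length) bytes" }
                Write-Output "    dropped copy: $($_.FullName) ($note)"
            }
    }

    if (Test-Path -LiteralPath $inf) {
        $text = Get-Content -LiteralPath $inf -Force -Raw -ErrorAction SilentlyContinue
        if ($text -match '(?i)~TrashBin') {
            Write-Output "[!] $inf references ~TrashBin; launch lines:"
            # Only the directives that cause execution are echoed.
            $text -split "`r?`n" |
                Where-Object { $_ -match '^\s*(open|shellexecute|shell\\[^\\]*\\command)\s*=' } |
                ForEach-Object { Write-Output "    $_" }
        } else {
            Write-Output "[i] $inf present on $root but does not mention ~TrashBin"
        }
    }
}
```

Run it from Windows PowerShell with the suspect media attached; it never writes to the drive. A hit on both the folder and an Autorun.inf that points into it is the combination the entry describes; a bare Autorun.inf by itself is common on legitimate media and is only listed for context.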

Other information

The worm contains a backdoor. It can be controlled remotely.


The worm receives data and instructions for further action from the Internet or another remote computer within its own network (botnet).


The worm connects to the following addresses:

  • s11.ohbabycani.su
  • s4.ohbabycani.su

The IRC protocol is used.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • spread via IM networks
  • open a specific URL address

The worm terminates processes with any of the following strings in the name:

  • chgservice.exe
  • cmmon32.exe
  • drive32.exe
  • msvmiode.exe
  • recycler
  • rvhost.exe
  • serivces.exe
  • servicers.exe
  • svchos.exe
  • temp
  • tmp
  • undmgr.exe
  • uninstall_.exe
  • usbmngr.exe
  • wudfhost.exe

The following programs are terminated:

  • BILLY.EXE
  • CATCHME.EXE
  • COMBOFIX.EXE
  • HIJACKTHIS.EXE
  • MBAMGUI.EXE
  • MPCMDRUN.EXE
  • MRT.EXE
  • MRTSTUB.EXE
  • MSASCUI.EXE
  • MSMPENG.EXE
  • TCPVIEW.EXE
  • TEATIMER.EXE
  • USBGUARD.EXE

The worm terminates various security related applications.


The worm looks for processes with any of the following strings in their name:

  • prevx
  • k7rtscan
  • ashserv
  • avguard
  • vsserv
  • avg
  • nod32krn
  • ekrn
  • mcshield
  • mbamservice
  • savservice
  • smc
  • rtvscan
  • dwengine
  • drwebcom
  • spidernt
  • spysweeper
  • outpost
  • tmpfw
  • uiWatchDog.exe
  • kpf4
  • cmdagent
  • vsmon
  • sbpflnch
  • acs

The worm may execute the following commands:

  • CMD /C net stop %securityservicename%
  • CMD /C sc stop %securityservicename%
  • CMD /C sc config %securityservicename% start= disabled
  • CMD /C sc delete %securityservicename%

The worm may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
    • "DisableConfig" = 1
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT]
    • "DontReportInfectionInformation" = 1
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    • "AntiVirusOverride" = 1
    • "AntiVirusDisableNotify" = 1
    • "FirewallOverride" = 1
    • "FirewallDisableNotify" = 1
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    • "DisableSR" = 1
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden]
    • "CheckedValue" = 1
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    • "Hidden" = 2

The worm may delete the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network]
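The following read-only audit is an added example and is not part of the ESET entry. It covers the host-side indicators from both the Installation section (dropped files, "Intel Packet Service" Run values, the Windows Firewall authorized-applications exception, the AppCompatFlags\Layers DEP exclusion) and this Other information section (the security-weakening values, wscsvc disabled, and the two SafeBoot keys the worm may delete). It resolves %system% and %userprofile% through .NET for the current user, which is an assumption of this example; run it for the affected user profile. Note that "Hidden" = 2 and the SuperHidden "CheckedValue" can sit at those settings on a clean machine, so those two hits are corroborating evidence only.

```powershell
# Added example, not from the ESET entry: read-only audit of the registry and file
# indicators this entry lists for Win32/Slenfbot.AD. Save as a .ps1 and run it from
# an elevated Windows PowerShell prompt so HKLM and %SystemRoot%\System32 are fully
# readable. Nothing on the host is modified.
$findings = New-Object 'System.Collections.Generic.List[string]'
$psMeta   = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Add-Finding([string]$Message) {
    if (-not $script:findings.Contains($Message)) { $script:findings.Add($Message) }
}

# Report every value under $Path whose name AND data match the given wildcard patterns.
function Find-RegValue {
    param([string]$Path, [string]$NameLike = '*', [string]$DataLike = '*')
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $item = Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $item) { return }
    foreach ($p in $item.PSObject.Properties) {
        # Provider metadata properties are not registry values.
        if ($psMeta -contains $p.Name) { continue }
        if ($p.Name -like $NameLike -and "$($p.Value)" -like $DataLike) {
            Add-Finding "$Path : '$($p.Name)' = '$($p.Value)'"
        }
    }
}

# Dropped copies: %system%\igfxpb32.exe and %userprofile%\cache\igfxpb32.exe
$sys  = [Environment]::GetFolderPath('System')        # assumed to stand for %system%
$prof = [Environment]::GetFolderPath('UserProfile')   # assumed to stand for %userprofile%
foreach ($f in "$sys\igfxpb32.exe", "$prof\cache\igfxpb32.exe") {
    if (Test-Path -LiteralPath $f) { Add-Finding "dropped file present: $f" }
}

foreach ($hive in 'HKLM', 'HKCU') {
    # Persistence: value "Intel Packet Service", or any Run value pointing at igfxpb32.exe
    $run = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    Find-RegValue $run -NameLike 'Intel Packet Service'
    Find-RegValue $run -DataLike '*igfxpb32.exe*'
    # Windows Firewall authorized-applications exception (value name is the file path)
    Find-RegValue "${hive}:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List" -NameLike '*igfxpb32.exe'
    # DEP exclusion via AppCompatFlags\Layers; the file path is checked in both positions
    $layers = "${hive}:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"
    Find-RegValue $layers -NameLike '*igfxpb32.exe*'
    Find-RegValue $layers -DataLike '*igfxpb32.exe*'
}

# Security-weakening values as listed in the entry. Caveat: "Hidden" = 2 and the
# SuperHidden "CheckedValue" can be at these settings on a clean machine.
$weakening = @(
    @('HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore', 'DisableConfig', '1'),
    @('HKLM:\SOFTWARE\Policies\Microsoft\MRT', 'DontReportInfectionInformation', '1'),
    @('HKLM:\SOFTWARE\Microsoft\Security Center', 'AntiVirusOverride', '1'),
    @('HKLM:\SOFTWARE\Microsoft\Security Center', 'AntiVirusDisableNotify', '1'),
    @('HKLM:\SOFTWARE\Microsoft\Security Center', 'FirewallOverride', '1'),
    @('HKLM:\SOFTWARE\Microsoft\Security Center', 'FirewallDisableNotify', '1'),
    @('HKLM:\SYSTEM\CurrentControlSet\Services\wscsvc', 'Start', '4'),
    @('HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore', 'DisableSR', '1'),
    @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden', 'CheckedValue', '1'),
    @('HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced', 'Hidden', '2')
)
foreach ($w in $weakening) { Find-RegValue -Path $w[0] -NameLike $w[1] -DataLike $w[2] }

# SafeBoot keys the worm may delete; without them Safe Mode cannot start.
foreach ($k in 'Minimal', 'Network') {
    $p = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$k"
    if (-not (Test-Path -LiteralPath $p)) { Add-Finding "SafeBoot key missing (Safe Mode unusable): $p" }
}

if ($findings.Count -eq 0) { Write-Output 'No indicators from this entry were found.' }
else { $findings | ForEach-Object { Write-Output "[!] $_" } }
```

The audit only reads; remediation (restoring wscsvc to its original start type, recreating the SafeBoot keys, removing the Run and firewall values) is a separate, deliberate step once the dropped file has been confirmed and removed, because the entry's list of terminated security processes means the host's own antivirus may no longer be running to do it.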

The worm may execute the following commands:

  • CMD /C del /F /S /Q "C:\ComboFix.txt"
  • CMD /C attrib -s -h "C:\ntldr"
  • CMD /C move "C:\ntldr" "C:\dump"
  • CMD /C del /F /S /Q "%windir%\system32\hal.dll"
  • CMD /C "shutdown -s"
