WORM_SLENBOT.LFM

This worm arrives via removable drives. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

It connects to Internet Relay Chat (IRC) servers. It executes commands from a remote malicious user, effectively compromising the affected system.

Arrival Details

This worm arrives via removable drives.

It may arrive via network shares.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following copies of itself into the affected system:

• %System%\wmpkh32.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• S3xY!

It injects threads into the following normal process(es):

• explorer.exe

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
WinMedia Server = "%System%\wmpkh32.exe"

Other System Modifications

This worm adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\AppCompatFlags\
Layers
%System%\wmpkh32.exe = "DisableNXShowUI"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\DomainProfile\AuthorizedApplications\
List
%System%\wmpkh32.exe = "%System%\wmpkh32.exe:*:Enabled:WinMedia Server"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
%System%\wmpkh32.exe = "%System%\wmpkh32.exe:*:Enabled:WinMedia Server

Propagation

This worm creates the following folders in all removable drives:

• DrvInf.{random CLSID}

It drops copies of itself in network drives such as the following:

• {Network Drive}:\DrvInf.{random CLSID}\drvinf-x{random numbers}.core

It drops the following copy(ies) of itself in all removable drives:

• {Removable Drive}:\DrvInf.{random CLSID}\drvinf-x{random numbers}.core

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

;{garbage characters}
[Autorun]
;{garbage characters}
open=CMD /C START DrvInf.{random CLSID}\drvinf-x{random numbers}.core
;{garbage characters}
icon=%windir%\system32\SHELL32.dll,3
;{garbage characters}
action=Open drive to browse contents.
;{garbage characters}
shell\open=Open
;{garbage characters}
shell\open\command=CMD /C START DrvInf.{random CLSID}\drvinf-x{random numbers}.core
;{garbage characters}
shell\open\default=1
;{garbage characters}
useautoplay=1
;{garbage characters}

Backdoor Routine

This worm connects to any of the following Internet Relay Chat (IRC) servers:

• s27.{BLOCKED}ids.su

It joins any of the following IRC channel(s):

• ##ops

It executes the following commands from a remote malicious user:

• Download and execute files
• Scan ports
• Send instant messages
• Update itself

Process Termination

This worm terminates the following processes if found running in the affected system's memory:

• TEATIMER.EXE
• MRT.EXE
• MRTSTUB.EXE
• TCPVIEW.EXE
• HIJACKTHIS.EXE
• MSMPENG.EXE
• MSASCUI.EXE
• MPCMDRUN.EXE
• USBGUARD.EXE
• BILLY.EXE
• AADRIVE32.EXE

Download Routine

This worm downloads updated copies of itself from the following websites:

• http://vps318.{BLOCKED}ackupsvc.su/net/3x1.zip
• http://vps490.{BLOCKED}ackupsvc.su/net/3x1.zip

NOTES:

It terminates itself if any of the following conditions are satisfied:

• if the worm path contains any of the following strings:
  • malware
  • sample
  • sand-box
  • sandbox
  • test
  • virus
• if computer name contains any of the following strings:
  • DELL-D3E62F7E26
  • HOME-OFF-D5F0AC
  • KAKAPROU-6405DA
  • Malekal
  • MORTE
  • VMG-CLIENT
• if user name contains any of the following strings:
  • DELL-D3E62F7E26
  • HOME-OFF-D5F0AC
  • KAKAPROU-6405DA
  • klasnich
  • Malekal
  • MORTE
  • VMG-CLIENT
• if it is running on virtual machine. It checks if the data under the registry entry HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 contains any of the following strings:
  • QEMU
  • VBox
  • Virtual
  • VMWare
• if running processes contain any of the following strings:
  • cports.exe
  • dumpcap.exe
  • filemon.exe
  • procdump.exe
  • procexp.exe
  • procmon.exe
  • regmon.exe
  • regshot.exe
  • sbiectrl.exe
  • squid.exe
  • tcpview
  • vbox
  • vmsrvc
  • VMware_&Prod_VMware_Virtual_S&Re
  • vmware
  • wireshark.exe
• if a window exists that contains any of the following ClassName, WindowName pairs:
  • #32770, Regshot 1.8.2
  • CNetmonMainFrame, Microsoft Network Monitor 3.3
  • CurrPorts, CurrPorts
  • gdkWindowToplevel, The Wireshark Network Analyzer
  • PROCEXPL, 0
  • PROCMON_WINDOW_CLASS, Process Monitor - Sysinternals: www.sysinternals.com
  • SmartSniff, SmartSniff
  • TCPViewClass, 0
• if any of the following files exist in the %Program Files% folder:
  • Ethereal\ethereal.html
  • Microsoft Network Monitor 3\netmon.exe
  • WinPcap\rpcapd.exe
  • WireShark\rawshark.exe

It connects to its IRC server to send and receive commands from remote malicious user

It uses the following credentials when logging into its IRC server:
USER: SPX
NICK: {country}|X-714|0|{OS}|{number}
PASSWORD: 3v1l$