WORM_SLENFBOT.DF


 ALIASES:

Worm:Win32/Slenfbot.gen!D (Microsoft), BackDoor-FGA (McAfee), W32.IRCBot.NG (Symantec), Worm/Slenfbot.avdma (Antivir), W32/Slenfbot.II!tr (Fortinet), Worm.Win32.Slenfbot (Ikarus), Win32/Injector.SEF trojan (NOD32), Trojan.Jorik.IRCbot.mlj (VBA32)

 PLATFORM:

Windows 2000, Windows XP (32-bit and 64-bit), Windows Server 2003, Windows Vista (32-bit and 64-bit), Windows 7 (32-bit and 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Propagates via removable drives, Downloaded from the Internet, Dropped by other malware

This worm arrives via removable drives. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

It executes commands from a remote malicious user, effectively compromising the affected system.

As of this writing, the said sites are inaccessible.

It deletes the initially executed copy of itself.

  TECHNICAL DETAILS

File Size:

251,392 bytes

File Type:

EXE

Memory Resident:

Yes

Initial Samples Received Date:

09 Jan 2013

Payload:

Compromises system security, Connects to URLs/IPs, Terminates processes, Downloads files

Arrival Details

This worm arrives via removable drives.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following copies of itself into the affected system:

  • %System%\wmpsh32.exe (with Admin Rights in 32-bit)
  • %Windows%\SysWow64\wmpsh32.exe (with Admin Rights in 64-bit)
  • %User Profile%\Network\wmpsh32.exe (without Admin Rights)

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.. %Windows% is the Windows folder, which is usually C:\Windows.. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

It creates the following folders:

  • %User Profile%\Network - (without Admin Rights)

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

  • v8x

It injects codes into the following process(es):

  • explorer.exe

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Windows Media Content Sharing = "%System%\wmpsh32.exe" (with Admin Rights in 32-bit)

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Windows Media Content Sharing = "%User Profile%\Network\wmpsh32.exe" (without Admin Rights)

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
Windows Media Content Sharing = "%Windows%\SysWow64\wmpsh32.exe" (with Admin Rights in 64-bit)

Other System Modifications

This worm adds the following registry entries:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\AppCompatFlags\
Layers
%User Profile%\Network\wmpsh32.exe = "DisableNXShowUI" (without Admin Rights)

HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
%User Profile%\Network\wmpsh32.exe = "%User Profile%\Network\wmpsh32.exe:*:Enabled:Windows Media Content Sharing" (without Admin Rights)

HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\DomainProfile\AuthorizedApplications\
List
%User Profile%\Network\wmpsh32.exe = "%User Profile%\Network\wmpsh32.exe:*:Enabled:Windows Media Content Sharing" (without Admin Rights)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\AppCompatFlags\
Layers
%System%\wmpsh32.exe = "DisableNXShowUI" (with Admin Rights in 32-bit)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
%System%\wmpsh32.exe = "%System%\wmpsh32.exe:*:Enabled:Windows Media ContentSharing" (with Admin Rights in 32-bit)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\DomainProfile\AuthorizedApplications\
List
%System%\wmpsh32.exe = "%System%\wmpsh32.exe:*:Enabled:Windows Media Content Sharing" (with Admin Rights in 32-bit)

HKLM\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\AppCompatFlags\
Layers
%Windows%\SysWow64\wmpsh32.exe = "DisableNXShowUI" (with Admin Rights in 64-bit)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
%Windows%\SysWow64\wmpsh32.exe = "%Windows%\SysWow64\wmpsh32.exe:*:Enabled:Windows Media Content Sharing" (with Admin Rights in 64-bit)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\DomainProfile\AuthorizedApplications\
List
%Windows%\SysWow64\wmpsh32.exe = "%Windows%\SysWow64\wmpsh32.exe:*:Enabled:Windows Media Content Sharing" (with Admin Rights in 64-bit)

Propagation

This worm creates the following folders in all removable drives:

  • {removable drive}:\~TmpMon.{645FF040-5081-101B-9F08-00AA002F954E}

It drops the following copy(ies) of itself in all removable drives:

  • {removable drive}:\~TmpMon.{645FF040-5081-101B-9F08-00AA002F954E}\tmpmon-t829058.xtc

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

;garbage characters
[Autorun]
;garbage characters
open=CMD /C START ~TmpMon.{645FF040-5081-101B-9F08-00AA002F954E}\tmpmon-t829058.xtc
;garbage characters
icon=%windir%\system32\SHELL32.dll,3
;garbage characters
action=Open device to locate files.
;garbage characters
shell\open=Open
;garbage characters
shell\open\command=CMD /C START ~TmpMon.{645FF040-5081-101B-9F08-00AA002F954E}\tmpmon-t829058.xtc
;garbage characters
shell\open\default=1
;garbage characters
shell\explore=Explore
;garbage characters
shell\explore\command=CMD /C START ~TmpMon.{645FF040-5081-101B-9F08-00AA002F954E}\tmpmon-t829058.xtc
;garbage characters
shell\search=Search...
;garbage characters
shell\search\command=CMD /C START ~TmpMon.{645FF040-5081-101B-9F08-00AA002F954E}\tmpmon-t829058.xtc
;garbage characters
useautoplay=1
;garbage characters

Backdoor Routine

This worm connects to any of the following IRC server(s):

  • {BLOCKED}-0.level4-co2-as30938.su
  • {BLOCKED}0.level4-co1-as30912.su
  • {BLOCKED-0.level4-co1-as30912.su
  • {BLOCKED}0.level4-co2-as30938.su

It joins any of the following IRC channel(s):

  • ##net

It executes the following commands from a remote malicious user:

  • Download and execute arbitrary files
  • Update Itself
  • Scan Local Area Network
  • Send IM Spam
  • Visit certain URLs
  • Join and leave IRC channels

Process Termination

This worm terminates the following services if found on the affected system:

  • nod32krn
  • ekrn
  • SCFService.exe
  • outpost
  • tmpfw
  • kpf4
  • cmdagent
  • vsmon
  • sbpflnch
  • acs

It terminates the following processes if found running in the affected system's memory:

  • TEATIMER.EXE
  • MRT.EXE
  • MRTSTUB.EXE
  • HIJACKTHIS.EXE
  • TCPVIEW.EXE
  • USBGUARD.EXE
  • BILLY.EXE
  • EGUI.EXE

Download Routine

This worm accesses the following websites to download files:

  • http://{BLOCKED}-0.level5-co1-as30954.su/css/.u/0x2f.zip - updated copy of itself

As of this writing, the said sites are inaccessible.

Other Details

This worm deletes the initially executed copy of itself

It terminates itself if any of the following file(s) are present:

  • %Program Files%\Ethereal\ethereal.html
  • %Program Files%\Microsoft Network Monitor 3\netmon.exe
  • %Program Files%\WinPcap\rpcapd.exe
  • %Program Files%\Wireshark\rawshark.exe

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).)

It terminates itself if windows or classes contain any of the following string(s):

  • gdkWindowToplevel, The Wireshark Network Analyzer
  • CNetmonMainFrame, Microsoft Network Monitor 3.3
  • SmartSniff, SmartSniff
  • CurrPorts,CurrPorts
  • TCPViewClass, NULL
  • PROCMON_WINDOW_CLASS, Process Monitor - Sysinternals: www.sysinternals.com
  • #32770, Regshot 1.8.2
  • PROCEXPL, NULL

It terminates itself if any of the following user name(s) are found in the affected system:

  • VMG-Client
  • Malekal
  • Mak
  • HOME-OFF-D5F0AC
  • DELL-D3E62F7E26
  • KAKAPROU-6405DA
  • klasnich

It terminates itself if any of the following computer name(s) are found in the affected system:

  • VMG-Client
  • Malekal
  • MAKKK
  • HOME-OFF-D5F0AC
  • DELL-D3E62F7E26
  • KAKAPROU-6405DA

It uses the following credentials when accessing its IRC server:

  • PASSWORD su1c1d3
  • NICK {Counry}|X-471|0|{OS}|{number}
  • USER XP-SPX {Counry}|X-471|0|{OS}|{number} {Counry}|X-471|0|{OS}|{number} :{Computer Name}

NOTES:

This worm terminates and deletes itself if file path and name of the malware contains any of the following strings:

  • sample
  • virus
  • sand-box
  • sandbox
  • malware
  • heuristic
  • virussign.com
  • maxtemp
  • test

This worm enumerates entries from the following registry and check for the following virtual environment:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
Vmware
Vbox
QEMU

It checks if it is running in a malware simulation environment by checking if any of the following processes is running:

  • vbox
  • vmsrvc
  • syssafe
  • vmware
  • tcpview
  • wireshark.exe
  • regshot.exe
  • procmon.exe
  • filemon.exe
  • regmon.exe
  • procdump.exe
  • cports.exe
  • procexp.exe
  • squid.exe
  • dumpcap.exe
  • sbiectrl.exe

It sleeps indefinitely when the following mutex is present:

  • muipcdraotse

It creates and releases the following mutex, respectively before and after it send data to its IRC server:

  • send

It attemps to download an updated copy of itself to be used in its propagation. If it fails to do so, it just uses the current copy of itself.

It can also use the following file names for propagation and can be found in {drive letter}:\RECYCLER:

  • zaberg.exe
  • woot.exe
  • nxqd.exe
  • ecleaner.exe
  • drive32.exe
  • msvmiode.exe
  • rvhost.exe
  • wudfhost.exe
  • svchos.exe
  • servicers.exe
  • uninstall_.exe
  • undmgr.exe
  • chgservice.exe
  • iexplorer.exe
  • usbmngr.exe
  • serivces.exe
  • cmmon32.exe

It accesses the following URLs to retrieve encypted backdoor commands:

  • http://{BLOCKED}.{BLOCKED}.53.179/ip/0x2f.txt
  • http://{BLOCKED}.{BLOCKED}.237.50/aspnet_client/ip/0x2f.txt
  • http://{BLOCKED}.{BLOCKED}.213.67/awstats/rdat02.txt

It deletes all the files in C:\RECYCLER folder

The files that it deletes may be from the Recycle Bin or other malware which may be an old version of itself or those from other malware family. There is no need to restore these files.

  SOLUTION

Minimum Scan Engine:

9.300

FIRST VSAPI PATTERN FILE:

9.646.02

FIRST VSAPI PATTERN DATE:

09 Jan 2013

VSAPI OPR PATTERN File:

9.647.00

VSAPI OPR PATTERN Date:

10 Jan 2013

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Identify and delete files detected as WORM_SLENFBOT.DF using the Recovery Console

[ Learn More ]

Step 3

Delete this registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    • Windows Media Content Sharing = "%System%\wmpsh32.exe" (with Admin Rights in 32-bit)
  • In HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    • Windows Media Content Sharing = "%Windows%\SysWow64\wmpsh32.exe" (with Admin Rights in 64-bit)
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • Windows Media Content Sharing = "%User Profile%\Network\wmpsh32.exe" (without Admin Rights)
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
    • %System%\wmpsh32.exe = "DisableNXShowUI" (with Admin Rights in 32-bit)
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    • %System%\wmpsh32.exe = "%System%\wmpsh32.exe:*:Enabled:Windows Media Content Sharing" (with Admin Rights in 32-bit)
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
    • %System%\wmpsh32.exe = "%System%\wmpsh32.exe:*:Enabled:Windows Media Content Sharing" (with Admin Rights in 32-bit)
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
    • %Windows%\SysWow64\wmpsh32.exe = "DisableNXShowUI" (with Admin Rights in 64-bit)
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    • %Windows%\SysWow64\wmpsh32.exe = "%Windows%\SysWow64\wmpsh32.exe:*:Enabled:Windows Media Content Sharing" (with Admin Rights in 64-bit)
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
    • %Windows%\SysWow64\wmpsh32.exe = "%Windows%\SysWow64\wmpsh32.exe:*:Enabled:Windows Media Content Sharing" (with Admin Rights in 64-bit)
  • In HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
    • %User Profile%\Network\wmpsh32.exe = "DisableNXShowUI" (without Admin Rights)
  • In HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    • %User Profile%\Network\wmpsh32.exe = "%User Profile%\Network\wmpsh32.exe:*:Enabled:Windows Media Content Sharing" (without Admin Rights)
  • In HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
    • %User Profile%\Network\wmpsh32.exe = "%User Profile%\Network\wmpsh32.exe:*:Enabled:Windows Media Content Sharing" (without Admin Rights)

Step 4

Search and delete these folders

[ Learn More ]
Please make sure you check the Search Hidden Files and Folders checkbox in the More advanced options option to include all hidden folders in the search result.
  • %User Profile%\Network
  • {removable drive}:\~TmpMon.{645FF040-5081-101B-9F08-00AA002F954E}
  • {removable drive}:\RECYCLER

Step 5

Search and delete AUTORUN.INF files created by WORM_SLENFBOT.DF that contain these strings

[ Learn More ]
;garbage characters
[Autorun]
;garbage characters
open=CMD /C START ~TmpMon.{645FF040-5081-101B-9F08-00AA002F954E}\tmpmon-t829058.xtc
;garbage characters
icon=%windir%\system32\SHELL32.dll,3
;garbage characters
action=Open device to locate files.
;garbage characters
shell\open=Open
;garbage characters
shell\open\command=CMD /C START ~TmpMon.{645FF040-5081-101B-9F08-00AA002F954E}\tmpmon-t829058.xtc
;garbage characters
shell\open\default=1
;garbage characters
shell\explore=Explore
;garbage characters
shell\explore\command=CMD /C START ~TmpMon.{645FF040-5081-101B-9F08-00AA002F954E}\tmpmon-t829058.xtc
;garbage characters
shell\search=Search...
;garbage characters
shell\search\command=CMD /C START ~TmpMon.{645FF040-5081-101B-9F08-00AA002F954E}\tmpmon-t829058.xtc
;garbage characters
useautoplay=1
;garbage characters

Step 6

Scan your computer with your Trend Micro product to delete files detected as WORM_SLENFBOT.DF. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.


Did this description help? Tell us how we did.