Analysis by: Anthony Joe Melgarejo

ALIASES:

Worm:Win32/Slenfbot.gen!D (Microsoft), BackDoor-FGA (McAfee), W32.IRCBot.NG (Symantec), Worm/Slenfbot.avdma (Antivir), W32/Slenfbot.II!tr (Fortinet), Worm.Win32.Slenfbot (Ikarus), Win32/Injector.SEF trojan (NOD32), Trojan.Jorik.IRCbot.mlj (VBA32)

 PLATFORM:

Windows 2000, Windows XP (32-bit and 64-bit), Windows Server 2003, Windows Vista (32-bit and 64-bit), Windows 7 (32-bit and 64-bit)

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

Infection Channel: Propagates via removable drives, Downloaded from the Internet, Dropped by other malware

This worm arrives via removable drives. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

It executes commands from a remote malicious user, effectively compromising the affected system.

As of this writing, the said sites are inaccessible.

It deletes the initially executed copy of itself.

  TECHNICAL DETAILS

File Size: 251,392 bytes
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 09 Jan 2013
Payload: Compromises system security, Connects to URLs/IPs, Terminates processes, Downloads files

Arrival Details

This worm arrives via removable drives.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following copies of itself into the affected system:

  • %System%\wmpsh32.exe (with Admin Rights in 32-bit)
  • %Windows%\SysWow64\wmpsh32.exe (with Admin Rights in 64-bit)
  • %User Profile%\Network\wmpsh32.exe (without Admin Rights)

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32. %Windows% is the Windows folder, which is usually C:\Windows. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

It creates the following folders:

  • %User Profile%\Network - (without Admin Rights)

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

  • v8x

It injects code into the following process(es):

  • explorer.exe

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Windows Media Content Sharing = "%System%\wmpsh32.exe" (with Admin Rights in 32-bit)

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Windows Media Content Sharing = "%User Profile%\Network\wmpsh32.exe" (without Admin Rights)

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
Windows Media Content Sharing = "%Windows%\SysWow64\wmpsh32.exe" (with Admin Rights in 64-bit)

Other System Modifications

This worm adds the following registry entries:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\AppCompatFlags\
Layers
%User Profile%\Network\wmpsh32.exe = "DisableNXShowUI" (without Admin Rights)

HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
%User Profile%\Network\wmpsh32.exe = "%User Profile%\Network\wmpsh32.exe:*:Enabled:Windows Media Content Sharing" (without Admin Rights)

HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\DomainProfile\AuthorizedApplications\
List
%User Profile%\Network\wmpsh32.exe = "%User Profile%\Network\wmpsh32.exe:*:Enabled:Windows Media Content Sharing" (without Admin Rights)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\AppCompatFlags\
Layers
%System%\wmpsh32.exe = "DisableNXShowUI" (with Admin Rights in 32-bit)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
%System%\wmpsh32.exe = "%System%\wmpsh32.exe:*:Enabled:Windows Media Content Sharing" (with Admin Rights in 32-bit)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\DomainProfile\AuthorizedApplications\
List
%System%\wmpsh32.exe = "%System%\wmpsh32.exe:*:Enabled:Windows Media Content Sharing" (with Admin Rights in 32-bit)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\AppCompatFlags\
Layers
%Windows%\SysWow64\wmpsh32.exe = "DisableNXShowUI" (with Admin Rights in 64-bit)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
%Windows%\SysWow64\wmpsh32.exe = "%Windows%\SysWow64\wmpsh32.exe:*:Enabled:Windows Media Content Sharing" (with Admin Rights in 64-bit)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\DomainProfile\AuthorizedApplications\
List
%Windows%\SysWow64\wmpsh32.exe = "%Windows%\SysWow64\wmpsh32.exe:*:Enabled:Windows Media Content Sharing" (with Admin Rights in 64-bit)
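
The three kinds of entries listed above all reference the same binary: a Run value for persistence, an AppCompatFlags Layers entry, and a firewall AuthorizedApplications exception. That combination is a useful triage signal on its own, independent of the file name. The following Python script is an added example (not part of this description and not Trend Micro code) that correlates a registry export over those three key families; the export is modelled as (key path, value name, value data) tuples, the benign "Vendor" entries are invented for contrast, and the "user-writable-location" tag is this example's own heuristic.

```python
import re
from collections import defaultdict

# Key families to correlate, compared case-insensitively on their tail.
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
LAYERS_KEY_SUFFIX = r"\software\microsoft\windows nt\currentversion\appcompatflags\layers"
FIREWALL_LIST_SUFFIX = r"\authorizedapplications\list"

# Constructed registry export modelled on the entries listed above (key path,
# value name, value data), plus two hypothetical benign entries: a Run entry
# with no firewall exception and a firewall exception with no Run entry.
SAMPLE_REGISTRY = [
    (r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "Windows Media Content Sharing", r"%User Profile%\Network\wmpsh32.exe"),
    (r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers",
     r"%User Profile%\Network\wmpsh32.exe", "DisableNXShowUI"),
    (r"HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
     r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List",
     r"%User Profile%\Network\wmpsh32.exe",
     r"%User Profile%\Network\wmpsh32.exe:*:Enabled:Windows Media Content Sharing"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "VendorTray", r'"C:\Program Files\Vendor\tray.exe" /silent'),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
     r"\FirewallPolicy\DomainProfile\AuthorizedApplications\List",
     r"C:\Program Files\Vendor\sync.exe",
     r"C:\Program Files\Vendor\sync.exe:*:Enabled:Vendor Sync"),
]


def exe_from_run_data(data):
    """Normalise a Run value: strip quotes and trailing arguments, keep the .exe path."""
    d = data.strip().strip('"')
    m = re.match(r"^(.*?\.exe)\b", d, re.IGNORECASE)
    return (m.group(1) if m else d).lower()


def exe_from_firewall_data(data):
    """AuthorizedApplications data has the form <path>:<scope>:<Enabled|Disabled>:<name>."""
    return data.rsplit(":", 3)[0].strip().lower()


def correlate_persistence(entries):
    """Group registry evidence by executable path and return the executables that
    combine an autostart entry with a firewall exception or a compat-layer entry."""
    evidence = defaultdict(set)
    for key, name, data in entries:
        k = key.lower()
        if k.endswith(RUN_KEY_SUFFIX):
            evidence[exe_from_run_data(data)].add("run")
        elif k.endswith(LAYERS_KEY_SUFFIX):
            # Layers entries are keyed by the executable path itself.
            evidence[name.strip().lower()].add("layers:" + data)
        elif k.endswith(FIREWALL_LIST_SUFFIX) and "firewallpolicy" in k:
            evidence[exe_from_firewall_data(data)].add("firewall")

    suspects = {}
    for exe, tags in evidence.items():
        has_run = "run" in tags
        has_fw = "firewall" in tags
        has_layer = any(t.startswith("layers:") for t in tags)
        if has_run and (has_fw or has_layer):
            # Heuristic (this example's assumption): autostart binaries living in
            # user-writable locations deserve a closer look.
            if "%user profile%" in exe or "\\users\\" in exe or "\\appdata\\" in exe:
                tags.add("user-writable-location")
            suspects[exe] = sorted(tags)
    return suspects


if __name__ == "__main__":
    for exe, tags in correlate_persistence(SAMPLE_REGISTRY).items():
        print(exe, tags)
```

Run against the constructed export, only the wmpsh32.exe path is reported; the vendor entries each carry a single kind of evidence and are ignored. On a real host the same tuples can be produced from a `reg export` of the keys listed above.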

Propagation

This worm creates the following folders in all removable drives:

  • {removable drive}:\~TmpMon.{645FF040-5081-101B-9F08-00AA002F954E}

It drops the following copy(ies) of itself in all removable drives:

  • {removable drive}:\~TmpMon.{645FF040-5081-101B-9F08-00AA002F954E}\tmpmon-t829058.xtc

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

;garbage characters
[Autorun]
;garbage characters
open=CMD /C START ~TmpMon.{645FF040-5081-101B-9F08-00AA002F954E}\tmpmon-t829058.xtc
;garbage characters
icon=%windir%\system32\SHELL32.dll,3
;garbage characters
action=Open device to locate files.
;garbage characters
shell\open=Open
;garbage characters
shell\open\command=CMD /C START ~TmpMon.{645FF040-5081-101B-9F08-00AA002F954E}\tmpmon-t829058.xtc
;garbage characters
shell\open\default=1
;garbage characters
shell\explore=Explore
;garbage characters
shell\explore\command=CMD /C START ~TmpMon.{645FF040-5081-101B-9F08-00AA002F954E}\tmpmon-t829058.xtc
;garbage characters
shell\search=Search...
;garbage characters
shell\search\command=CMD /C START ~TmpMon.{645FF040-5081-101B-9F08-00AA002F954E}\tmpmon-t829058.xtc
;garbage characters
useautoplay=1
;garbage characters
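
The AUTORUN.INF above combines several traits that are rarely seen in legitimate autorun files: comment lines of garbage characters, every Explorer verb (open, explore, search) redirected to the same command, a launch through CMD /C START, a payload with a non-executable extension (.xtc), and a dropped folder named after the CLSID {645FF040-5081-101B-9F08-00AA002F954E}, which is the Recycle Bin CLSID, so Explorer shows the folder as a Recycle Bin object rather than as a plain folder. The following Python parser is an added example (not part of this description and not Trend Micro code) that reads such a file, skips the comment padding, and reports which of these indicators fire; the sample INF text is constructed from the strings listed above.

```python
import re

# Recycle Bin CLSID: a folder named "<name>.{CLSID}" is rendered by Explorer as
# that shell object, which hides the dropped payload from casual browsing.
RECYCLE_BIN_CLSID = "{645FF040-5081-101B-9F08-00AA002F954E}"
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
LAUNCH_KEYS = ("open", "shell\\open\\command",
               "shell\\explore\\command", "shell\\search\\command")
BENIGN_EXTENSIONS = ("exe", "com", "bat", "cmd")

# Constructed sample reproducing the strings listed above; the comment lines
# stand in for the "garbage characters" the worm writes between entries.
SAMPLE_AUTORUN_INF = """;xK9$#
[Autorun]
;q2@!
open=CMD /C START ~TmpMon.{645FF040-5081-101B-9F08-00AA002F954E}\\tmpmon-t829058.xtc
;zz%%
icon=%windir%\\system32\\SHELL32.dll,3
action=Open device to locate files.
shell\\open=Open
shell\\open\\command=CMD /C START ~TmpMon.{645FF040-5081-101B-9F08-00AA002F954E}\\tmpmon-t829058.xtc
shell\\open\\default=1
shell\\explore=Explore
shell\\explore\\command=CMD /C START ~TmpMon.{645FF040-5081-101B-9F08-00AA002F954E}\\tmpmon-t829058.xtc
shell\\search=Search...
shell\\search\\command=CMD /C START ~TmpMon.{645FF040-5081-101B-9F08-00AA002F954E}\\tmpmon-t829058.xtc
useautoplay=1
"""


def parse_autorun(text):
    """Return {key: value} for the [Autorun] section, ignoring ';' comment lines."""
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[autorun]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def triage_autorun(text):
    """Return the sorted list of indicator names that fire on this autorun.inf."""
    entries = parse_autorun(text)
    findings = set()
    for key in LAUNCH_KEYS:
        cmd = entries.get(key)
        if cmd is None:
            continue
        lowered = cmd.lower()
        if lowered.startswith("cmd /c start") or lowered.startswith("cmd.exe /c start"):
            findings.add("launch-via-cmd-start")
        if CLSID_RE.search(cmd):
            findings.add("clsid-named-folder")
        if RECYCLE_BIN_CLSID.lower() in lowered:
            findings.add("recycle-bin-clsid-disguise")
        tokens = cmd.split()
        target = tokens[-1] if tokens else ""
        ext = target.rsplit(".", 1)[-1].lower() if "." in target else ""
        if ext and ext not in BENIGN_EXTENSIONS:
            findings.add("non-executable-extension:" + ext)
    if entries.get("useautoplay") == "1":
        findings.add("useautoplay")
    # When both verbs are overridden, every double-click or right-click action
    # on the drive launches the payload.
    if all(k in entries for k in ("shell\\open\\command", "shell\\explore\\command")):
        findings.add("explorer-verbs-hijacked")
    return sorted(findings)


if __name__ == "__main__":
    print(triage_autorun(SAMPLE_AUTORUN_INF))
```

A plain vendor autorun.inf that only sets `open=setup.exe` and an icon produces no findings; the sample above trips every indicator. The parser works on the file contents alone, so it can be run over autorun.inf files collected from removable drives without executing anything on them.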

Backdoor Routine

This worm connects to any of the following IRC server(s):

  • {BLOCKED}-0.level4-co2-as30938.su
  • {BLOCKED}0.level4-co1-as30912.su
  • {BLOCKED}-0.level4-co1-as30912.su
  • {BLOCKED}0.level4-co2-as30938.su

It joins any of the following IRC channel(s):

  • ##net

It executes the following commands from a remote malicious user:

  • Download and execute arbitrary files
  • Update itself
  • Scan Local Area Network
  • Send IM Spam
  • Visit certain URLs
  • Join and leave IRC channels

Process Termination

This worm terminates the following services if found on the affected system:

  • nod32krn
  • ekrn
  • SCFService.exe
  • outpost
  • tmpfw
  • kpf4
  • cmdagent
  • vsmon
  • sbpflnch
  • acs

It terminates the following processes if found running in the affected system's memory:

  • TEATIMER.EXE
  • MRT.EXE
  • MRTSTUB.EXE
  • HIJACKTHIS.EXE
  • TCPVIEW.EXE
  • USBGUARD.EXE
  • BILLY.EXE
  • EGUI.EXE

Download Routine

This worm accesses the following websites to download files:

  • http://{BLOCKED}-0.level5-co1-as30954.su/css/.u/0x2f.zip - updated copy of itself

As of this writing, the said sites are inaccessible.

Other Details

This worm deletes the initially executed copy of itself.

It terminates itself if any of the following file(s) are present:

  • %Program Files%\Ethereal\ethereal.html
  • %Program Files%\Microsoft Network Monitor 3\netmon.exe
  • %Program Files%\WinPcap\rpcapd.exe
  • %Program Files%\Wireshark\rawshark.exe

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).)

It terminates itself if it finds a window whose class name and title match any of the following pairs:

  • gdkWindowToplevel, The Wireshark Network Analyzer
  • CNetmonMainFrame, Microsoft Network Monitor 3.3
  • SmartSniff, SmartSniff
  • CurrPorts,CurrPorts
  • TCPViewClass, NULL
  • PROCMON_WINDOW_CLASS, Process Monitor - Sysinternals: www.sysinternals.com
  • #32770, Regshot 1.8.2
  • PROCEXPL, NULL

It terminates itself if any of the following user name(s) are found in the affected system:

  • VMG-Client
  • Malekal
  • Mak
  • HOME-OFF-D5F0AC
  • DELL-D3E62F7E26
  • KAKAPROU-6405DA
  • klasnich

It terminates itself if any of the following computer name(s) are found in the affected system:

  • VMG-Client
  • Malekal
  • MAKKK
  • HOME-OFF-D5F0AC
  • DELL-D3E62F7E26
  • KAKAPROU-6405DA

It uses the following credentials when accessing its IRC server:

  • PASSWORD su1c1d3
  • NICK {Country}|X-471|0|{OS}|{number}
  • USER XP-SPX {Country}|X-471|0|{OS}|{number} {Country}|X-471|0|{OS}|{number} :{Computer Name}
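
The fixed password, the "X-471" marker in the nick, the "XP-SPX" username and the "##net" channel give a network defender a plaintext signature for this bot's IRC login. The following Python script is an added example (not part of this description and not Trend Micro code) that classifies client-to-server IRC command lines and scores a session; the sample lines are constructed, the country and OS values in them are made up, and the exact alphabet of those two fields in the nick pattern is this example's assumption. The description lists the password as PASSWORD; the IRC command that carries it is PASS, and the classifier accepts both spellings.

```python
import re

# NICK/USER pattern documented above: {Country}|X-471|0|{OS}|{number}.
NICK_RE = re.compile(r"^[A-Za-z]{2,}\|X-471\|\d+\|[^|\s]+\|\d+$")
PASS_MARKER = "su1c1d3"
CHANNEL = "##net"

# Constructed client-to-server IRC lines, one command per line, as a sensor
# might log them; country, OS and computer name values are made up.
SAMPLE_SESSION = [
    "PASS su1c1d3",
    "NICK US|X-471|0|XP|83421",
    "USER XP-SPX US|X-471|0|XP|83421 US|X-471|0|XP|83421 :WORKSTATION-01",
    "JOIN ##net",
    "PRIVMSG ##net :hello",
]


def classify_line(line):
    """Return the indicator name a single IRC command line matches, or None."""
    parts = line.strip().split(" ", 1)
    cmd = parts[0].upper()
    arg = parts[1].strip() if len(parts) > 1 else ""
    if cmd in ("PASS", "PASSWORD") and arg == PASS_MARKER:
        return "slenfbot-pass"
    if cmd == "NICK" and NICK_RE.match(arg):
        return "slenfbot-nick"
    if cmd == "USER":
        # USER <username> <second> <third> :<realname>; the bot sends "XP-SPX"
        # as username and repeats its nick in the next two fields.
        fields = arg.split(" ")
        if len(fields) >= 3 and fields[0] == "XP-SPX" and NICK_RE.match(fields[1]):
            return "slenfbot-user"
    if cmd == "JOIN" and arg == CHANNEL:
        return "slenfbot-channel"
    return None


def score_session(lines):
    """Summarise one session: which indicators fired, and whether the combination
    (a matching login plus the channel join or USER line) is strong enough to alert on."""
    hits = [tag for tag in (classify_line(l) for l in lines) if tag]
    login = "slenfbot-pass" in hits or "slenfbot-nick" in hits
    confident = login and ("slenfbot-channel" in hits or "slenfbot-user" in hits)
    return {"indicators": hits, "confident": confident}


if __name__ == "__main__":
    print(score_session(SAMPLE_SESSION))
```

A session that merely joins ##net with an ordinary nick is reported but not marked confident, which keeps the channel name alone from generating alerts. Because the traffic is plain IRC, the same checks translate directly into an IDS rule on the PASS and NICK lines.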

NOTES:

This worm terminates and deletes itself if the file path and name of the malware contain any of the following strings:

  • sample
  • virus
  • sand-box
  • sandbox
  • malware
  • heuristic
  • virussign.com
  • maxtemp
  • test

This worm enumerates the entries under the following registry key and checks them for the following strings, which indicate a virtual environment:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum

  • Vmware
  • Vbox
  • QEMU

It checks whether it is running in a malware analysis environment by checking whether any of the following processes are running:

  • vbox
  • vmsrvc
  • syssafe
  • vmware
  • tcpview
  • wireshark.exe
  • regshot.exe
  • procmon.exe
  • filemon.exe
  • regmon.exe
  • procdump.exe
  • cports.exe
  • procexp.exe
  • squid.exe
  • dumpcap.exe
  • sbiectrl.exe

It sleeps indefinitely when the following mutex is present:

  • muipcdraotse
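
Taken together, the checks above (tool files under %Program Files%, window class and title pairs, user and computer names, strings in the sample path, disk enumeration entries, process names and the sleep mutex) mean that a carelessly configured analysis host will see the sample exit without doing anything. The following Python script is an added example (not part of this description and not Trend Micro code) that takes a description of an analysis host and reports which documented bail-out conditions would fire, so the environment can be corrected before the sample is run. The host description and its values are constructed; whether each comparison is substring or exact, and case-insensitive, is this example's assumption, since the description does not say.

```python
# Documented bail-out conditions, copied from the lists above.
PATH_STRINGS = ("sample", "virus", "sand-box", "sandbox", "malware",
                "heuristic", "virussign.com", "maxtemp", "test")
USER_NAMES = ("VMG-Client", "Malekal", "Mak", "HOME-OFF-D5F0AC",
              "DELL-D3E62F7E26", "KAKAPROU-6405DA", "klasnich")
COMPUTER_NAMES = ("VMG-Client", "Malekal", "MAKKK", "HOME-OFF-D5F0AC",
                  "DELL-D3E62F7E26", "KAKAPROU-6405DA")
DISK_ENUM_STRINGS = ("Vmware", "Vbox", "QEMU")
PROCESS_STRINGS = ("vbox", "vmsrvc", "syssafe", "vmware", "tcpview", "wireshark.exe",
                   "regshot.exe", "procmon.exe", "filemon.exe", "regmon.exe",
                   "procdump.exe", "cports.exe", "procexp.exe", "squid.exe",
                   "dumpcap.exe", "sbiectrl.exe")
# (window class, window title); None stands for the NULL title above (any title).
WINDOW_PAIRS = (("gdkWindowToplevel", "The Wireshark Network Analyzer"),
                ("CNetmonMainFrame", "Microsoft Network Monitor 3.3"),
                ("SmartSniff", "SmartSniff"), ("CurrPorts", "CurrPorts"),
                ("TCPViewClass", None),
                ("PROCMON_WINDOW_CLASS", "Process Monitor - Sysinternals: www.sysinternals.com"),
                ("#32770", "Regshot 1.8.2"), ("PROCEXPL", None))
TOOL_FILES = (r"%Program Files%\Ethereal\ethereal.html",
              r"%Program Files%\Microsoft Network Monitor 3\netmon.exe",
              r"%Program Files%\WinPcap\rpcapd.exe",
              r"%Program Files%\Wireshark\rawshark.exe")
SLEEP_MUTEX = "muipcdraotse"


def evasion_triggers(env):
    """env describes the analysis host (keys as in SAMPLE_ENV); returns the sorted
    list of documented checks that would make the worm terminate or sleep.
    Matching semantics (substring vs. exact, case-insensitive) are assumptions."""
    hits = set()
    path = env.get("sample_path", "").lower()
    for s in PATH_STRINGS:
        if s in path:
            hits.add("path:" + s)
    if env.get("user_name", "").lower() in {u.lower() for u in USER_NAMES}:
        hits.add("user_name")
    if env.get("computer_name", "").lower() in {c.lower() for c in COMPUTER_NAMES}:
        hits.add("computer_name")
    for entry in env.get("disk_enum", []):
        for s in DISK_ENUM_STRINGS:
            if s.lower() in entry.lower():
                hits.add("disk_enum:" + s)
    for proc in env.get("processes", []):
        # The list mixes bare prefixes ("vbox") with full names, so use substring.
        for s in PROCESS_STRINGS:
            if s in proc.lower():
                hits.add("process:" + s)
    for cls, title in env.get("windows", []):
        for want_cls, want_title in WINDOW_PAIRS:
            if cls == want_cls and (want_title is None or title == want_title):
                hits.add("window:" + cls)
    present = {f.lower() for f in env.get("files", [])}
    for f in TOOL_FILES:
        if f.lower() in present:
            hits.add("file:" + f)
    if SLEEP_MUTEX in env.get("mutexes", []):
        hits.add("mutex:" + SLEEP_MUTEX)
    return sorted(hits)


# Constructed description of a naively configured sandbox.
SAMPLE_ENV = {
    "sample_path": r"C:\Users\analyst\Desktop\malware\sample.exe",
    "user_name": "analyst",
    "computer_name": "DELL-D3E62F7E26",
    "disk_enum": [r"IDE\DiskVBOX_HARDDISK_1.0\5&1234&0&0.0.0"],
    "processes": ["explorer.exe", "VBoxService.exe", "Wireshark.exe"],
    "windows": [("gdkWindowToplevel", "The Wireshark Network Analyzer"), ("#32770", "Open")],
    "files": [r"%Program Files%\Wireshark\rawshark.exe"],
    "mutexes": [],
}

if __name__ == "__main__":
    for trigger in evasion_triggers(SAMPLE_ENV):
        print(trigger)
```

For the constructed sandbox the script reports eight triggers, from the sample's path and folder names through the VirtualBox disk string and service to the Wireshark window and rawshark.exe; each one is a setting the analyst has to change (rename the sample, close the tool, pick another host name) before the worm will run far enough to observe its network behaviour.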

It creates and releases the following mutex, respectively before and after it sends data to its IRC server:

  • send

It attempts to download an updated copy of itself to be used in its propagation. If it fails to do so, it uses the current copy of itself.

It can also use the following file names for propagation; these copies can be found in {drive letter}:\RECYCLER:

  • zaberg.exe
  • woot.exe
  • nxqd.exe
  • ecleaner.exe
  • drive32.exe
  • msvmiode.exe
  • rvhost.exe
  • wudfhost.exe
  • svchos.exe
  • servicers.exe
  • uninstall_.exe
  • undmgr.exe
  • chgservice.exe
  • iexplorer.exe
  • usbmngr.exe
  • serivces.exe
  • cmmon32.exe

It accesses the following URLs to retrieve encrypted backdoor commands:

  • http://{BLOCKED}.{BLOCKED}.53.179/ip/0x2f.txt
  • http://{BLOCKED}.{BLOCKED}.237.50/aspnet_client/ip/0x2f.txt
  • http://{BLOCKED}.{BLOCKED}.213.67/awstats/rdat02.txt

It deletes all the files in the C:\RECYCLER folder.

The files it deletes may be from the Recycle Bin or may belong to other malware, including old versions of itself or members of other malware families. There is no need to restore these files.

  SOLUTION

Minimum Scan Engine: 9.300
FIRST VSAPI PATTERN FILE: 9.646.02
FIRST VSAPI PATTERN DATE: 09 Jan 2013
VSAPI OPR PATTERN File: 9.647.00
VSAPI OPR PATTERN Date: 10 Jan 2013

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Identify and delete files detected as WORM_SLENFBOT.DF using the Recovery Console

Step 3

Delete this registry value

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how, or ask your system administrator for assistance. Otherwise, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    • Windows Media Content Sharing = "%System%\wmpsh32.exe" (with Admin Rights in 32-bit)
  • In HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    • Windows Media Content Sharing = "%Windows%\SysWow64\wmpsh32.exe" (with Admin Rights in 64-bit)
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • Windows Media Content Sharing = "%User Profile%\Network\wmpsh32.exe" (without Admin Rights)
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
    • %System%\wmpsh32.exe = "DisableNXShowUI" (with Admin Rights in 32-bit)
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    • %System%\wmpsh32.exe = "%System%\wmpsh32.exe:*:Enabled:Windows Media Content Sharing" (with Admin Rights in 32-bit)
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
    • %System%\wmpsh32.exe = "%System%\wmpsh32.exe:*:Enabled:Windows Media Content Sharing" (with Admin Rights in 32-bit)
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
    • %Windows%\SysWow64\wmpsh32.exe = "DisableNXShowUI" (with Admin Rights in 64-bit)
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    • %Windows%\SysWow64\wmpsh32.exe = "%Windows%\SysWow64\wmpsh32.exe:*:Enabled:Windows Media Content Sharing" (with Admin Rights in 64-bit)
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
    • %Windows%\SysWow64\wmpsh32.exe = "%Windows%\SysWow64\wmpsh32.exe:*:Enabled:Windows Media Content Sharing" (with Admin Rights in 64-bit)
  • In HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
    • %User Profile%\Network\wmpsh32.exe = "DisableNXShowUI" (without Admin Rights)
  • In HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    • %User Profile%\Network\wmpsh32.exe = "%User Profile%\Network\wmpsh32.exe:*:Enabled:Windows Media Content Sharing" (without Admin Rights)
  • In HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
    • %User Profile%\Network\wmpsh32.exe = "%User Profile%\Network\wmpsh32.exe:*:Enabled:Windows Media Content Sharing" (without Admin Rights)

Step 4

Search and delete these folders

Please make sure you check the Search Hidden Files and Folders checkbox in the More advanced options option to include all hidden folders in the search result.
  • %User Profile%\Network
  • {removable drive}:\~TmpMon.{645FF040-5081-101B-9F08-00AA002F954E}
  • {removable drive}:\RECYCLER

Step 5

Search and delete AUTORUN.INF files created by WORM_SLENFBOT.DF that contain these strings

;garbage characters
[Autorun]
;garbage characters
open=CMD /C START ~TmpMon.{645FF040-5081-101B-9F08-00AA002F954E}\tmpmon-t829058.xtc
;garbage characters
icon=%windir%\system32\SHELL32.dll,3
;garbage characters
action=Open device to locate files.
;garbage characters
shell\open=Open
;garbage characters
shell\open\command=CMD /C START ~TmpMon.{645FF040-5081-101B-9F08-00AA002F954E}\tmpmon-t829058.xtc
;garbage characters
shell\open\default=1
;garbage characters
shell\explore=Explore
;garbage characters
shell\explore\command=CMD /C START ~TmpMon.{645FF040-5081-101B-9F08-00AA002F954E}\tmpmon-t829058.xtc
;garbage characters
shell\search=Search...
;garbage characters
shell\search\command=CMD /C START ~TmpMon.{645FF040-5081-101B-9F08-00AA002F954E}\tmpmon-t829058.xtc
;garbage characters
useautoplay=1
;garbage characters

Step 6

Scan your computer with your Trend Micro product to delete files detected as WORM_SLENFBOT.DF. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
