Analysis by: Jaime Benigno Reyes

ALIASES:

Worm:Win32/Slenfbot.gen!D (Microsoft), W32/Sdbot.worm!mj (McAfee)

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003


  • Threat Type: Worm

  • Destructiveness: No

  • In the wild: Yes

  OVERVIEW

This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes then deletes itself afterward.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

  TECHNICAL DETAILS

File Size: 136,704 bytes
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 15 Nov 2012

Arrival Details

This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following copies of itself into the affected system:

  • %System%\igfxtd86.exe (with Admin Rights)
  • %User Profile%\Network\igfxtd86.exe (without Admin Rights)

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003. %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)

It creates the following folders:

  • %User Profile%\Network (without Admin Rights)

(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)

It executes then deletes itself afterward.

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Intel Data Manager = "%System%\igfxtd86.exe" (with Admin Rights)

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Intel Data Manager = "%User Profile%\Network\igfxtd86.exe" (without Admin Rights)

Other System Modifications

This worm adds the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\AppCompatFlags (with Admin Rights)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\AppCompatFlags\
Layers (with Admin Rights)

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\AppCompatFlags (without Admin Rights)

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\AppCompatFlags\
Layers (without Admin Rights)

It adds the following registry entries. The AppCompatFlags\Layers values opt the dropped copy out of Data Execution Prevention (DisableNXShowUI is the same layer Windows writes when an executable is added to the DEP exception list), and the AuthorizedApplications values add it to the Windows Firewall exception list under the display name "Intel Data Manager". Windows Firewall reads its policy only from HKEY_LOCAL_MACHINE\SYSTEM, so the HKEY_CURRENT_USER\SYSTEM entries written when the worm runs without admin rights are useful as indicators but do not actually open the firewall:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\AppCompatFlags\
Layers
%System%\igfxtd86.exe = "DisableNXShowUI" (with Admin Rights)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\DomainProfile\AuthorizedApplications\
List
%System%\igfxtd86.exe = "%System%\igfxtd86.exe:*:Enabled:Intel Data Manager" (with Admin Rights)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
%System%\igfxtd86.exe = "%System%\igfxtd86.exe:*:Enabled:Intel Data Manager" (with Admin Rights)

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\AppCompatFlags\
Layers
%User Profile%\Network\igfxtd86.exe = "DisableNXShowUI" (without Admin Rights)

HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\DomainProfile\AuthorizedApplications\
List
%User Profile%\Network\igfxtd86.exe = "%User Profile%\Network\igfxtd86.exe:*:Enabled:Intel Data Manager" (without Admin Rights)

HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
%User Profile%\Network\igfxtd86.exe = "%User Profile%\Network\igfxtd86.exe:*:Enabled:Intel Data Manager" (without Admin Rights)
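The registry indicators above can be triaged offline from a .reg export taken on the suspect host. The following is an added example written for this page, not code from the original analysis: it assumes the responder exported the relevant hives (for instance with reg export HKLM\SOFTWARE hklm-software.reg) and reads them on a clean machine. REG_EXPORT is a constructed sample that mirrors the entries listed above with %System% and %User Profile% expanded as on Windows XP; it is not a capture from an infected system.

```python
"""Offline triage of a .reg export for the registry indicators listed above.

Added example for this write-up, not code from the original analysis. It assumes
the responder exported the relevant hives from the suspect host (for instance with
`reg export HKLM\SOFTWARE hklm-software.reg`) and is reading them on a clean machine.
REG_EXPORT below is a constructed sample that mirrors the entries in the write-up
(with %System% and %User Profile% expanded as on XP); it is not a capture.
"""
import ntpath
import re

DROPPER_NAME = "igfxtd86.exe"          # file name from the write-up
RUN_VALUE_NAME = "Intel Data Manager"  # Run value / firewall display name from the write-up

# Constructed sample combining the admin (HKLM) and non-admin (HKCU) branches,
# plus one legitimate firewall exception (Remote Assistance) that must not be flagged.
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Intel Data Manager"="C:\\WINDOWS\\system32\\igfxtd86.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"C:\\WINDOWS\\system32\\igfxtd86.exe"="DisableNXShowUI"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\igfxtd86.exe"="C:\\WINDOWS\\system32\\igfxtd86.exe:*:Enabled:Intel Data Manager"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\user\\Network\\igfxtd86.exe"="C:\\Documents and Settings\\user\\Network\\igfxtd86.exe:*:Enabled:Intel Data Manager"
'''


def _unescape(s):
    # .reg exports escape backslashes and double quotes with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse a 'Windows Registry Editor Version 5.00' export into
    {key_path: {value_name: data}}. Only REG_SZ values (quoted data) are
    unescaped; other types are kept as the raw text after '='."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if current is None or not m:
            continue
        name, data = _unescape(m.group(1)), m.group(2)
        if len(data) >= 2 and data[0] == data[-1] == '"':
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def parse_firewall_entry(data):
    """Split an AuthorizedApplications value 'path:scope:state:name'.
    The path itself contains a colon (C:), so split from the right."""
    parts = data.rsplit(":", 3)
    if len(parts) != 4:
        return None
    return dict(zip(("path", "scope", "state", "name"), parts))


def triage(keys):
    """Return (kind, detail) findings for the indicators described in the write-up."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if k.endswith("\\microsoft\\windows\\currentversion\\run"):
            for name, data in values.items():
                if name == RUN_VALUE_NAME or ntpath.basename(data.strip('"')).lower() == DROPPER_NAME:
                    findings.append(("autostart", f"{key}\\{name} = {data}"))
        elif k.endswith("\\appcompatflags\\layers"):
            # DisableNXShowUI is the layer written when an exe is excluded from DEP;
            # any entry is worth a look, not just this worm's file name
            for path, layers in values.items():
                if "disablenxshowui" in layers.lower():
                    findings.append(("dep-optout", f"{path} ({layers})"))
        elif "\\firewallpolicy\\" in k and k.endswith("\\authorizedapplications\\list"):
            for _, data in values.items():
                entry = parse_firewall_entry(data)
                if entry is None:
                    continue
                if entry["name"] == RUN_VALUE_NAME or ntpath.basename(entry["path"]).lower() == DROPPER_NAME:
                    # Windows Firewall only reads policy from HKLM\SYSTEM; an HKCU\SYSTEM
                    # copy is still an indicator of the non-admin install but opens nothing
                    kind = "firewall-allow" if k.startswith("hkey_local_machine\\") else "firewall-allow-ineffective"
                    findings.append((kind, f"{entry['path']} [{entry['state']}] as '{entry['name']}'"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(parse_reg(REG_EXPORT)):
        print(f"{kind:28} {detail}")
```

Run against a real export, the script reports the Run value, the DEP opt-out and the firewall exception separately, and labels the HKEY_CURRENT_USER\SYSTEM copy as ineffective so the responder does not mistake it for an open firewall on a non-admin infection. The legitimate Remote Assistance exception in the sample is left alone because neither its path nor its display name matches.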

Propagation

This worm creates the following folder in all removable drives (the GUID suffix is the CLSID of the Recycle Bin, so Explorer displays the folder with the Recycle Bin name and icon instead of its real contents):

  • {drive letter}:\Mount.{645FF040-5081-101B-9F08-00AA002F954E}

It drops the following copy(ies) of itself in all removable drives:

  • {drive letter}:\Mount.{645FF040-5081-101B-9F08-00AA002F954E}\mount-bootrom-x21859.sys

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

;{garbage characters}
[Autorun]
;{garbage characters}
open=CMD /C START Mount.{645FF040-5081-101B-9F08-00AA002F954E}\mount-bootrom-x21859.sys
;{garbage characters}
icon=%windir%\system32\shell32.dll,3
;{garbage characters}
action=Browse the contents of the drive.
;{garbage characters}
shell\open=Open
;{garbage characters}
shell\open\command=CMD /C START Mount.{645FF040-5081-101B-9F08-00AA002F954E}\mount-bootrom-x21859.sys
;{garbage characters}
shell\open\default=1
;{garbage characters}
shell\explore=Explore
;{garbage characters}
shell\explore\command=CMD /C START Mount.{645FF040-5081-101B-9F08-00AA002F954E}\mount-bootrom-x21859.sys
;{garbage characters}
shell\search=Search...
;{garbage characters}
shell\search\command=CMD /C START Mount.{645FF040-5081-101B-9F08-00AA002F954E}\mount-bootrom-x21859.sys
;{garbage characters}
useautoplay=1
;{garbage characters}
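Because every shell verb in the INF above points at the same command, an AUTORUN.INF checker should collect all launch keys rather than only open=. The following is an added example written for this page, not code from the original analysis. SAMPLE_INF is constructed from the strings listed above, with short junk comment lines standing in for the garbage characters; the folder and file names are the ones reported in this write-up.

```python
"""Parse an AUTORUN.INF of the shape listed above and flag what it would launch.

Added example, not part of the original analysis. SAMPLE_INF is constructed from
the strings in the write-up; the ';' lines stand in for the garbage comment
padding the worm emits, and the file and folder names are the ones reported above.
"""
import ntpath
import re

RECYCLE_BIN_CLSID = "{645FF040-5081-101B-9F08-00AA002F954E}"  # GUID used in the folder name above
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif"}

SAMPLE_INF = r"""
;a8sd7f@#$kjh23
[Autorun]
;q9w8e7r
open=CMD /C START Mount.{645FF040-5081-101B-9F08-00AA002F954E}\mount-bootrom-x21859.sys
;zx9c8v
icon=%windir%\system32\shell32.dll,3
action=Browse the contents of the drive.
shell\open=Open
shell\open\command=CMD /C START Mount.{645FF040-5081-101B-9F08-00AA002F954E}\mount-bootrom-x21859.sys
shell\open\default=1
shell\explore=Explore
shell\explore\command=CMD /C START Mount.{645FF040-5081-101B-9F08-00AA002F954E}\mount-bootrom-x21859.sys
shell\search=Search...
shell\search\command=CMD /C START Mount.{645FF040-5081-101B-9F08-00AA002F954E}\mount-bootrom-x21859.sys
useautoplay=1
"""

# Optional 'cmd /c' prefix, optional 'start' (with its optional "" title argument)
_WRAPPER = re.compile(r'^(?:"?cmd(?:\.exe)?"?\s+/c\s+)?(?:start\s+(?:""\s+)?)?', re.IGNORECASE)


def parse_autorun(text):
    """Return {key_lower: value} from the [autorun] section, dropping ';' comments.
    INF keys are case-insensitive, so they are normalised to lower case."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_commands(entries):
    """Every key the shell may execute: open=, shellexecute=, and shell\\<verb>\\command=."""
    return {k: v for k, v in entries.items()
            if k in ("open", "shellexecute") or (k.startswith("shell\\") and k.endswith("\\command"))}


def strip_wrapper(cmd):
    """Peel 'CMD /C START ...' off a command to expose the real target path."""
    return _WRAPPER.sub("", cmd, count=1).strip().strip('"')


def analyse(text):
    """Return the parsed commands, their distinct targets, and a sorted list of flag codes."""
    entries = parse_autorun(text)
    commands = launch_commands(entries)
    targets, flags = [], set()
    for key, cmd in commands.items():
        target = strip_wrapper(cmd)
        if target not in targets:
            targets.append(target)
        if cmd != target:
            flags.add("cmd-start-wrapper")          # indirection through cmd.exe instead of a direct path
        if ntpath.splitext(target)[1].lower() not in EXECUTABLE_EXTS:
            flags.add("non-executable-extension")   # a copy of the worm named .sys, as in this write-up
        if RECYCLE_BIN_CLSID.lower() in target.lower():
            flags.add("recycle-bin-clsid-folder")   # folder shows up as the Recycle Bin in Explorer
        if key.startswith("shell\\"):
            flags.add("verb-hijack:" + key.split("\\")[1])  # Open/Explore/Search all run the payload
    if entries.get("useautoplay") == "1":
        flags.add("autoplay-forced")
    return {"commands": commands, "targets": targets, "flags": sorted(flags)}


if __name__ == "__main__":
    result = analyse(SAMPLE_INF)
    print("targets:", result["targets"])
    print("flags:  ", result["flags"])
```

A plain vendor autorun.inf (open=setup.exe plus an icon= line) yields no flags, while the sample above is flagged on every count: the cmd.exe indirection, the .sys extension on a launch target, the Recycle Bin CLSID in the folder name, the hijacked Open, Explore and Search verbs, and useautoplay=1. The same checker can be run over every removable drive image collected during an incident.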

Other Details

This worm connects to the following possibly malicious URLs:

  • {BLOCKED}3.bull-quantum-media.su
  • {BLOCKED}7.bull-quantum-media.su
  • {BLOCKED}0.bull-quantum-media.su
  • {BLOCKED}9.coax-quantum-media.su
  • {BLOCKED}2.coax-quantum-media.su
  • {BLOCKED}5.coax-quantum-media.su