Backdoor.K0wbot Analysis
Posted on 03.07.2002
Virus analyzed by:
Bogdan Dragu
BitDefender Virus Researcher

HNS Note: BitDefender released Anti K0wbot program that finds and removes this virus. Our mirrored copy can be downloaded from here:

Name: Backdoor.K0wbot.1.2 / 1.3.A / 1.3.B
Aliases: W32.Kwbot.Worm
Type: Worm & Backdoor
Size: ~19 KB
Discovered: 17-26 June 2002
Detected: 17-26 June 2002 (GMT+2)
Spreading: High
Damage: Low
ITW: Yes

- the file explorer32.exe in the Windows System folder;
- the "Windows Explorer Update Build 1142" registry entries in the registry keys HKLMSoftwareMicrosoftWindowsCurrentVersionRun and HKLMSoftwareMicrosoftWindowsCurrentVersionRunServices; the value of the entries is "explorer32";
- a lot of copies of the virus (with different names, but all aprox. 19 KB in size) in the KaZaA shared folder - usually "C:Program FilesKaZaAMy Shared Folder".

Technical description:

This is another Internet worm that uses the popular file sharing KaZaA network to spread; besides this, it includes an IRC remote control backdoor component. It is written in C and the executable is compressed and crypted; it also uses some protection techniques to make reverse-engineering difficult.

When run, the virus copies itself as explorer32.exe in the Windows System folder and registers this copy to be run at every Windows start-up by creating the registry entries described above.

The virus creates a temporary file (c:moo.reg) that is used to set the value of the registry entry HKEY_CURRENT_USERSoftwareKazaaLocalContentDisableSharing to 0 (in order to enable sharing of KaZaA files). The virus makes aprox. 150 copies of itself in the KaZaA shared folder, using the names of appealing software/media files:

The backdoor component connects to an IRC (Internet Relay Chat) server and allows remote control of the infected computer (after a password authentification), including the ability to perform the following actions on the "victim" computer:

- updating the virus by downloading a newer version;
- reporting information about the infected system (CPU speed, memory, operating system version, uptime, Internet connection type, local IP address etc.);
- reporting installed software (by sending the file c:moo.txt which lists the subfolders of the Program Files folder);
- performing different IRC commands, including flooding of other users of the chat server.

Manual Removal:

Remove (using REGEDIT) the registry entries described in the Symptoms section and delete the file "explorer32.exe" in the Windows System folder, then restart the computer. You should also delete all the copies of the virus in the KaZaA shared folder.


Pen-testing drone searches for unsecured devices

You're sitting in an office, and you send a print job to the main office printer. You see or hear a drone flying outside your window. Next thing you know, the printer buzzes to life and, after spitting out your print job, it continues to work and presents you with more filled pages than you expected.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Fri, Oct 9th