Backdoor.K0wbot Analysis
Posted on 03.07.2002
Virus analyzed by:
Bogdan Dragu
BitDefender Virus Researcher
http://www.bitdefender.com

HNS Note: BitDefender released Anti K0wbot program that finds and removes this virus. Our mirrored copy can be downloaded from here: http://www.net-security.org/software.php?id=185

Name: Backdoor.K0wbot.1.2 / 1.3.A / 1.3.B
Aliases: W32.Kwbot.Worm
Type: Worm & Backdoor
Size: ~19 KB
Discovered: 17-26 June 2002
Detected: 17-26 June 2002 (GMT+2)
Spreading: High
Damage: Low
ITW: Yes
Symptoms:

- the file explorer32.exe in the Windows System folder;
- the "Windows Explorer Update Build 1142" registry entries in the registry keys HKLMSoftwareMicrosoftWindowsCurrentVersionRun and HKLMSoftwareMicrosoftWindowsCurrentVersionRunServices; the value of the entries is "explorer32";
- a lot of copies of the virus (with different names, but all aprox. 19 KB in size) in the KaZaA shared folder - usually "C:Program FilesKaZaAMy Shared Folder".

Technical description:

This is another Internet worm that uses the popular file sharing KaZaA network to spread; besides this, it includes an IRC remote control backdoor component. It is written in C and the executable is compressed and crypted; it also uses some protection techniques to make reverse-engineering difficult.

When run, the virus copies itself as explorer32.exe in the Windows System folder and registers this copy to be run at every Windows start-up by creating the registry entries described above.

The virus creates a temporary file (c:moo.reg) that is used to set the value of the registry entry HKEY_CURRENT_USERSoftwareKazaaLocalContentDisableSharing to 0 (in order to enable sharing of KaZaA files). The virus makes aprox. 150 copies of itself in the KaZaA shared folder, using the names of appealing software/media files:



The backdoor component connects to an IRC (Internet Relay Chat) server and allows remote control of the infected computer (after a password authentification), including the ability to perform the following actions on the "victim" computer:

- updating the virus by downloading a newer version;
- reporting information about the infected system (CPU speed, memory, operating system version, uptime, Internet connection type, local IP address etc.);
- reporting installed software (by sending the file c:moo.txt which lists the subfolders of the Program Files folder);
- performing different IRC commands, including flooding of other users of the chat server.

Manual Removal:

Remove (using REGEDIT) the registry entries described in the Symptoms section and delete the file "explorer32.exe" in the Windows System folder, then restart the computer. You should also delete all the copies of the virus in the KaZaA shared folder.





Spotlight

USBdriveby: Compromising computers with a $20 microcontroller

Posted on 19 December 2014.  |  Security researcher Samy Kamkar has devised a fast and easy way to compromise an unlocked computer and open a backdoor on it: a simple and cheap ($20) pre-programmed Teensy microcontroller.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  
DON'T
MISS

Fri, Dec 19th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //