Browse archive

Latest news

Fighting cybercrime is on the right track

Google set to upgrade its SSL certs

IT security pros have trouble communicating with executives

Zeus variants are back with a vengeance

Facebook phishers target Fan Pages owners

Killer apps: The performance of networked applications

Is it time to professionalize information security?

Google researcher reveals another Windows 0-day

Twitter finally offers 2-factor authentication

DHS employees' info possibly compromised due to system flaw

Teens are into online sharing, but are also more privacy-aware

The dangers of downloading software from unofficial sites

Microsoft decrypts Skype comms to detect malicious links

Review: Logging and Log Management

Hacking charge stations for electric cars

Backdoor.K0wbot Analysis

Posted on 03.07.2002

Virus analyzed by:
Bogdan Dragu
BitDefender Virus Researcher
http://www.bitdefender.com

HNS Note: BitDefender released Anti K0wbot program that finds and removes this virus. Our mirrored copy can be downloaded from here: http://www.net-security.org/software.php?id=185

Name: Backdoor.K0wbot.1.2 / 1.3.A / 1.3.B
Aliases: W32.Kwbot.Worm
Type: Worm & Backdoor
Size: ~19 KB
Discovered: 17-26 June 2002
Detected: 17-26 June 2002 (GMT+2)
Spreading: High
Damage: Low
ITW: Yes
Symptoms:

- the file explorer32.exe in the Windows System folder;
- the "Windows Explorer Update Build 1142" registry entries in the registry keys HKLMSoftwareMicrosoftWindowsCurrentVersionRun and HKLMSoftwareMicrosoftWindowsCurrentVersionRunServices; the value of the entries is "explorer32";
- a lot of copies of the virus (with different names, but all aprox. 19 KB in size) in the KaZaA shared folder - usually "C:Program FilesKaZaAMy Shared Folder".

Technical description:

This is another Internet worm that uses the popular file sharing KaZaA network to spread; besides this, it includes an IRC remote control backdoor component. It is written in C and the executable is compressed and crypted; it also uses some protection techniques to make reverse-engineering difficult.

When run, the virus copies itself as explorer32.exe in the Windows System folder and registers this copy to be run at every Windows start-up by creating the registry entries described above.

The virus creates a temporary file (c:moo.reg) that is used to set the value of the registry entry HKEY_CURRENT_USERSoftwareKazaaLocalContentDisableSharing to 0 (in order to enable sharing of KaZaA files). The virus makes aprox. 150 copies of itself in the KaZaA shared folder, using the names of appealing software/media files:

The backdoor component connects to an IRC (Internet Relay Chat) server and allows remote control of the infected computer (after a password authentification), including the ability to perform the following actions on the "victim" computer:

- updating the virus by downloading a newer version;
- reporting information about the infected system (CPU speed, memory, operating system version, uptime, Internet connection type, local IP address etc.);
- reporting installed software (by sending the file c:moo.txt which lists the subfolders of the Program Files folder);
- performing different IRC commands, including flooding of other users of the chat server.

Manual Removal:

Remove (using REGEDIT) the registry entries described in the Symptoms section and delete the file "explorer32.exe" in the Windows System folder, then restart the computer. You should also delete all the copies of the virus in the KaZaA shared folder.