Threat Level: green Handler on Duty: Remco Verhoef

SANS ISC: NT botnet submitted SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network
https://isc.sans.edu/honeypot.html

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
NT botnet submitted
We received copies of malware that are being discussed in public forums, it appears to be (variants of) known botnets. Here's what Norman and virustotal.com had to say about them [sanitized]:

eraseme:

[ General information ]
   * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
   * Anti debug/emulation code present.
   * **Locates window "NULL [class mIRC]" on desktop.
   * File length:        86016 bytes.
   * MD5 hash: 5d8e6f1fc0d5b8e34947241d77c2311c.
[ Changes to filesystem ]
   * Creates file C:\WINDOWS\csrsc.exe.
   * Deletes file c:\sample.exe.
[ Changes to registry ]
   * Creates key "HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions".
   * Sets value "MeltMe"="c:\sample.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions".
   * Creates key "HKLM\System\CurrentControlSet\Services\npx".
   * Sets value "ImagePath"=""C:\WINDOWS\csrsc.exe"" in key "HKLM\System\CurrentControlSet\Services\npx".
   * Sets value "DisplayName"="Network Gateway Manager" in key "HKLM\System\CurrentControlSet\Services\npx".
   * Deletes value "MeltMe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions".
   * Sets value "Installed Time"="3/6/2006, 1:20 PM" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions".
   * Sets value "WaitToKillServiceTimeout"="7000" in key "HKLM\System\CurrentControlSet\Control".
[ Network services ]
   * Looks for an Internet connection.
   * Connects to "[deleted]" on port 1863 (TCP).
   * Sends data stream (30 bytes) to remote address "[deleted]", port 1863.
   * Connects to IRC Server.
[ Process/window information ]
   * Creates service "npx (Network Gateway Manager)" as ""C:\WINDOWS\csrsc.exe"".
   * Attempts to access service "npx".
   * Creates a mutex LOLFOB.
[ Signature Scanning ]
   * C:\WINDOWS\csrsc.exe (86016 bytes) : no signature detection.         

Virustotal:
 AntiVir 6.35.1.11     08.31.2006 Worm/Sdbot.86016.43
 Authentium 4.93.8     08.30.2006 no virus found
 Avast 4.7.844.0       08.31.2006 no virus found
 AVG 386               08.30.2006 IRC/BackDoor.SdBot2.HLZ
 BitDefender 7.2       08.31.2006 GenPack: Generic.Sdbot.4F0C4C47
 CAT-QuickHeal 8.00    08.30.2006 no virus found 
 ClamAV devel-20060426 08.31.2006 no virus found
 DrWeb 4.33            08.31.2006 Win32.HLLW.MyBot
 eTrust-InoculateIT 23.72.111 08.31.2006 no virus found
 eTrust-Vet3 0.3.3052  08.31.2006 no virus found
 Ewido 4.0             08.31.2006 Backdoor.SdBot.anp
 Fortinet 2.77.0.0     08.31.2006 W32/SDBot.AKI!worm
 F-Prot 3.16f          08.30.2006 no virus found
 F-Prot4 4.2.1.29      08.31.2006 no virus found
 Ikarus 0.2.65.0       08.31.2006 no virus found
 Kaspersky 4.0.2.24    08.31.2006 Backdoor.Win32.SdBot.anp
 McAfee 4841           08.30.2006 no virus found
 Microsoft 1.1560      08.31.2006 no virus found
 NOD32 v21.1733        08.31.2006 a variant of IRC/SdBot
 Norman 5.90.23        08.31.2006 W32/Malware
 Panda 9.0.0.4         08.30.2006 no virus found
 Sophos 4.09.0         08.31.2006 no virus found
 Symantec 8.0          08.31.2006 W32.Spybot.Worm
 ... 

csrsc:

Norman:
[ General information ]
    * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
   * Anti debug/emulation code present.
   * **Locates window "NULL [class mIRC]" on desktop.
   * File length:        86016 bytes.
   * MD5 hash: 5d8e6f1fc0d5b8e34947241d77c2311c.                               

[ Changes to filesystem ]
   * Creates file C:\WINDOWS\csrsc.exe.
   * Deletes file c:\sample.exe.

[ Changes to registry ]
   * Creates key "HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions".
   * Sets value "MeltMe"="c:\sample.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions".
   * Creates key "HKLM\System\CurrentControlSet\Services\npx".
   * Sets value "ImagePath"=""C:\WINDOWS\csrsc.exe"" in key "HKLM\System\CurrentControlSet\Services\npx".
   * Sets value "DisplayName"="Network Gateway Manager" in key "HKLM\System\CurrentControlSet\Services\npx".
   * Deletes value "MeltMe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions".
   * Sets value "Installed Time"="3/6/2006, 1:20 PM" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions".
   * Sets value "WaitToKillServiceTimeout"="7000" in key "HKLM\System\CurrentControlSet\Control".
   * Modifies value "UpdatesDisableNotify"="^A" in key "HKLM\Software\Microsoft\Security Center".
   * Modifies value "AntiVirusDisableNotify"="^A" in key "HKLM\Software\Microsoft\Security Center".
   * Modifies value "FirewallDisableNotify"="^A" in key "HKLM\Software\Microsoft\Security Center".
   * Modifies value "AntiVirusOverride"="^A" in key "HKLM\Software\Microsoft\Security Center".
   * Modifies value "FirewallOverride"="^A" in key "HKLM\Software\Microsoft\Security Center".
   * Creates key "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update".
   * Sets value "AUOptions"="^A" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update".
   * Creates key "HKLM\System\CurrentControlSet\Services\wscsvc".
   * Sets value "Start"="^D" in key "HKLM\System\CurrentControlSet\Services\wscsvc".
   * Creates key "HKLM\System\CurrentControlSet\Services\TlntSvr".
   * Sets value "Start"="^D" in key "HKLM\System\CurrentControlSet\Services\TlntSvr".
   * Creates key "HKLM\System\CurrentControlSet\Services\RemoteRegistry".
   * Creates key "HKLM\System\CurrentControlSet\Services\Messenger".
   * Sets value "Start"="^D" in key "HKLM\System\CurrentControlSet\Services\Messenger".
   * Sets value "restrictanonymous"="^A" in key"HKLM\System\CurrentControlSet\Control\Lsa".
   * Creates key"HKLM\System\CurrentControlSet\Services\lanmanserver\parameters".
   * Sets value "AutoShareWks"="" in key "HKLM\System\CurrentControlSet\Services\lanmanserver\parameters".
   * Sets value "AutoShareServer"="" in key "HKLM\System\CurrentControlSet\Services\lanmanserver\parameters".
   * Creates key "HKLM\System\CurrentControlSet\Services\lanmanworkstation\parameters".
   * Sets value "AutoShareWks"="" in key "HKLM\System\CurrentControlSet\Services\lanmanworkstation\parameters".
   * Sets value "AutoShareServer"="" in key "HKLM\System\CurrentControlSet\Services\lanmanworkstation\parameters".
   * Creates key "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate".
   * Sets value "DoNotAllowXPSP2"="^A" in key "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate".
   * Creates key "HKLM\Software\Microsoft\OLE".
   * Sets value "EnableDCOM"="N" in key "HKLM\Software\Microsoft\OLE".
   * Sets value "Record"="??^N" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions".

[ Network services ]
   * Looks for an Internet connection.
   * Connects to "[DELETED]" on port 1863 (TCP).
   * Sends data stream (30 bytes) to remote address "[DELETED]" port 1863.
   * Connects to IRC Server.
   * IRC: Uses nickname [XP||N|677795].
   * IRC: Uses username XP88038.
   * Opens URL: http://[DELETED]/prxjdg.cgi.
   * Opens URL: http://[DELETED]/x/maxwell/cgi-bin/prxjdg.cgi.
   * Opens URL: http://[DELETED]/mute/c/prxjdg.cgi.
   * Opens URL: http://[DELETED/tomocrus/cgi-bin/check/prxjdg.cgi.
   * Opens URL: http://[DELETED]/cgi-bin/proxy.cgi.
   * Opens URL: http://pDELETED]/little_w/prxjdg.cgi.
   * IRC: Sets the usermode for user [XP||N|677795] to .
   * IRC: Joins channel #NGEN with password [DELETED].

[ Process/window information ]
   * Creates service "npx (Network Gateway Manager)" as ""C:\WINDOWS\csrsc.exe"".
   * Attempts to access service "npx".
   * Creates a mutex LOLFOB.
   * Attempts to access service "Tlntsvr".
   * Attempts to access service "RemoteRegistry".
   * Attempts to access service "Messenger".
   * Attempts to access service "SharedAccess".
   * Attempts to access service "wscsvc".

[ Signature Scanning ]
   * C:\WINDOWS\csrsc.exe (86016 bytes) : no signature detection.

Virustotal:
 Authentium 4.93.8     08.30.2006 no virus found
 Avast 4.7.844.0       08.31.2006 no virus found
 AVG 386               08.30.2006 IRC/BackDoor.SdBot2.HLZ
 BitDefender 7.2       08.31.2006 GenPack: Generic.Sdbot.4F0C4C47
 CAT-QuickHeal 8.00    08.30.2006 no virus found
 ClamAV devel-20060426 08.31.2006 no virus found
 DrWeb 4.33            08.31.2006 Win32.HLLW.MyBot
 eTrust-InoculateIT 23.72.111 08.31.2006 no virus found
 eTrust-Vet 30.3.3052  08.31.2006 no virus found
 Ewido 4.0             08.31.2006 Backdoor.SdBot.anp
 Fortinet2.77.0.0      08.31.2006 W32/SDBot.AKI!worm
 F-Prot 3.16f          08.30.2006 no virus found
 F-Prot4 4.2.1.29      08.31.2006 no virus found
 Ikarus 0.2.65.0       08.31.2006 no virus found
 Kaspersky 4.0.2.24    08.31.2006 Backdoor.Win32.SdBot.anp
 McAfee 4841           08.30.2006 no virus found
 Microsoft 1.1560      08.31.2006 no virus found
 NOD32 v21.1733        08.31.2006 a variant of IRC/SdBot
 Norman 5.90.23        08.31.2006 W32/Malware
 Panda 9.0.0.4         08.30.2006 no virus found
 Sophos 4.09.0         08.31.2006 no virus found
 Symantec 8.0          08.31.2006 W32.Spybot.Worm
 TheHacker 5.9.8.202   08.31.2006 no virus found
 UNA 1.83              08.31.2006 no virus found
 VBA32 3.11.1          08.30.2006 Win32.HLLW.MyBot
 VirusBuster 4.3.7:9   08.30.2006 no virus found

i.exe:

Virustotal:
 AntiVir 6.35.1.11     08.31.2006 Worm/Spybot.1093632
 Authentium 4.93.8     08.30.2006 no virus found
 Avast 4.7.844.0       08.31.2006 no virus found
 AVG 386               08.30.2006 IRC/BackDoor.SdBot2.HLY
 BitDefender 7.2       08.31.2006 Win32.Worm.Tilebot.GM
 CAT-QuickHeal 8.00    08.30.2006 no virus found
 ClamAV devel-20060426 08.31.2006 no virus found
 DrWeb 4.33            08.31.2006 Win32.HLLW.MyBot
 eTrust-InoculateIT 23.72.111 08.31.2006 Win32/SDBOT.AQJ!Worm
 eTrust-Vet 30.3.3052  08.31.2006 Win32/Petribot.XM
 Ewido 4.0             08.31.2006 Backdoor.SdBot.aqj
 Fortinet 2.77.0.0     08.31.2006 W32/Tilebot.AQJ!worm
 F-Prot 3.16f          08.30.2006 no virus found
 F-Prot4 4.2.1.29      08.31.2006 no virus found
 Ikarus 0.2.65.0       08.31.2006 Backdoor.Win32.SdBot.aqi
 Kaspersky 4.0.2.24    08.31.2006 Backdoor.Win32.SdBot.aqj
 McAfee 4841           08.30.2006 W32/Spybot.worm.gen.p
 Microsoft 1.1560      08.31.2006 Backdoor:Win32/Rbot!02A6
 NOD32 v21.1733        08.31.2006 IRC/SdBot
 Norman 5.90.23        08.31.2006 W32/Spybot.AXGM
 Panda 9.0.0.4         08.30.2006 W32/Sdbot.IAZ.worm
 Sophos 4.09.0         08.31.2006 W32/Tilebot-GM
 Symantec 8.0          08.31.2006 W32.Spybot.AKNO
 TheHacker 5.9.8.202   08.31.2006 no virus found
 UNA 1.83              08.31.2006 Backdoor.SdBot.8
 VBA32 3.11.1          08.30.2006 Win32.HLLW.MyBot
 VirusBuster 4.3.7:9   08.30.2006 no virus found

Reading up on what the antivirus community has written about these they seem to attack  through so many vectors that it's likely they affect poorly patched systems (and NT or any other legacy windows version would make a prime target).

--
Swa Frantzen -- Section66.com

 Swa

760 Posts
Subscribe Aug 31st 2006
1 decade ago

Sign Up for Free or Log In to start participating in the conversation!