Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Win32/Bozori

Aliases:

W32/Bozori.D (Norman), W32/Bozori.worm.d (McAfee), W32.Zotob.H (Symantec), Net-Worm.Win32.Bozori.d (Kaspersky)

Type: Worm
Affects: 32-bit Windows


Summary:

Win32/Bozori is a 10878-byte worm with IRC bot components that spreads by exploiting the Windows Plug and Play buffer overflow vulnerability (MS05-039). The worm is runtime-protected with Yoda and packed with UPX.

Installation and Autostart Techniques:

Upon execution, the worm copies itself into the "%System%" folder as "wintnpx.exe" and deletes the original file once the copy has succeeded.

***Note: %System% denotes the Windows System directory (e.g. C:\WINDOWS\SYSTEM32); its location differs between versions of Microsoft Windows.***

Win32/Bozori adds the following registry value so that it runs every time Windows is started:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"Wintnpx.exe" = "wintnpx.exe"

On start-up the worm checks for an existing mutex (named after its own filename) to avoid infecting the same machine twice.

Exploiting Technologies:

The worm generates random IP addresses and attempts to connect to TCP port 445 on each of them in order to exploit the Plug and Play buffer overflow vulnerability (see MS05-039). If the exploit succeeds, shellcode runs on the target machine and instructs it to connect back to the attacking system to retrieve a copy of the worm. The copy is transferred over TFTP, driven by a TFTP command file written to "%Temp%\{ random number }.bat" on the target. The worm runs this spreading routine in its own task.

On the newly compromised system, the worm executes TFTP.EXE to retrieve a copy of itself from the attacking system, saves it as "%Windir%\a{ random number }.exe" and starts the file once the download completes. The worm reports every successfully exploited IP address in its IRC channel.
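The spreading behaviour above (a spray of TCP/445 connection attempts at random addresses, followed by a TFTP pull from a freshly exploited host back to the attacker) is visible in flow data. The following Python is an added example and not code from the original write-up: it flags sources that fan out on port 445 within a time window and lists the probed hosts that then fetched a file over TFTP (UDP/69) from that source. The flow records, addresses, fan-out threshold and window are constructed or assumed tuning values, not figures from the page.

```python
"""Network-side detection of the Win32/Bozori spreading pattern.

Added example, not part of the original write-up. Flow records are
constructed; thresholds are assumed tuning values, not figures from the page."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float    # seconds since start of capture
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


SMB_PORT = 445            # target of the MS05-039 exploit attempts
TFTP_PORT = 69            # victim pulls the worm copy back from the attacker
FANOUT_THRESHOLD = 8      # distinct /445 targets within WINDOW (assumed)
WINDOW = 120.0            # seconds (assumed)

# Constructed sample: 10.0.0.5 sprays TCP/445 at random addresses, then one
# reachable target (10.0.0.77) fetches a file over TFTP from 10.0.0.5.
# 10.0.0.9 is ordinary file-share and TFTP use that must not be flagged.
SAMPLE_FLOWS = [Flow(1.0 + i, "10.0.0.5", f"198.51.100.{i}", "tcp", 445)
                for i in range(1, 10)]
SAMPLE_FLOWS += [
    Flow(12.0, "10.0.0.5", "10.0.0.77", "tcp", 445),
    Flow(13.5, "10.0.0.77", "10.0.0.5", "udp", 69),
    Flow(20.0, "10.0.0.9", "10.0.0.10", "tcp", 445),
    Flow(21.0, "10.0.0.9", "10.0.0.10", "tcp", 445),
    Flow(30.0, "10.0.0.9", "10.0.0.10", "udp", 69),
]


def _has_fanout(hits, fanout, window):
    """hits: sorted (ts, dst) pairs. True if any window holds >= fanout distinct dsts."""
    active = defaultdict(int)
    j = 0
    for ts, dst in hits:
        active[dst] += 1
        while hits[j][0] < ts - window:       # evict probes that left the window
            old = hits[j][1]
            active[old] -= 1
            if active[old] == 0:
                del active[old]
            j += 1
        if len(active) >= fanout:
            return True
    return False


def detect_spreaders(flows, fanout=FANOUT_THRESHOLD, window=WINDOW):
    """Return {scanner: sorted list of probed hosts that fetched from it over TFTP}.

    A scanner with fan-out but no TFTP pulls still appears, with an empty list."""
    probes = defaultdict(list)   # src -> [(ts, dst)] for TCP/445 attempts
    tftp = []                    # UDP/69 requests (client -> server)
    for f in flows:
        if f.proto == "tcp" and f.dport == SMB_PORT:
            probes[f.src].append((f.ts, f.dst))
        elif f.proto == "udp" and f.dport == TFTP_PORT:
            tftp.append(f)

    findings = {}
    for scanner, hits in probes.items():
        hits.sort()
        if not _has_fanout(hits, fanout, window):
            continue
        first_probe = {}
        for ts, dst in hits:
            first_probe.setdefault(dst, ts)
        # A TFTP request from a probed host back to the scanner, after the
        # probe, is the worm copy being fetched: that host is now infected too.
        victims = sorted({t.src for t in tftp
                          if t.dst == scanner and t.src in first_probe
                          and t.ts >= first_probe[t.src]})
        findings[scanner] = victims
    return findings


if __name__ == "__main__":
    print(detect_spreaders(SAMPLE_FLOWS))
```

Only the initial TFTP request is addressed to port 69; the server answers from an ephemeral port, so flow records keyed on destination port 69 catch the request rather than the data transfer. Because the worm picks targets at random, most of its port 445 attempts go to unreachable or unaffected hosts, which is why the fan-out of connection attempts is the stronger signal and the TFTP pull is used only to attribute which probed hosts became victims.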

Process Termination:

The worm tries to terminate the following processes if they are running:

wintbpx.exe, wintbp.exe, svnlitup32.exe, service32.exe, mousebm.exe, llsrv.exe, pnpsrv.exe, winpnp.exe, csm.exe, system32.exe, botzor.exe, upnp.exe

These files are related to other malicious programs, such as older versions of this worm.
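The persistence entry under Installation and Autostart Techniques and the process names listed above together give a host-side triage check. The following Python is an added example and not code from the original write-up: it parses the HKLM Run key out of a constructed reg-export-style dump, flags values that name a known Bozori/Zotob-family file or that carry no directory at all (the worm registers just "wintnpx.exe", leaving the loader to find it via the search path, and the same pattern catches unknown droppers that do likewise), and matches a constructed process list against the names above. The registry dump, the "updater.exe" entry and the process list are constructed sample data.

```python
"""Host triage for the Win32/Bozori indicators described in this entry.

Added example, not part of the original write-up. The registry dump and the
process list below are constructed samples."""
import re

RUN_KEY = r"[hkey_local_machine\software\microsoft\windows\currentversion\run]"

# Filenames associated with this worm and the related programs it terminates.
RELATED_NAMES = {
    "wintnpx.exe",                                   # this variant
    "wintbpx.exe", "wintbp.exe", "svnlitup32.exe", "service32.exe",
    "mousebm.exe", "llsrv.exe", "pnpsrv.exe", "winpnp.exe", "csm.exe",
    "system32.exe", "botzor.exe", "upnp.exe",        # older variants / relatives
}

# Constructed "reg export"-style dump of the Run key (backslashes doubled,
# embedded quotes escaped, as Registry Editor writes them).
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]",
    r'"VMware Tools"="\"C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe\""',
    r'"Wintnpx.exe"="wintnpx.exe"',
    r'"SomeUpdater"="updater.exe /quiet"',
])

# Constructed process list (image names as a task list would show them).
SAMPLE_PROCESSES = ["explorer.exe", "svchost.exe", "wintnpx.exe", "csm.exe", "notepad.exe"]


def parse_run_key(reg_text):
    """Return {value name: command} for string values under the HKLM Run key."""
    values = {}
    in_run = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_run = line.lower() == RUN_KEY
            continue
        if not in_run:
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if m:
            # Undo the .reg escaping: \\ -> \ and \" -> "
            values[m.group(1)] = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
    return values


def triage_run_values(values):
    """Return (value name, command, reason) for suspicious Run entries."""
    findings = []
    for name, cmd in values.items():
        cmd = cmd.strip()
        if cmd.startswith('"'):
            exe_path = cmd[1:].split('"', 1)[0]   # quoted path, may contain spaces
        else:
            exe_path = cmd.split(" ", 1)[0]
        exe = exe_path.rsplit("\\", 1)[-1].lower()
        if exe in RELATED_NAMES:
            findings.append((name, cmd, "known Bozori/Zotob-family filename"))
        elif "\\" not in exe_path:
            # No directory given: the loader locates it via the search path,
            # which is how the worm's own "wintnpx.exe" entry reaches %System%.
            findings.append((name, cmd, "bare filename, resolved via search path"))
    return findings


def triage_processes(names):
    """Return running image names that match the worm or its relatives."""
    return sorted(n for n in names if n.lower() in RELATED_NAMES)


if __name__ == "__main__":
    for finding in triage_run_values(parse_run_key(SAMPLE_REG)):
        print("Run key:", finding)
    print("Processes:", triage_processes(SAMPLE_PROCESSES))
```

The bare-filename rule is deliberately broader than the name list: a legitimate product normally registers a full path, so an autostart value consisting of just an executable name deserves a look even when the name is not yet known. Matching on image name alone is cheap but not conclusive, since a worm variant can be renamed; treat a hit as a reason to pull the file from %System% and examine it.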

Other Details:

Win32/Bozori also provides IRC backdoor functionality with the following functions:

Download files
Download new worm updates
Execute files
Provide uptime information to the remote controller
Provide information about the worm variant to the remote controller
Notify IRC Channels/Operator via private message
Restart the computer
Provide FTP Server Access on the compromised system
Remove components

Win32/Bozori tries to connect to the following Internet server:

24.128.76.161

and joins the following IRC channel:

#Tbp5

References:

http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx

History: Analysis and Write-up by: Michael St. Neitzel