Friday, December 7, 2007

w32Babelloh virus

Discovered: December 5, 2007
Type: Worm
Infection Length: 51,576 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP

Once executed, the worm creates the following mutex so that only one instance of it runs at a time:
NameOfMutexObject2

The worm creates the following files:

* %SystemDrive%\cblogsvr.ini
* %SystemDrive%\mgrShell.exe
* %SystemDrive%\spoolsv32.exe
* %SystemDrive%\wmiprvse.exe
* %Temp%\L4SD\1CE993C1.db
* %Temp%\~RHF514.log



On removable drives and mapped network drives it also creates the following folder and files, with the hidden and system attributes set:

* %DriveLetter%:\RECYCLER
* %DriveLetter%:\autorun.inf
* %DriveLetter%:\RECYCLER\desktop.exe
* %DriveLetter%:\RECYCLER\desktop.ini

The worm may also copy local .doc, .docx and .ros documents, in encrypted form, to the following file:
%DriveLetter%:\RECYCLER\[8 HEXADECIMAL CHARACTERS].db
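The removable-drive footprint above (an autorun.inf plus an executable hidden inside a RECYCLER folder) can be checked from an image or a directory capture without mounting the drive on a Windows box. The following Python is an added example, not code from the write-up: it parses the [autorun] section of an autorun.inf tolerantly (junk lines, mixed case, stray whitespace), lists every directive the shell would execute, and flags launch targets inside RECYCLER, a hidden+system autorun.inf, and any executable under RECYCLER. The sample autorun.inf and directory listing are constructed; the write-up does not give the worm's autorun.inf contents, and the function names are the example's own.

```python
import re

# [autorun] directives whose value the shell executes; shell\<verb>\command is matched by pattern.
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_COMMAND = re.compile(r"^shell\\[^\\]+\\command$", re.I)


def parse_autorun_inf(text):
    """Return the [autorun] section as {key_lower: value}.
    Tolerates comment and junk lines, mixed case and stray whitespace, all of which
    autorun worms of this era used to defeat naive string matching."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, val = line.partition("=")
        values[key.strip().lower()] = val.strip()
    return values


def launch_targets(values):
    """Every (directive, command) pair the shell could execute from this autorun.inf."""
    return [(k, v) for k, v in values.items() if k in LAUNCH_KEYS or SHELL_COMMAND.match(k)]


def assess_removable_drive(listing, autorun_text):
    """listing maps relative paths to their attribute letters, as a `dir /a` capture would give.
    Flags launch directives pointing into RECYCLER, a hidden+system autorun.inf, and any
    executable under RECYCLER (Explorer creates that folder only for the Recycle Bin on
    fixed drives, so on a USB stick it is a strong indicator)."""
    findings = []
    for directive, cmd in launch_targets(parse_autorun_inf(autorun_text)):
        parts = cmd.split()
        exe = parts[0].strip('"').lower() if parts else ""
        if "recycler" in exe.split("\\"):
            findings.append(f"{directive} runs a file inside RECYCLER: {cmd}")
        elif exe.endswith(".exe"):
            findings.append(f"{directive} runs {cmd}")
    for path, attrs in listing.items():
        p = path.lower()
        if p == "autorun.inf" and {"h", "s"} <= set(attrs):
            findings.append("autorun.inf carries the hidden+system attributes")
        if p.startswith("recycler\\") and p.endswith(".exe"):
            findings.append(f"executable under RECYCLER: {path}")
    return findings


# Constructed sample (not a capture); the write-up does not show the real autorun.inf.
SAMPLE_AUTORUN = """[AutoRun]
; comment line the parser ignores
icon=%SystemRoot%\\system32\\SHELL32.dll,4
OPEN = RECYCLER\\desktop.exe
shell\\open=&Open
shell\\open\\Command=RECYCLER\\desktop.exe
shellexecute=RECYCLER\\desktop.exe
action=Open folder to view files
"""
# Constructed `dir /a` style listing: path -> attribute letters (a=archive, h=hidden, s=system, d=dir).
SAMPLE_LISTING = {
    "autorun.inf": "ahs",
    "RECYCLER": "hsd",
    "RECYCLER\\desktop.exe": "ahs",
    "RECYCLER\\desktop.ini": "ahs",
    "holiday photos\\IMG_0001.jpg": "a",
}

if __name__ == "__main__":
    for finding in assess_removable_drive(SAMPLE_LISTING, SAMPLE_AUTORUN):
        print("[!]", finding)
```

The three launch directives are checked separately on purpose: a cleaned autorun.inf that still carries a `shell\open\command` line will relaunch the worm on double-click even when `open=` has been removed.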

It creates the following registry entries so that it runs every time Windows starts (the HKEY_USERS entry sits under the SID of the account that ran the worm on the analysis system; RID 500 is the built-in Administrator account):
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"PolicyRun" = "%SystemDrive%\spoolsv32.exe"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"winmgmt" = "%SystemDrive%\wmiprvse.exe"
* HKEY_USERS\S-1-5-21-1961063573-973683775-492528769-500\Software\Microsoft\Windows\CurrentVersion\Run\"winmgmt" = "%SystemDrive%\wmiprvse.exe"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "Explorer.exe %SystemDrive%\spoolsv32.exe"
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TrkWks\"ImagePath" = "%SystemDrive%\spoolsv32.exe"
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TrkWks\"ImagePath" = "%SystemDrive%\spoolsv32.exe"

The names mimic legitimate Windows components (the winmgmt service, wmiprvse.exe, spoolsv.exe and the TrkWks Distributed Link Tracking Client), but the real binaries live under %System%, not in the drive root. Rewriting the TrkWks ImagePath turns that existing service into a launcher for the worm.

It modifies the following registry values (ShowSuperHidden = 0 keeps the dropped hidden+system files out of view in Explorer):

* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\"ServiceCurrent" = "11"
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TrkWks\"Type" = "10"
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\"ServiceCurrent" = "11"
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TrkWks\"Type" = "10"
* HKEY_USERS\S-1-5-21-1961063573-973683775-492528769-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"ShowSuperHidden" = "0"
* HKEY_USERS\S-1-5-21-1961063573-973683775-492528769-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoDriveTypeAutoRun" = "B5"
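The persistence entries and value changes above can be checked offline against a registry export (`reg export`) rather than by eyeballing Regedit. The following Python is an added example, not code from the original write-up: it parses a constructed Regedit 5.00 text, flags autostart values whose program sits directly in a drive root, a Winlogon `Shell` that is not plain `Explorer.exe`, a `TrkWks` service that no longer runs under `svchost.exe` or whose `Type` became own-process (0x10 instead of the shared-service 0x20), reports `ShowSuperHidden`, and decodes `NoDriveTypeAutoRun` with the documented drive-type bit values. The rules generalise beyond the exact file names on this page. The sample export, the `parse_reg`/`find_persistence` names and the plain-string `ImagePath` (real exports write it as `hex(2):`) are the example's own assumptions.

```python
import re

# NoDriveTypeAutoRun is a bitmask over drive types; a set bit disables AutoRun for that type.
NDTAR_BITS = {0x01: "unknown", 0x02: "no_root_dir", 0x04: "removable", 0x08: "fixed",
              0x10: "remote", 0x20: "cdrom", 0x40: "ramdisk", 0x80: "reserved"}
OWN_PROCESS, SHARE_PROCESS = 0x10, 0x20          # SERVICE_WIN32_OWN_PROCESS / _SHARE_PROCESS
# "X:\name.exe" with no intermediate directory: the drive-root location every dropped file uses.
ROOT_EXE = re.compile(r'^"?[A-Za-z]:\\[^\\"]+\.exe"?(\s|$)', re.I)


def parse_reg(text):
    """Minimal parser for Regedit 5.00 exports -> {key: {value_name: (kind, data)}}.
    Handles "name"="string" and "name"=dword:xxxxxxxx; anything else is kept raw."""
    reg, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            reg.setdefault(key, {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)+)"=(.*)$', line)
        if not (m and key):
            continue
        name, rhs = m.group(1), m.group(2)
        if rhs.startswith("dword:"):
            reg[key][name] = ("dword", int(rhs[6:], 16))
        elif len(rhs) >= 2 and rhs[0] == rhs[-1] == '"':
            reg[key][name] = ("sz", rhs[1:-1].replace('\\"', '"').replace("\\\\", "\\"))
        else:
            reg[key][name] = ("raw", rhs)
    return reg


def decode_ndtar(value):
    """Names of the drive types whose AutoRun a NoDriveTypeAutoRun value disables."""
    return [name for bit, name in sorted(NDTAR_BITS.items()) if value & bit]


def find_persistence(reg):
    """Apply the rules to a parsed export; returns human-readable findings."""
    findings = []
    for key, values in reg.items():
        k = key.lower()
        if k.endswith(r"\currentversion\run") or k.endswith(r"\policies\explorer\run"):
            for name, (kind, data) in values.items():
                if kind == "sz" and ROOT_EXE.match(data):
                    findings.append(f"autostart of a drive-root executable: {key}\\{name} = {data}")
        elif k.endswith(r"\winlogon"):
            shell = values.get("Shell")
            if shell and shell[1].strip().lower() != "explorer.exe":
                findings.append(f"Winlogon Shell altered: {shell[1]}")
        elif k.endswith(r"\services\trkwks"):
            image = values.get("ImagePath")
            if image and "svchost.exe" not in image[1].lower():
                findings.append(f"TrkWks ImagePath no longer runs under svchost: {image[1]}")
            svc_type = values.get("Type")
            if svc_type and svc_type[1] == OWN_PROCESS:
                findings.append("TrkWks Type = 0x10 (own process); the genuine service is shared (0x20)")
        elif k.endswith(r"\explorer\advanced"):
            # 0 is also the Windows default, so report it as context rather than as proof.
            ssh = values.get("ShowSuperHidden")
            if ssh and ssh[1] == 0:
                findings.append("ShowSuperHidden = 0: Explorer hides hidden+system files")
        elif k.endswith(r"\policies\explorer"):
            nd = values.get("NoDriveTypeAutoRun")
            if nd:
                kinds = ", ".join(decode_ndtar(nd[1]))
                findings.append(f"NoDriveTypeAutoRun = 0x{nd[1]:02X} (AutoRun disabled for: {kinds})")
    return findings


# Constructed sample export (not a capture); backslashes are doubled as regedit writes them.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winmgmt"="C:\\wmiprvse.exe"
"VMware Tools"="C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"PolicyRun"="C:\\spoolsv32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\spoolsv32.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TrkWks]
"Type"=dword:00000010
"ImagePath"="C:\\spoolsv32.exe"

[HKEY_USERS\S-1-5-21-1961063573-973683775-492528769-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000000

[HKEY_USERS\S-1-5-21-1961063573-973683775-492528769-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000b5
'''

if __name__ == "__main__":
    for finding in find_persistence(parse_reg(SAMPLE_REG)):
        print("[!]", finding)
```

Note on the decode: 0xB5 sets the unknown, removable, remote, cdrom and reserved bits. On the shells of this era a set bit only suppressed insertion-time AutoRun; Explorer still honoured the autorun.inf `open`/`shell` directives as the drive's default double-click action until Microsoft's 2009 AutoRun updates, which is why the value does not conflict with the worm's removable-media spreading.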

It checks for internet access by connecting to the following site:
windowsupdate.microsoft.com

The worm drops additional malware that opens a back door and attempts to connect to the following predetermined hosts on TCP port 80, 8080 or 8088:
* lack.bpa.nu
* qack.bpa.nu
* pbwoman.6600.org
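Web-proxy logs are where the connectivity check and the back door's call-outs above would surface. The following Python is an added example, not code from the write-up: it parses constructed Squid native access-log lines, flags connections to the three listed hosts (or subdomains of them), records whether the port is one of the three named, and notes whether the same client fetched windowsupdate.microsoft.com within the preceding five minutes, which is the worm's connectivity check. The five-minute window, the log lines (with documentation-range IPs) and the function names are the example's assumptions.

```python
from urllib.parse import urlsplit

# Hosts and ports from the write-up; host matching includes subdomains of each name.
C2_HOSTS = ("lack.bpa.nu", "qack.bpa.nu", "pbwoman.6600.org")
C2_PORTS = {80, 8080, 8088}
CONNECTIVITY_CHECK = "windowsupdate.microsoft.com"


def parse_squid_line(line):
    """Squid native format: time elapsed client code/status bytes method url ident hier/peer type.
    Returns (timestamp, client, host, port) or None for lines that do not fit."""
    f = line.split()
    if len(f) < 7:
        return None
    try:
        ts = float(f[0])
    except ValueError:
        return None
    client, method, url = f[2], f[5], f[6]
    if method == "CONNECT":                      # CONNECT carries host:port, no scheme
        host, sep, port = url.rpartition(":")
        if not sep or not port.isdigit():
            host, port = url, "443"
    else:
        u = urlsplit(url)
        host = u.hostname or ""
        port = u.port or (443 if u.scheme == "https" else 80)
    return ts, client, host.lower(), int(port)


def is_c2_host(host):
    return any(host == h or host.endswith("." + h) for h in C2_HOSTS)


def find_c2_connections(lines, check_window=300):
    """One record per connection to a listed host:
    (client, host, port, port_is_listed, preceded_by_connectivity_check).
    check_window (seconds) is an assumption; the write-up gives no timing."""
    events = [e for e in map(parse_squid_line, lines) if e]
    checks = [(ts, c) for ts, c, host, _ in events if host == CONNECTIVITY_CHECK]
    hits = []
    for ts, client, host, port in events:
        if not is_c2_host(host):
            continue
        preceded = any(c == client and 0 <= ts - t <= check_window for t, c in checks)
        hits.append((client, host, port, port in C2_PORTS, preceded))
    return hits


# Constructed log lines (not a capture); peer addresses are from the 192.0.2.0/24 documentation range.
SAMPLE_LOG = [
    "1196900000.100    210 10.0.0.15 TCP_MISS/200 812 GET http://windowsupdate.microsoft.com/ - DIRECT/192.0.2.10 text/html",
    "1196900012.400    915 10.0.0.15 TCP_MISS/200 512 CONNECT lack.bpa.nu:8080 - DIRECT/192.0.2.20 -",
    "1196900030.700    300 10.0.0.22 TCP_MISS/200 2048 GET http://pbwoman.6600.org:8088/ - DIRECT/192.0.2.30 text/plain",
    "1196900031.000    100 10.0.0.33 TCP_MISS/200 300 GET http://www.example.com/ - DIRECT/192.0.2.40 text/html",
    "garbage line the parser must skip",
]

if __name__ == "__main__":
    for client, host, port, listed_port, preceded in find_c2_connections(SAMPLE_LOG):
        print(f"[!] {client} -> {host}:{port} listed_port={listed_port} after_update_check={preceded}")
```

The windowsupdate.microsoft.com fetch is benign on its own and is never flagged by itself; it is only used to enrich a C2 hit, since a host that performs that check and then reaches one of the listed names matches the sequence the write-up describes.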
