MS06-040 and Related Malware

The Internet Storm Center has a nice write-up with links regarding MS06-040 and the malware related to exploits of this vulnerability. Currently, there are mainly two bots that take advantage of this vulnerability:

MD5 FILENAME
9928a1e6601cf00d0b7826d13fb556f0 wgareg.exe
2bf2a4f0bdac42f4d6f8a062a7206797 wgavm.exe

With the help of our sandbox, it is possible to get a quick analysis of both of them. You can find this analysis at wgareg.exe-cwsandbox.html (or for the XML output: wgareg.exe-cwsandbox.xml) and wgavm.exe-cwsandbox.html (XML: wgavm.exe-cwsandbox.xml). CWSandbox is able to extract enough information to get a first insight into what the binaries do. The main IRC server used for Command & Control is revealed (bniu.househot.com), together with information about the nickname and username.

In addition, we now also have a system to keep track of AV signatures in different AV engines (thanks to Jan Göbel for implementing most parts of it during his thesis!). This allows us to track when a certain AV engine has added signatures to detect a new binary. Below you can find a sample output for wgareg.exe:

Virus scanner analysis for MD5 9928a1e6601cf00d0b7826d13fb556f0:
AntiVir
--------
Signature Update: 2006-08-12 14:40:06
Product Version: 2.1.7-31
Signature Version: 6.35.1.84
Result: OK

Signature Update: 2006-08-13 15:40:06
Product Version: 2.1.7-31
Signature Version: 6.35.1.85
Result: Worm/IRCBot.9609

BitDefender
---------------
Signature Update: 2006-08-12 22:40:05
Product Version: 7.0.2492
Signature Version: 444351
Result: Generic.Malware.IXdld.658BDD6B

Signature Update: 2006-08-13 12:40:05
Product Version: 7.0.2492
Signature Version: 444407
Result: Backdoor.IRCBot.ST

ClamAV
---------
Signature Update: 2006-08-12 17:40:05
Product Version: 0.88.2
Signature Version: 1650
Result: OK

Signature Update: 2006-08-13 14:40:05
Product Version: 0.88.2
Signature Version: 1654
Result: Trojan.IRCBot-689


The signatures for the binary with MD5 2bf2a4f0bdac42f4d6f8a062a7206797 look similar.
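As an added illustration (not code from the original post or from the tracking system itself), the following parser reads a report in the output format shown above and computes, per engine, the first detecting signature and how many hours after that engine's first recorded scan it appeared. The field layout is assumed from the sample output; the embedded report is the AntiVir part of that sample.

```python
from datetime import datetime

# Constructed test input: the AntiVir section of the report shown above.
# The "key: value" layout is assumed from that sample, not from the tool's code.
REPORT = """\
Virus scanner analysis for MD5 9928a1e6601cf00d0b7826d13fb556f0:
AntiVir
--------
Signature Update: 2006-08-12 14:40:06
Product Version: 2.1.7-31
Signature Version: 6.35.1.84
Result: OK

Signature Update: 2006-08-13 15:40:06
Product Version: 2.1.7-31
Signature Version: 6.35.1.85
Result: Worm/IRCBot.9609
"""

def parse_report(text):
    """Return (md5, {engine: [scan, ...]}) with scans in report order."""
    md5, engines, engine, scan = None, {}, None, {}
    for line in filter(str.strip, text.splitlines()):   # skip blank lines
        key, sep, value = (s.strip() for s in line.partition(":"))
        if key.startswith("Virus scanner analysis for MD5"):
            md5 = key.split()[-1]
        elif not sep and not key.startswith("-"):    # bare word: engine name
            engine, engines[key] = key, []
        elif key == "Signature Update":
            scan = {"time": datetime.strptime(value, "%Y-%m-%d %H:%M:%S")}
        elif key == "Signature Version":
            scan["sigver"] = value
        elif key == "Result":                  # last field of one scan record
            scan["result"] = value
            engines[engine].append(scan)
    return md5, engines

def detection_lag(engines):
    """Per engine: (first non-OK result, its signature version, hours after
    that engine's first recorded scan), or None if it never flagged the file."""
    lag = {}
    for name, scans in engines.items():
        hits = [s for s in scans if s["result"] != "OK"]
        if not hits:
            lag[name] = None
            continue
        first = min(s["time"] for s in scans)
        hit = min(hits, key=lambda s: s["time"])
        hours = (hit["time"] - first).total_seconds() / 3600
        lag[name] = (hit["result"], hit["sigver"], hours)
    return lag
```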

Comments

  1. Andre Gironda says:

    in the internet storm center report, they mention not being able to clean the malware? isn't that going a little too far, especially by recommending a completely clean install?

    I would assume a nice combination of HiJackThis, Unlocker, Process Explorer, et al. could clean this up nicely. I've seen worse where I had to mess with WFP, even more registry annoyances, and even killing explorer & freezing winlogon in Process Explorer so I could regsvr32.exe /u a particular DLL that infected both explorer and winlogon completely.

    McAfee or Norton will probably release a cleaner at some point, as well.

  2. Thorsten Holz says:

    In the second stage, the bot also installs another piece of malware on the compromised box, see my update on this topic.

    For cleaning: LURHQ describes it in the following way with which I agree: "In the case of a system that has become infected with a trojan, worm or virus, unless you are a malware expert, the only way to be 100% sure the system is malware-free is to completely wipe the hard drive and reinstall the operating system."

