Worm:Win32/Slenfbot.ALJ

Worm:Win32/Slenfbot.ALJ is a worm that can spread via removable and network drives, or by exploiting the MS06-040 vulnerability.

This worm spreads automatically via shares, but must be ordered to spread via an exploit or IRC-like commands by a remote attacker. The worm also contains backdoor functionality that allows unauthorized access to an affected computer.

Worm:Win32/Slenfbot.ALJ is a member of the Win32/Slenfbot family of worms.

Installation

When run, Worm:Win32/Slenfbot.ALJ may copy itself to "<system folder>\wmpnv32.exe"

Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is "C:\WinNT\System32"; and for XP, Vista, and 7 it is "C:\Windows\System32".

Worm:Win32/Slenfbot.ALJ modifies the following registry entries to ensure that its copy runs at each Windows start:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows Media iControl"
With data: "<malware path and filename>", for example "C:\WINDOWS\system32\wmpnv32.exe"

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows Media iControl"
With data: "<malware path and filename>"

Spreads via...

Removable and network drives

Worm:Win32/Slenfbot.ALJ may attempt to spread via removable and network drives, except drives A: and B:. It does this by creating a directory called "RECYCLER" in the root of the removable drive. The worm copies itself into this directory, with a file name such as the following:

• chgservice.exe
• cmmon32.exe
• drive32.exe
• ecleaner.exe
• iexplorer.exe
• msvmiode.exe
• nxqd.exe
• rvhost.exe
• serivces.exe
• servicers.exe
• svchos.exe
• undmgr.exe
• uninstall.exe
• usbmngr.exe
• woot.exe
• wudfhost.exe
• zaberg.exe

It also places an autorun.inf file in the root directory of the targeted drive. Such autorun.inf files contain execution instructions for the operating system, so that when the removable drive is accessed from another computer supporting the Autorun feature, the malware is launched automatically.

The worm changes the attributes of all files and folders in the newly created "RECYCLER" folder to "hidden" and "system".

Note: This worm was observed to write an executable and create an autorun.inf file on a targeted drive in our automated testing environment. This is particularly common malware behavior, generally used to spread malware from computer to computer.
It should be noted that autorun.inf files on their own are not necessarily a sign of infection, as they are used by legitimate programs and installation media.

Windows vulnerability exploit

Worm:Win32/Slenfbot.ALJ may attempt to spread by exploiting the MS06-040 vulnerability that affects Windows software. This is a vulnerability that allows remote code execution.

Payload

Backdoor access and control

Worm:Win32/Slenfbot.ALJ attempts to connect to an IRC server at "66.97.132.78" via a random TCP port, join a channel and wait for commands. Using this backdoor, an attacker can perform the following actions on your computer:

• Join another IRC channel
• Download and execute arbitrary files
• Visit specified URLs
• Spread via network shares

Terminates processes

Worm:Win32/Slenfbot.ALJ may terminate some or all of the following security-related processes on your computer:

• billy.exe
• cfp.exe
• hijackthis.exe
• mrt.exe
• mrtstub.exe
• tcpview.exe
• teatimer.exe
• usbguard.exe

It may also try to stop security-related services containing the following substrings in their name:

• acs
• afwserv.exe
• ashserv.exe
• cmdagent
• ekrn
• kpf4
• nod32krn
• outpost
• sbpflnch
• SCFService.exe
• tmpfw
• vsmon

Modifies system security settings

Worm:Win32/Slenfbot.ALJ modifies your computer's security by making a number of registry modifications.

It adds itself to the DEP (data execution prevention) exclusion list, allowing it to run without Windows performing certain checks:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
Sets value: "<malware path and filename>"
With data: "DisableNXShowUI"

In subkey: HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
Sets value: "<malware path and filename>"
With data: "DisableNXShowUI"

It adds itself to the Windows Firewall exclusion list:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "<malware path and filename>"
With data: "<malware path and filename>:*:Enabled:Windows Media iControl"

In subkey: HKCU\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "<malware path and filename>"
With data: "<malware path and filename>:*:Enabled:Windows Media iControl"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
Sets value: "<malware path and filename>"
With data: "<malware path and filename>:*:Enabled:Windows Media iControl"

In subkey: HKCU\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
Sets value: "<malware path and filename>"
With data: "<malware path and filename>:*:Enabled:Windows Media iControl"

Uses stealth

Worm:Win32/Slenfbot.ALJ also attempts to hide its process from Task Manager and other process monitoring tools.

Analysis by Jireh Sanico