Malicious Software Encyclopedia: Backdoor:Win32/Graweg.B

Published: September 7, 2006

Update: This threat has been renamed Backdoor:Win32/Mocbot.A.
 
Backdoor:Win32/Graweg.B is an IRC Trojan that connects to an IRC channel and awaits commands from remote attackers. When instructed, Backdoor:Win32/Graweg.B begins searching the local network for systems that have not yet applied the Microsoft Windows Server Service security patch described in Microsoft Security Bulletin MS06-040. The Trojan also includes the ability to send messages via AOL Instant Messenger (AIM) and ICQ. The exploit code used by Backdoor:Win32/Graweg.B is only effective against unpatched systems running Windows 2000. However, the Trojan can still infect patched versions of Windows 2000 and other Windows operating systems by means other than the exploit. For example, Backdoor:Win32/Graweg.B could be distributed as an e-mail attachment, or a link to the Trojan could be sent to e-mail or AIM recipients.

Backdoor:Win32/Graweg.B may lower security settings on infected systems and allows the system to be used for nefarious purposes, such as launching a Denial of Service (DoS) attack against others. Backdoor:Win32/Graweg.B includes the ability to download other files, so the Trojan could update its functionality or download additional malicious software to infected systems.

Backdoor:Win32/Graweg.B has been assigned CME ID 762 and will be detected by Microsoft as Backdoor:Win32/Graweg.B!CME-762.

Threat Overview

Class/type: Trojan - Backdoor
Discovered: August 12, 2006
Circulating: Yes
Affected software: Not specified
Infection rating: Low
Recovery difficulty: Moderate
Damage rating: Medium
Transmission rating: Low

Aliases (Also Known As)

Different antivirus vendors may be using different names to refer to this malicious software. Here are some of the names currently in use by antivirus software vendors participating in the Microsoft Virus Information Alliance (VIA):

  • McAfee: IRC-Mocbot!MS06-040
  • Sophos: W32/Cuebot-M
  • Symantec: W32.Wargbot
  • Trend Micro: WORM_IRCBOT.JK

Related Security Bulletins

The following Microsoft Security bulletins are related to this issue:

  • MS06-040 - Vulnerability in Server Service Could Allow Remote Code Execution (921883)

Technical Analysis

Backdoor:Win32/Graweg.B is an IRC Trojan that may spread to a system via exploit of the Windows Server Service vulnerability described in Microsoft Security Bulletin MS06-040. The Trojan could also arrive as an attachment to an e-mail message or as a link in an e-mail, AIM, or ICQ message. When run, Backdoor:Win32/Graweg.B does the following:

  • Copies itself to the Windows System folder as "wgavm.exe"
  • Registers itself as a service named "Windows Genuine Advantage Validation Monitor"
  • Injects a process into explorer.exe which attempts to delete the original worm file
  • Modifies the following registry subkeys in order to lower security settings on infected systems:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
          EnableDCOM = "n"
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
          restrictanonymous = "1"
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
          autoshareserver = "0"
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
          AntiVirusDisableNotify = "1"
      HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
          EnableFirewall = "1"
      HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
          EnableFirewall = "1"
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
          Start = "4"
  • Connects to predefined IRC channels and awaits commands, which can include the ability to execute programs, download additional malicious software or updates, send system information to the attacker, conduct DoS attacks, send messages via AIM/ICQ, or exploit other systems.
  • When instructed, Backdoor:Win32/Graweg.B begins searching the local network for systems that have not yet applied the Microsoft Windows Server Service security patch described in Microsoft Security Bulletin MS06-040. Vulnerable systems discovered will be exploited in order to run a copy of Backdoor:Win32/Graweg.B and thereby repeat the infection process.

The exploit code used by Backdoor:Win32/Graweg.B targets unpatched systems running Windows 2000 only. No other versions of Windows have been found to be vulnerable to the specific exploit code used by the Trojan. However, Backdoor:Win32/Graweg.B could arrive on a system by other means; for example, attackers could send the Trojan as an attachment to an e-mail, or send a link to the infected file via e-mail or Instant Messaging.
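The file, service and registry artifacts listed above can be checked on a host from an exported inventory. The following is an added example (not Microsoft's tooling and not part of the original write-up); it assumes a registry export in the Windows Registry Editor text format, a list of service display names and a listing of the Windows System folder, and uses only the indicators given on this page.

```python
# Added example (not Microsoft's tooling): check a host inventory for the Graweg.B indicators
# above, given a .reg-format registry export, service display names and a System folder listing.
# Registry values the Trojan is described as setting (DWORDs export as dword:0000000N).
REGISTRY_INDICATORS = {
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole", "EnableDCOM"): "n",
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center", "AntiVirusDisableNotify"): "1",
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess", "Start"): "4",
}
SERVICE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wgareg"
SERVICE_NAME = "Windows Genuine Advantage Validation Monitor"
DROPPED_FILE = "wgavm.exe"

def parse_reg_export(text):
    """Return {key: {name: value}}, lower-cased (the registry is case-insensitive)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current and "=" in line:
            name, raw = line.split("=", 1)
            # DWORDs are hex after "dword:"; strings are double-quoted
            value = str(int(raw[6:], 16)) if raw.startswith("dword:") else raw.strip('"')
            keys[current][name.strip('"').lower()] = value
    return keys

def find_indicators(reg_text, service_names, system_files):
    """Return the list of indicators present on this host (empty = none seen)."""
    reg = parse_reg_export(reg_text)
    hits = []
    for (key, name), expected in REGISTRY_INDICATORS.items():
        if reg.get(key.lower(), {}).get(name.lower()) == expected:
            hits.append(f"{key}\\{name} = {expected}")
    if SERVICE_KEY.lower() in reg:
        hits.append("service registry key wgareg present")
    if SERVICE_NAME in service_names:
        hits.append(f"service '{SERVICE_NAME}' installed")
    if DROPPED_FILE in {f.lower() for f in system_files}:
        hits.append(f"{DROPPED_FILE} present in Windows System folder")
    return hits
# Constructed sample export such as an infected host might produce.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="n"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wgareg]
"DisplayName"="Windows Genuine Advantage Validation Monitor"
"""
```

A single registry value alone is weak evidence (administrators also set some of these); the service key, the service name and wgavm.exe together are the stronger signal.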

How to Prevent Infection

For specific prevention steps, refer to the "Suggested Actions" section of the Microsoft Security Advisory (922437) pertaining to the Backdoor:Win32/Graweg exploit. Microsoft Security Advisory (922437) can be found at http://www.microsoft.com/technet/security/advisory/922437.mspx

Apply the following security tips to better protect your system in general:
  • Enable a firewall on your computer.
  • Get the latest computer updates.
  • Use up-to-date antivirus software.
  • Use caution with unexpected attachments.

Enable a firewall on your computer

Use a third-party firewall product or turn on the Microsoft Windows XP Internet Connection Firewall.

To turn on the Internet Connection Firewall in Windows XP:
1. Click Start, and click Control Panel.
2. Click Network and Internet Connections. If you do not see Network and Internet Connections, click Switch to Category View.
3. Click Change Windows Firewall Settings.
4. Select On.
5. Click OK.

Get the latest computer updates

Updates help protect your computer from viruses, worms, and other threats as they are discovered. You can use the Automatic Updates feature in Windows XP to automatically download future Microsoft security updates while your computer is on and connected to the Internet.

To turn on Automatic Updates in Windows XP:
1. Click Start, and click Control Panel.
2. Click System.
3. Click Automatic Updates.
4. Select a setting. Microsoft recommends selecting Automatic. If you do not choose Automatic, but you choose to be notified when updates are ready, a notification balloon appears when new downloads are available to install. Click the notification balloon to review and install the updates.

Use up-to-date antivirus software

Most antivirus software can detect and prevent infection by known malicious software. To help protect you from infection, you should always run antivirus software that is updated with the latest signature files. Antivirus software is available from several sources. For more information, see http://www.microsoft.com/athome/security/downloads/default.mspx

Use caution with unexpected attachments

Exercise caution with e-mail and attachments received from unknown sources, or received unexpectedly from known sources. Use extreme caution when accepting file transfers from known or unknown sources.

How to Tell If Your Computer Is Infected

Unexpected traffic on TCP port 445, combined with the presence of a file named "wgavm.exe" in the Windows System folder and the presence of a service named "Windows Genuine Advantage Validation Monitor", may be indications of a Backdoor:Win32/Graweg.B infection. This Trojan includes the ability to self-update and, as with most Trojans, allows backdoor access to the infected system. If a Backdoor:Win32/Graweg.B infection is suspected, perform a full system scan with up-to-date antivirus software to detect and remove the Trojan and any other malicious software that may have resulted from the original infection.
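On the network side, the "unexpected traffic on TCP port 445" signal is an infected host fanning out to many distinct local addresses when told to scan for unpatched systems. The following added example (not from the original write-up) runs that check over constructed connection-log lines; the log format, the window and the threshold are assumptions chosen for the example.

```python
# Added example (not from the original write-up): flag hosts that fan out to
# many distinct peers on TCP 445, the "unexpected traffic on TCP port 445"
# pattern above, when the Trojan is told to scan the local network for MS06-040.
# The connection-log line format used here is constructed for the example.
from collections import defaultdict
from datetime import datetime, timedelta

def parse_conn(line):
    """'2006-08-13T10:00:01 10.0.0.5:1034 -> 10.0.0.7:445 tcp' -> fields."""
    ts, src, _, dst, proto = line.split()
    dst_ip, dport = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src.rsplit(":", 1)[0], dst_ip, int(dport), proto

def fanout_sources(lines, min_targets=8, window=timedelta(minutes=5)):
    """Return {src: peak_distinct_targets} for sources that reach at least
    min_targets distinct hosts on TCP 445 inside any window. A busy file
    server is not flagged: only outbound distinct destinations per source count."""
    events = defaultdict(list)
    for line in lines:
        ts, src, dst, dport, proto = parse_conn(line)
        if proto == "tcp" and dport == 445:
            events[src].append((ts, dst))
    flagged = {}
    for src, evs in events.items():
        evs.sort()  # sliding window over time-ordered connections
        for i, (start, _) in enumerate(evs):
            targets = {dst for ts, dst in evs[i:] if ts - start <= window}
            if len(targets) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(targets))
    return flagged

# Constructed sample: 10.0.0.5 sweeps twelve hosts on 445 within seconds, while
# 10.0.0.6 just talks to the file server 10.0.0.2 and 10.0.0.7 uses port 139.
SAMPLE_LOG = [f"2006-08-13T10:00:{i:02d} 10.0.0.5:{1030 + i} -> 10.0.0.{10 + i}:445 tcp"
              for i in range(12)]
SAMPLE_LOG += ["2006-08-13T10:00:05 10.0.0.6:1100 -> 10.0.0.2:445 tcp",
               "2006-08-13T10:01:05 10.0.0.6:1101 -> 10.0.0.2:445 tcp",
               "2006-08-13T10:01:07 10.0.0.7:2001 -> 10.0.0.2:139 tcp"]
```

Tune min_targets to the environment: a workstation normally reaches only a handful of SMB servers, so a low threshold is usually safe there, while management hosts that legitimately poll many machines need to be excluded.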

Transmission Methods

  • Exploits Vulnerability: Remote attackers can instruct the Trojan to exploit other systems
  • Instant Messaging: Remote attackers can send messages via AIM or ICQ

Payload Information

  • Payload type: Compromises Security
  • Description: Lowers security settings

Modified Registry Entries

Added registry entries:
  • Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wgareg

Affected Ports

  • Protocol: TCP, port number 445

© 2009 Microsoft Corporation. All rights reserved.