Win32/Slenfbot is a worm that can spread via MSN Messenger, and may spread via removable drives. This worm spreads automatically via shares, but must be ordered to spread via messenger by a remote attacker. The worm also contains backdoor functionality that allows unauthorized access to an affected machine.
Installation
When executed, Win32/Slenfbot copies itself to the <system folder> with a filename that differs according to variant and sets the attributes for this copy to read only, hidden and system. It modifies the registry to run this copy at each Windows start. For example, Worm:Win32/Slenfbot.A copies itself to <system folder>\nvsvc64.exe and makes the following modification to the registry:
Adds value: "nVidia Display Driver"
With data: "nvsvc64.exe"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Note - <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on Windows XP and Vista.
The worm makes a further registry modification that causes the copy of the worm that was executed originally to be deleted when the system restarts:
Sets value: "PendingFileRenameOperations"
With data: "<original malware executable>"
Under key: HKLM\System\CurrentControlSet\Control\Session Manager
However, it also runs "cmd.exe /c del <original malware executable> nul" to immediately delete the original copy of the worm.
When first run, the worm checks whether Messenger is running by looking for a window with the class name "MSBLWindowClass". If it finds this window, it displays the following fake error message:
Spreads Via…
MSN Messenger
This worm can be ordered to spread via Messenger by a remote attacker using the worm's backdoor functionality (see Payload below for additional detail). When the attacker orders the worm to spread via MSN Messenger, they must provide the following three parameters:
- A URL containing a list of possible messages to send, along with the worm itself, to MSN Messenger contacts. The worm chooses from this list at random.
- A file name for a ZIP archive. The worm creates a ZIP archive containing a copy of itself in the temporary folder with this name. The worm sends this ZIP archive to MSN Messenger contacts.
- A file name for the worm's executable inside the ZIP archive.
Removable Drives
Win32/Slenfbot may attempt to spread via removable drives, except drives A and B. It does this by creating a directory called RECYCLER in the root of the removable drive. It then creates another directory underneath that with a name such as S-1-6-21-1257894210-1075856346-012573477-2315. The worm copies itself into this directory with a file name such as "folderopen.exe". For example:
E:\RECYCLER\S-1-6-21-1257894210-1075856346-012573477-2315\folderopen.exe
The worm also creates an autorun.inf file in the root directory of the drive in order to launch the worm if, for example, the drive is connected to another machine.
The worm sets the hidden and system attributes for all of the aforementioned directories and files.
Note: Due to a bug, Slenfbot may only create one directory rather than two, such as:
E:\RECYCLERS-1-6-21-1257894210-1075856346-012573477-2315\folderopen.exe
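The drive layout just described (autorun.inf in the root, an executable under RECYCLER\S-1-..., and the bugged single-directory form) can be checked for with a short script. The following Python is an added example and is not part of the advisory or of any Microsoft tool: it parses autorun.inf for the executables it would launch, looks for executables under either directory form, and reports the hidden+system attribute combination on Windows. The sample tree and the autorun.inf contents built by make_sample_tree() are constructed for the demonstration; the directory and file names are matched by pattern, not only by the exact values quoted above.

```python
"""Removable-drive triage for the RECYCLER / autorun.inf layout described above.

Added example, not part of the original advisory. Given a drive root it
reads autorun.inf (INI syntax) for the executables it would launch and
looks for the RECYCLER\\S-1-...\\*.exe drop, including the bugged
single-directory form (RECYCLERS-1-...). The sample tree and autorun.inf
contents built by make_sample_tree() are constructed for this demonstration.
"""
import configparser
import os
import re
import stat
import tempfile
from typing import Dict, List

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$", re.IGNORECASE)            # S-1-6-21-...
BUGGED_RE = re.compile(r"^RECYCLERS-1-\d+(?:-\d+)+$", re.IGNORECASE)  # backslash missing
EXECUTABLE_SUFFIXES = (".exe", ".com", ".scr", ".pif")


def autorun_targets(root: str) -> List[str]:
    """Executables that autorun.inf in root would launch ([] if none)."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return []
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    with open(path, encoding="utf-8", errors="ignore") as fh:
        try:
            parser.read_string(fh.read())
        except configparser.Error:
            return []  # unparsable autorun.inf: nothing to launch
    targets = []
    for section in parser.sections():
        if section.lower() != "autorun":
            continue
        for key in ("open", "shellexecute", "shell\\open\\command"):
            if parser.has_option(section, key):
                targets.append(parser.get(section, key).strip())
    return targets


def recycler_drops(root: str) -> List[str]:
    """Executables under RECYCLER\\S-1-* or the bugged RECYCLERS-1-* directory.

    A genuine XP recycle bin on an NTFS drive also has S-1-5-21-... folders,
    but keeps renamed entries (Dc1.exe) beside an INFO2 index, so an
    original-looking .exe there still deserves a look.
    """
    drops = []
    for name in os.listdir(root):
        top = os.path.join(root, name)
        if not os.path.isdir(top):
            continue
        if name.upper() == "RECYCLER":
            candidates = [os.path.join(top, d) for d in os.listdir(top) if SID_RE.match(d)]
        elif BUGGED_RE.match(name):
            candidates = [top]
        else:
            continue
        for directory in filter(os.path.isdir, candidates):
            for fname in os.listdir(directory):
                if fname.lower().endswith(EXECUTABLE_SUFFIXES):
                    drops.append(os.path.join(directory, fname))
    return sorted(drops)


def is_hidden_system(path: str) -> bool:
    """True when both HIDDEN and SYSTEM attributes are set (Windows only; False elsewhere)."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    wanted = stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM
    return attrs & wanted == wanted


def scan_drive_root(root: str) -> Dict[str, List[str]]:
    """Combine the checks for one drive root (on Windows, a path such as E:\\ plus a backslash)."""
    drops = recycler_drops(root)
    return {
        "autorun": autorun_targets(root),
        "drops": drops,
        "hidden_system": [p for p in drops if is_hidden_system(p)],
    }


def make_sample_tree(base: str) -> None:
    """Build a constructed mock of an infected drive: both directory forms plus autorun.inf."""
    sid = "S-1-6-21-1257894210-1075856346-012573477-2315"
    for directory in (os.path.join(base, "RECYCLER", sid), os.path.join(base, "RECYCLER" + sid)):
        os.makedirs(directory)
        with open(os.path.join(directory, "folderopen.exe"), "wb") as fh:
            fh.write(b"MZ")  # placeholder bytes, not a real executable
    with open(os.path.join(base, "autorun.inf"), "w") as fh:  # contents constructed
        fh.write(f"[autorun]\nopen=RECYCLER\\{sid}\\folderopen.exe\nicon=%SystemRoot%\\system32\\shell32.dll,4\n")


def demo() -> Dict[str, List[str]]:
    """Scan a throwaway copy of the sample tree and return the findings."""
    with tempfile.TemporaryDirectory() as base:
        make_sample_tree(base)
        return scan_drive_root(base)


if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind, items)
```

On a live drive, run scan_drive_root against the drive root; any autorun target that points into a RECYCLER directory, or any executable found there, should be handled as a sample rather than opened.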
Payload
Backdoor Functionality
Slenfbot attempts to connect to a particular IRC server on a particular TCP port. The channel and port number differ according to variant. It joins a channel and waits for commands. Using this backdoor, an attacker can perform the following actions on an affected machine:
When the attacker orders the worm to send an arbitrary file via MSN Messenger, they must provide all of the parameters used when spreading via Messenger, plus a fourth:
Modifies Hosts File
Slenfbot replaces <system folder>\drivers\etc\hosts with a file that contains the following:
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample LMHOSTS file used by the Microsoft TCP/IP for Windows.
#
This text is followed by 90 blank lines, presumably to make the file appear empty on casual inspection. After the blank lines it writes several entries to direct the following anti-virus and security related domains to localhost (127.0.0.1):
bbs.360safe.com
blog.hispasec.com
blog.threatfire.com
customer.symantec.com
discussions.virtualdr.com
download.mcafee.com
file.ikaka.com
forum.piriform.com
forum.securitycadets.com
forum.tweaks.com
forums.techguy.org
guru0.grisoft.cz
guru1.grisoft.cz
guru2.grisoft.cz
guru3.grisoft.cz
guru4.grisoft.cz
guru5.grisoft.cz
hjt-data.trend-braintree.com
hjt.networktechs.com
liveupdate.symantec.com
liveupdate.symantecliveupdate.com
mast.mcafee.com
scanner.virus.org
secubox.aldria.com
securityresponse.symantec.com
update.symantec.com
updates.symantec.com
virscan.org
www.2-spyware.com
www.360.cn
www.analysis.seclab.tuwien.ac.at
www.antivir.es
www.antivirus.about.com
www.antivirus.comodo.com
www.auditmypc.com
www.avast.com
www.avg-antivirus.net
www.avira.com
www.avp.com
www.bitdefender.com
www.bleedingthreats.net
www.bleepingcomputer.com
www.ca.com
www.castlecops.com
www.clamav.net
www.clamwin.com
www.computing.net
www.csrrt.org
www.cwsandbox.org
www.daniweb.com
www.download.f-secure.com
www.eradicatespyware.net
www.eset.com
www.experts-exchange.com
www.f-prot.com
www.f-secure.com
www.firewallguide.com
www.forospyware.com
www.fortiguardcenter.com
www.fortinet.com
www.forums.majorgeeks.com
www.free-av.com
www.free.avg.com
www.free.grisoft.com
www.freespywareremoval.info
www.futurenow.bitdefender.com
www.geekstogo.com
www.grisoft.com
www.hijackthis.de
www.housecall.trendmicro.com
www.ikarus.net
www.infosecpodcast.com
www.kaspersky-labs.com
www.kaspersky.com
www.majorgeeks.com
www.mcafee.com
www.Merijn.org
www.net-security.org
www.networkworld.com
www.norman.com
www.offensivecomputing.net
www.onlinescan.avast.com
www.pandasecurity.com
www.pantip.com
www.pchell.com
www.pctools.com
www.prevx.com
www.research.sunbelt-software.com
www.safer-networking.org
www.sandboxie.com
www.siteadvisor.com
www.soccersuck.com
www.sophos.com
www.spyany.com
www.spybot.info
www.spywaredb.com
www.spywareinfo.com
www.spywareterminator.com
www.symantec.com
www.techimo.com
www.techspot.com
www.techsupportforum.com
www.thecomputerpitstop.com
www.threatexpert.com
www.trendmicro.com
www.trendsecure.com
www.tweaksforgeeks.com
www.viruschief.com
www.virusinfo.prevx.com
www.viruslist.com
www.virusspy.com
www.virustotal.com
www.webphand.com
www.whatthetech.com
www.wilderssecurity.com
zhidao.baidu.com
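The hosts-file trick above (a fake LMHOSTS header, ninety blank lines, then sinkhole entries) is easy to check for once the file is parsed rather than eyeballed. The following Python script is an added example, not part of the advisory or of any Microsoft tool. It parses a hosts file, reports every name other than localhost that is mapped to a loopback address, and measures the longest run of blank lines, since dozens in a row is the padding this worm uses. SAMPLE_HOSTS is constructed for the demonstration and reuses the header lines and a few of the domains listed above.

```python
"""Hosts-file triage for the sinkhole trick described in the advisory.

Added example, not from the original advisory. SAMPLE_HOSTS is constructed
and reuses the worm's fake LMHOSTS header plus a few of the listed domains.
"""
import ipaddress
from typing import Dict, List, Tuple

LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
# Names that legitimately map to loopback in a default Windows hosts file.
BENIGN_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample: fake header, 90 blank lines, then sinkhole entries.
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-1999 Microsoft Corp.\n"
    "#\n"
    "# This is a sample LMHOSTS file used by the Microsoft TCP/IP for Windows.\n"
    "#\n"
    + "\n" * 90
    + "127.0.0.1 localhost\n"
    "127.0.0.1 www.symantec.com\n"
    "127.0.0.1 liveupdate.symantec.com\n"
    "127.0.0.1 www.virustotal.com # trailing comment\n"
    "127.0.0.1 www.kaspersky.com\n"
)


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_number, address, [hostnames]) for every mapping line.

    Comments ('#' to end of line) and blank lines are skipped. A line whose
    first token is not a valid IP address is ignored rather than raising,
    because a hosts file is free-form text.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            addr = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue
        if len(parts) > 1:
            entries.append((lineno, addr, parts[1:]))
    return entries


def find_sinkholed(text: str) -> Dict[str, int]:
    """Map each hostname sent to loopback (other than localhost names) to its line number."""
    found: Dict[str, int] = {}
    for lineno, addr, names in parse_hosts(text):
        if addr not in LOOPBACK:
            continue
        for name in names:
            if name.lower() not in BENIGN_LOOPBACK_NAMES:
                found.setdefault(name.lower(), lineno)
    return found


def max_blank_run(text: str) -> int:
    """Longest run of consecutive blank lines; the worm writes 90 to push its entries out of view."""
    longest = current = 0
    for raw in text.splitlines():
        if raw.strip():
            current = 0
        else:
            current += 1
            longest = max(longest, current)
    return longest


def triage(text: str, padding_threshold: int = 20) -> List[str]:
    """Human-readable findings for one hosts file (empty list means nothing suspicious)."""
    findings = []
    run = max_blank_run(text)
    if run >= padding_threshold:
        findings.append(f"{run} consecutive blank lines (possible padding to hide entries)")
    for name, lineno in sorted(find_sinkholed(text).items()):
        findings.append(f"line {lineno}: {name} redirected to loopback")
    return findings


if __name__ == "__main__":
    # On Windows the live file is %SystemRoot%\System32\drivers\etc\hosts.
    for finding in triage(SAMPLE_HOSTS):
        print(finding)
```

To check a live machine, read %SystemRoot%\System32\drivers\etc\hosts and pass its text to triage(); a redirected vendor domain or a long blank run is a sign the file should be restored from a known-good copy after the infection is cleaned.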
Deletes Files
When first executed, Slenfbot runs the following commands:
CMD /C del /F /S /Q *.zip
CMD /C del /F /S /Q *.com
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com
These commands delete files named *.zip and *.com in the current directory and in the user's "Received Files" directory, the location where Windows Messenger stores downloaded files by default. The intention is obviously to delete the original copy of the worm that was received via Messenger.
Modifies System Settings
Slenfbot deletes the following registry keys (and any subkeys and values they contain):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network
It also makes the following registry modifications:
Sets value: "Disabletaskmgr"
With data: "1"
Under key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "DisableSR"
With data: "1"
Under key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
Sets value: "DisableConfig"
With data: "1"
Under key HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
Sets value: "Disableregistrytools"
With data: "1"
Under key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "NoClose"
With data:"1"
Under key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
Sets value: "Start"
With data: "4"
Under key HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
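The registry locations in the Installation section (the Run value) and in this section (the deleted SafeBoot keys and the policy and service values) make a compact indicator table. The following Python script is an added example, not part of the advisory or of any Microsoft tool: the indicator table comes from the advisory, while the hive abbreviations, the reading logic and the bare-file-name heuristic for Run values are this example's own. On Windows, collect_live() reads the real registry with winreg; elsewhere, or in a test, evaluate() is given a dictionary of readings such as the constructed ones returned by sample_infected(). Registry value names are case-insensitive, so the canonical spellings below match the advisory's "Disabletaskmgr" and "Disableregistrytools".

```python
"""Registry triage for the persistence and hardening-bypass indicators above.

Added example, not part of the original advisory. Indicator paths and data
are taken from the advisory; everything else here is this example's own.
"""
from typing import Dict, List, Optional, Tuple

try:
    import winreg  # only available on Windows
except ImportError:
    winreg = None

POLICY_SYSTEM = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
WSCSVC = r"SYSTEM\CurrentControlSet\Services\wscsvc"
# (hive, subkey, value name, data that signals tampering)
TAMPER_INDICATORS: List[Tuple[str, str, str, int]] = [
    ("HKCU", POLICY_SYSTEM, "DisableTaskMgr", 1),
    ("HKCU", POLICY_SYSTEM, "DisableRegistryTools", 1),
    ("HKLM", r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore", "DisableSR", 1),
    ("HKLM", r"SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore", "DisableConfig", 1),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer", "NoClose", 1),
    ("HKLM", WSCSVC, "Start", 4),  # 4 = SERVICE_DISABLED: Security Center never starts
]
# Keys the worm deletes; without them Windows cannot boot into Safe Mode.
SAFEBOOT_KEYS = [
    ("HKLM", r"SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal"),
    ("HKLM", r"SYSTEM\CurrentControlSet\Control\SafeBoot\Network"),
]
RUN_KEY = ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run")

# (hive, subkey, value name) -> data; value name "" records whether the key exists.
Readings = Dict[Tuple[str, str, str], Optional[object]]


def evaluate(readings: Readings, run_values: Dict[str, str]) -> List[str]:
    """Turn raw readings into findings; None means the value or key is absent."""
    findings = []
    for hive, subkey, value, bad in TAMPER_INDICATORS:
        data = readings.get((hive, subkey, value))
        if data is not None and int(data) == bad:
            findings.append(f"{hive}\\{subkey}\\{value} = {data} (protection disabled)")
    for hive, subkey in SAFEBOOT_KEYS:
        if readings.get((hive, subkey, "")) is None:
            findings.append(f"{hive}\\{subkey} missing (Safe Mode unavailable)")
    for name, data in run_values.items():
        # The advisory's sample registers the bare name "nvsvc64.exe", which
        # Windows resolves from the System folder; legitimate entries almost
        # always carry a full path, so a bare file name is worth reviewing.
        if "\\" not in str(data):
            findings.append(f"Run value {name!r} -> {data!r} has no path (review)")
    return findings


def collect_live() -> Tuple[Readings, Dict[str, str]]:
    """Read the indicator locations from the live registry (Windows only)."""
    if winreg is None:
        raise RuntimeError("winreg is only available on Windows")
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}

    def query(hive: str, subkey: str, value: str):
        try:
            with winreg.OpenKey(hives[hive], subkey) as key:
                return True if value == "" else winreg.QueryValueEx(key, value)[0]
        except OSError:  # key or value does not exist
            return None

    readings: Readings = {}
    for hive, subkey, value, _ in TAMPER_INDICATORS:
        readings[(hive, subkey, value)] = query(hive, subkey, value)
    for hive, subkey in SAFEBOOT_KEYS:
        readings[(hive, subkey, "")] = query(hive, subkey, "")
    run_values: Dict[str, str] = {}
    try:
        with winreg.OpenKey(hives[RUN_KEY[0]], RUN_KEY[1]) as key:
            for index in range(winreg.QueryInfoKey(key)[1]):  # [1] = number of values
                name, data, _ = winreg.EnumValue(key, index)
                run_values[name] = data
    except OSError:
        pass
    return readings, run_values


def sample_clean() -> Tuple[Readings, Dict[str, str]]:
    """Constructed readings for an untouched machine."""
    readings: Readings = {(h, s, v): 0 for h, s, v, _ in TAMPER_INDICATORS}
    readings[("HKLM", WSCSVC, "Start")] = 2  # SERVICE_AUTO_START
    readings.update({(h, s, ""): True for h, s in SAFEBOOT_KEYS})
    return readings, {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"}


def sample_infected() -> Tuple[Readings, Dict[str, str]]:
    """Constructed readings matching the modifications the advisory describes."""
    readings: Readings = {(h, s, v): bad for h, s, v, bad in TAMPER_INDICATORS}
    readings.update({(h, s, ""): None for h, s in SAFEBOOT_KEYS})
    return readings, {"nVidia Display Driver": "nvsvc64.exe"}


if __name__ == "__main__":
    for finding in evaluate(*sample_infected()):
        print(finding)
```

On an affected XP or Vista machine, run evaluate(*collect_live()) from an elevated prompt; the wscsvc Start value and the SafeBoot keys are the two findings that matter most for recovery, since the first silences Security Center and the second prevents booting into Safe Mode to clean up.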
Terminates Processes
Slenfbot may terminate the following processes on an affected machine:
123.COM
123.EXE
360HOTFIX.EXE
360RPT.EXE
360SAFE.EXE
360TRAY.EXE
A2HIJACKFREESETUP.EXE
ACAAS.EXE
ACAEGMGR.EXE
ACAIS.EXE
ACALS.EXE
AFMAIN.EXE
AHNSDSV.EXE
ALERTMAN.EXE
ALMON.EXE
ALSVC.EXE
APM.EXE
APORTS.EXE
APT.EXE
ASHMAISV.EXE
ASHSERV.EXE
ASHWEBSV.EXE
ASVIEWER.EXE
ASWCLNR.EXE
ASWUPDSV.EXE
AUTORUNS.EXE
AVENGER.EXE
AVGARKT.EXE
AVGSCANX.EXE
AVGUARD.EXE
AVGUI.EXE
AVGUPD.EXE
AVGWDSVC.EXE
AVIRARKD.EXE
BC5CA6A.EXE
BDAGENT.EXE
BDSS.EXE
BOXMOD.EXE
CATCHME.EXE
CCENTER.EXE
CF9409.EXE
COMBOFIX.EXE
CPORTS.EXE
CPROCESS.EXE
DARKSPY105.EXE
DELAYDELFILE.EXE
DLLCOMPARE.EXE
DRWEB32W.EXE
DRWEBSCD.EXE
DUBATOOL_AV_KILLER.EXE
EULALYZERSETUP.EXE
F-PROT.EXE
F-PROT95.EXE
F-STOPW.EXE
FAMEH32.EXE
FAST.EXE
FCH32.EXE
FIH32.EXE
FILEALYZ.EXE
FILEFIND.EXE
FIXPATH.EXE
FNRB32.EXE
FOLDERCURE.EXE
FP-WIN.EXE
FPORT.EXE
FPROT.EXE
FSAA.EXE
FSAV.EXE
FSAV32.EXE
FSAV530STBYB.EXE
FSAV530WTBYB.EXE
FSAV95.EXE
FSB.EXE
FSBL.EXE
FSGK32.EXE
FSM32.EXE
FSMA32.EXE
FSMB32.EXE
GMER.EXE
HACKMON.EXE
HELIOS.EXE
HIJACKTHIS.EXE
HOOKANLZ.EXE
HOSTSFILEREADER.EXE
ICESWORD.EXE
IEFIX.EXE
INSTALLWATCHPRO25.EXE
KAKASETUPV6.EXE
KAV.EXE
KAVSVC.EXE
KILLAUTOPLUS.EXE
KILLBOX.EXE
LIVESRV.EXE
LORDPE.EXE
MAKEREPORT.EXE
MCAGENT.EXE
MCSHIELD.EXE
MCUPDATE.EXE
MCVSRTE.EXE
MCVSSHLD.EXE
MSASCUI.EXE
MSCONFIG.EXE
MSMPENG.EXE
MSNFIX.EXE
MYPHOTOKILLER.EXE
NETALYZ.EXE
NETSTAT.EXE
NMAIN.EXE
NOD32.EXE
NOD32CC.EXE
NOD32KRN.EXE
NOD32KUI.EXE
NOD32M2.EXE
OBJMONSETUP.EXE
OLLYDBG.EXE
PAVARK.EXE
PCTSAUXS.EXE
PCTSGUI.EXE
PCTSSVC.EXE
PCTSTRAY.EXE
PG2.EXE
PGSETUP.EXE
PORTDETECTIVE.EXE
PORTMONITOR.EXE
PROCDUMP.EXE
PROCESSMONITOR.EXE
PROCEXP.EXE
PROCMON.EXE
PROJECTWHOISINSTALLER.EXE
PSKILL.EXE
RAV.EXE
RAVLITE.EXE
RAVMOND.EXE
RAVTASK.EXE
REANIMATOR.EXE
REG.EXE
REGALYZ.EXE
REGCOOL.EXE
REGEDIT.EXE
REGISTRAR_LITE.EXE
REGSCANNER.EXE
REGSHOT.EXE
REGX2.EXE
RKD.EXE
ROOTALYZER.EXE
ROOTKITBUSTER.EXE
ROOTKITNO.EXE
ROOTKITREVEALER.EXE
ROOTKIT_DETECTIVE.EXE
RTVSCAN.EXE
SAVADMINSERVICE.EXE
SAVSERVICE.EXE
SCFMANAGER.EXE
SCFSERVICE.EXE
SCHED.EXE
SDFIX.EXE
SEEM.EXE
SPF.EXE
SPIDERML.EXE
SPIDERNT.EXE
SPIDERUI.EXE
SPYBOTSD.EXE
SPYBOTSD160.EXE
SRENGLDR.EXE
SRENGPS.EXE
STARTDRECK.EXE
SUPERKILLER.EXE
SYSANALYZER_SETUP.EXE
TASKKILL.EXE
TASKLIST.EXE
TASKMAN.EXE
TASKMGR.EXE
TASKMON.EXE
TCPVIEW.EXE
TEATIMER.EXE
UISCAN.EXE
ULIBCFG.EXE
UNHACKME.EXE
UNIEXTRACT.EXE
UNLOCKER1.8.7.EXE
VSMON.EXE
VSSERV.EXE
WIRESHARK.EXE
WITSETUP.EXE
XCOMMSVR.EXE
ZLCLIENT.EXE
Uses Stealth
Slenfbot is also capable of hiding its process from task manager.
Additional Information
Slenfbot variants create a mutex that also differs according to variant. For example, Worm:Win32/Slenfbot.A creates the mutex "I3.1".
Analysis by Hamish O'Dea
Take the following steps to help prevent infection on your system:
- Enable a firewall on your computer.
- Get the latest computer updates.
- Use up-to-date antivirus software.
- Use caution with attachments and file transfers.
Enable a firewall on your computer
Use a third-party firewall product or turn on the Microsoft Windows XP Internet Connection Firewall.
To turn on the Internet Connection Firewall in Windows XP
- Click Start, and click Control Panel.
- Click Network and Internet Connections. If you do not see Network and Internet Connections, click Switch to Category View.
- Click Change Windows Firewall Settings.
- Select On.
- Click OK.
To turn on the Windows Firewall in Windows Vista
- Click Start, and click Control Panel.
- Click Security.
- Click Turn Windows Firewall on or off.
- Select On.
- Click OK.
Get the latest computer updates
Updates help protect your computer from viruses, worms, and other threats as they are discovered. You can use the Automatic Updates feature in Windows XP to automatically download future Microsoft security updates while your computer is on and connected to the Internet.
To turn on Automatic Updates in Windows XP
- Click Start, and click Control Panel.
- Click System.
- Click Automatic Updates.
- Select a setting. Microsoft recommends selecting Automatic. If you do not choose Automatic, but you choose to be notified when updates are ready, a notification balloon appears when new downloads are available to install. Click the notification balloon to review and install the updates.
Use up-to-date antivirus software
Most antivirus software can detect and prevent infection by known malicious software. To help protect you from infection, you should always run antivirus software that is updated with the latest signature files. Antivirus software is available from several sources. For more information, see http://www.microsoft.com/protect/computer/viruses/vista.mspx.
Use caution with attachments and file transfers
Exercise caution with e-mail and attachments received from unknown sources, or received unexpectedly from known sources. Use extreme caution when accepting file transfers from known or unknown sources.