Worm:Win32/Slenfbot.AKD is a worm that spreads to other computers by using Instant Messaging programs. It sends a copy of itself disguised as a link to a codec required to watch a video.
Installation
When executed, Worm:Win32/Slenfbot.AKD copies itself into the Windows folder using the following file names:
It modifies the system registry so that it automatically runs every time Windows starts:
In subkeys:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "NVIDIA driver monitor"
With data: "%windir%\nvsvc32.exe"
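The persistence entry above is a simple thing to check for on a host. The following is an added example written for this page, not code from the original analysis: it flags Run-key values matching the worm's value name or file name, with a helper that reads the three listed keys on a Windows host (the value and path are taken from the analysis; the function names are my own).

```python
# Registry locations and the autorun value described in the analysis above.
RUN_SUBKEYS = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install"
    r"\Software\Microsoft\Windows\CurrentVersion\Run",
)
VALUE_NAME = "nvidia driver monitor"   # "NVIDIA driver monitor", compared case-insensitively
IMAGE_NAME = "nvsvc32.exe"             # %windir%\nvsvc32.exe


def is_slenfbot_autorun(value_name: str, data: str) -> bool:
    """True when a Run-key value matches the worm's persistence entry.

    Either indicator alone is enough: the value name is the one the worm
    writes, and nvsvc32.exe is not a normal Run-key target, so a renamed
    value still trips the file-name check (quotes and arguments are tolerated).
    """
    return value_name.strip().lower() == VALUE_NAME or IMAGE_NAME in data.lower()


def scan_entries(entries):
    """entries: iterable of (hive, subkey, value_name, data); returns the matches."""
    return [e for e in entries if is_slenfbot_autorun(e[2], e[3])]


def read_live_run_keys():
    """Enumerate the Run keys listed in the analysis on a Windows host.

    Uses the standard-library winreg module, which only exists on Windows;
    the key under 'Terminal Server\\Install' is listed for HKLM only.
    """
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    for hive_name, hive in hives.items():
        for subkey in RUN_SUBKEYS:
            if hive_name == "HKCU" and "Terminal Server" in subkey:
                continue
            try:
                key = winreg.OpenKey(hive, subkey)
            except OSError:
                continue  # key absent or not readable; nothing to report
            with key:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:
                        break  # no more values
                    yield (hive_name, subkey, name, str(data))
                    index += 1


if __name__ == "__main__":
    for hit in scan_entries(read_live_run_keys()):
        print("suspicious autorun entry:", hit)
```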
It also modifies firewall settings to allow itself to access the network.
Spreads via...
Instant messaging programs
Worm:Win32/Slenfbot.AKD spreads by sending a link to a copy of itself to all of a user's contacts in the following Instant Messaging programs:
- Yahoo! Messenger
- MSN/Live Messenger
It pretends that the link is pointing to a video that requires a special codec for viewing. However, the codec is actually a copy of the worm.
Payload
Modifies settings
Worm:Win32/Slenfbot.AKD may try to stop the following services and then configure them to start manually:
It may also change the start page of Internet Explorer to a certain webpage.
Terminates processes
Worm:Win32/Slenfbot.AKD may attempt to terminate the following process:
Connects to an IRC server
Worm:Win32/Slenfbot.AKD may connect to certain Internet Relay Chat (IRC) servers to receive additional commands to perform on the computer. One server it is known to connect to is the following:
142.45.186.11 via port 1234
Analysis by Daniel Radu