Worm:Win32/Slenfbot.YT is a worm that can spread via MSN Messenger, and may spread via removable drives. The worm also contains backdoor functionality that allows unauthorized access to an affected machine. This worm does not spread automatically upon installation, but must be ordered to spread by a remote attacker.
Installation
When executed, Worm:Win32/Slenfbot.YT copies itself to the <system folder> as "windowslivemsn.exe" and sets the attributes for this copy to read only, hidden and system.
Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.
It modifies the registry to run this copy at each Windows start:
Adds value: "Windows Messenger Live Startup"
With data: "windowslivemsn.exe"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
The worm makes a further registry modification that causes the copy of the worm that was executed originally to be deleted when the system restarts:
Sets value: "PendingFileRenameOperations"
With data: "<original malware executable>"
Under key: HKLM\System\CurrentControlSet\Control\Session Manager
However, it also runs "cmd.exe /c del <original malware executable> nul" to immediately delete the original copy of the worm.
When first run, the worm checks if Messenger is running by looking for a Window with the class name "MSBLWindowClass". If it finds this window, it displays the following fake error message:
Most variants of Win32/Slenfbot inject code into Explorer's process which effectively causes the worm file to be “locked” by Explorer. The injected code opens the worm's file with "read" sharing mode to prohibit other processes from writing to or deleting the file. The injected code also checks for the existence of the worm's mutex every 10 seconds. If the mutex does not exist, it assumes the worm process has been terminated and attempts to run it again.
Spreads Via…
MSN Messenger
This worm can be ordered to spread via Messenger by a remote attacker using the worm's backdoor functionality (see Payload below for additional detail). When the attacker orders the worm to spread via MSN Messenger, they must provide the following three parameters:
-
A URL containing a list of possible messages to send, along with the worm itself, to MSN Messenger contacts. The worm chooses from this list at random.
-
A file name for a ZIP archive. The worm creates a ZIP archive containing a copy of itself in the temporary folder with this name. The worm sends this ZIP archive to MSN Messenger contacts.
-
A file name for the worm's executable inside the ZIP archive.
Removable Drives
Worm:Win32/Slenfbot may attempt to spread via removable drives, except drives A and B. It does this by creating a directory called RECYCLER in the root of the removable drive. In then creates another directory underneath that with a name such as S-1-6-21-1257894210-1075856346-012573477-2315. The worm copies itself into this directory, with a file name such as “folderopen.exe”. For example:
E:\RECYCLER\S-1-6-21-1257894210-1075856346-012573477-2315\folderopen.exe
The worm also creates an autorun.inf file in the root directory of the drive in order to launch the worm if, for example, the drive is connected to another machine.
The worm sets the hidden and system attributes for all of the aforementioned directories and files.
Note: Due to a bug, Slenfbot may only create one directory rather than two, such as:
E:\RECYCLERS-1-6-21-1257894210-1075856346-012573477-2315\folderopen.exe
Payload
Backdoor Functionality: TCP Port 34091
Slenfbot.YT attempts to connect to an IRC server at hiroshima.japancorporation.info via TCP port 34091, join a channel and wait for commands. Using this backdoor, an attacker can perform the following actions on an affected machine:
When the attacker orders the worm to send an arbitrary file via MSN Messenger, they must provide all of the parameters used when spreading via Messenger, plus a fourth:
Modifies Hosts File
Slenfbot replaces <system folder>\drivers\etc\hosts with a file that contains the following:
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample LMHOSTS file used by the Microsoft TCP/IP for Windows.
#
This text is followed by 90 blank lines, presumably to make the file appear empty on casual inspection. After the blank lines it writes several entries to direct the following anti-virus and security related domains to localhost (127.0.0.1):
bbs.360safe.com
blog.hispasec.com
blog.threatfire.com
customer.symantec.com
discussions.virtualdr.com
download.mcafee.com
file.ikaka.com
forum.piriform.com
forum.securitycadets.com
forum.tweaks.com
forums.techguy.org
guru0.grisoft.cz
guru1.grisoft.cz
guru2.grisoft.cz
guru3.grisoft.cz
guru4.grisoft.cz
guru5.grisoft.cz
hjt-data.trend-braintree.com
hjt.networktechs.com
liveupdate.symantec.com
liveupdate.symantecliveupdate.com
mast.mcafee.com
scanner.virus.org
secubox.aldria.com
securityresponse.symantec.com
update.symantec.com
updates.symantec.com
virscan.org
www.2-spyware.com
www.360.cn
www.analysis.seclab.tuwien.ac.at
www.antivir.es
www.antivirus.about.com
www.antivirus.comodo.com
www.auditmypc.com
www.avast.com
www.avg-antivirus.net
www.avira.com
www.avp.com
www.bitdefender.com
www.bleedingthreats.net
www.bleepingcomputer.com
www.ca.com
www.castlecops.com
www.clamav.net
www.clamwin.com
www.computing.net
www.csrrt.org
www.cwsandbox.org
www.daniweb.com
www.download.f-secure.com
www.eradicatespyware.net
www.eset.com
www.experts-exchange.com
www.f-prot.com
www.f-secure.com
www.firewallguide.com
www.forospyware.com
www.fortiguardcenter.com
www.fortinet.com
www.forums.majorgeeks.com
www.free-av.com
www.free.avg.com
www.free.grisoft.com
www.freespywareremoval.info
www.futurenow.bitdefender.com
www.geekstogo.com
www.grisoft.com
www.hijackthis.de
www.housecall.trendmicro.com
www.ikarus.net
www.infosecpodcast.com
www.kaspersky-labs.com
www.kaspersky.com
www.majorgeeks.com
www.mcafee.com
www.Merijn.org
www.net-security.org
www.networkworld.com
www.norman.com
www.offensivecomputing.net
www.onlinescan.avast.com
www.pandasecurity.com
www.pantip.com
www.pchell.com
www.pctools.com
www.prevx.com
www.research.sunbelt-software.com
www.safer-networking.org
www.sandboxie.com
www.siteadvisor.com
www.soccersuck.com
www.sophos.com
www.spyany.com
www.spybot.info
www.spywaredb.com
www.spywareinfo.com
www.spywareterminator.com
www.symantec.com
www.techimo.com
www.techspot.com
www.techsupportforum.com
www.thecomputerpitstop.com
www.threatexpert.com
www.trendmicro.com
www.trendsecure.com
www.tweaksforgeeks.com
www.viruschief.com
www.virusinfo.prevx.com
www.viruslist.com
www.virusspy.com
www.virustotal.com
www.webphand.com
www.whatthetech.com
www.wilderssecurity.com
zhidao.baidu.com
Deletes Files
When first executed, Slenfbot runs the following commands:
CMD /C del /F /S /Q *.zip
CMD /C del /F /S /Q *.com
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com
These commands will delete files names named *.zip and *.com in the current directory and the user's "Received Files" directory, the location where Windows Messenger, by default, stores files it downloads. The intention of this is obviously to delete the original copy of the worm that was received via Messenger.
Modifies System Settings
Slenfbot deletes the following registry keys (and any subkeys and values they contain):
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network
It also makes the following registry modifications:
Sets value: "Disabletaskmgr"
With data: "1"
Under key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "DisableSR"
With data: "1"
Under key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
Sets value: "DisableConfig"
With data: "1"
Under key: HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
Sets value: "Disableregistrytools"
With data: "1"
Under key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "NoClose"
With data:"1"
Under key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
Sets value: "Start"
With data: "4"
Under key: HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Terminates Processes
Slenfbot may terminate the following processes on an affected machine:
123.COM
123.EXE
360HOTFIX.EXE
360RPT.EXE
360SAFE.EXE
360TRAY.EXE
A2HIJACKFREESETUP.EXE
ACAAS.EXE
ACAEGMGR.EXE
ACAIS.EXE
ACALS.EXE
AFMAIN.EXE
AHNSDSV.EXE
ALERTMAN.EXE
ALMON.EXE
ALSVC.EXE
APM.EXE
APORTS.EXE
APT.EXE
ASHMAISV.EXE
ASHSERV.EXE
ASHWEBSV.EXE
ASVIEWER.EXE
ASWCLNR.EXE
ASWUPDSV.EXE
AUTORUNS.EXE
AVENGER.EXE
AVGARKT.EXE
AVGSCANX.EXE
AVGUARD.EXE
AVGUI.EXE
AVGUPD.EXE
AVGWDSVC.EXE
AVIRARKD.EXE
BC5CA6A.EXE
BDAGENT.EXE
BDSS.EXE
BOXMOD.EXE
CATCHME.EXE
CCENTER.EXE
CF9409.EXE
COMBOFIX.EXE
CPORTS.EXE
CPROCESS.EXE
DARKSPY105.EXE
DELAYDELFILE.EXE
DLLCOMPARE.EXE
DRWEB32W.EXE
DRWEBSCD.EXE
DUBATOOL_AV_KILLER.EXE
EULALYZERSETUP.EXE
F-PROT.EXE
F-PROT95.EXE
F-STOPW.EXE
FAMEH32.EXE
FAST.EXE
FCH32.EXE
FIH32.EXE
FILEALYZ.EXE
FILEFIND.EXE
FIXPATH.EXE
FNRB32.EXE
FOLDERCURE.EXE
FP-WIN.EXE
FPORT.EXE
FPROT.EXE
FSAA.EXE
FSAV.EXE
FSAV32.EXE
FSAV530STBYB.EXE
FSAV530WTBYB.EXE
FSAV95.EXE
FSB.EXE
FSBL.EXE
FSGK32.EXE
FSM32.EXE
FSMA32.EXE
FSMB32.EXE
GMER.EXE
HACKMON.EXE
HELIOS.EXE
HIJACKTHIS.EXE
HOOKANLZ.EXE
HOSTSFILEREADER.EXE
ICESWORD.EXE
IEFIX.EXE
INSTALLWATCHPRO25.EXE
KAKASETUPV6.EXE
KAV.EXE
KAVSVC.EXE
KILLAUTOPLUS.EXE
KILLBOX.EXE
LIVESRV.EXE
LORDPE.EXE
MAKEREPORT.EXE
MCAGENT.EXE
MCSHIELD.EXE
MCUPDATE.EXE
MCVSRTE.EXE
MCVSSHLD.EXE
MSASCUI.EXE
MSCONFIG.EXE
MSMPENG.EXE
MSNFIX.EXE
MYPHOTOKILLER.EXE
NETALYZ.EXE
NETSTAT.EXE
NMAIN.EXE
NOD32.EXE
NOD32CC.EXE
NOD32KRN.EXE
NOD32KUI.EXE
NOD32M2.EXE
OBJMONSETUP.EXE
OLLYDBG.EXE
PAVARK.EXE
PCTSAUXS.EXE
PCTSGUI.EXE
PCTSSVC.EXE
PCTSTRAY.EXE
PG2.EXE
PGSETUP.EXE
PORTDETECTIVE.EXE
PORTMONITOR.EXE
PROCDUMP.EXE
PROCESSMONITOR.EXE
PROCEXP.EXE
PROCMON.EXE
PROJECTWHOISINSTALLER.EXE
PSKILL.EXE
RAV.EXE
RAVLITE.EXE
RAVMOND.EXE
RAVTASK.EXE
REANIMATOR.EXE
REG.EXE
REGALYZ.EXE
REGCOOL.EXE
REGEDIT.EXE
REGISTRAR_LITE.EXE
REGSCANNER.EXE
REGSHOT.EXE
REGX2.EXE
RKD.EXE
ROOTALYZER.EXE
ROOTKITBUSTER.EXE
ROOTKITNO.EXE
ROOTKITREVEALER.EXE
ROOTKIT_DETECTIVE.EXE
RTVSCAN.EXE
SAVADMINSERVICE.EXE
SAVSERVICE.EXE
SCFMANAGER.EXE
SCFSERVICE.EXE
SCHED.EXE
SDFIX.EXE
SEEM.EXE
SPF.EXE
SPIDERML.EXE
SPIDERNT.EXE
SPIDERUI.EXE
SPYBOTSD.EXE
SPYBOTSD160.EXE
SRENGLDR.EXE
SRENGPS.EXE
STARTDRECK.EXE
SUPERKILLER.EXE
SYSANALYZER_SETUP.EXE
TASKKILL.EXE
TASKLIST.EXE
TASKMAN.EXE
TASKMGR.EXE
TASKMON.EXE
TCPVIEW.EXE
TEATIMER.EXE
UISCAN.EXE
ULIBCFG.EXE
UNHACKME.EXE
UNIEXTRACT.EXE
UNLOCKER1.8.7.EXE
VSMON.EXE
VSSERV.EXE
WIRESHARK.EXE
WITSETUP.EXE
XCOMMSVR.EXE
ZLCLIENT.EXE
Uses Stealth
Slenfbot is also capable of hiding its process from Task Manager.
Analysis by Hamish O'Dea
