Backdoor:Win32/Mocbot.AF is an IRC trojan that connects to an IRC channel and awaits commands from remote attackers. When instructed, Backdoor:Win32/Mocbot.AF begins searching the local network for systems which have not yet applied the Microsoft Windows Server service security patch described in Microsoft Security Bulletin MS08-067. The trojan also includes the ability to send messages via AOL Instant Messenger (AIM) and ICQ.
Installation
When run, Backdoor:Win32/Mocbot.AF drops a copy of itself as "<system folder>\drivers\servics.exe". The registry is modified to run the dropped copy at each Windows start. In the wild, this trojan may be present as "servics.exe" or "svchost.exe".
Creates value: "servics.exe"
With data: "<system folder>\drivers\servics.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Payload
Alters Security Settings
This trojan may make numerous registry data modifications that result in changing security settings and disabling some security features, including the following:
- Disables Windows Task Manager
Modifies value: "DisableTaskMgr"
With data: "1"
To subkey: HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System
Modifies value: "DisableTaskMgr"
With data: "1"
To subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
- Disables Update Alerts within Microsoft Security Center
Modifies value: "UpdatesDisableNotify"
With data: "1"
To subkey: HKLM\SOFTWARE\Microsoft\Security Center
- Disables Windows Firewall
Modifies value: "EnableFirewall"
With data: "0"
To subkey: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
Modifies value: "EnableFirewall"
With data: "0"
To subkey: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
- Disables Windows Automatic Updates
Modifies value: "AUOptions"
With data: "1"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update
- Disables Windows Security Center, Telnet Server, Remote Registry and Windows Messenger services
Modifies value: "Start"
With data: "4"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Modifies value: "Start"
With data: "4"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Modifies value: "Start"
With data: "4"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Modifies value: "Start"
With data: "4"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\Messenger
- Disallows enumeration of SAM accounts and names
Modifies value: "restrictanonymous"
With data: "1"
To subkey: HKLM\SYSTEM\CurrentControlSet\Control\Lsa
- Disables viewing of available Windows shares
Modifies value: "AutoShareWks"
With data: "0"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
Modifies value: "AutoShareWks"
With data: "0"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
- Blocks all DCOM traffic
Modifies value: "EnableDCOM"
With data: "n"
To subkey: HKLM\Software\Microsoft\OLE
- Turns off infection reporting by the Microsoft Malicious Software Removal Tool (MRT)
Modifies value: "DontReportInfectionInformation"
With data: "1"
To subkey: HKLM\SOFTWARE\Policies\Microsoft\MRT
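The following PowerShell script is an added example, not code from the Microsoft encyclopedia entry: it performs a read-only audit of a Windows host for the persistence entry described under Installation and for the registry tampering listed above. It assumes an elevated PowerShell session on the host under review and that "<system folder>" is System32; the script name and the wording of each finding are the editor's own.

```powershell
# Added example (not part of the encyclopedia entry): read-only audit for the
# Backdoor:Win32/Mocbot.AF persistence entry and security-setting tampering.
# Assumes an elevated PowerShell session on the host being checked.

# HKEY_USERS is not exposed as a drive by default; map it so HKU\.DEFAULT can be read.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# Each check: registry path, value name, and the data the trojan writes.
# Bad = $null means the mere presence of the value is a finding (the Run key entry).
$Checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'servics.exe'; Bad = $null; What = 'Run-key persistence entry' }
    @{ Path = 'HKU:\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr'; Bad = 1; What = 'Task Manager disabled (default profile)' }
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr'; Bad = 1; What = 'Task Manager disabled (current user)' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'UpdatesDisableNotify'; Bad = 1; What = 'Security Center update alerts disabled' }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'; Name = 'EnableFirewall'; Bad = 0; What = 'Windows Firewall disabled by policy (domain profile)' }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile'; Name = 'EnableFirewall'; Bad = 0; What = 'Windows Firewall disabled by policy (standard profile)' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'; Name = 'AUOptions'; Bad = 1; What = 'Automatic Updates disabled' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'restrictanonymous'; Bad = 1; What = 'Anonymous SAM enumeration restricted' }
    @{ Path = 'HKLM:\Software\Microsoft\OLE'; Name = 'EnableDCOM'; Bad = 'n'; What = 'DCOM disabled' }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\MRT'; Name = 'DontReportInfectionInformation'; Bad = 1; What = 'MRT infection reporting disabled' }
)
foreach ($svc in 'wscsvc', 'TlntSvr', 'RemoteRegistry', 'Messenger') {
    $Checks += @{ Path = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"; Name = 'Start'; Bad = 4; What = "$svc service start type set to Disabled" }
}
foreach ($lm in 'lanmanserver', 'lanmanworkstation') {
    $Checks += @{ Path = "HKLM:\SYSTEM\CurrentControlSet\Services\$lm\parameters"; Name = 'AutoShareWks'; Bad = 0; What = "Administrative shares disabled ($lm)" }
}

# Evaluate every check; a missing key or value is simply not a finding.
$Findings = @(foreach ($c in $Checks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }
    $data = $item | Select-Object -ExpandProperty $c.Name
    # Compare as strings so REG_DWORD 1 and REG_SZ "1" match alike; -eq is case-insensitive.
    if ($null -eq $c.Bad -or "$data" -eq "$($c.Bad)") {
        [pscustomobject]@{ Finding = $c.What; Path = $c.Path; Name = $c.Name; Data = $data }
    }
})

# The dropped copy lives in <system folder>\drivers; System32 is assumed as the system folder.
$Dropped = Join-Path $env:SystemRoot 'System32\drivers\servics.exe'
if (Test-Path -LiteralPath $Dropped) {
    $Findings += [pscustomobject]@{ Finding = 'Dropped file present'; Path = $Dropped; Name = ''; Data = (Get-Item -LiteralPath $Dropped).Length }
}

if ($Findings.Count -eq 0) {
    'No Backdoor:Win32/Mocbot.AF indicators found.'
} else {
    $Findings | Format-Table -AutoSize
}
```

Save the script as a .ps1 file and run it from an elevated prompt. Treat the Run-key value named "servics.exe" and the dropped file as the specific indicators; restrictanonymous=1, AutoShareWks=0 and disabled Telnet, Remote Registry or Messenger services are also applied deliberately by many hardening baselines, so a hit on those lines alone corroborates an infection rather than confirming one. A host that shows the persistence entry together with the firewall, Automatic Updates and Security Center changes should be isolated from the network and fully remediated, because the trojan's propagation relies on unpatched neighbours.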
Creates Backdoor
Connects to predefined IRC channels and awaits commands, which can include the ability to execute programs, download additional malicious software or updates, send system information to the attacker, conduct DoS attacks, send messages via AIM/ICQ, or exploit other systems.
When instructed, Backdoor:Win32/Mocbot.AF begins searching the local network for systems which have not yet applied the Microsoft Windows Server service security patch described in Microsoft Security Bulletin MS08-067. Vulnerable systems that are discovered are exploited in order to run a copy of Backdoor:Win32/Mocbot.AF, thereby repeating the infection process.
The exploit code used by Backdoor:Win32/Mocbot.AF targets unpatched systems. Backdoor:Win32/Mocbot.AF could also arrive on a system by other means; for example, attackers could send the trojan as an attachment to an e-mail, or send a link to the infected file via e-mail or instant messaging.
Analysis by Cristian Craioveanu