Worm:Win32/Slenfbot.AJM is a worm that can spread via MSN Messenger, Yahoo Messenger or Skype, via removable drives, or by exploiting the MS06-040 vulnerability. Spreading via removable drives needs no instruction, but the worm only spreads via instant messaging programs or the exploit when ordered to do so by a remote attacker. The worm also contains backdoor functionality that allows unauthorized access to an affected machine.
Installation
When executed, Worm:Win32/Slenfbot.AJM copies itself to <system folder>\wmipsvtm.exe and sets the read-only, hidden and system attributes on this copy. It then modifies the registry as follows: it registers itself under Image File Execution Options as the debugger for the clean system file ctfmon.exe, so that whenever ctfmon.exe is started Windows runs wmipsvtm.exe instead (passing the original ctfmon.exe command line to it), and it adds a Run entry for ctfmon.exe so that this happens on system startup, thus launching the malware. Because the Debugger value is a bare file name rather than a full path, it is resolved through the normal executable search path, which includes the system folder:
Under key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adds value: "ctfmon.exe"
With Data: "ctfmon.exe"
Under key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe
Adds value: "Debugger"
With Data: "wmipsvtm.exe"
Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.
It deletes the original copy of the worm after the new copy is launched.
If run from a removable drive, the worm may launch a copy of Windows Explorer showing the contents of the drive.
When first run, Slenfbot.AJM checks the affected system for mutexes of “V8x” and “S3xY!” and will delete itself if either is present. It also creates its own mutex of “muipcdraotse” to ensure that no more than one copy can run at a time.
Slenfbot.AJM injects a thread into explorer.exe that periodically checks for the existence of the file at <system folder>\wmipsvtm.exe. If the file has been removed, it downloads a new copy from backup.wants0m3mor3.com and launches this copy. This thread creates a mutex of “S3xY!”, so if the worm is launched while the thread is running, it will delete itself, and the thread will automatically download an update.
Spreads via…
Instant messaging
A remote attacker can order the worm, through its backdoor functionality (see Payload below), to spread via MSN Messenger, Yahoo Messenger and Skype. The command must carry the following three parameters:
A URL pointing to a list of candidate messages. The worm picks a message from this list at random and sends it, together with a copy of itself, to MSN Messenger contacts.
A file name for a ZIP archive. The worm creates a ZIP archive with this name in the temporary folder, containing a copy of itself, and sends that archive to MSN Messenger contacts.
A file name for the worm's executable inside the ZIP archive.
Removable drives
Worm:Win32/Slenfbot.AJM may attempt to spread via removable drives, except drives A and B. It does this by creating a directory called ~secure in the root of the removable drive. The worm downloads an updated version of itself from spd.wants0m3mor3.com and saves it to the directory with a file name of “4568454.exe”.
The worm also creates an autorun.inf file in the root directory of the drive in order to launch the new copy if, for example, the drive is connected to another machine. This inf file may be several hundred kilobytes in size, and mostly padded by comments containing random data.
The worm sets the hidden and system attributes for all of the aforementioned directories and files.
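The padded autorun.inf described above is easy to triage programmatically. The following Python script is an added example for this page, not code from the original advisory or from the worm: it parses the file the way Windows does, ignoring ';' comment lines, reports how much of the file is comment padding, and lists which launch keys point at an executable or at a leading-tilde directory such as ~secure. The sample file it builds is constructed here; the "action" label, the padding size and the random-data alphabet are assumptions modelled on the description, not bytes taken from the worm.

```python
"""Parse a padded autorun.inf and flag what it would launch.

Added example, not code from the original advisory. Comment lines (';')
are skipped for content but counted by size, so a file that is mostly
padding stands out; launch keys pointing at an .exe or a ~directory are
reported. The sample below is constructed here.
"""
import random
import string
from typing import Dict, List, Tuple

# autorun.inf keys that cause something to run on insert / AutoPlay / double-click.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")


def parse_autorun(text: str) -> Tuple[Dict[str, Dict[str, str]], int, int]:
    """Return ({section: {key: value}}, comment_bytes, total_bytes).

    Sections and keys are lower-cased (the format is case-insensitive).
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    comment_bytes = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";"):
            comment_bytes += len(raw) + 1  # +1 for the line break (approximate for CRLF)
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections, comment_bytes, len(text)


def triage_autorun(text: str, padding_ratio: float = 0.9,
                   min_size: int = 64 * 1024) -> Dict[str, object]:
    """Summarise launch targets and padding; findings is empty for a benign file."""
    sections, comment_bytes, total = parse_autorun(text)
    targets = {k: v for k, v in sections.get("autorun", {}).items() if k in LAUNCH_KEYS}
    findings: List[str] = []
    for key, target in targets.items():
        t = target.strip('"').lower()
        # A launch target in a leading-tilde directory (the worm uses ~secure)
        # or any executable on a removable drive deserves a closer look.
        if t.startswith("~") or t.endswith(".exe"):
            findings.append(f"{key} launches {target}")
    if total >= min_size and comment_bytes / max(total, 1) >= padding_ratio:
        findings.append(f"{comment_bytes} of {total} bytes are comment padding")
    return {"targets": targets, "comment_bytes": comment_bytes,
            "total_bytes": total, "findings": findings}


def build_padded_sample(seed: int = 1, padding_lines: int = 3000) -> str:
    """Constructed sample: the real keys buried between comment lines of random data.
    The 'action' label is an assumption; the file name and directory are from the advisory."""
    rng = random.Random(seed)
    alphabet = string.ascii_letters + string.digits

    def junk() -> str:
        return ";" + "".join(rng.choice(alphabet) for _ in range(rng.randint(40, 120)))

    half = padding_lines // 2
    lines = [junk() for _ in range(half)]
    lines += ["[autorun]",
              "open=~secure\\4568454.exe",
              "shellexecute=~secure\\4568454.exe",
              "action=Open folder to view files"]
    lines += [junk() for _ in range(padding_lines - half)]
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    for finding in triage_autorun(build_padded_sample())["findings"]:
        print(finding)
```

The padding check uses a ratio rather than an absolute size because a legitimate autorun.inf is a few hundred bytes at most; anything past 64 KB that is almost entirely comments is worth pulling for analysis regardless of what the launch keys say.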
Exploit
When commanded to do so, Slenfbot.AJM scans for systems vulnerable to exploit of MS06-040, and will attempt to spread to any of these that it finds.
Payload
Allows backdoor access and control
Slenfbot.AJM attempts to connect to a server chosen from the list below:
ns89.nastysurfboards.net
ns94.nastysurfboards.net
ns101.surfthewavesinc.net
ns115.surfthewavesinc.net
ns133.surfingsuppliesco.net
ns146.radsurfingsupply.net
ns154.radsurfingsupply.net
ns168.saveitallbaby.com
ns175.saveitallbaby.com
ns189.savehugedaily.com
ns192.savehugedaily.com
ns196.magicsavings4all.com
ns207.magicsavings4all.com
ns219.thesavemachine.com
ns227.thesavemachine.com
ns238.jazibmahmoud.com
ns243.jazibmahmoud.com
ns255.gerbertnsvinkle.com
ns261.gerbertnsvinkle.com
ns272.grudvenauctionhouse.net
ns283.grudvenauctionhouse
ns308.twnameservers.net
ns313.twnameservers.net
ns294.jpnicregistrar.com
ns236.jpnicregistrar.com
ns328.hotornot-tw.com
ns333.hotornot-tw.com
ns345.romanianxportsvc.com
ns352.romanianxportsvc.com
ns339.l3tsfuck1ts3xy.su
ns341.l3tsfuck1ts3xy.su
It connects to the chosen server over IRC, joins a channel and waits for commands. Using this backdoor, an attacker can perform the following actions on an affected machine:
remove itself
join another IRC channel
download and execute arbitrary files
spread via instant messaging programs
send arbitrary files via instant messaging programs
When the attacker orders the worm to send an arbitrary file via an instant messaging program, they must provide all of the parameters used when spreading, plus a fourth:
Modifies hosts file
Slenfbot.AJM replaces <system folder>\drivers\etc\hosts with a file that contains the following:
# Copyright (c) 1993-2010 Microsoft Corp.
#
# This is a sample HOSTS file used by the Microsoft TCP/IP for Windows.
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
This text is followed by 90 blank lines, presumably so that the file appears to end there on casual inspection. After the blank lines it writes entries that direct the following anti-virus and security-related domains to a random IP address, thereby blocking access to them. The entries are interspersed with comment lines beginning with # and containing large amounts of random data.
13iii.com
acs.pandasoftware.com
acs.pandasoftware.com
ad-aware-se.uptodown.com
ad.harrenmedianetwork.com
ad13.geekstogo.com
aknow.prevx.com
alerta-antivirus.inteco.es
alerta-antivirus.inteco.es
alerta-antivirus.red.es
alfrasha.maktoob.com
andymanchesta.com
andymanchesta.com
anggiawan.web.id
angui123.cn
answers.yahoo.com
anti-virus-software-review.toptenreviews.com
antitrick.com
antonbi.web.id
ar.answers.yahoo.com
ariefew.com
artsoftdesign.com
atazita.blogspot.com
avast-home.uptodown.com
avg.vo.llnwd.net
ba-k.com
baike.360.cn
baike.360.com
banes-pages.blogspot.com
bb1.th3kings.net
bbs.360safe.cn
bbs.360safe.cn
bbs.360safe.com
bbs.360safe.com
bbs.cfan.com.cn
bbs.duba.net
bbs.ikaka.com
bbs.kafan.cn
bbs.kafan.com
bbs.kaspersky.com.cn
bbs.kpfans.com
bbs.s-sos.net
bbs.taisha.org
bbs.winzheng.com
beniono.wordpress.com
beta.eset.com
bisnismudahsaja.blogspot.com
blog.hispasec.com
blog.rnsafe.com
blog.threatfire.com
blogs.icerocket.com
blokvesti.net
board.protecus.de
board.softpedia.com
boardreader.com
bokwer.com
bub.th3kings.net
ca.answers.yahoo.com
cairopt.net
cairopt.net
cert.inteco.es
changelog.fr
cit.kookmin.ac.kr
club.myce.com
cmmings.cn
codehard.wordpress.com
cofradia.org
community.mcafee.com
community.norton.com
community.thaiware.com
community.thaiware.com
comprolive.com
comprolive.vox.com
computadoras.migold.com
comunidad.wilkinsonpc.com.co
customer.symantec.com
danielorza.net
darkzone.in.th
debates.motos.net
deckard.geekstogo.com
destavision-forum.com
devbuilds.kaspersky-labs.com
devirusare.com
diamondcs.com.au
discussions.virtualdr.com
dl.360safe.com
dl2.agnitum.com
dlpe.antivir.com
dnl-eu8.kaspersky-labs.com
down.360safe.cn
down.360safe.com
down.www.kingsoft.com
download.bleepingcomputer.com
download.bleepingcomputer.com
download.eset.com
download.f-secure.com
download.mcafee.com
download.microsoft.com
download.nai.com
download.sysinternals.com
download.zonealarm.com
downloads.andymanchesta.com
downloads.malwarebytes.org
downloads.novirusthanks.org
downloads.sophos.com
dr-web-cureit.softonic.com
egavisa.blogspot.com
es.answers.yahoo.com
es.answers.yahoo.com
es.kioskea.net
es.kioskea.net
es.mcafee.com
es.trendmicro-europe.com
es.wasalive.com
es.wasalive.com
esetnod32antivirus.blogspot.com
espanol.answers.yahoo.com
espanol.dir.groups.yahoo.com
espanol.groups.yahoo.com
fgp.e2doo.com
fgsite.com
file.ikaka.cn
file.ikaka.com
files.filefont.com
fineartschance.com
fixmyim.com
foro.el-hacker.com
foro.elhacker.net
foro.elhacker.net
foro.ethek.com
foro.infiernohacker.com
foro.msgpluslive.es
foro.noticias3d.com
foro.portalhacker.net
foros.3dgames.com.ar
foros.abcdatos.com
foros.mcanime.net
foros.softonic.com
foros.softonic.com
foros.toxico-pc.com
foros.zonavirus.com
forospyware.com
forum.aiutamici.com
forum.antivir-pe.de
forum.antivirus365.net
forum.avast.com
forum.avira.com
forum.avira.de
forum.bullguard.com
forum.bullguard.com
forum.burek.com
forum.chip.de
forum.clubedohardware.com.br
forum.clubedohardware.com.br
forum.dobreprogramy.pl
forum.drweb.com
forum.gsmhosting.com
forum.hardware.fr
forum.hijackthis.de
forum.hocit.com
forum.hocit.com
forum.kaspersky.com
forum.kaspersky.com
forum.kasperskyclub.com
forum.lowyat.net
forum.lrytas.lt
forum.malekal.com
forum.p30world.com
forum.piriform.com
forum.programosy.pl
forum.romeonet.ro
forum.securitycadets.com
forum.skype.com
forum.smadav.net
forum.smadav.net
forum.smadav.net
forum.softpedia.com
forum.swzone.it
forum.sysinternals.com
forum.telecharger.01net.com
forum.telecharger.01net.com
forum.torrents.ro
forum.tweaks.com
forum.zazana.com
forum.zebulon.fr
forums.afterdawn.com
forums.avg.com
forums.cnet.com
forums.comodo.com
forums.devshed.com
forums.eternion-wow.com
forums.maddoktor2.com
forums.malwarebytes.org
forums.overclockzone.com
forums.techguy.org
forums.techguy.org
forums.whatthetech.com
forums.whatthetech.com
forums.zonealarm.com
free.antivirus.com
free.avg.com
front.prevx.com
ftp.drweb.com
ftp.drweb.com
ftp.drweb.com
ftp.f-secure.com
ftp.pcpitstop.com
ftp01net.telechargement.fr
golpe.dyndns.org
gotoknow.org
greatis.com
gulaley.blogspot.com
guru.avg.com
guru0.grisoft.cz
guru1.grisoft.cz
guru2.grisoft.cz
guru3.grisoft.cz
guru4.grisoft.cz
guru5.grisoft.cz
hana-ahmad.blogspot.com
harrenmedianetwork.com
heavenward.ru
hi.baidu.com
hijackthis.download3000.com
hjt-data.trend-braintree.com
hjt.networktechs.com
housecall.trendmicro.com
housecall65.trendmicro.com
images.malwareremoval.com
in.answers.yahoo.com
info.prevx.com
inspiresoft.blogspot.com
irc.ekizmedia.com
irc.evoporn.com
irc.snahosting.net
it.answers.yahoo.com
justfane.blogspot.com
k2r.th3kings.net
kaba.360.cn
kaba.360.com
kaspersky.com
kb.eset.com
kr.ahnlab.com
ladooscuro.es
lexikon.ikarus.at
linhadefensiva.uol.com.br
liveupdate.symantec.com
liveupdate.symantecliveupdate.com
lurker.clamav.net
mailcenter.rising.com
mailcenter.rising.com.cn
majorgeeks.com
malekal.com
malwarebytes-anti-malware.softonic.com
malwarebytes.org
mast.mcafee.com
melcy.wordpress.com
mks.com.pl
modelayu.com
msncleaner.softonic.com
msnfix.changelog.fr
msntubers.freehostia.com
mustlovewine.com
mvps.org
mx.answers.yahoo.com
mx.answers.yahoo.com
mx.answers.yahoo.com
myantispyware.com
new.taringa.net
news.support.veritas.com
nitroamd.spaces.live.com
nod32-antivirus.en.softonic.co
ntfaq.co.kr
oldtimer.geekstogo.com
onecare.live.com
oolbar.cyberdefender.com
ot-indo.blogspot.com
p3dev.taringa.net
pastebin.com
pcvids.wordpress.com
pogonyuto.forospanish.com
poolcoversite.com
positiveroot.wordpress.com
psychoski.blogspot.com
quickscan.bitdefender.com
rareartonline.com
regfixerror.pctools.revenuewire.net
research.pandasecurity.com
research.sunbelt-software.com
rootrepeal.googlepages.com
rootrepeal.psikotick.com
sabithpocker.blogspot.com
safecomputing.umn.edu
samroeng.hi5.com
sapcupgrades.com
scanner.virus.org
search.mcafee.com
secubox.aldria.com
secunia.com
secure.sophos.com
security.symantec.com
securityresponse.symantec.com
securitywonks.net
service1.symantec.com
sf.tapuz.co.il
share.skype.com
share.skype.com
shield.prevx.com
shitit.net
shop.symantecstore.com
shv4.ath.cx
simplyrudz.blogspot.com
sip4.voipkosovasite.com
sis-admin.blogspot.com
smadaver.com
sniff.runescapetube.com
social.answers.microsoft.com
social.microsoft.com
software-files.download.com
softwaresecuritysolutions.com
solit.us
somostuyyounnuevodiaoficial.obolog.com
sophos.com
sopiansantosa.blogspot.com
sosvirus.changelog.fr
sosvirus.changelog.fr
spywarefiles.prevx.com
spywarehammer.com
static.commentcamarche.net
stdio-labs.blogspot.com
store.norton.com
story.dnsentrymx.com
subs.geekstogo.com
support.emsisoft.com
support.f-secure.com
support.kaspersky.com
swandog46.geekstogo.com
tech.pantip.com
tech.pantip.com
thaicert.nectec.or.th
thailand.itmylike.com
thedudesemo.blogspot.com
thejokerx.blogspot.com
topsy.com
trbotnet.sytes.net
trialware.norton.com
uk.answers.yahoo.com
universomanualidades.foroactivo.com
update.360safe.cn
update.360safe.com
update.symantec.com
updatem.360safe.cn
updatem.360safe.com
upload.changelog.fr
us.mcafee.com
us3.download.comodo.com
us4.download.comodo.com
usa.kaspersky.com
v.dreamwiz.com
vaksin.com
vil.nai.com
vil.nail.com
virscan.org
virusinfo.info
virusinfo.prevx.com
wakoopa.com
wap.elakiri.com
wasteland-bg.com
wenwen.soso.com
whois.domaintools.com
www.2-spyware.com
www.247fixes.com
www.360.cn
www.360.com
www.360safe.cn
www.360safe.com
www.365groups.com
www.4-gsmteam.com
www.51nb.com
www.abgenis.net
www.alabamawomen.org
www.analysis.seclab.tuwien.ac.at
www.antirootkit.com
www.antivir.es
www.antivirus.about.com
www.antivirus.comodo.com
www.arenajunkies.com
www.arswp.com
www.askmehelpdesk.com
www.auditmypc.com
www.avast.com
www.avg-antivirus.net
www.avira.com
www.avp.com
www.avpclub.ddns.info
www.avsoft.ru
www.babooforum.com.br
www.bakunos.com
www.betterantivirus.com
www.bitdefender.com
www.bitdefender.es
www.bleedingthreats.net
www.bleepingcomputer.com
www.blindedbytech.com
www.blogschapines.com
www.bloodzone.net
www.box.net
www.ca.com
www.carigold.com
www.castlecops.com
www.castlecrops.com
www.cddchiangmai.net
www.cddchiangmai.net
www.cfan.com.cn
www.changedetection.com
www.chkrootkit.org
www.cisrt.org
www.clamav.net
www.clamwin.com
www.clubic.com
www.codelain.com
www.com-th.net
www.commentcamarche.net
www.commentcamarche.net
www.computerforum.com
www.computerhilfen.de
www.computing.net
www.configurarequipos.com
www.configurarequipos.com
www.corozilla.net
www.cwsandbox.org
www.cyberdefender.com
www.cybertechhelp.com
www.daboweb.com
www.daniweb.com
www.darkclockers.com
www.dazhizhu.cn
www.decido.de
www.devirusare.com
www.dicasweb.com.br
www.dl4all.com
www.dl4all.com
www.dougknox.com
www.downtr.net
www.drweb.com.es
www.duba.net
www.eeload.com
www.el-hacker.com
www.elakiri.com
www.elektroda.pl
www.elguruinformatico.com
www.elhacker.org
www.elitepvpers.de
www.eliters.com
www.emsisoft.com
www.emsisoft.de
www.eradicatespyware.net
www.eset-la.com
www.eset.com
www.eset.com
www.eset.eu
www.eudict.com
www.ewido.net
www.ewido.net
www.experts-exchange.com
www.f-prot.com
www.f-secure.com
www.faravirusi.com
www.feedage.com
www.file.net
www.fileresearchcenter.com
www.final4ever.com
www.firewallguide.com
www.fixya.com
www.forofantasiasmiguel.com
www.forospanish.com
www.forospyware.com
www.forospyware.es
www.forospyware.es
www.fortiguardcenter.com
www.fortinet.com
www.forum.kaspersky.com
www.forums.majorgeeks.com
www.free-av.com
www.free.avg.com
www.free.grisoft.com
www.freedrweb.com
www.freefixer.com
www.freespywareremoval.info
www.freshwap.net
www.ftw.ro
www.funkytoad.com
www.futurenow.bitdefender.com
www.gamexeon.com
www.geekpolice.net
www.geekstogo.com
www.geekstogo.com
www.gmer.net
www.greatis.com
www.grisoft.com
www.groupwhere.org
www.gsmph.com
www.gsmph.net
www.guiadohardware.net
www.guiadohardware.net
www.gyakorikerdesek.hu
www.gyakorikerdesek.hu
www.hijackthis.de
www.hijackthis.de
www.hotshare.net
www.housecall.trendmicro.com
www.housecall.trendmicro.com
www.huaifai.go.th
www.hvaonline.net
www.identi.es
www.ikaka.cn
www.ikaka.com
www.ikarus.net
www.incodesolutions.com
www.incodesolutions.com
www.indowebster.web.id
www.infos-du-net.com
www.infosecpodcast.com
www.infospyware.com
www.ipaddresser.com
www.ixtorrent.com
www.ixtorrent.com
www.jackbloodforum.com
www.javacoolsoftware.com
www.javacoolsoftware.net
www.jbtalks.cc
www.jiwang.org
www.judj.com
www.jvme.com
www.k7computing.com
www.kaldata.com
www.kaskus.us
www.kaspersky-labs.com
www.kaspersky.com
www.kaspersky.es
www.killtrojan.net
www.kosandpol.elakiri.com
www.krupunmai.com
www.kztechs.com
www.laneros.com
www.latest-virus.com
www.lavasoft.com
www.leforo.com
www.linhadefensiva.org
www.linkmania.ro
www.looktr.com
www.malekal.com
www.malwarebytes.org
www.malwarecrypt.com
www.malwareremoval.com
www.manuelruvalcaba.com
www.manuelruvalcaba.com
www.mcafee.com
www.mcanime.net
www.Merijn.org
www.messengeradictos.com
www.misec.net
www.mostz.com
www.mozilla-hispano.org
www.msnvirusremoval.com
www.mvps.org
www.mxttchina.com
www.mycity.rs
www.mypcsafe.com
www.mypcsafe.com
www.nabble.com
www.net-security.org
www.networkworld.com
www.nhatnghe.com
www.norman.com
www.offensivecomputing.net
www.onlinescan.avast.com
www.oprekpc.com
www.oprekpc.com
www.ozzu.com
www.pandasecurity.com
www.pandasecurity.com
www.pandasecurity.com
www.pantip.com
www.pc1news.com
www.pcentraide.com
www.pcentraide.com
www.pcguide.com
www.pchell.com
www.pchelpforum.com
www.pcsupportadvisor.com
www.pctools.com
www.pcwelt.de
www.pcworld.com
www.personal.psu.edu
www.personalfirewall.comodo.com
www.pinoyden.com
www.pinoyhackers.com
www.pinoytambaygroup.com
www.precisesecurity.com
www.prevx.com
www.protecus.de
www.psicofxp.com
www.quickheal.co.in
www.raymond.cc
www.regrun.com
www.resplendence.com
www.rising.com
www.rising.com.cn
www.rolandovera.com
www.rootkit.com
www.rootkit.nl
www.rss-verzeichnis.de
www.runscanner.net
www.safer-networking.org
www.sandboxie.com
www.securitynewsportal.com
www.securitystronghold.com
www.securitywonks.net
www.sergiwa.com
www.shitit.net
www.siteadvisor.com
www.smokey-services.eu
www.soccersuck.com
www.softonic.com
www.sophos.com
www.spamhaus.org
www.spyany.com
www.spybot.info
www.spybotupdates.com
www.spychecker.com
www.spywarecease.com
www.spywaredb.com
www.spywaredemon.com
www.spywarefri.dk
www.spywareinfo.com
www.spywareremovalblog.com
www.spywareterminator.com
www.sunbeltsecurity.com
www.sunbeltsoftware.com
www.superadblocker.com
www.superantispyware.com
www.superdicas.com.br
www.superdicas.com.br
www.superuser.co.kr
www.symantec.com
www.sysinternals.com
www.sz-pet.com
www.tallemu.com
www.tanya-it.com
www.taringa.net
www.taringa.net
www.techimo.com
www.techspot.com
www.techsupportforum.com
www.techsupportforum.com
www.tecno-soft.com
www.thaicert.org
www.thailandsusu.com
www.thaivisa.com
www.thecomputerpitstop.com
www.thehelper.net
www.thetechguide.com
www.thinkpad.cn
www.threatexpert.com
www.threatexpert.com
www.tongjimba.com
www.tpu.ro
www.trendmicro.com
www.trendsecure.com
www.trendsecure.com
www.trojaner-board.de
www.trucoswindows.es
www.trucoswindows.net
www.tweaksforgeeks.com
www.ulop.net
www.unhackme.com
www.usbcleaner.cn
www.utilidades-utiles.com
www.utilidades-utiles.com
www.velocidadmaxima.com
www.vietcaravan.us
www.viprasys.org
www.virscan.org
www.virus-com.com
www.viruschief.com
www.virusdoctor.jp
www.viruslist.com
www.virusspy.com
www.virusspy.com
www.virustotal.com
www.vivalared.com
www.vsantivirus.com
www.vupen.com
www.webimmune.net
www.webphand.com
www.webroot.com
www.whatthetech.com
www.wikio.es
www.wilderssecurity.com
www.winbots.es
www.windowexe.com
www.windowexe.com
www.worton.com
www.xmarks.com
www.yoreparo.com
www.ziggamza.net
www.zonavirus.com
www.zonavirus.com
www.zonavirus.com
www.zone-it.com
www.zonealarm.com
www.zonealarm.com
www.zyzoom.org
www2.gmer.net
www3.malekal.com
wwww.experts-exchange.com
wwww.mcafee.com
x.360safe.com
yourartmuseum.com
z-oleg.com
zastita.com
zastita.com
zenovy.com
zhidao.baidu.com
zhidao.ikaka.com
zone.arminboutique.com
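A practitioner checking a suspect machine wants to know whether its hosts file shows this pattern: the empty-looking tail after the header, random-data comments, and vendor domains pinned to arbitrary addresses. The Python script below is an added example for this page, not code from the original advisory. The hosts content it scans is constructed here, and its WATCHLIST is a small subset of the domain list above; in practice load the full list.

```python
"""Scan a Windows hosts file for the tampering pattern described above.

Added example, not part of the original advisory. Reports long runs of
blank lines, comment lines that look like random padding rather than text,
and entries that pin security-vendor domains to any address. The sample
hosts content is constructed here; WATCHLIST is a subset of the page's list.
"""
import ipaddress
import math
import random
import string
from collections import Counter
from typing import Dict, List

WATCHLIST = {
    "www.malwarebytes.org", "liveupdate.symantec.com", "download.microsoft.com",
    "www.virustotal.com", "forum.kaspersky.com", "www.bleepingcomputer.com",
}


def shannon_entropy(s: str) -> float:
    """Bits per character: English comment text sits near 4, random base64-like text near 6."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_hosts(text: str, max_blank_run: int = 20,
               entropy_threshold: float = 4.5) -> Dict[str, object]:
    findings: List[str] = []
    redirects: Dict[str, str] = {}
    blank_run = longest_blank = junk_comments = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            blank_run += 1
            longest_blank = max(longest_blank, blank_run)
            continue
        blank_run = 0
        if line.startswith("#"):
            body = line[1:].strip()
            # Genuine comments contain spaces; random padding is one long high-entropy token.
            if len(body) >= 32 and " " not in body and shannon_entropy(body) > entropy_threshold:
                junk_comments += 1
            continue
        fields = line.split("#", 1)[0].split()  # "<ip> <host> [<host>...] [# comment]"
        if len(fields) < 2:
            continue
        ip, hosts = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            findings.append(f"unparsable address {ip!r} on line {line!r}")
            continue
        for host in hosts:
            # Any explicit mapping of a vendor/update domain is suspicious, whatever the address.
            if host.lower() in WATCHLIST:
                redirects[host.lower()] = ip
    if longest_blank > max_blank_run:
        findings.append(f"{longest_blank} consecutive blank lines hide content below the header")
    if junk_comments:
        findings.append(f"{junk_comments} comment lines look like random padding")
    for host, ip in sorted(redirects.items()):
        findings.append(f"{host} is pinned to {ip}")
    return {"findings": findings, "redirects": redirects,
            "longest_blank_run": longest_blank, "junk_comments": junk_comments}


def build_sample_hosts(seed: int = 7) -> str:
    """Constructed sample in the shape described above: header, 90 blank lines,
    then watch-listed domains pointed at random addresses between junk comments."""
    rng = random.Random(seed)
    alphabet = string.ascii_letters + string.digits + "+/"
    lines = ["# Copyright (c) 1993-2010 Microsoft Corp.", "#",
             "# This is a sample HOSTS file used by the Microsoft TCP/IP for Windows.",
             "127.0.0.1       localhost"]
    lines += [""] * 90
    for host in sorted(WATCHLIST):
        lines.append("#" + "".join(rng.choice(alphabet) for _ in range(200)))
        lines.append("%d.%d.%d.%d %s" % (rng.randint(1, 223), rng.randint(0, 255),
                                          rng.randint(0, 255), rng.randint(1, 254), host))
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    for finding in scan_hosts(build_sample_hosts())["findings"]:
        print(finding)
```

The entropy test is deliberately conservative (no spaces, at least 32 characters, above 4.5 bits per character) so that ordinary commented-out entries are not flagged; the blank-line threshold can be lowered, since a clean hosts file rarely has more than one or two consecutive empty lines.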
Deletes files
Slenfbot.AJM deletes files with a .dxt extension from the %appdata% directory.
Modifies system settings
Slenfbot.AJM makes the following registry modifications:
Under key: HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
Sets value: "DisableConfig"
With data: "1"
Under key: HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Sets value: "Start"
With data: "4"
Under key: HKLM\Software\Policies\Microsoft\MRT
Sets value: "DontReportInfectionInformation"
With data: "1"
Under subkey: HKLM\Software\Microsoft\Security Center
Sets value: "AntiVirusOverride"
With data: "1"
Sets value: "AntiVirusDisableNotify"
With data: "1"
Sets value: "FirewallOverride"
With data: "1"
Sets value: "FirewallDisableNotify"
With data: "1"
Under subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
Sets value: "CheckedValue"
With data: "1"
Under subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "Hidden"
With data: "2"
It attempts to disable Data Execution Prevention for its own executable by adding the following application compatibility layer entry:
Under key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
Sets value: "<system folder>\wmipsvtm.exe"
With data: "DisableNXShowUI"
It attempts to give itself access through the Windows Firewall by making the following changes:
Under key: HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Adds value: "C:\WINDOWS\system32\wmipsvtm.exe"
With Data: "C:\WINDOWS\system32\wmipsvtm.exe:*:Enabled:LAN Router"
Under key: HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
Adds value: "C:\WINDOWS\system32\wmipsvtm.exe"
With Data: "C:\WINDOWS\system32\wmipsvtm.exe:*:Enabled:LAN Router"
It periodically rewrites these changes in order to ensure that they have not been removed.
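The registry changes in this section and in Installation above are all visible in a plain export of the affected keys. The Python script below is an added example for this page, not code from the original advisory: it parses the .reg text format written by reg export and reports the IFEO Debugger hijack chained to the ctfmon.exe Run entry, the Security Center and MRT overrides, the disabled wscsvc service, the DisableNXShowUI layer and the firewall authorized-application entries. SAMPLE_REG is constructed here from the values listed in this advisory; the export framing is reg.exe's standard format, and nothing in it was taken from an actual infected system.

```python
"""Flag the registry changes described in this advisory in a .reg export.

Added example, not from the original advisory. Parses the
"Windows Registry Editor Version 5.00" text format (REG_SZ and REG_DWORD
only) and correlates the IFEO Debugger value with the Run entry that
triggers it. SAMPLE_REG is constructed from the advisory's own values.
"""
import re
from typing import Dict, List, Union

Value = Union[str, int]
REG_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')

HKLM = "hkey_local_machine\\"
IFEO = HKLM + "software\\microsoft\\windows nt\\currentversion\\image file execution options\\"
LAYERS = HKLM + "software\\microsoft\\windows nt\\currentversion\\appcompatflags\\layers"
SECURITY_CENTER = HKLM + "software\\microsoft\\security center"
MRT = HKLM + "software\\policies\\microsoft\\mrt"
WSCSVC = HKLM + "system\\currentcontrolset\\services\\wscsvc"
RUN_KEYS = (HKLM + "software\\microsoft\\windows\\currentversion\\run",
            "hkey_current_user\\software\\microsoft\\windows\\currentversion\\run")


def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)  # .reg strings escape \ and " with a backslash


def parse_reg(text: str) -> Dict[str, Dict[str, Value]]:
    """Return {key path: {value name: data}}; paths and names are lower-cased
    because the registry is case-insensitive. hex: values are skipped."""
    keys: Dict[str, Dict[str, Value]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = REG_LINE.match(line)
        if not m or current is None:
            continue
        name = "@" if m.group(1) is None else _unescape(m.group(1)).lower()
        data = m.group(2)
        if data.startswith("dword:"):
            keys[current][name] = int(data[6:], 16)
        elif len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            keys[current][name] = _unescape(data[1:-1])
    return keys


def triage_reg(text: str) -> List[str]:
    keys = parse_reg(text)
    findings: List[str] = []
    debuggers: Dict[str, str] = {}  # hijacked image name -> Debugger value
    for path, values in keys.items():
        if path.startswith(IFEO) and isinstance(values.get("debugger"), str):
            image = path[len(IFEO):]
            debuggers[image] = values["debugger"]
            findings.append(f"IFEO Debugger for {image} -> {values['debugger']}")
    for run in RUN_KEYS:  # a Run entry naming a hijacked image is the persistence chain
        for name, data in keys.get(run, {}).items():
            if isinstance(data, str):
                image = data.strip('"').lower().rsplit("\\", 1)[-1]
                if image in debuggers:
                    findings.append(f"Run value {name!r} starts {image}, which IFEO redirects to {debuggers[image]}")
    sc = keys.get(SECURITY_CENTER, {})
    for v in ("antivirusoverride", "antivirusdisablenotify", "firewalloverride", "firewalldisablenotify"):
        if sc.get(v) == 1:
            findings.append(f"Security Center {v} = 1")
    if keys.get(MRT, {}).get("dontreportinfectioninformation") == 1:
        findings.append("MRT infection reporting disabled")
    if keys.get(WSCSVC, {}).get("start") == 4:
        findings.append("wscsvc (Security Center service) disabled, Start = 4")
    for name, data in keys.get(LAYERS, {}).items():
        if isinstance(data, str) and "disablenx" in data.lower():
            findings.append(f"DEP opt-out layer for {name}: {data}")
    for path, values in keys.items():
        if path.endswith("\\authorizedapplications\\list"):
            for data in values.values():
                if isinstance(data, str) and ":enabled:" in data.lower():
                    findings.append(f"firewall exception: {data}")
    return findings


# Constructed export holding the values this advisory lists (not from a real host).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe]
"Debugger"="wmipsvtm.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT]
"DontReportInfectionInformation"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"C:\\WINDOWS\\system32\\wmipsvtm.exe"="DisableNXShowUI"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\wmipsvtm.exe"="C:\\WINDOWS\\system32\\wmipsvtm.exe:*:Enabled:LAN Router"
"""
```

On a live machine, export the keys named in this section with reg export and feed the file to triage_reg; because the worm periodically rewrites these values, compare exports taken a few minutes apart rather than trusting a single clean result after removal.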
Terminates processes
Slenfbot.AJM may terminate the following processes on an affected machine:
DLLHOSTS.EXE
SUPERANTISPYWARE.EXE
AMPAWSMASHERX.EXE
SMSNIFF.EXE
SMASH1.EXE
SMASH2.EXE
SMASH3.EXE
SMASH4.EXE
SMASH5.EXE
SMASH6.EXE
SMASH7.EXE
SMASH.EXE
NETMON.EXE
PREVXCSIFREE.EXE
PREVX.EXE
WINDOWSDEFENDER.MSI
EAV_NT32_ENU.MSI
EAV_NT64_ENU.MSI
AVIRA_ANTIVIR_PERSONAL_EN.EXE
AVG_AVWT_STB_EN_9_40_FREE.EXE
ESCW_90_SA_SFX.EXE
SETUP_AV_FREE.EXE
DRWEB-600-WIN-PRO-X86.EXE
BITDEFENDER_ANTIVIRUS.EXE
SECCENTER.EXE
NS360S300EN
AVENGER.EXE
NAV-TW-30-17-1-0-19TBEN.EXE
ATF-CLEANER.EXE
OTM.EXE
REGSHOT.EXE
MSMPENG.EXE
MSASCUI.EXE
GUARDXKICKOFF.EXE
GUARDXSERVICE.EXE
VIRUSUTILITIES.EXE
VBA32-PERSONAL-LATEST-ENGLISH.EXE
TrendMicro_TISPro_16.1_1063_x32.EXE
PROCMON.EXE
WITSETUP.EXE
AVINSTALL.EXE
K7TS_SETUP.EXE
P08PROMO.EXE
ISSDM_EN_32.EXE
VIPRE.EXE
UNLOCKER.EXE
UNLOCKERASSISTANT.EXE
UNLOCKER1.8.7.EXE
REGUNLOCKER.EXE
COMPAQ_PROPIETARIO.EXE
ATF-CLEANER.EXE
SAFEBOOTKEYREPAIR.EXE
OTMOVEIT3.EXE
HOSTSXPERT.EXE
DAFT.EXE
VIRUS.EXE
HIJACK-THIS.EXE
MRT.EXE
MRTSTUB.EXE
WINDOWS-KB890930-V2.2.EXE
HJ.EXE
ELISTA.EXE
PENCLEAN.EXE
MBAM-SETUP.EXE
MBAM.EXE
AVZ.EXE
JAJA.EXE
OTMOVEIT.EXE
MBAM-SETUP.EXE
REGMON.EXE
COMBO-FIX.EXE
COMBOFIX.BAT
COMBOFIX.SCR
COMBOFIX.COM
NTVDM.EXE
GUARD.EXE
LISTO.EXE
TCPVIEW.EXE
REGEDIT.COM
REGEDIT.SCR
FOLDERCURE.EXE
KILLAUTOPLUS.EXE
MYPHOTOKILLER.EXE
REG.EXE
TASKKILL.EXE
AUTORUNS.EXE
SRENGPS.EXE
COMBOFIX.EXE
SDFIX.EXE
CATCHME.EXE
GMER.EXE
MBR.EXE
CF9409.EXE
REGUNLOCKER.EXE
TSNTEVAL.EXE
XP_TASKMGRENAB.EXE
SUPERANTISPYWARE.EXE
BOOTSAFE.EXE
SRESTORE.EXE
MSNCLEANER.EXE
BUSCAREG.EXE
KAKASETUPV6.EXE
SUPERKILLER.EXE
DUBATOOL_AV_KILLER.EXE
DELAYDELFILE.EXE
SEEM.EXE
BC5CA6A.EXE
ROOTALYZER.EXE
ROOTKITBUSTER.EXE
HELIOS.EXE
DARKSPY105.EXE
HOOKANLZ.EXE
PAVARK.EXE
SRENGLDR.EXE
APORTS.EXE
FPORT.EXE
PORTDETECTIVE.EXE
PORTMONITOR.EXE
NETSTAT.EXE
OLLYDBG.EXE
HJTINSTALL.EXE
HJTSETUP.EXE
HIJACKTHIS_SFX.EXE
HIJACKTHIS.EXE
HIJACKTHIS_V2.EXE
MSNFIX.EXE
PROCEXP.EXE
TASKMAN.EXE
TASKLIST.EXE
TASKMON.EXE
PSKILL.EXE
ROOTKITREVEALER.EXE
FSBL.EXE
FSB.EXE
AVGARKT.EXE
ROOTKIT_DETECTIVE.EXE
UNHACKME.EXE
HACKMON.EXE
RKD.EXE
ROOTKITNO.EXE
REANIMATOR.EXE
HOOKANLZ.EXE
ROOTREPEAL.EXE
ICESWORD.EXE
LORDPE.EXE
PG2.EXE
PROCDUMP.EXE
PROCESSMONITOR.EXE
SPYBOTSD160.EXE
TEATIMER.EXE
SPYBOTSD.EXE
WIRESHARK.EXE
APM.EXE
APT.EXE
ASVIEWER.EXE
CPORTS.EXE
CPROCESS.EXE
DLLCOMPARE.EXE
A2HIJACKFREESETUP.EXE
EULALYZERSETUP.EXE
FILEALYZ.EXE
FILEFIND.EXE
FIXPATH.EXE
HOSTSFILEREADER.EXE
IEFIX.EXE
AVENGER.EXE
INSTALLWATCHPRO25.EXE
KILLBOX.EXE
NETALYZ.EXE
OBJMONSETUP.EXE
PGSETUP.EXE
FIXBAGLE.EXE
CUREIT.EXE
PROCMON.EXE
PROJECTWHOISINSTALLER.EXE
REGALYZ.EXE
REGCOOL.EXE
REGISTRAR_LITE.EXE
REGSCANNER.EXE
REGSHOT.EXE
REGX2.EXE
SPF.EXE
SRENGLDR.EXE
STARTDRECK.EXE
SYSANALYZER_SETUP.EXE
UNIEXTRACT.EXE
UNLOCKER1.8.7.EXE
RAVP.EXE
MBAM.EXE
USBGUARD.EXE
AVZ.EXE
OTL.EXE
CPF.EXE
ZLCLIENT.EXE
123.COM
123.EXE
Deletes services
The worm uses the net stop, sc stop, sc config, and sc delete commands to stop, disable, and delete the following services:
CSIScanner
MsMpSvc
K7RTScan
K7TSMngr
avast! Antivirus
AntiVirService
PASRV
VSSERV
avg8wd
avg9wd
NOD32krn
ekrn
McShield
OutpostFirewall
TmPfw
KPF4
SmcService
cmdAgent
vsmon
SbPF.Launcher
SPF4
acssrv
SAVService
SAVAdminService
Sophos AutoUpdate Service
Sophos Client Firewall
Sophos Client Firewall Manager
Uses stealth
Slenfbot.AJM also attempts to hide its process from Task Manager and other process monitoring tools.
Analysis by David Wood