Worm:Win32/Slenfbot.AU is a worm that can spread via MSN Messenger. The worm also contains backdoor functionality that allows unauthorized access to an affected machine. This worm does not spread automatically upon installation, but must be ordered to spread by a remote attacker.
Installation
When executed, Worm:Win32/Slenfbot.AU copies itself to the <system folder> as "wnpmcs.exe" and sets the attributes for this copy to read only, hidden and system. It modifies the registry to run this copy at each Windows start:
Adds value: "Windows Remote Launcher"
With data: "wnpmcs.exe"
To subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Note - <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on XP and Vista.
The worm makes a further registry modification that causes the copy of the worm that was executed originally to be deleted when the system restarts:
Sets value: "PendingFileRenameOperations"
With data: "<original malware executable>"
Under key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager
However, it also runs "cmd.exe /c del <original malware executable> > nul" to delete the original copy of the worm immediately, without waiting for the restart.
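A host triage check for the persistence artifacts listed above and for the TCP port 9058 backdoor described under Payload, added here as an example and not part of the original description or of any vendor tool. It assumes PowerShell on Windows 8 or later (for Get-NetTCPConnection) run from an elevated prompt; the file name, registry value names and port are taken from the text, everything else is constructed.

```powershell
# Triage check for Worm:Win32/Slenfbot.AU indicators (constructed example).
# Indicators come from the description above; paths are resolved per host.

$sysFolder = [Environment]::GetFolderPath('System')   # e.g. C:\Windows\System32
$dropPath  = Join-Path $sysFolder 'wnpmcs.exe'
$runKey    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$smKey     = 'HKLM:\System\CurrentControlSet\Control\Session Manager'
$findings  = @()

# 1. Dropped copy in the system folder (read-only, hidden, system attributes).
#    -Force is needed so Get-Item returns hidden/system files.
if (Test-Path -LiteralPath $dropPath) {
    $attrs = (Get-Item -LiteralPath $dropPath -Force).Attributes
    $findings += "File present: $dropPath (attributes: $attrs)"
}

# 2. Autorun value "Windows Remote Launcher" under the HKLM Run key.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['Windows Remote Launcher']) {
    $data = $run.'Windows Remote Launcher'
    $findings += "Run value 'Windows Remote Launcher' = '$data'"
}

# 3. PendingFileRenameOperations, used by the worm to delete its dropper at
#    reboot. Installers and updates use it legitimately, so report for review.
$sm = Get-ItemProperty -Path $smKey -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
if ($sm) {
    foreach ($entry in $sm.PendingFileRenameOperations) {
        if ($entry) { $findings += "PendingFileRenameOperations: $entry" }
    }
}

# 4. Live backdoor session: any connection to remote TCP port 9058 (the IRC
#    command channel described under Payload), with the owning process.
$conns = Get-NetTCPConnection -RemotePort 9058 -ErrorAction SilentlyContinue
foreach ($c in $conns) {
    $proc = (Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue).ProcessName
    $findings += "TCP $($c.LocalAddress):$($c.LocalPort) -> $($c.RemoteAddress):9058 " +
                 "state $($c.State) pid $($c.OwningProcess) ($proc)"
}

if ($findings.Count -eq 0) {
    Write-Output 'No Slenfbot.AU indicators found.'
} else {
    Write-Output 'Possible Slenfbot.AU indicators:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

The Run value and dropped file together are a strong match; a PendingFileRenameOperations entry or a port 9058 connection on its own only warrants a closer look at the named file or process.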
Spreads Via…
MSN Messenger
This worm can be ordered to spread via Messenger by a remote attacker using the worm's backdoor functionality (see Payload below for additional detail). When the attacker orders the worm to spread via MSN Messenger, they must provide the following three parameters:
- A URL containing a list of possible messages to send, along with the worm itself, to MSN Messenger contacts. The worm chooses from this list at random.
- A file name for a ZIP archive. The worm creates a ZIP archive containing a copy of itself in the temporary folder with this name. The worm sends this ZIP archive to MSN Messenger contacts.
- A file name for the worm's executable inside the ZIP archive.
Payload
Backdoor Functionality: TCP Port 9058
Slenfbot.AU attempts to connect to an IRC server at pool.hybridtx.com via TCP port 9058, join a channel and wait for commands. Using this backdoor, an attacker can perform the following actions on an affected machine:
When the attacker orders the worm to send an arbitrary file via MSN Messenger, they must provide all of the parameters used when spreading via Messenger, plus a fourth: