Worm:Win32/Slenfbot.gen!D is the generic detection for a worm that spreads via removable drives and instant messaging programs. It also modifies the Windows Firewall and DEP settings, terminates certain antivirus and analysis processes, contacts remote servers, flushes the DNS cache, and allows backdoor access and control over IRC.
Installation
When executed, Worm:Win32/Slenfbot.gen!D drops a copy of itself in the Windows system folder using a variety of file names. It then executes its copy and deletes itself.
Some of the file names the copy in the Windows system folder has been known to use are:
- wcoredk.exe
- wmiptsd.exe
- wcoredn.exe
It creates a mutex named "Mut3x" and opens a mutex named "send".
To ensure that it automatically runs every time Windows starts, Worm:Win32/Slenfbot.gen!D creates the following registry entries:
Adds value: "conime.exe"
With data: "conime.exe"
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: "Debugger"
With data: "<malware file name>"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conime.exe
The file "conime.exe" is the Console IME process (the input method editor proxy for console windows on Windows XP and Windows Server 2003). A "Debugger" value under Image File Execution Options makes Windows launch the named "debugger" in place of the image and hand it the original command line, so every time the legitimate "conime.exe" is started, including by the Run entry above at each Windows start, the malware file runs instead of (and before) it.
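The PowerShell below is an added example, not part of the original analysis, that audits the two persistence points just described on a live host: it lists every Image File Execution Options subkey carrying a "Debugger" value (legitimate ones are rare, so the conime.exe entry stands out), lists the HKLM Run entries, and checks the system folder for the dropped-copy names given above. The file names come from the analysis; the function names and the choice of what to flag as suspect are assumptions for illustration.

```powershell
# Added example, not part of the original Slenfbot.gen!D write-up.
# Run from an elevated PowerShell session on the host being examined.

# File names reported for the dropped copy (from the write-up).
$SuspectNames = @('wcoredk.exe', 'wmiptsd.exe', 'wcoredn.exe')

function Get-IfeoDebuggers {
    # Any IFEO subkey with a Debugger value redirects that image's launch to the
    # "debugger". Legitimate entries are rare, so list them all and flag matches.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            # Compare on the file name only; the value may carry a full path or arguments.
            $leaf = Split-Path -Leaf ([string]$dbg).Trim('"')
            [pscustomobject]@{
                Image    = $_.PSChildName
                Debugger = $dbg
                Suspect  = ($_.PSChildName -ieq 'conime.exe') -or ($SuspectNames -contains $leaf)
            }
        }
    }
}

function Get-RunEntries {
    # Autostart entries under HKLM Run. The worm registers "conime.exe" here so
    # that the IFEO hijack fires at every logon.
    $run = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $props = Get-ItemProperty -Path $run -ErrorAction SilentlyContinue
    if (-not $props) { return }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # PSPath, PSProvider and friends
        $cmd  = ([string]$p.Value).Trim('"')
        $leaf = if ($cmd) { Split-Path -Leaf $cmd } else { '' }
        [pscustomobject]@{
            Name    = $p.Name
            Command = $p.Value
            Suspect = ($cmd -match 'conime\.exe') -or ($SuspectNames -contains $leaf)
        }
    }
}

function Find-DroppedCopies {
    # The dropped copy lives in the system folder under one of the reported names.
    $sys = Join-Path $env:SystemRoot 'System32'
    foreach ($n in $SuspectNames) {
        $path = Join-Path $sys $n
        if (Test-Path -LiteralPath $path) {
            Get-Item -LiteralPath $path -Force | Select-Object FullName, Length, CreationTime, LastWriteTime
        }
    }
}

Write-Host '== IFEO Debugger values =='
Get-IfeoDebuggers | Format-Table -AutoSize
Write-Host '== HKLM Run entries =='
Get-RunEntries | Format-Table -AutoSize
Write-Host '== Dropped copies in System32 =='
Find-DroppedCopies | Format-Table -AutoSize
```

On 64-bit Windows the same checks should be repeated under the Wow6432Node copies of the IFEO and Run keys, and any IFEO Debugger value that is not a debugger you installed deliberately deserves a look regardless of whether its file name matches this list.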
Spreads via…
Removable drives
Worm:Win32/Slenfbot.gen!D spreads by copying itself to all available removable drives. Its copy on the removable drive uses various names. It also creates an "autorun.inf" file so that its copy runs automatically when the drive is accessed, provided Autorun is enabled (Microsoft disabled Autorun for non-optical removable drives in a 2011 update, so this vector depends on the target running an older or unpatched system).
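As an added example that is not part of the original analysis, the following PowerShell inspects the autorun.inf on each removable drive and reports which file it would launch, which is what a responder wants to know before an infected USB stick is plugged into anything else. The autorun.inf keys it parses (open, shellexecute, shell\<verb>\command) are the standard ones; the function names and the extension list used for flagging are assumptions.

```powershell
# Added example, not part of the original write-up: parse autorun.inf on every
# removable drive and show which executable it points at.

function Get-AutorunTargets {
    param([string]$InfPath)
    # Return the [autorun] keys that name something to execute: open=,
    # shellexecute= and shell\<verb>\command=. Values are reported verbatim.
    $inSection = $false
    foreach ($line in (Get-Content -LiteralPath $InfPath -Force)) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -ieq 'autorun'); continue }
        if (-not $inSection -or $t -eq '' -or $t.StartsWith(';')) { continue }
        if ($t -match '^(?<key>open|shellexecute|shell\\[^=]+\\command)\s*=\s*(?<val>.+)$') {
            [pscustomobject]@{ Key = $Matches['key']; Target = $Matches['val'].Trim() }
        }
    }
}

function Get-RemovableAutorun {
    # DriveType 2 = removable disk (USB sticks, card readers).
    Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
        $inf = "$($_.DeviceID)\autorun.inf"
        if (-not (Test-Path -LiteralPath $inf)) { return }
        $item = Get-Item -LiteralPath $inf -Force     # -Force: the file is usually Hidden/System
        foreach ($target in (Get-AutorunTargets -InfPath $inf)) {
            [pscustomobject]@{
                Drive       = $_.DeviceID
                Attributes  = $item.Attributes
                Key         = $target.Key
                Target      = $target.Target
                TargetIsExe = ($target.Target -match '\.(exe|scr|com|bat|cmd|vbs)\b')
            }
        }
    }
}

Get-RemovableAutorun | Format-Table -AutoSize
```

A drive whose autorun.inf carries Hidden and System attributes and whose open= or shellexecute= target is an executable sitting in the drive root or a RECYCLER-style folder is the pattern this family of worms leaves; copy the referenced file off for analysis with the drive mounted read-only rather than double-clicking the drive icon.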
Instant messaging programs
Worm:Win32/Slenfbot.gen!D sends links to copies of itself to a user's contacts in certain instant messaging programs, such as "MSN Messenger".
Payload
Modifies firewall settings
Worm:Win32/Slenfbot.gen!D adds itself to the Windows Firewall authorized applications list for both the Standard and Domain profiles, so that inbound connections to it are permitted:
Adds value: "<malware file name>"
With data: "<malware file name> :*:enabled:lan router"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Adds value: "<malware file name>"
With data: "<malware file name> :*:enabled:lan router"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
Modifies system security settings
Worm:Win32/Slenfbot.gen!D attempts to exempt itself from DEP ("Data Execution Prevention") by registering an application compatibility layer for its own file, which opts the program out of DEP without showing the usual prompt:
Adds value: "<malware file name>"
With data: "disablenxshowui"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
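The PowerShell below is an added example, not taken from the original analysis, that reads the two registry locations named in the firewall and DEP sections, parses the firewall list's "path:scope:state:name" data format (the path itself contains a colon, so the three trailing fields are anchored from the right), and flags entries matching the patterns described above. The file names and the "lan router" display name come from the analysis; the function names are assumptions.

```powershell
# Added example, not part of the original write-up: list legacy firewall
# exceptions and AppCompat layers and flag the patterns the worm leaves behind.

$SuspectNames = @('wcoredk.exe', 'wmiptsd.exe', 'wcoredn.exe')   # from the write-up

function Get-RegistryValues {
    # Name/data pairs under a key, minus the PS* properties PowerShell adds.
    param([string]$Key)
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if (-not $props) { return }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -notlike 'PS*') { [pscustomobject]@{ Name = $p.Name; Data = [string]$p.Value } }
    }
}

function Get-LegacyFirewallExceptions {
    # Data format is "<path>:<scope>:<Enabled|Disabled>:<display name>".
    # Greedy <path> plus three colon-free trailing fields handles the drive-letter colon.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    foreach ($profile in 'StandardProfile', 'DomainProfile') {
        foreach ($v in (Get-RegistryValues "$base\$profile\AuthorizedApplications\List")) {
            if ($v.Data -notmatch '^(?<path>.+):(?<scope>[^:]*):(?<state>[^:]*):(?<name>[^:]*)$') { continue }
            $path = $Matches['path'].Trim()   # the worm's entry has a stray space before the colon
            [pscustomobject]@{
                Profile = $profile
                Path    = $path
                Scope   = $Matches['scope']
                State   = $Matches['state']
                Display = $Matches['name']
                Suspect = ($SuspectNames -contains (Split-Path -Leaf $path)) -or ($Matches['name'] -ieq 'lan router')
            }
        }
    }
}

function Get-AppCompatLayers {
    # Each value name is an executable path; data is a space-separated list of
    # layers. DisableNXShowUI opts the program out of DEP without a prompt.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
    foreach ($v in Get-RegistryValues $key) {
        [pscustomobject]@{
            Program     = $v.Name
            Layers      = $v.Data
            DepDisabled = ($v.Data -match 'DisableNXShowUI')
            Suspect     = ($SuspectNames -contains (Split-Path -Leaf $v.Name))
        }
    }
}

Write-Host '== Firewall authorized applications (legacy list) =='
Get-LegacyFirewallExceptions | Format-Table -AutoSize
Write-Host '== AppCompat layers =='
Get-AppCompatLayers | Format-Table -AutoSize
```

The AuthorizedApplications list is the Windows XP and Server 2003 firewall store; on Windows Vista and later the equivalent rules live under FirewallPolicy\FirewallRules and can also be read with Get-NetFirewallRule. The per-user copy of AppCompatFlags\Layers under HKCU should be checked alongside the HKLM one.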
Terminates processes
Some samples of Worm:Win32/Slenfbot.gen!D attempt to terminate antivirus and analysis programs, such as the following processes:
- msrt.exe
- msmpeng.exe
- lordpe.exe
- procdump.exe
- processmonitor.exe
- taskmon.exe
Some samples of Worm:Win32/Slenfbot.gen!D have also been known to prevent certain antivirus programs from running, such as the following:
- K7RTScan
- K7TSMngr
- avast! Antivirus
- VSServ
Allows backdoor access and control
Worm:Win32/Slenfbot.gen!D attempts to connect to an IRC channel, possibly to allow backdoor access and control. It is known to connect to the following IRC servers, using various ports such as 5213 and 41040:
- ns28.sup3rb0x4you.co.uk
- ns118.l1v3h0st4all61.me.uk
Connects to a remote server
Worm:Win32/Slenfbot.gen!D tries to download an updated version of itself from a certain remote server. Some of the servers it is known to connect to are the following:
- secure.ultrah0stint24.org.uk
- upd.messenger-update.ru
Flushes DNS cache
Worm:Win32/Slenfbot.gen!D flushes the DNS cache by running the following command:
ipconfig /flushdns
Analysis by Daniel Radu