Worm:Win32/Slenping is a worm that can spread via MSN Messenger. The worm also contains backdoor functionality that allows unauthorized access to an affected machine.
Installation
When executed, Worm:Win32/Slenping copies itself to the <system folder> and the current user's "user profile" directory (e.g. c:\documents and settings\<username>) with randomly generated filenames. It sets the "hidden" attribute for the copy in the "user profile" directory.
Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.
It modifies the registry to run both copies of the worm at each Windows start. For example, it may copy itself to <system folder>\cviouet.exe and <user profile folder>\oal.exe and make the following modifications to the registry:
Adds value: "cviouet"
With data: "<system folder>\cviouet.exe \j"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adds data: ",<user profile folder>\oal.exe \o"
To value: "Userinit"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
so that, for example, "Userinit" is set to "<system folder>\userinit.exe,c:\documents and settings\administrator\oal.exe \o"
After installing, the worm executes the copy of itself in the <system folder> with the parameter "\b" and attempts to delete the original copy by creating and running a batch file in the temp folder called removeMe<XXXX>.bat, where <XXXX> is a randomly generated 4-digit number. This batch file repeatedly tries to delete the original worm file, pausing between each attempt by running the command "ping 0.0.0.0>nul".
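As an added detection example that is not part of the original analysis, the following Python script checks the persistence and cleanup indicators described above (an entry appended to the Winlogon "Userinit" value, Run-key commands using the worm's backslash-style switch, and a removeMe<XXXX>.bat file in the temp folder) against constructed sample registry values and a constructed temp-folder listing; the sample values and the backslash-switch heuristic are assumptions, not indicators taken from a real infection.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample data modelled on the indicators in this entry (not real captures).
SAMPLE_USERINIT = r"C:\WINDOWS\system32\userinit.exe,c:\documents and settings\administrator\oal.exe \o"
SAMPLE_RUN = {
    "cviouet": r"C:\WINDOWS\system32\cviouet.exe \j",
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}
SAMPLE_TEMP = ["removeMe4821.bat", "~DF1234.tmp", "notes.txt"]

# Heuristic (assumption): Slenping launches its copies with a single-letter switch written
# as "\x" (e.g. "\j", "\o"), not the "/x" or "-x" form Windows programs normally use.
_CMD_RE = re.compile(r"^(?P<exe>.*?\.exe)(?:\s+(?P<switch>\\\w))?\s*$", re.IGNORECASE)

def parse_command(cmd):
    """Split a registry command string into (executable path, switch or None)."""
    m = _CMD_RE.match(cmd.strip())
    if not m:
        return cmd.strip(), None
    return m.group("exe"), m.group("switch")

def audit_userinit(value):
    """Return every comma-separated Userinit entry other than the expected userinit.exe.
    Anything appended after the comma is started at every interactive logon."""
    extra = []
    for entry in value.split(","):
        if not entry.strip():
            continue
        exe, _ = parse_command(entry)
        if PureWindowsPath(exe).name.lower() != "userinit.exe":
            extra.append(entry.strip())
    return extra

def audit_run_key(values):
    """Return Run-key value names whose command uses the backslash-switch style."""
    return [name for name, cmd in values.items() if parse_command(cmd)[1] is not None]

def find_remove_me(temp_listing):
    """Return filenames matching the self-deletion batch file pattern removeMe<XXXX>.bat."""
    pat = re.compile(r"^removeMe\d{4}\.bat$", re.IGNORECASE)
    return [f for f in temp_listing if pat.match(f)]

if __name__ == "__main__":
    print("Userinit extras:", audit_userinit(SAMPLE_USERINIT))
    print("Run entries with backslash switches:", audit_run_key(SAMPLE_RUN))
    print("Self-delete batch files:", find_remove_me(SAMPLE_TEMP))
```

On a live system the same functions can be fed the real "Userinit" and Run-key values read with the winreg module and a listing of %TEMP%.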
Spreads Via…
MSN Messenger
This worm can be ordered to spread via Messenger by a remote attacker using the worm's backdoor functionality (see Payload below for additional detail). When the attacker orders the worm to spread via MSN Messenger, they also provide the content of the messages to be sent. We have observed the worm being spread with file names like "photo1226.jpeg-www.myspace.com" in ZIP archives called "photo.zip".
Payload
Backdoor Functionality
Slenping connects to a remote system, usually on TCP port 443, from which it accepts backdoor commands. These include the ability to launch spreading via MSN Messenger and to download and execute arbitrary files.
Additional Information
Win32/Slenping creates a mutex to ensure only one copy runs at a time. For example, Win32/Slenping.A creates a mutex called "_MSBLMutex_".
Win32/Slenping is capable of hiding itself so its process is not visible from task manager.
Analysis by Hamish O'Dea