Worm:Win32/Wootbot.EI

Worm:Win32/Wootbot.EI is a worm that includes a backdoor component, which connects to an IRC server and awaits commands from remote attackers. For example, an attacker can send a command to distribute the worm to other computers by exploiting a vulnerability in the Windows service LSASS, described in Microsoft Security Bulletin MS04-011.

Installation

Worm:Win32/Wootbot.EI copies itself as the following:

• <system folder>\svchots.exe

Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.

It then runs its copy.

It also creates the following registry entries to enable itself to run every time Windows starts:

In subkeys:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Sets value: "windows updatess"
With data: "svchots.exe"

Payload

Allows backdoor access and control

Worm:Win32/Wootbot.EI connects to a specific IRC server and channel to receive commands from attackers to take actions such as:

• Get the following system information:
  • Windows product keys
  • Game keys
  • Email addresses from the Windows address book
  • User IDs for AOL and Yahoo! Messenger
• Perform local operations:
  • Run certain files
  • Manipulate files, processes, and services
• Performing network-related operations:
  • Delete shares
  • Download files
  • Redirect network traffic
  • Open an FTP or HTTP server
  • Open an HTTP, SOCKS4, or SOCKS5 proxy server
  • Conduct denial-of-service (DoS) attacks using ICMP, SYN, or UDP flooding
  • Spread to other computers by exploiting vulnerabilities

The vulnerabilities it may use to spread are:

• Windows LSASS vulnerability described in Microsoft Security Bulletin MS04-011
• Vulnerability in the Graphics Rendering Engine described in Microsoft Security Bulletin MS06-001
• Vulnerability in the Windows DNS RPC Interface described in Microsoft Security Bulletin MS07-029

Analysis by Elda Dimakiling