Installation
The worm may arrive on your computer as "ipz.tmp". It is moved to the folder "%systemroot%\system32" and is renamed as "ipz.exe".
Note: %SystemRoot% refers to a variable location that is determined by the malware by querying the operating system. The default location for the SystemRoot folder for Windows 2000, XP, 2003, Vista and 7 is "C:\Windows".
It creates the following registry entries so that it automatically runs as a service:
In subkey: HKLM\System\CurrentControlSet\Services\ipz
Sets value: "DisplayName"
With data: "Intelligent p2p zombie"
It uses the service name "IPZ".
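The following PowerShell function is an added example, not part of the original write-up, that checks a Windows host for the installation indicators listed above (the "ipz" service key and its display name, the dropped "ipz.exe"/"ipz.tmp" in %SystemRoot%\system32, and a live service or process named ipz). It assumes it is run in an elevated PowerShell session on the host being examined; the function name and the output object layout are choices made for this example. It computes a SHA-256 of any file it finds purely for triage; the page itself gives no reference hash.

```powershell
# Added example (not from the original write-up): host check for the
# Worm:Win32/Zombaque.A installation indicators described on this page.
# Assumptions: elevated PowerShell on the examined Windows host; indicator
# values (service key, display name, file names) are the ones the page lists.

function Test-ZombaqueIndicators {
    [CmdletBinding()]
    param()

    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Service registry key the worm creates: HKLM\System\CurrentControlSet\Services\ipz
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\ipz'
    if (Test-Path -LiteralPath $svcKey) {
        $props = Get-ItemProperty -LiteralPath $svcKey -ErrorAction SilentlyContinue
        $findings.Add([pscustomobject]@{
            Indicator = 'Service registry key'
            Detail    = "$svcKey DisplayName='$($props.DisplayName)' ImagePath='$($props.ImagePath)'"
            # The display name documented for this worm is "Intelligent p2p zombie"
            Match     = ($props.DisplayName -eq 'Intelligent p2p zombie')
        })
    }

    # 2. Dropped binary and its staging file under %SystemRoot%\system32
    foreach ($name in 'ipz.exe', 'ipz.tmp') {
        $path = Join-Path $env:SystemRoot "System32\$name"
        if (Test-Path -LiteralPath $path) {
            $item = Get-Item -LiteralPath $path
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $findings.Add([pscustomobject]@{
                Indicator = 'File'
                Detail    = "$path size=$($item.Length) sha256=$hash"
                Match     = $true
            })
        }
    }

    # 3. Live service or process named ipz (service and process names are case-insensitive,
    #    so this also covers the "IPZ" spelling the page mentions)
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='ipz'" -ErrorAction SilentlyContinue
    if ($svc) {
        $findings.Add([pscustomobject]@{
            Indicator = 'Running service'
            Detail    = "State=$($svc.State) PathName=$($svc.PathName) PID=$($svc.ProcessId)"
            Match     = $true
        })
    }
    $proc = Get-Process -Name ipz -ErrorAction SilentlyContinue
    if ($proc) {
        $findings.Add([pscustomobject]@{
            Indicator = 'Running process'
            Detail    = "PID=$($proc.Id -join ',') Path=$($proc.Path -join ',')"
            Match     = $true
        })
    }

    return $findings
}

# Usage: run on the suspect host and review any rows; an empty result means none of
# the documented installation artifacts are present.
$result = Test-ZombaqueIndicators
if ($result.Count -eq 0) {
    Write-Output 'No Zombaque.A installation indicators found.'
} else {
    $result | Format-Table -AutoSize
}
```

The service-key check reports the registry values it sees even when the display name does not match, because a remnant key with a different name is still worth a look during cleanup; the Match column separates an exact match from a partial hit.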
Spreads via...
Radmin program
Worm:Win32/Zombaque.A checks if other computers in the network have TCP port 4899 open, which may indicate that these are accessible using Radmin. It tries to connect to these computers using a combination of certain user names and passwords, and copies itself to these computers if it successfully connects.
The worm uses a number of user names and passwords in its attempt to gain access to the computers using Radmin; please see the Additional information section below for a list of user names and passwords it uses.
It drops a copy of itself on these accessible computers as "ipz.tmp", which, as in its Installation method, is then moved, renamed and run as a service.
Payload
Joins a botnet
Worm:Win32/Zombaque.A turns your computer into a node in a botnet, which is composed of other computers also infected with Worm:Win32/Zombaque.A. It communicates with these computers through TCP port 310 to perform commands sent by a remote attacker. A remote attacker may choose to do any of the following:
- Download and run arbitrary files
- Upload data taken from an infected computer
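The following PowerShell function is an added example, not part of the original write-up, that serves both the "Spreads via" section (one host probing many peers on TCP port 4899) and the Payload section (peer traffic on TCP port 310). It parses constructed firewall-style log lines, flags any source that reaches a threshold of distinct destinations on port 4899, and lists all sources talking on port 310. The log format, the field names, the threshold and the sample addresses are all assumptions made for this example; the two port numbers come from the page.

```powershell
# Added example (not from the original write-up): flag hosts whose connection logs
# show Radmin-style scanning (many distinct peers on tcp/4899) or traffic on tcp/310,
# the port the write-up attributes to Zombaque.A's botnet communication.
# Assumptions: a simple key=value log format constructed for this example; the
# threshold and field names are choices made here, not values from the page.

function Find-ZombaqueNetworkActivity {
    param(
        [Parameter(Mandatory)] [string[]] $LogLines,
        [int] $ScanThreshold = 5   # distinct 4899 destinations from one source before flagging
    )

    # Parse each line into a small object; lines without the needed fields are skipped
    $parsed = foreach ($line in $LogLines) {
        $fields = @{}
        foreach ($token in ($line -split '\s+')) {
            if ($token -match '^(\w+)=(.+)$') { $fields[$Matches[1]] = $Matches[2] }
        }
        if ($fields.proto -eq 'tcp' -and $fields.src -and $fields.dst -and $fields.dport -match '^\d+$') {
            [pscustomobject]@{ Src = $fields.src; Dst = $fields.dst; DPort = [int]$fields.dport }
        }
    }

    $alerts = New-Object System.Collections.Generic.List[object]

    # Radmin scan: one source touching many distinct hosts on tcp/4899.
    # A single admin connection to one host on 4899 stays below the threshold.
    $parsed | Where-Object DPort -eq 4899 | Group-Object Src | ForEach-Object {
        $targets = @($_.Group.Dst | Sort-Object -Unique)
        if ($targets.Count -ge $ScanThreshold) {
            $alerts.Add([pscustomobject]@{
                Type   = 'Radmin-scan'
                Host   = $_.Name
                Detail = "$($targets.Count) distinct hosts on tcp/4899: $($targets -join ', ')"
            })
        }
    }

    # Botnet peer traffic: tcp/310 is unusual on most networks, so every source is reported
    $parsed | Where-Object DPort -eq 310 | Group-Object Src | ForEach-Object {
        $peers = @($_.Group.Dst | Sort-Object -Unique)
        $alerts.Add([pscustomobject]@{
            Type   = 'Port-310-peer'
            Host   = $_.Name
            Detail = "talks to $($peers -join ', ') on tcp/310"
        })
    }

    return $alerts
}

# Constructed sample log lines (not real traffic): 10.0.0.5 sweeps five hosts on 4899
# and also talks on 310; 10.0.0.9 makes one ordinary Radmin connection.
$sample = @(
    '2024-03-01T10:00:01Z proto=tcp src=10.0.0.5 dst=10.0.0.11 dport=4899 action=allow',
    '2024-03-01T10:00:01Z proto=tcp src=10.0.0.5 dst=10.0.0.12 dport=4899 action=allow',
    '2024-03-01T10:00:02Z proto=tcp src=10.0.0.5 dst=10.0.0.13 dport=4899 action=deny',
    '2024-03-01T10:00:02Z proto=tcp src=10.0.0.5 dst=10.0.0.14 dport=4899 action=deny',
    '2024-03-01T10:00:03Z proto=tcp src=10.0.0.5 dst=10.0.0.15 dport=4899 action=allow',
    '2024-03-01T10:00:09Z proto=tcp src=10.0.0.5 dst=10.0.0.11 dport=310 action=allow',
    '2024-03-01T10:05:00Z proto=tcp src=10.0.0.9 dst=10.0.0.20 dport=4899 action=allow',
    '2024-03-01T10:05:01Z proto=udp src=10.0.0.9 dst=10.0.0.1 dport=53 action=allow'
)

Find-ZombaqueNetworkActivity -LogLines $sample | Format-Table -AutoSize
```

With the sample above the function returns two alerts, both for 10.0.0.5 (a Radmin-scan row naming five hosts and a Port-310-peer row), while 10.0.0.9's single Radmin session is not reported. Denied connections are counted on purpose: a worm probing the subnet generates rejected attempts as well as successful ones, and the pattern is what matters.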
Additional information
This worm has the following command line options:
- --install: installs this worm and creates a service named "IPZ"
- --remove: removes this worm and deletes the service
- --log: logs events that happen on the computer
- --service: runs the worm payload
The following are some examples of user names and passwords the worm uses to gain access to other computers:
Usernames:
- 1
- 111111
- 123
- 123456
- a
- admin
- Admin
- administrator
- Administrator
- billgates
- computer
- host
- internet
- login
- microsoft
- q
- radmin
- skynet
- User
- user
Analysis by Daniel Chipiristeanu