Worm:Win32/Slenfbot.ALJ


Worm:Win32/Slenfbot.ALJ is a worm that can spread via removable and network drives, or by exploiting the MS06-040 vulnerability.

This worm spreads automatically via shares; spreading via the exploit only happens when a remote attacker orders it to, using IRC-like commands. The worm also contains backdoor functionality that allows unauthorized access to an affected computer.

Worm:Win32/Slenfbot.ALJ is a member of the Win32/Slenfbot family of worms.



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date, security solution. The following Microsoft products detect and remove this threat:

Update vulnerable applications

This threat exploits the vulnerability MS06-040 in Windows 2000, Windows XP and Windows Server 2003. After removing this threat, make sure that you install the updates available from Microsoft. You can read more about the vulnerability, as well as where to download the software update, at Microsoft Security Bulletin MS06-040.

Recovering from recurring infections on a network

The following additional steps may need to be taken to completely remove this threat from an infected network, and to stop infections from recurring from this and other similar types of network-spreading malware:

  1. Ensure that an antivirus product is installed on ALL computers connected to the network that can access or host shares.
  2. Ensure that all available network shares are scanned with an up-to-date antivirus product.
  3. Restrict permissions as appropriate for network shares on your network. For more information on simple access control, please see: http://technet.microsoft.com/library/bb456977.aspx.
  4. Remove any unnecessary network shares or mapped drives.

Note: Additionally it may be necessary to temporarily change the permission on network shares to read-only until the disinfection process is complete.
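The following script is an added example that is not part of the Microsoft encyclopedia entry. It carries out step 3 and the note above on a file server: it records the current share permissions of every non-administrative SMB share to a backup file (the path is an assumption), rewrites each Allow entry that grants more than Read down to Read only, and can restore the original entries once disinfection is complete. It assumes the SmbShare module (Windows 8 / Windows Server 2012 and later) and an elevated Windows PowerShell 3.0+ session; NTFS permissions are not touched, so a share that is already read-only at the NTFS level is unaffected.

```powershell
# Added example: temporarily make SMB shares read-only while a network is disinfected.
# Not part of the encyclopedia entry. Requires the SmbShare module and an elevated prompt.

$backupPath = 'C:\ProgramData\share-access-backup.xml'   # assumed location for the backup

function Save-ShareAccess {
    # Snapshot every ACE on every non-special share (C$, ADMIN$, IPC$ are skipped).
    $entries = foreach ($share in (Get-SmbShare | Where-Object { -not $_.Special })) {
        Get-SmbShareAccess -Name $share.Name | ForEach-Object {
            [pscustomobject]@{
                Share   = $_.Name
                Account = $_.AccountName
                Type    = [string]$_.AccessControlType   # Allow / Deny
                Right   = [string]$_.AccessRight         # Full / Change / Read / Custom
            }
        }
    }
    $entries | Export-Clixml -Path $backupPath
    $entries
}

function Set-SharesReadOnly {
    foreach ($ace in (Save-ShareAccess)) {
        if ($ace.Type -eq 'Allow' -and $ace.Right -ne 'Read') {
            # Drop the write-capable entry and re-add the same principal with Read only.
            Revoke-SmbShareAccess -Name $ace.Share -AccountName $ace.Account -Force | Out-Null
            Grant-SmbShareAccess  -Name $ace.Share -AccountName $ace.Account -AccessRight Read -Force | Out-Null
            "$($ace.Share): $($ace.Account) $($ace.Right) -> Read"
        }
    }
}

function Restore-ShareAccess {
    # Put back exactly what Save-ShareAccess recorded, including explicit Deny entries.
    foreach ($ace in (Import-Clixml -Path $backupPath)) {
        if ($ace.Type -eq 'Allow') {
            Grant-SmbShareAccess -Name $ace.Share -AccountName $ace.Account -AccessRight $ace.Right -Force | Out-Null
        } else {
            Block-SmbShareAccess -Name $ace.Share -AccountName $ace.Account -Force | Out-Null
        }
    }
}

Set-SharesReadOnly
# Later, after every host and share has been scanned clean:
# Restore-ShareAccess
```

Run Set-SharesReadOnly on each file server before the clean-up scans so that an infected client that is still on the network cannot re-drop RECYCLER\*.exe and autorun.inf onto the shares; keep the backup file until Restore-ShareAccess has been run.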

Disable Autorun functionality

This threat attempts to spread via removable drives on computers that support Autorun functionality. This is a particularly common method of spreading for many current malware families. For information on disabling Autorun functionality, please see the following article:
http://support.microsoft.com/kb/967715/
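As an added example that is not part of the Microsoft entry, the script below applies the setting that the KB967715 article describes: it writes NoDriveTypeAutoRun = 0xFF into the machine and user Explorer policy keys so that Autorun is disabled for every drive type, and then reads the values back to confirm. It assumes an elevated Windows PowerShell prompt; on Windows XP and Windows Server 2003 the update referenced in KB967715 must also be installed, otherwise the value is not honoured for removable drives. The change takes effect for new Explorer sessions (log off and on again).

```powershell
# Added example: disable Autorun for all drive types via the Explorer policy keys (KB967715).
# Not part of the encyclopedia entry. Run from an elevated PowerShell prompt.

$policyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

function Disable-AutorunAllDrives {
    foreach ($key in $policyKeys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Each bit of NoDriveTypeAutoRun disables Autorun for one drive type; 0xFF sets them all.
        New-ItemProperty -Path $key -Name 'NoDriveTypeAutoRun' -PropertyType DWord -Value 0xFF -Force | Out-Null
    }
}

function Test-AutorunDisabled {
    # Returns $true only if both policy keys carry the expected value.
    $ok = $true
    foreach ($key in $policyKeys) {
        $value = (Get-ItemProperty -Path $key -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        if ($value -ne 0xFF) {
            Write-Warning "$key : NoDriveTypeAutoRun is '$value', expected 0xFF (255)"
            $ok = $false
        }
    }
    return $ok
}

Disable-AutorunAllDrives
Test-AutorunDisabled
```

Because the HKCU key only covers the user who runs the script, deploy the HKLM value through Group Policy (or run the script for each profile) on shared machines.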

Additional remediation instructions for Worm:Win32/Slenfbot.ALJ

This threat may make lasting changes to a computer's configuration that are not restored by detecting and removing this threat. For more information on returning an infected computer to its pre-infected state, please see the following articles:

Threat behavior

Installation

When run, Worm:Win32/Slenfbot.ALJ may copy itself to "<system folder>\wmpnv32.exe".

Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is "C:\WinNT\System32"; and for XP, Vista, and 7 it is "C:\Windows\System32".

Worm:Win32/Slenfbot.ALJ modifies the following registry entries to ensure that its copy runs at each Windows start:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows Media iControl"
With data: "<malware path and filename>", for example "C:\WINDOWS\system32\wmpnv32.exe"

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows Media iControl"
With data: "<malware path and filename>"

Spreads via...

Removable and network drives

Worm:Win32/Slenfbot.ALJ may attempt to spread via removable and network drives, except drives A: and B:. It does this by creating a directory called "RECYCLER" in the root of the targeted drive. The worm copies itself into this directory, with a file name such as the following:

  • chgservice.exe
  • cmmon32.exe
  • drive32.exe
  • ecleaner.exe
  • iexplorer.exe
  • msvmiode.exe
  • nxqd.exe
  • rvhost.exe
  • serivces.exe
  • servicers.exe
  • svchos.exe
  • undmgr.exe
  • uninstall.exe
  • usbmngr.exe
  • woot.exe
  • wudfhost.exe
  • zaberg.exe

It also places an autorun.inf file in the root directory of the targeted drive. Such autorun.inf files contain execution instructions for the operating system, so that when the removable drive is accessed from another computer supporting the Autorun feature, the malware is launched automatically.

The worm changes the attributes of all files and folders in the newly created "RECYCLER" folder to "hidden" and "system".

Note: This worm was observed to write an executable and create an autorun.inf file on a targeted drive in our automated testing environment. This is particularly common malware behavior, generally used to spread malware from computer to computer.
It should be noted that autorun.inf files on their own are not necessarily a sign of infection, as they are used by legitimate programs and installation media.
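The following sweep is an added example, not code from the Microsoft entry. It checks every removable and network drive (skipping A: and B:, as the worm does) for the two artefacts described above: a root autorun.inf whose open=, shellexecute= or shell\...\command= line points somewhere on the drive, and executables inside a RECYCLER directory that are hidden+system or carry one of the file names listed. Because legitimate installation media also carry autorun.inf, an autorun target that is not under RECYCLER is reported as "info" rather than as an infection. It assumes Windows PowerShell 3.0 or later and an elevated session so that hidden and system files are visible to Get-ChildItem -Force.

```powershell
# Added example: look for Slenfbot.ALJ spreading artefacts on removable and network drives.
# Not part of the encyclopedia entry. Run elevated; PowerShell 3.0+ assumed.

# File names the worm was observed using (from the list in the entry).
$knownNames = @('chgservice.exe','cmmon32.exe','drive32.exe','ecleaner.exe','iexplorer.exe',
    'msvmiode.exe','nxqd.exe','rvhost.exe','serivces.exe','servicers.exe','svchos.exe',
    'undmgr.exe','uninstall.exe','usbmngr.exe','woot.exe','wudfhost.exe','zaberg.exe')

function Get-AutorunTargets {
    # Returns the executable targets named in <Root>\autorun.inf, or nothing if there is none.
    param([string]$Root)
    $inf = Join-Path $Root 'autorun.inf'
    if (-not (Test-Path -LiteralPath $inf)) { return @() }
    Get-Content -LiteralPath $inf -Force | ForEach-Object {
        if ($_ -match '^\s*(open|shellexecute|shell\\[^\\]+\\command)\s*=\s*(.+?)\s*$') { $Matches[2] }
    }
}

function Find-SlenfbotOnDrives {
    $findings = @()
    # Win32_LogicalDisk DriveType: 2 = removable, 4 = network drive.
    $drives = Get-WmiObject Win32_LogicalDisk |
        Where-Object { ($_.DriveType -eq 2 -or $_.DriveType -eq 4) -and $_.DeviceID -notmatch '^[AB]:' }
    foreach ($d in $drives) {
        $root = $d.DeviceID + '\'
        foreach ($target in (Get-AutorunTargets $root)) {
            $sev = if ($target -match '(?i)recycler') { 'high' } else { 'info' }
            $findings += [pscustomobject]@{ Drive = $d.DeviceID; Severity = $sev; Item = "autorun.inf -> $target" }
        }
        $recycler = Join-Path $root 'RECYCLER'
        if (Test-Path -LiteralPath $recycler) {
            Get-ChildItem -LiteralPath $recycler -Force -ErrorAction SilentlyContinue |
                Where-Object { -not $_.PSIsContainer -and $_.Extension -ieq '.exe' } |
                ForEach-Object {
                    # The worm sets both hidden and system on what it drops into RECYCLER.
                    $hidden = [int]($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0
                    $system = [int]($_.Attributes -band [IO.FileAttributes]::System) -ne 0
                    $known  = $knownNames -contains $_.Name
                    if ($known -or ($hidden -and $system)) {
                        $sev = if ($known) { 'high' } else { 'medium' }
                        $findings += [pscustomobject]@{ Drive = $d.DeviceID; Severity = $sev; Item = $_.FullName }
                    }
                }
        }
    }
    $findings
}

$result = Find-SlenfbotOnDrives
if ($result) { $result | Format-Table -AutoSize } else { 'No Slenfbot.ALJ artefacts found on removable or network drives.' }
```

A "high" finding on a removable drive means the drive should be cleaned (delete RECYCLER and the autorun.inf) on a machine with Autorun disabled before it is plugged into anything else; on a network drive it means the hosting server and every client with write access to the share need to be scanned.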

Windows vulnerability exploit

Worm:Win32/Slenfbot.ALJ may attempt to spread by exploiting the MS06-040 vulnerability that affects Windows software. This is a vulnerability that allows remote code execution.

Payload

Backdoor access and control

Worm:Win32/Slenfbot.ALJ attempts to connect to an IRC server at "66.97.132.78" via a random TCP port, join a channel and wait for commands. Using this backdoor, an attacker can perform the following actions on your computer:

  • Join another IRC channel
  • Download and execute arbitrary files
  • Visit specified URLs
  • Spread via network shares

Terminates processes

Worm:Win32/Slenfbot.ALJ may terminate some or all of the following security-related processes on your computer:

  • billy.exe
  • cfp.exe
  • hijackthis.exe
  • mrt.exe
  • mrtstub.exe
  • tcpview.exe
  • teatimer.exe
  • usbguard.exe

It may also try to stop security-related services containing the following substrings in their name:

  • acs
  • afwserv.exe
  • ashserv.exe
  • cmdagent
  • ekrn
  • kpf4
  • nod32krn
  • outpost
  • sbpflnch
  • SCFService.exe
  • tmpfw
  • vsmon

Modifies system security settings

Worm:Win32/Slenfbot.ALJ modifies your computer's security by making a number of registry modifications.

It registers its own executable under the DisableNXShowUI application-compatibility layer, which opts the process out of DEP (data execution prevention) so that its code runs without that enforcement:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
Sets value: "<malware path and filename>"
With data: "DisableNXShowUI"

In subkey: HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
Sets value: "<malware path and filename>"
With data: "DisableNXShowUI"

It adds itself to the Windows Firewall authorized-applications list for both the standard and domain profiles, so that inbound connections to it are allowed:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "<malware path and filename>"
With data: "<malware path and filename>:*:Enabled:Windows Media iControl"

In subkey: HKCU\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "<malware path and filename>"
With data: "<malware path and filename>:*:Enabled:Windows Media iControl"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
Sets value: "<malware path and filename>"
With data: "<malware path and filename>:*:Enabled:Windows Media iControl"

In subkey: HKCU\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
Sets value: "<malware path and filename>"
With data: "<malware path and filename>:*:Enabled:Windows Media iControl"

Uses stealth

Worm:Win32/Slenfbot.ALJ also attempts to hide its process from Task Manager and other process monitoring tools.

Analysis by Jireh Sanico


Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of the following file:

    <system folder>\wmpnv32.exe
     
  • The presence of the following files on removable drives:

    RECYCLER\chgservice.exe
    RECYCLER\cmmon32.exe
    RECYCLER\drive32.exe
    RECYCLER\ecleaner.exe
    RECYCLER\iexplorer.exe
    RECYCLER\msvmiode.exe
    RECYCLER\nxqd.exe
    RECYCLER\rvhost.exe
    RECYCLER\serivces.exe
    RECYCLER\servicers.exe
    RECYCLER\svchos.exe
    RECYCLER\undmgr.exe
    RECYCLER\uninstall.exe
    RECYCLER\usbmngr.exe
    RECYCLER\woot.exe
    RECYCLER\wudfhost.exe
    RECYCLER\zaberg.exe

  • The presence of the following registry modifications:

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "Windows Media iControl"
    With data: "<malware path and filename>", for example "C:\WINDOWS\system32\wmpnv32.exe"

    In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "Windows Media iControl"
    With data: "<malware path and filename>"

    In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
    Sets value: "<malware path and filename>"
    With data: "DisableNXShowUI"

    In subkey: HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
    Sets value: "<malware path and filename>"
    With data: "DisableNXShowUI"

    In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    Sets value: "<malware path and filename>"
    With data: "<malware path and filename>:*:Enabled:Windows Media iControl"

    In subkey: HKCU\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    Sets value: "<malware path and filename>"
    With data: "<malware path and filename>:*:Enabled:Windows Media iControl"

    In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
    Sets value: "<malware path and filename>"
    With data: "<malware path and filename>:*:Enabled:Windows Media iControl"

    In subkey: HKCU\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
    Sets value: "<malware path and filename>"
    With data: "<malware path and filename>:*:Enabled:Windows Media iControl"
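To turn the indicators in this entry into a host check, the script below is added here as an example; it is not part of the Microsoft entry. It looks for the dropped file, the "Windows Media iControl" Run values described under Installation, the DisableNXShowUI layer and firewall authorized-application entries described under "Modifies system security settings", and any established TCP session to the IRC server address given under Payload (the port is random, so only the address is matched). It is read-only and assumes an elevated Windows PowerShell 3.0+ session; the HKCU keys checked are those of the user running the script, so repeat it per profile on shared machines.

```powershell
# Added example: check a host for the Slenfbot.ALJ indicators listed in this entry.
# Not part of the encyclopedia entry. Read-only; run elevated, PowerShell 3.0+ assumed.

$valueName = 'Windows Media iControl'
$c2Address = '66.97.132.78'
$system32  = Join-Path $env:SystemRoot 'System32'   # "<system folder>" in the entry

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$layerKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers',
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
)
$firewallKeys = foreach ($hive in 'HKLM:', 'HKCU:') {
    foreach ($profile in 'StandardProfile', 'DomainProfile') {
        "$hive\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\$profile\AuthorizedApplications\List"
    }
}

function Get-RegistryValues {
    # Returns name/data pairs for every value under a key, or nothing if the key is absent.
    param([string]$Key)
    if (-not (Test-Path $Key)) { return }
    $item = Get-Item -LiteralPath $Key
    foreach ($n in $item.GetValueNames()) {
        [pscustomobject]@{ Key = $Key; Name = $n; Data = [string]$item.GetValue($n) }
    }
}

function Test-SlenfbotHost {
    $f = @()
    $dropped = Join-Path $system32 'wmpnv32.exe'
    if (Test-Path -LiteralPath $dropped) { $f += "file: $dropped" }

    foreach ($v in ($runKeys | ForEach-Object { Get-RegistryValues $_ })) {
        if ($v.Name -eq $valueName) { $f += "run value: $($v.Key)\$($v.Name) = $($v.Data)" }
    }
    foreach ($v in ($layerKeys | ForEach-Object { Get-RegistryValues $_ })) {
        # The worm stores its own path as the value name with DisableNXShowUI as the data.
        if ($v.Data -match 'DisableNXShowUI') {
            if ($v.Name -match '(?i)\\wmpnv32\.exe$') { $f += "DEP opt-out (worm): $($v.Name)" }
            else                                       { $f += "DEP opt-out (review): $($v.Name)" }
        }
    }
    foreach ($v in ($firewallKeys | ForEach-Object { Get-RegistryValues $_ })) {
        # Data is "<path>:*:Enabled:<display name>"; the display name is the indicator.
        $displayName = ($v.Data -split ':')[-1]
        if ($displayName -eq $valueName -or $v.Name -match '(?i)\\wmpnv32\.exe$') {
            $f += "firewall exclusion: $($v.Key)\$($v.Name)"
        }
    }
    # netstat -ano works on every Windows version this entry covers; columns are
    # proto, local, remote, state, PID.
    $pattern = "^\s*TCP\s+\S+\s+$([regex]::Escape($c2Address)):\d+\s+\S+\s+\d+"
    foreach ($line in (netstat -ano | Where-Object { $_ -match $pattern })) {
        $procId = ($line.Trim() -split '\s+')[-1]
        $procName = (Get-Process -Id $procId -ErrorAction SilentlyContinue).ProcessName
        $f += "IRC connection: $($line.Trim()) (process $procName)"
    }
    $f
}

$findings = Test-SlenfbotHost
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'No Slenfbot.ALJ indicators found.' }
```

A "DEP opt-out (review)" line is not by itself a sign of this worm, since administrators and installers also use the Layers key; it is listed because a renamed copy of the worm would still need that entry to run without DEP.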


Alert level: Severe
First detected by definition: 1.131.132.0
Latest detected by definition: 1.203.984.0 and higher
First detected on: Jul 18, 2012
This entry was first published on: Jul 18, 2012
This entry was updated on: Sep 19, 2012

This threat is also detected as:
  • TR/Jorik.CB (Avira)
  • TROJ_SPNR.19HH12 (Trend Micro)
  • Trojan.Slenfbot!CWAv87o1cjE (VirusBuster)
  • Trojan.Win32.Jorik (Ikarus)
  • Trojan.Win32.Jorik.Slenfbot.axk (Kaspersky)
  • Win32/Slenfbot.AD (ESET)