This document describes an initial brief analysis of what we originally believed to be a new variant of the GaoBot, or AgoBot, worm for Microsoft Windows. The analysis was performed by Fortego Security during June 2004.
The AntiVirus software (from a major, well-known provider) in use by the client that had been infected by this worm did not detect it when using virus definitions of June 7th. We submitted a sample to the AntiVirus vendor for analysis on June 8th. We have not yet received any answer that confirms or dismisses our suspicion.
This worm adds these four entries to the Windows registry for automatic startup at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
C:\WINNT\System32\MsDtc\Driver\hiddenrun.exe Smss2.exe rand.dll
The program Hiddenrun.exe is not itself a worm, but it is used to hide the actions of the other programs from the user.
WinSrv.exe is a mIRC client software and is driven by a script to be a backdoor to the infected computer.
The WinSrv process connects locally through the System process on sequential TCP ports such as 1765, 1766, 1767, 1768, etc. System then connects onward to the destination IRC server. This "prevents" an analyst from directly seeing which process is trying to connect to the internet.
The client tries to connect to "bl00d.bl00d.net" on the fixed IP 18.104.22.168 on port 6384/TCP and to the IRC network "irc.wolfpac.org" on port 6667/TCP. The IP address traces back to a network in Vancouver, Canada. These ports are commonly known from e.g. GaoBot. The client uses the password "f1gx8UA/EF6es" and the nicks "fucked" or "bitch" with a number attached. We don't know whether these are static or individual.
WinSrv also opens and listens on ports 59/TCP and 113/TCP (auth) with the user ID "rip".
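The relay pattern above (WinSrv.exe talking to a loopback port that System owns, with System then holding the outbound IRC connection) is easy to miss when only the outbound side is examined. The following Python script is an added example, not code from the original report or from Fortego Security: it parses "netstat -ano"-style rows, pairs loopback connections across process IDs to find a relay, matches the C2 address and ports quoted above, and lists the 59/TCP and 113/TCP listeners. The netstat lines, the 192.168.x addresses, and the PID-to-image map are constructed for the example; the PIDs are invented.

```python
"""Netstat triage for the loopback relay and IRC C2 pattern described above.

Constructed sample: the netstat rows and the PID -> image map are made up to
mirror the report and are not captured from an infected host.
"""
from collections import namedtuple

# Indicators quoted in the report
C2_IPS = {"18.104.22.168"}
C2_PORTS = {6384, 6667}
SUSPICIOUS_LISTEN_PORTS = {59, 113}

Conn = namedtuple("Conn", "proto laddr lport raddr rport state pid")

# Constructed "netstat -ano" style output; PIDs and 192.168.x addresses are invented.
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:59            0.0.0.0:0              LISTENING       1224
  TCP    0.0.0.0:113           0.0.0.0:0              LISTENING       1224
  TCP    127.0.0.1:1765        127.0.0.1:1766         ESTABLISHED     1224
  TCP    127.0.0.1:1766        127.0.0.1:1765         ESTABLISHED     8
  TCP    192.168.1.20:1767     18.104.22.168:6384     ESTABLISHED     8
  TCP    192.168.1.20:1042     192.168.1.5:445        ESTABLISHED     4
  UDP    0.0.0.0:137           *:*                                    4
"""
# Constructed PID -> image name map, as "tasklist" would report it.
SAMPLE_PIDS = {8: "System", 1224: "WinSrv.exe", 4: "svchost.exe"}


def parse_netstat(text):
    """Parse the TCP rows of 'netstat -ano' output into Conn tuples; UDP rows are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue
        proto, local, remote, state, pid = parts
        laddr, lport = local.rsplit(":", 1)
        raddr, rport = remote.rsplit(":", 1)
        conns.append(Conn(proto, laddr, int(lport), raddr, int(rport), state, int(pid)))
    return conns


def _name(pids, pid):
    return pids.get(pid, str(pid))


def find_relays(conns, pids):
    """Find process A connected over loopback to process B, where B also holds an
    outbound (non-loopback) connection: A's traffic is being relayed through B.
    Returns (A, B, remote address, remote port) tuples."""
    est = [c for c in conns if c.state == "ESTABLISHED"]
    by_local = {(c.laddr, c.lport): c for c in est}
    findings = []
    for c in est:
        if not c.raddr.startswith("127."):
            continue
        peer = by_local.get((c.raddr, c.rport))  # the socket on the other end
        if peer is None or peer.pid == c.pid:
            continue
        for out in est:
            if out.pid == peer.pid and not out.raddr.startswith("127."):
                findings.append((_name(pids, c.pid), _name(pids, peer.pid), out.raddr, out.rport))
    return findings


def find_c2_connections(conns, pids):
    """Established connections to the quoted C2 address or the quoted IRC ports."""
    return [(_name(pids, c.pid), c.raddr, c.rport) for c in conns
            if c.state == "ESTABLISHED" and (c.raddr in C2_IPS or c.rport in C2_PORTS)]


def find_suspicious_listeners(conns, pids):
    """Processes listening on the 59/TCP and 113/TCP ports the report mentions."""
    return sorted({(_name(pids, c.pid), c.lport) for c in conns
                   if c.state == "LISTENING" and c.lport in SUSPICIOUS_LISTEN_PORTS})


def triage(text, pids):
    conns = parse_netstat(text)
    return {
        "relays": find_relays(conns, pids),
        "c2": find_c2_connections(conns, pids),
        "listeners": find_suspicious_listeners(conns, pids),
    }


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_NETSTAT, SAMPLE_PIDS).items():
        for hit in hits:
            print(kind, hit)
```

On a real host the same functions can be fed the captured output of "netstat -ano" and a PID map built from "tasklist"; the relay check is the useful part, since the C2 address and ports may differ between samples while the local loopback hop is what hides the real origin of the traffic.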
The file NTSrv.EXE is an FTP server, and the worm also contains configuration files for the "Serv-U FTP Server" v4.1 (22.214.171.124). It is configured to use SSL but is unable to load the SSL certificate file SERVUCERT.CRT because that file is not included. The FTP server was listening on port numbers 6891 and 43958. We have not analyzed whether the port numbers are randomized.
The program Smss2.exe appears to be an IRC fileserver.
It also tries to spread itself through shared Windows folders. It uses X-scan v.1.3 and has a built-in list of usernames and passwords, which also appears to be a little different from known variants of GaoBot.
The files below are relevant for removal of this worm, but we have not yet concluded whether they are all that needs to be removed to clean an infected system. They are found in the folder C:\WINNT\System32\MsDtc\Driver\ but might also be copied to other places.
msn.exe in this case is not Microsoft Messenger but rather a program that runs Xscan.exe.
xCmd.exe has been modified from the original in a way that makes it execute commands using hiddenrun.exe and run.bat to hide them from the user. The original xCmd is neither a worm nor a trojan, but rather a tool much like the great tool psexec.
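To tie the registry persistence entries and the file list together, here is an added Python example (not code from the original report or from Fortego Security) that reads a .reg export of the Run key, flags values launched from the C:\WINNT\System32\MsDtc\Driver\ folder or referencing the file names named in this report, and checks a list of file paths for those same names. The .reg text is constructed: the value names "Hidden Run", "WinSrv" and "NTSrv" are invented for the example and are not the names the worm uses, and the last two values are benign entries added for contrast.

```python
"""Persistence and file-indicator triage for the drop directory described above.

Constructed sample: the .reg export is invented to resemble the described entries;
its value names are guesses, not the worm's real value names.
"""
import re

DROP_DIR = r"C:\WINNT\System32\MsDtc\Driver"
# File names taken from the report (compared case-insensitively)
KNOWN_FILES = {"hiddenrun.exe", "smss2.exe", "rand.dll", "winsrv.exe", "ntsrv.exe",
               "msn.exe", "xscan.exe", "xcmd.exe", "run.bat", "infast.exe"}

# Constructed .reg export; value names are invented, benign entries for contrast.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Hidden Run"="C:\\WINNT\\System32\\MsDtc\\Driver\\hiddenrun.exe Smss2.exe rand.dll"
"WinSrv"="C:\\WINNT\\System32\\MsDtc\\Driver\\WinSrv.exe"
"NTSrv"="C:\\WINNT\\System32\\MsDtc\\Driver\\NTSrv.EXE"
"Synchronization Manager"="mobsync.exe /logon"
"Tray Helper"="C:\\Program Files\\Example\\tray.exe"
"""

# Constructed directory listing for the file check
SAMPLE_PATHS = [
    r"C:\WINNT\System32\MsDtc\Driver\WinSrv.exe",
    r"C:\WINNT\System32\MsDtc\Driver\xCmd.exe",
    r"C:\WINNT\System32\msdtc.exe",
]

VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_run_values(reg_text):
    """Return {value name: command} for every value under a CurrentVersion Run key."""
    values, in_run = {}, False
    for line in reg_text.splitlines():
        if line.startswith("["):
            in_run = line.strip("[]").lower().endswith(r"\currentversion\run")
            continue
        m = VALUE_RE.match(line) if in_run else None
        if m:
            # .reg exports double every backslash; undo that
            values[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return values


def basenames(command):
    """Lower-cased file name of each whitespace-separated token (path stripped).
    Naive for paths containing spaces, which is enough for this report's entries."""
    return {tok.strip('"').rsplit("\\", 1)[-1].lower() for tok in command.split()}


def flag_run_values(values):
    """List (name, command, reasons) for Run values tied to the drop dir or its files."""
    flagged = []
    for name, command in values.items():
        reasons = []
        if command.lower().startswith(DROP_DIR.lower()):
            reasons.append("launched from drop directory")
        hits = sorted(basenames(command) & KNOWN_FILES)
        if hits:
            reasons.append("references " + ", ".join(hits))
        if reasons:
            flagged.append((name, command, reasons))
    return flagged


def flag_files(paths):
    """From a list of full paths, return those whose file name is a known component."""
    return [p for p in paths if p.rsplit("\\", 1)[-1].lower() in KNOWN_FILES]


if __name__ == "__main__":
    for name, command, reasons in flag_run_values(parse_run_values(SAMPLE_REG)):
        print(f"{name!r}: {command}  <- {'; '.join(reasons)}")
    for path in flag_files(SAMPLE_PATHS):
        print("component file present:", path)
```

Because the value names differ between GaoBot variants, matching on the launched path and the referenced file names is more robust than matching on the names themselves; a real export can be produced with "reg export" and fed to parse_run_values unchanged.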
Looking at the registry changes above, there are some differences from other variants of GaoBot:
GaoBot.AOL "MS Config v13"="lrbz32.exe"
GaoBot.FO "Configuration Loader"="explore.exe"
GaoBot.ALW "System Service Manager"="norton.exe"
GaoBot.ALV "Bot Loader"="svchostt.exe"
GaoBot.ALU "Windows Security Manager"="%System%\svhost.exe"
GaoBot.ALO "Video Process"="%System%\sysconf.exe"
GaoBot.AIS "Network Services"="netsvacs.exe"
GaoBot.AJD "Automated Windows Updates"="wauclt.exe"
GaoBot.AJE "System Service Manager"="norton.exe"
Anyone interested in helping us to analyze this is welcome to download it here. The package is protected with the password "infected", as is common when sending samples to AntiVirus vendors.
On June 23rd we received a confirmation from Symantec. The sample we submitted is classified as an IRC Trojan. With the new virus definitions included below, the following files are now detected. The files are not used by any other program and are thus classified as non-repairable and should be deleted:
The file Infast.exe contains no malicious code, but it is a component file of a malicious program and it is better to delete it.
We have received the following Symantec Rapid Release virus definitions: rapid_updat32.exe