Last Updated: 2006-08-13 17:57:47 UTC
by Swa Frantzen (Version: 7)
We have multiple independent sources of reports at this time.
It looks like it's building a botnet (as we expected).
Signs defenders should look for:
- Filename: wgareg.exe, MD5: 9928a1e6601cf00d0b7826d13fb556f0 (this is the bot)
- Incoming traffic on 445/TCP, but note there is a lot of background noise on that port.
- Snort signatures firing on:
  - BLEEDING-EDGE EXPLOIT NETBIOS SMB-DS DCERPC NetrpPathCanonicalize request (possible MS06-040) [Bleedingsnort]
  - NETBIOS SMB-DS srvsvc NetrPathCanonicalize little endian overflow attempt [Sourcefire VRT]
- Outgoing traffic to bniu.househot.com:18067 (Command and Control center, multiple IPs, IRC)
- Outgoing traffic to ypgw.wallloan.com:18067 [we haven't seen those ourselves but do have multiple independent sources confirming it]
- Outgoing traffic to port 445/TCP (scanning for victims and exploiting them)
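The network indicators above can be turned into a small triage check. The script below is an added example (not ISC's code): it assumes a simple constructed "src -> dst:port" connection-log line shape and an assumed threshold of five distinct 445/TCP destinations before a host is flagged as scanning; the C2 hostnames, port and MD5 are the ones listed in this diary.

```python
import hashlib
import re
from collections import defaultdict

# Indicators taken from the diary entry above.
BOT_MD5 = "9928a1e6601cf00d0b7826d13fb556f0"
C2_HOSTS = {"bniu.househot.com", "ypgw.wallloan.com"}
C2_PORT = 18067
SCAN_THRESHOLD = 5  # assumed: distinct 445/TCP targets before we call it scanning

# Constructed sample lines in an assumed "src -> dst:port proto" shape, not a real product format.
SAMPLE_LOG = """\
2006-08-13 03:01:10 10.0.0.7 -> bniu.househot.com:18067 tcp
2006-08-13 03:01:11 10.0.0.7 -> 10.0.1.1:445 tcp
2006-08-13 03:01:11 10.0.0.7 -> 10.0.1.2:445 tcp
2006-08-13 03:01:12 10.0.0.7 -> 10.0.1.3:445 tcp
2006-08-13 03:01:12 10.0.0.7 -> 10.0.1.4:445 tcp
2006-08-13 03:01:13 10.0.0.7 -> 10.0.1.5:445 tcp
2006-08-13 03:02:00 10.0.0.9 -> fileserver.example:445 tcp
2006-08-13 03:02:05 10.0.0.9 -> www.example:80 tcp
"""

LINE_RE = re.compile(r"^\S+ \S+ (?P<src>\S+) -> (?P<dst>[^:\s]+):(?P<port>\d+) ")


def matches_bot_hash(data: bytes) -> bool:
    """True if the bytes hash to the wgareg.exe MD5 quoted in the diary."""
    return hashlib.md5(data).hexdigest() == BOT_MD5


def find_indicators(log_text: str) -> dict:
    """Return {src: [reasons]} for hosts showing the C2 beacon or the 445/TCP scanning pattern."""
    findings = defaultdict(list)
    smb_targets = defaultdict(set)  # src -> distinct hosts it touched on 445/TCP
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed shape
        src, dst, port = m["src"], m["dst"], int(m["port"])
        if dst in C2_HOSTS and port == C2_PORT:
            findings[src].append(f"C2 connection to {dst}:{port}")
        elif port == 445:
            smb_targets[src].add(dst)
    for src, targets in smb_targets.items():
        if len(targets) >= SCAN_THRESHOLD:
            findings[src].append(f"445/TCP to {len(targets)} distinct hosts (scanning)")
    return dict(findings)


if __name__ == "__main__":
    for host, reasons in find_indicators(SAMPLE_LOG).items():
        print(host, reasons)
```

A single internal host talking to a file server on 445/TCP is normal background and is not flagged; only the C2 beacon and the burst of distinct 445/TCP targets are.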
Please do not ask for samples at this point.
We have shared it with the usual anti-virus vendors already.
Should you find other activity of these bots, or a sample with a differing MD5, we would very much appreciate a copy via the contact page.
wgareg.exe messes with the Windows registry. One of the things it adds is a description of itself: "Ensures that your copy of Microsoft Windows is genuine and registered. Stopping or disabling this service will result in system instability." Right ... It also appears to change settings related to firewalls and sharing.
We ran the bot through VirusTotal.
Scan results:
Date: 08/13/2006 03:03:43 (CET)
AntiVir 126.96.36.199/20060812 found [HEUR/Crypted.Layered]
Authentium 4.93.8/20060812 found [Possibly a new variant of W32/Threat-HLLIM-based!Maximus]
Avast 4.7.844.0/20060810 found nothing
AVG 386/20060811 found nothing
BitDefender 7.2/20060813 found [Generic.Malware.IXdld.658BDD6B]
CAT-QuickHeal 8.00/20060812 found [(Suspicious) - DNAScan]
ClamAV devel-20060426/20060813 found nothing
DrWeb 4.33/20060812 found nothing
eTrust-InoculateIT 23.72.94/20060812 found nothing
eTrust-Vet 30.3.3012/20060811 found nothing
Ewido 4.0/20060812 found nothing
Fortinet 188.8.131.52/20060812 found nothing
F-Prot 3.16f/20060811 found [Possibly a new variant of W32/Threat-HLLIM-based!Maximus]
F-Prot4 184.108.40.206/20060811 found [W32/Threat-HLLIM-based!Maximus]
Ikarus 0.2.65.0/20060811 found nothing
Kaspersky 220.127.116.11/20060813 found nothing
McAfee 4827/20060811 found nothing
Microsoft 1.1508/20060804 found nothing
NOD32v2 1.1704/20060811 found [a variant of Win32/IRCBot.OO]
Norman 5.90.23/20060811 found [W32/Suspicious_M.gen]
Panda 18.104.22.168/20060812 found [Suspicious file]
Sophos 4.08.0/20060812 found nothing
Symantec 8.0/20060813 found nothing
TheHacker 22.214.171.124/20060810 found nothing
UNA 1.83/20060811 found nothing
VBA32 3.11.0/20060811 found nothing
VirusBuster 4.3.7:9/20060812 found nothing
LURHQ also has a story on the same subject by Joe Stewart, and they found a variant of the binary with a different MD5 and slightly different behaviour.
Thanks to all involved: William, Jim, Scott, Dan and all those I forgot.
Swa Frantzen -- Section 66