Backdoor.K0wbot Analysis

Virus analyzed by:

Bogdan Dragu

BitDefender Virus Researcher

http://www.bitdefender.com

HNS Note: BitDefender released Anti K0wbot program that finds and removes this virus. Our mirrored copy can be downloaded from here:

Name: Backdoor.K0wbot.1.2 / 1.3.A / 1.3.B

Aliases: W32.Kwbot.Worm

Type: Worm & Backdoor

Size: ~19 KB

Discovered: 17-26 June 2002

Detected: 17-26 June 2002 (GMT+2)

Spreading: High

Damage: Low

ITW: Yes

Symptoms:

– the file explorer32.exe in the Windows System folder;

– the “Windows Explorer Update Build 1142” registry entries in the registry keys HKLMSoftwareMicrosoftWindowsCurrentVersionRun and HKLMSoftwareMicrosoftWindowsCurrentVersionRunServices; the value of the entries is “explorer32”;

– a lot of copies of the virus (with different names, but all aprox. 19 KB in size) in the KaZaA shared folder – usually “C:Program FilesKaZaAMy Shared Folder”.

Technical description:

This is another Internet worm that uses the popular file sharing KaZaA network to spread; besides this, it includes an IRC remote control backdoor component. It is written in C and the executable is compressed and crypted; it also uses some protection techniques to make reverse-engineering difficult.

When run, the virus copies itself as explorer32.exe in the Windows System folder and registers this copy to be run at every Windows start-up by creating the registry entries described above.

The virus creates a temporary file (c:moo.reg) that is used to set the value of the registry entry HKEY_CURRENT_USERSoftwareKazaaLocalContentDisableSharing to 0 (in order to enable sharing of KaZaA files). The virus makes aprox. 150 copies of itself in the KaZaA shared folder, using the names of appealing software/media files:

The backdoor component connects to an IRC (Internet Relay Chat) server and allows remote control of the infected computer (after a password authentification), including the ability to perform the following actions on the “victim” computer:

– updating the virus by downloading a newer version;

– reporting information about the infected system (CPU speed, memory, operating system version, uptime, Internet connection type, local IP address etc.);

– reporting installed software (by sending the file c:moo.txt which lists the subfolders of the Program Files folder);

– performing different IRC commands, including flooding of other users of the chat server.

Manual Removal:

Remove (using REGEDIT) the registry entries described in the Symptoms section and delete the file “explorer32.exe” in the Windows System folder, then restart the computer. You should also delete all the copies of the virus in the KaZaA shared folder.

Don't miss