[virusinfo] Sophos Anti-Virus IDE alert: W32/Nackbot-D

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: virusinfo@xxxxxxxxxxxxx
  • Date: Mon, 05 Apr 2004 08:58:48 -0700


From: Sophos Alert System:

Name: W32/Nackbot-D
Aliases: Backdoor.Agobot.jy, W32.Randex.gen
Type: Win32 worm
Date: 5 April 2004

A virus identity (IDE) file which provides protection is
available now from the Sophos website, and will be incorporated
into the May 2004 (3.81) release of Sophos Anti-Virus.

Enterprise Manager and PureMessage customers will be
automatically protected at their next scheduled update.

At the time of writing, Sophos has received just one report of
this worm from the wild.


Information about W32/Nackbot-D can be found at:
http://www.sophos.com/virusinfo/analyses/w32nackbotd.html
Description
W32/Nackbot-D is a peer-to-peer (P2P) worm which spreads via shared folders
and has IRC backdoor functionality.
When run the worm copies itself to the Windows System (or System32) folder
as the file MSCLOCK.EXE. To ensure that the worm is run each time Windows is
started W32/Nackbot-D creates the registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Digital Clock = msclock.exe 

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Digital Clock = msclock.exe 

W32/Nackbot-D attempts to spread to randomly chosen IP addresses. The worm
attempts to access the C$, D$, E$ and Admin$ shares of the target computer
using a list of passwords contained within the worm. The worm then copies
itself to the Windows System (or System32) folder on the target computer as
MSCLOCK.EXE. 

W32/Nackbot-D contains backdoor components which can be controlled by a
remote attacker via IRC. The backdoor functions include the ability to
launch a distributed denial-of-service attack (DDoS). 

W32/Nackbot-D searches for the following virus, anti-virus and
security-related processes and terminates them if they are running:
_AVP32.EXE
_AVPCC.EXE
_AVPM.EXE
ACKWIN32.EXE
ADVXDWIN.EXE
ALERTSVC.EXE
amon.exe
ANTI-TROJAN.EXE
ANTITROJAN.EXE
ANTS.EXE
APVXDWIN.EXE
AUTODOWN.EXE
AVCONSOL.EXE
AVE32.EXE
AVGCTRL.EXE
AVKSERV.EXE
AVNT.EXE
AVP.EXE
AVP32.EXE
AVPCC.EXE
AVPDOS32.EXE
AVPM.EXE
AVPTC32.EXE
AVPUPD.EXE
AVSCHED32.EXE
AVWIN95.EXE
AVWUPD32.EXE
BLACKD.EXE
BLACKICE.EXE
bot.exe
CCAPP.EXE
CCEVTMGR.EXE
CCPXYSVC.EXE
CFIADMIN.EXE
CFIAUDIT.EXE
CFINET.EXE
CFINET32.EXE
CLAW95.EXE
CLAW95CF.EXE
CLEANER.EXE
CLEANER3.EXE
COMMVIEW.EXE
COMMVIEW32.EXE
CONNECTIONMONITOR.EXE
CPD.EXE
CPDCLNT.EXE
dcomx.exe
DEFWATCH.EXE
DFW.EXE
drweb.exe
Drweb32w.exe
drweb386.exe
Drwebupw.exe
Drwebwcl.exe
DUMP.EXE
DUMP1.EXE
DUMPED.EXE
DUMPED1.EXE
DVP95.EXE
DVP95_0.EXE
ECENGINE.EXE
EETHERCAP.EXE
EETHERCAP32.EXE
enbiei.exe
ESAFE.EXE
ESPWATCH.EXE
ETHERCAP.EXE
ETHERCAP32.EXE
EXPLORER32.EXE
F-AGNT95.EXE
F-PROT.EXE
F-PROT95.EXE
F-STOPW.EXE
FINDVIRU.EXE
FP-WIN.EXE
FPROT.EXE
FRW.EXE
GUARDDOG.EXE
IAMAPP.EXE
IAMSERV.EXE
IBMASN.EXE
IBMAVSP.EXE
ICLOAD95.EXE
ICLOADNT.EXE
ICMON.EXE
ICSUPP95.EXE
ICSUPPNT.EXE
IFACE.EXE
index.exe
IOMON98.EXE
IRIS.EXE
JEDI.EXE
KILL.EXE
KILLER.EXE
KPF4GUI.EXE
KPF4SS.EXE
LDNETMON.EXE
LOCKDOWN.EXE
LOCKDOWN2000.EXE
lolx.exe
LOOKOUT.EXE
LordPE.EXE
LordPE32.EXE
LUALL.EXE
MINILOG.EXE
MOOLIVE.EXE
MPFTRAY.EXE
MSBLAST.EXE
MSCONFIG.EXE
mslaugh.exe
mspatch.exe
N32SCANW.EXE
NAVAPSVC.EXE
NAVAPW32.EXE
NAVLU32.EXE
NAVNT.EXE
NAVW32.EXE
NAVWNT.EXE
NDD32.EXE
NETSTAT.EXE
NETUTILS.EXE
NISSERV.EXE
NISUM.EXE
NMAIN.EXE
nod.exe
nod32.exe
NORMIST.EXE
NPROTECT.EXE
NPSSVC.EXE
NTVDM.EXE
NUPGRADE.EXE
NVC95.EXE
NVSVC32.EXE
NWTOOL16.EXE
OUTPOST.EXE
PADMIN.EXE
PAVCL.EXE
PAVSCHED.EXE
PAVW.EXE
PCCWIN98.EXE
PCFWALLICON.EXE
penis32.exe
PERSFW.EXE
PM.exe
POPROXY.EXE
PORTMONITOR.EXE
PRKILLER.EXE
PROCDUMP.EXE
PROCDUMP32.EXE
PS.EXE
PSKILL.EXE
PSLIST.EXE
RAV7.EXE
RAV7WIN.EXE
REGEDIT.EXE
RESCUE.EXE
root32.exe
rpc.exe
rpctest.exe
RTVSCN95.EXE
RUNDDL31.EXE
SAFEWEB.EXE
SCAN32.EXE
SCAN95.EXE
SCANPM.EXE
SCRSCAN.EXE
scvhost.exe
SERV95.EXE
SMC.EXE
SPHINX.EXE
spider.exe
Spiderml.exe
spidernt.exe
SWEEP95.EXE
SWNETSUP.EXE
SymProxySvc.exe
SYSCFG32.EXE
SYSOTRAY32.EXE
TASKKILL.EXE
TASKLIST.EXE
TASKMGR.EXE
TBSCAN.EXE
TC.EXE
TCA.EXE
TCM.EXE
TCPDUMP.EXE
TCPDUMP32.EXE
TDS2-98.EXE
TDS2-NT.EXE
teekids.exe
tftpd.exe
VET95.EXE
VETTRAY.EXE
VPC32.EXE
VPTRAY.EXE
VSCAN40.EXE
VSECOMR.EXE
VSHWIN32.EXE
VSMON.EXE
VSSTAT.EXE
WEBSCANX.EXE
WFINDV32.EXE
WINDRIVER.EXE
WINEXEC.EXE
WINHEX.EXE
WINSOCK2.2.EXE
worm.exe
WRADMIN.EXE
WRCTRL.EXE
ZAPRO.EXE
ZLCLIENT.EXE
zlclient.exe
ZONEALARM.EXE 

W32/Nackbot-D can also be used to steal the Windows Product ID and the CD
keys from several computer games including:
Half-Life
Counter-Strike
Unreal Tournament 2003
Unreal Tournament 2004
Project IGI 2
Battlefield 1942
Battlefield: Vietnam
Battlefield 1942: Road To Rome
Rainbow Six III RavenShield
Neverwinter Nights
Soldier of Fortune II - Double Helix
Need For Speed Hot Pursuit 2
FIFA 2003
Command & Conquer: Generals

Recovery
Please follow the instructions for removing worms.

This IDE file also includes detection for:

W32/Sdbot-HC
http://www.sophos.com/virusinfo/analyses/w32sdbothc.html
W32/Spybot-BU
http://www.sophos.com/virusinfo/analyses/w32spybotbu.html
W32/Agobot-FQ
http://www.sophos.com/virusinfo/analyses/w32agobotfq.html
W32/Agobot-FR
http://www.sophos.com/virusinfo/analyses/w32agobotfr.html
Troj/StartPa-G
http://www.sophos.com/virusinfo/analyses/trojstartpag.html
W32/SdBot-CE
http://www.sophos.com/virusinfo/analyses/w32sdbotce.html
Dial/XXXDial-C
http://www.sophos.com/virusinfo/analyses/dialxxxdialc.html
Troj/Socks-A
http://www.sophos.com/virusinfo/analyses/trojsocksa.html
W32/Rbot-C
http://www.sophos.com/virusinfo/analyses/w32rbotc.html

Download the IDE file from:
http://www.sophos.com/downloads/ide/nackbotd.ide

Download all the IDE files available for the current version of 
Sophos Anti-Virus in a single compressed file. The file is
available in two formats:

Zip file:
http://www.sophos.com/downloads/ide/ides.zip

Self-extracting file:
http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html

---------------------------------------------------------------------
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 
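Added example (not part of the Sophos alert or of Mike's post): a small Python check, written from the defender's side, that parses a constructed `reg export`-style dump of the two Run keys named in the alert and flags the `Microsoft Digital Clock = msclock.exe` persistence entries, as well as any Run value whose data resolves to the dropped file MSCLOCK.EXE. The sample `.reg` text is constructed for the example; the key names, the value name and the file name are the ones the advisory gives.

```python
"""Check a .reg export of the Run/RunServices keys for the W32/Nackbot-D
persistence entries described in the Sophos alert.

Added example, not Sophos code. The registry export below is constructed
to look like the output of 'reg export' and is not a real capture.
"""
import re

# Indicators taken from the advisory text
PERSISTENCE_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)
VALUE_NAME = "Microsoft Digital Clock"
DROPPED_FILE = "msclock.exe"

# Constructed sample: one benign entry plus the two entries the worm creates
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Microsoft Digital Clock"="msclock.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft Digital Clock"="msclock.exe"
'''

# "name"="data", where both sides may contain \\ and \" escapes
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """Undo the two escapes 'reg export' uses inside string values."""
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg_export(text):
    """Parse the subset of .reg syntax 'reg export' emits for string values:
    [key] headers followed by "name"="data" lines. Returns {key: {name: data}}."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries.setdefault(current, {})
            continue
        if current is None:
            continue
        m = _VALUE_RE.match(line)
        if m:
            entries[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return entries


def find_nackbot_persistence(entries):
    """Return (key, value name, data) triples under the two Run keys that
    either carry the advisory's value name or point at msclock.exe.
    Comparison is case-insensitive because the registry is, and the data
    is reduced to its file name so a full path still matches."""
    wanted_keys = {k.lower() for k in PERSISTENCE_KEYS}
    hits = []
    for key, values in entries.items():
        if key.lower() not in wanted_keys:
            continue
        for name, data in values.items():
            basename = data.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if name.lower() == VALUE_NAME.lower() or basename == DROPPED_FILE:
                hits.append((key, name, data))
    return hits


def scan_reg_export(text):
    """Convenience wrapper: parse an export and return the suspicious entries."""
    return find_nackbot_persistence(parse_reg_export(text))


if __name__ == "__main__":
    for key, name, data in scan_reg_export(SAMPLE_REG_EXPORT):
        print(f"suspicious autorun: [{key}] {name} = {data}")
```

On a live Windows host the text for `scan_reg_export` would come from `reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` (and the same for `RunServices`); a hit on either key is the cue to follow the worm-removal steps the alert points to, and to check the System or System32 folder for MSCLOCK.EXE.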