ms06-040 worm analysis
Ok this worm is a nasty!
Its packed with something hardcore. Undetected by all the detectors I tried. Crashed my ollydbg even though I was hiding the debugger. A couple of things right off the bat:
- drops a file called wgareg.exe into c:\windows\system32
wants to connect to bniu.househot.com and ypgw.walloan.com
- it has irc botnet capabilities
- it messes with your windows firewall and genuine advantage settings as well as windows alerts.
- it definitly uses at least isdebuggerpresent to detect debugger
- looks like it also installs a service, but I don't know what yet.
- appears to edit the event logs
- I see it make a connection to 126.96.36.199 on port 18067 which is bniu.househot.com
Addresses: 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168
More as I get it.