ms06-040 worm analysis
OK, this worm is a nasty one!
It's packed with something hardcore. Undetected by all the detectors I tried. Crashed my OllyDbg even though I was hiding the debugger. A couple of things right off the bat:
- drops a file called wgareg.exe into c:\windows\system32
- wants to connect to bniu.househot.com and ypgw.walloan.com
- it has IRC botnet capabilities
- it messes with your Windows Firewall and Genuine Advantage settings as well as Windows alerts.
- it definitely uses at least IsDebuggerPresent to detect a debugger
- looks like it also installs a service, but I don't know what yet.
- appears to edit the event logs
- I see it make a connection to 220.127.116.11 on port 18067 which is bniu.househot.com
Addresses: 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52
More as I get it.
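As an added example (editor's code, not from the original post): a small sweep that runs the indicators listed above over constructed host and network log lines. The log format, the sample lines and the function names are assumptions; the hostnames, addresses, port and dropped-file path are the ones the post gives. Matching the raw addresses as well as the hostnames matters because the DNS names may resolve elsewhere later, and grouping hits by pid ties the file drop to the outbound connection from the same process.

```python
"""Sweep constructed host and network log lines for the indicators in the post.
Example code added by the editor, not from the original post; the log format,
sample lines and function names are assumptions."""
import re
from collections import defaultdict

# Indicators taken from the post (dropped file, hostnames, C2 endpoint, addresses).
DROPPED_FILE = r"c:\windows\system32\wgareg.exe"
C2_HOSTNAMES = {"bniu.househot.com", "ypgw.walloan.com"}
C2_ENDPOINTS = {("220.127.116.11", 18067)}
WORM_ADDRESSES = {"18.104.22.168", "22.214.171.124", "126.96.36.199",
                  "188.8.131.52", "220.127.116.11"}

# Constructed sample log (assumption: a simplified "<kind> key=value ..." format,
# not output of any real tool).
SAMPLE_LOG = """\
file path=C:\\Windows\\System32\\wgareg.exe action=create pid=1234
dns query=bniu.househot.com pid=1234
net dst=220.127.116.11 dport=18067 proto=tcp pid=1234
dns query=www.example.com pid=77
net dst=188.8.131.52 dport=80 proto=tcp pid=1234
file path=C:\\Windows\\System32\\notepad.exe action=create pid=99
"""

_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split '<kind> k=v k=v ...' into (kind, {k: v}); (None, {}) for blank lines."""
    parts = line.strip().split(None, 1)
    if not parts:
        return None, {}
    kind = parts[0]
    fields = dict(_KV.findall(parts[1])) if len(parts) > 1 else {}
    return kind, fields


def match_line(kind, fields):
    """Return the indicator names the parsed line matches (empty list if none)."""
    reasons = []
    if kind == "file" and fields.get("path", "").lower() == DROPPED_FILE:
        reasons.append("dropped file wgareg.exe")
    elif kind == "dns" and fields.get("query", "").lower() in C2_HOSTNAMES:
        reasons.append("DNS lookup of C2 hostname")
    elif kind == "net":
        dst = fields.get("dst", "")
        try:
            dport = int(fields.get("dport", "-1"))
        except ValueError:
            dport = -1
        if (dst, dport) in C2_ENDPOINTS:
            reasons.append("connection to C2 endpoint")
        elif dst in WORM_ADDRESSES:
            reasons.append("connection to known worm address")
    return reasons


def sweep(log_text):
    """Return [(line_number, pid, reasons)] for every line matching an indicator."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        kind, fields = parse_line(line)
        reasons = match_line(kind, fields)
        if reasons:
            hits.append((lineno, fields.get("pid"), reasons))
    return hits


def suspicious_pids(log_text):
    """Group hits by pid so a process that both dropped the file and reached a C2 stands out."""
    by_pid = defaultdict(set)
    for _, pid, reasons in sweep(log_text):
        by_pid[pid].update(reasons)
    return {pid: sorted(r) for pid, r in by_pid.items()}


if __name__ == "__main__":
    for lineno, pid, reasons in sweep(SAMPLE_LOG):
        print(f"line {lineno} pid {pid}: {', '.join(reasons)}")
    print(suspicious_pids(SAMPLE_LOG))
```

Run it against the constructed log and pid 1234 collects all four indicator types (file drop, DNS lookup, C2 endpoint, secondary address); the unrelated DNS query and the notepad.exe file event produce no hits.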