
ms06-040 worm analysis


Ok this worm is a nasty!

It's packed with something hardcore. Undetected by all the detectors I tried. It crashed my OllyDbg even though I was hiding the debugger. A couple of things right off the bat:

- drops a file called wgareg.exe into c:\windows\system32
wants to connect to and
- it has irc botnet capabilities
- it messes with your windows firewall and genuine advantage settings as well as windows alerts.
- it definitely uses at least IsDebuggerPresent to detect a debugger
- looks like it also installs a service, but I don't know what yet.
- appears to edit the event logs
- I see it make a connection to on port 18067 which is


More as I get it.


ROT Cipher

There is a rot cipher used by the C&C.
It uses grouped pairs, e.g. gj ca ek ep, etc. Rotate 36 positions with a base-0 character set [0..9][A..Z][a..z] to get hex, then change the hex back to ASCII.


"gjcaekepejeocacdgi" = "i JOIN #h"

gj ca ek ep ej eo ca cd gi =
69 20 4a 4f 49 4e 20 23 68
i JOIN #h
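The decoding described in this post, written out as an added example (not code from the original thread): each character is shifted 36 positions down the 62-character alphabet [0-9][A-Z][a-z], the result is read as a hex digit, and each pair of hex digits is one ASCII byte. The function names and the encoder direction are my additions; the sample string is the one quoted above.

```python
# Added example, not from the original post: decode/encode the C&C "ROT cipher".
# A ciphertext character c maps to ALPHABET[ALPHABET.index(c) - 36]; that is a
# hex digit, and pairs of hex digits are ASCII bytes.
import string

ALPHABET = string.digits + string.ascii_uppercase + string.ascii_lowercase  # 62 symbols
ROT = 36  # rotation amount stated in the post


def rot_pairs(cipher: str) -> list:
    """Return [(pair, hex_byte), ...] for a C&C string, mirroring the
    'gj ca ek ... = 69 20 4a ...' layout shown in the post."""
    if len(cipher) % 2:
        raise ValueError("ciphertext must have an even number of characters")
    out = []
    for i in range(0, len(cipher), 2):
        pair = cipher[i:i + 2]
        digits = ""
        for ch in pair:
            idx = ALPHABET.index(ch) - ROT
            if not 0 <= idx < 16:  # after rotation only 0-9 / A-F are valid hex
                raise ValueError(f"{ch!r} is not a character of this cipher")
            digits += ALPHABET[idx]
        out.append((pair, digits.lower()))
    return out


def rot_decode(cipher: str) -> str:
    """Decode a C&C string such as 'gjcaekepejeocacdgi' to plaintext."""
    hex_str = "".join(h for _, h in rot_pairs(cipher))
    return bytes.fromhex(hex_str).decode("ascii")


def rot_encode(plain: str) -> str:
    """Inverse direction (my addition): ASCII -> hex digits -> shift up by 36."""
    hex_str = "".join(format(b, "02X") for b in plain.encode("ascii"))
    return "".join(ALPHABET[ALPHABET.index(d) + ROT] for d in hex_str)


if __name__ == "__main__":
    sample = "gjcaekepejeocacdgi"  # string quoted in the post
    print(" ".join(p for p, _ in rot_pairs(sample)), "=")
    print(" ".join(h for _, h in rot_pairs(sample)))
    print(rot_decode(sample))
```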

cool stuff

thanks for the info.


KAV says it's packed with

KAV says it's packed with MEW.


I saw MEW somewhere in the disassembly so that makes sense.




Val, it identified the first time for me in PEiD. I was scanning in Hardcore mode.

Crashed Debugger?

> Crashed my ollydbg even though I was hiding the debugger.

What exactly did you do to "hide" the debugger?

Even if you use a plugin that claims to hide the debugger, the debugger process and binary have properties (process modules, strings, etc.) which malware can read to determine whether a debugger is present.

Try using CreateProcess() with the CREATE_SUSPENDED flag to get something harmless that the debugger could step through.

OllyDbg has a hide debugger

OllyDbg has a hide debugger module that mucks with the TEB to avoid the IsDebuggerPresent() check.

using create_suspended for analysis

Can anyone post some pointers to this method (mentioned by Ichinin)? I understand the concept but am having trouble actually doing it; I would ideally like a tutorial/walkthrough on how to use it for analysis.


ClamAV detection

As of [Clamav-virusdb] Update (daily: 1654), 2006-08-13 05:42 -600, 9928a1e6601cf00d0b7826d13fb556f0 is detected as: Trojan.IRCBot-689


I am new to the list and I am in need of the actual worm for the IRC mocbot worm. I have to test the effects in a VM to see if I can replicate some issues we are having on our lab systems. I have looked through the site and cannot find wgareg.exe; can someone point me in the right direction?

Thank you