ms06-040 worm analysis

OK, this worm is a nasty one!

It's packed with something hardcore. Undetected by all the detectors I tried. Crashed my OllyDbg even though I was hiding the debugger. A couple of things right off the bat:

- drops a file called wgareg.exe into c:\windows\system32
- wants to connect to bniu.househot.com and ypgw.walloan.com
- it has IRC botnet capabilities
- it messes with your Windows Firewall and Genuine Advantage settings as well as Windows alerts.
- it definitely uses at least IsDebuggerPresent() to detect a debugger
- looks like it also installs a service, but I don't know what yet.
- appears to edit the event logs
- I see it make a connection to 218.61.146.86 on port 18067, which is bniu.househot.com

Name: bniu.househot.com
Addresses: 218.61.146.86, 58.81.137.157, 61.163.231.115, 61.189.243.240
202.121.199.200, 211.154.135.30

More as I get it.

V.

ROT Cipher

There is a rot cipher used by the C&C.
It uses grouped pairs, e.g. gj ca ek ep, etc. Rotate 36 positions in a base-0 character set [0..9][A..Z][a..z] to get hex, then change the hex back to ASCII.

Example:

"gjcaekepejeocacdgi" = "i JOIN #h"

gj ca ek ep ej eo ca cd gi =
69 20 4a 4f 49 4e 20 23 68
-------------------------------------------
i JOIN #h
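As an added example (not code from the original post), here is a Python encoder/decoder that follows the rule above literally: each ciphertext character is rotated 36 positions back through the base-62 set [0..9][A..Z][a..z], the two results are read as one hex byte, and the bytes are turned back into ASCII. The character set and the rotation of 36 come from the post; the function names are my own. One consequence worth noting, which the post does not spell out: only the letters a..p rotate back onto a hex digit (a..j give 0..9, k..p give A..F), so the decoder rejects anything else instead of silently producing garbage.

```python
# Added example: encoder/decoder for the pair-based C&C encoding described
# in the post. Not the worm's own code; written from the posted description.

CHARSET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
ROT = 36  # positions the C&C rotates each character by (from the post)


def _unrotate(ch: str) -> str:
    """Rotate one ciphertext character 36 positions back in the base-62 set."""
    try:
        idx = CHARSET.index(ch)
    except ValueError:
        raise ValueError(f"{ch!r} is not in the base-62 charset") from None
    return CHARSET[(idx - ROT) % len(CHARSET)]


def _rotate(hexdigit: str) -> str:
    """Inverse of _unrotate: rotate an upper-case hex digit 36 positions forward."""
    return CHARSET[(CHARSET.index(hexdigit) + ROT) % len(CHARSET)]


def explain(ciphertext: str) -> list:
    """Return (pair, hex, char) triples, i.e. the three rows of the worked
    example above. Pairs may be space-separated or run together."""
    compact = "".join(ciphertext.split())
    if len(compact) % 2:
        raise ValueError("ciphertext must consist of whole pairs")
    rows = []
    for i in range(0, len(compact), 2):
        pair = compact[i:i + 2]
        hexpair = _unrotate(pair[0]) + _unrotate(pair[1])
        try:
            value = int(hexpair, 16)
        except ValueError:
            # e.g. 'q'..'z' rotate to 'G'..'P', which are not hex digits
            raise ValueError(f"pair {pair!r} does not rotate onto a hex byte") from None
        rows.append((pair, hexpair.lower(), chr(value)))
    return rows


def decode(ciphertext: str) -> str:
    """Decode C&C text such as 'gjcaekepejeocacdgi' to ASCII."""
    return "".join(char for _, _, char in explain(ciphertext))


def encode(plaintext: str) -> str:
    """Encode text the way the C&C does; inverse of decode()."""
    return "".join(_rotate(d) for b in plaintext.encode("latin-1") for d in f"{b:02X}")


if __name__ == "__main__":
    # Constructed sample: the exact string from the post.
    sample = "gjcaekepejeocacdgi"
    rows = explain(sample)
    print(" ".join(p for p, _, _ in rows))
    print(" ".join(h for _, h, _ in rows))
    print(decode(sample))          # i JOIN #h
    print(encode("i JOIN #h"))     # gjcaekepejeocacdgi
```

Running the block prints the same three rows as the worked example. To decode a captured C&C line, pass it to decode(); an odd-length string or a character outside a..p raises ValueError rather than returning a plausible-looking but wrong command.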

cool stuff

thanks for the info.

V.

KAV says it's packed with

KAV says it's packed with MEW.

cool

I saw MEW somewhere in the disassembly so that makes sense.

thanks

V.

PEiD

Val, it identified the first time for me in PEiD. I was scanning in Hardcore mode.

Crashed Debugger?

> Crashed my ollydbg even though I was hiding the debugger.

What exactly did you do to "hide" the debugger?

Even if you use the plugins that claim to hide the debugger, the debugger process and binary have properties (process modules, strings, etc.) which malware can read to determine whether a debugger is present or not.

Try using CreateProcess() with the CREATE_SUSPENDED flag to get something harmless that the debugger could step through.

OllyDbg has a hide debugger

OllyDbg has a hide debugger module that mucks with the TEB to avoid the IsDebuggerPresent() check.

using create_suspended for analysis

Can anyone post some pointers to this method (mentioned by Ichinin)? I understand the concept but am having trouble actually doing it; I would ideally like a tutorial/walkthrough on how to actually use it for analysis.

thanks

ClamAV detection

As of [Clamav-virusdb] Update (daily: 1654), 2006-08-13 05:42 -600, 9928a1e6601cf00d0b7826d13fb556f0 is detected as: Trojan.IRCBot-689

IRC-MOCBOT Worm

I am new to the list and I am in need of the actual worm for the IRC Mocbot worm. I have to test the effects in a VM to see if I can replicate some issues we are having on our lab systems. I have looked through the site and cannot find the wgareg.exe; can someone point me in the right direction?

Thank you