W32/Nirbot.worm!83E1220A

Type
Internet Worm
SubType
Internet Relay Chat Worm
Discovery Date
04/16/2007
Length
199,680 bytes
Minimum DAT
5011 (04/17/2007)
Updated DAT
5053 (06/14/2007)
Minimum Engine
5.1.00
Description Added
04/16/2007
Description Modified
04/16/2007 10:25 PM (PT)
Risk Assessment
Corporate User
Low-Profiled
Home User
Low-Profiled

Overview

W32/Nirbot.worm!83E1220A is an Internet Relay Chat (IRC) controlled backdoor that provides an attacker with unauthorized remote access to the compromised computer. An attacker can gain control over the compromised computer and use it to send spam, install adware, distribute illegal content or launch a DDoS attack against Internet systems. This is a variant of W32/Nirbot.worm.gen. More information regarding this bot can be found here.

Characteristics

-- Update April 16, 2007 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://news.com.com/2061-10789_3-6176593.html


This variant of W32/Nirbot.worm.gen also attempts to exploit the Microsoft DNS Server Service RPC vulnerability (CVE-2007-1748) on DNS servers. More information regarding this vulnerability can be found at:

According to our research, this bot uses the following IRC commands to scan for hosts with the RPC interface enabled:

  • .scan.stop -s
  • .scan.start DNS 25 -s
  • .scan.start DNS 25 -a -s
  • .scan.start DNS x.x.x.x 25 -s

Additional variants that exploit the Microsoft DNS Server Service RPC vulnerability are being discovered. They may use the following filename(s):

  • mozila.exe (W32/Nirbot.worm!RpcDns)
  • mdnex.exe (W32/Nirbot.worm!83E1220A)

When the exploit is successful, it may download a copy of the worm to C:\U.exe from an HTTP server hosted on a random port on the attacking host.

This bot attempts to contact its command and control channel at the following IRC server(s) on TCP port 8080:

  • {blocked}.rofflewaffles.us
  • {blocked}.anti-viral.us
  • {blocked}.wayne.brady.gonna.have.to.chokeabitch.us

It also contacts the following URL(s) for further downloads:

  • hxxp://209.97.218.21/{blocked}/mdnex.exe
  • hxxp://209.97.218.21/{blocked}/mozila.exe
  • hxxp://www.tgi{blocked}.com/radi.exe

This is a variant of W32/Nirbot.worm.gen. Additional characteristics regarding this bot can be found here. Future variants may be detected as W32/Nirbot.worm!RpcDns.

Symptoms

  • Presence of the files mentioned.
  • Unusual network activity, specifically IRC traffic.
  • Unexpected internal HTTP traffic over non-standard ports.
  • Unusual DNS queries. Some variants have been observed sending DNS queries for various non-existent domains to verify that they are connected to a real DNS server, which hinders analysis in simulated environments.

Method of Infection

This W32/Nirbot.worm variant scans for vulnerable machines on the network and uses the same vulnerabilities as W32/Nirbot.worm.gen plus the new RPC vulnerability.

Removal

A combination of the latest DATs and the Engine will detect and remove this threat. AVERT recommends that users not trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

N/A