W32.HLLW.Acebo

Discovered: March 06, 2002
Updated: March 15, 2002 8:01:39 PM
Systems Affected: Windows

W32.HLLW.Acebo is a distributed denial of service (DDoS) agent that receives its commands through Internet Relay Chat (IRC). The agent will also accept commands that allow it to function as a back door server.

Acebot propagates through open NetBIOS shares by copying itself to the Startup folder of the Windows Start Menu on the shared drive, so that the file is executed the next time Windows starts on that system.

W32.HLLW.Acebo is a distributed denial of service (DDoS) agent that also gives a remote attacker back door access to the compromised system. It uses its own built-in Internet Relay Chat (IRC) client as its communications channel. Compromised systems connect to the IRC channel #acebots on irc.dalnet.com and wait for commands.

The agent also has worm capabilities, which it uses to propagate through open file shares. It scans for open NetBIOS shares and attempts to copy its executable file to each share it finds. It also maps the open share to drive W on the originating system and then copies the installation program to W:\WINDOWS\Start Menu\Programs\StartUp\ so that it is executed the next time Windows starts on the remote system. Because this path is fixed, propagation only succeeds if the share that Acebot is copied to is the root of the drive that Windows is installed on. If a drive W already exists on the originating system, the mapping fails and propagation fails with it.

When Acebo's executable file is run, it first checks for the presence of the file C:\logging.ini. If this file is present, the agent treats the system as already compromised and sets an already-infected flag in the program. This appears to cause some of the logging behaviour to be bypassed.

Once the agent is installed on the system, it will join the #acebots channel on irc.dalnet.com. The controller of the DDoS network can then issue commands to the compromised system through any IRC client. Some of the commands are as follows:
:!ping - pings a specified IP address from the compromised system.
:!udp - launches a UDP-based DDoS attack against the specified IP address.
:!igmp - launches an IGMP-based DDoS attack against the specified IP address.
:!stop - stops the current DDoS attack.
:!run - executes a specified file on the compromised system.
:!passwords - retrieves RAS and dial-up login credentials from the compromised system and reports them to the IRC server in the following format:
ISP: [ISP Name], User: [Username], Password: [Password], Phone: [Phone number]
:!download - downloads a specified file to the compromised system.
:!sleep - puts the agent to sleep for a specified number of seconds; this can also be used to pause an attack.
:!update - updates the agent remotely.
:!logoff - forces the currently logged-on user on the compromised system to log off.
:!reboot - forces the compromised system to reboot.
:!shutdown - forces the compromised system to shut down.
:!version - reports the version of the Acebot agent to the remote user.
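Detection logic for the C2 traffic described above, as an added example that is not part of the original writeup: a small Python parser for raw IRC lines, with rules that flag the welcome reply from irc.dalnet.com, a JOIN to #acebots, any of the listed bot commands, and the credential report format. The leading colon on each command in the list above is taken to be the IRC trailing-parameter delimiter, so the message text on the wire begins with "!"; that reading is an assumption. The sample session, nicknames and addresses are constructed for the demonstration, and the passwords in credential reports are deliberately kept out of the alert text.

```python
import re

# Bot commands listed in the writeup. On the wire the leading ':' of ":!udp"
# is the IRC trailing-parameter delimiter, so the message text starts with '!'.
ACEBO_COMMANDS = {
    "ping", "udp", "igmp", "stop", "run", "passwords", "download",
    "sleep", "update", "logoff", "reboot", "shutdown", "version",
}
C2_SERVER = "irc.dalnet.com"
C2_CHANNEL = "#acebots"

# Credential report format from the writeup:
#   ISP: [ISP Name], User: [Username], Password: [Password], Phone: [Phone number]
CRED_REPORT = re.compile(
    r"^ISP:\s*(?P<isp>.*?),\s*User:\s*(?P<user>.*?),"
    r"\s*Password:\s*(?P<password>.*?),\s*Phone:\s*(?P<phone>.*)$"
)


def parse_irc(line):
    """Split a raw IRC line into (prefix, command, params, trailing).

    prefix is the part after a leading ':' (server name or nick!user@host);
    trailing is the text after ' :' (None if absent).
    """
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    command = parts[0].upper() if parts else ""
    return prefix, command, parts[1:], (trailing if sep else None)


def detect_acebo(lines):
    """Run the Acebo rules over raw IRC lines; return (line_no, rule, detail) alerts.

    Passwords in credential reports are never copied into the alert text.
    """
    alerts = []
    for no, raw in enumerate(lines, 1):
        prefix, cmd, params, trailing = parse_irc(raw)
        nick = prefix.split("!", 1)[0] if prefix else "?"
        if cmd == "001" and prefix and prefix.lower() == C2_SERVER:
            who = params[0] if params else "?"
            alerts.append((no, "c2-server", f"{who} registered with {prefix}"))
        elif cmd == "JOIN":
            chan = params[0] if params else (trailing or "")
            if chan.lower() == C2_CHANNEL:
                alerts.append((no, "c2-channel-join", f"{nick} joined {chan}"))
        elif cmd == "PRIVMSG" and trailing is not None:
            target = params[0] if params else "?"
            m = CRED_REPORT.match(trailing)
            if m:
                alerts.append((no, "credential-exfil",
                               f"{nick} reported dial-up credentials for ISP {m['isp']!r}, "
                               f"user {m['user']!r} (password withheld)"))
            elif trailing.startswith("!"):
                words = trailing[1:].split()
                if words and words[0].lower() in ACEBO_COMMANDS:
                    # UDP/IGMP floods are the attack commands; everything else is control.
                    rule = "ddos-command" if words[0].lower() in ("udp", "igmp") else "bot-command"
                    alerts.append((no, rule, f"{nick} -> {target}: !{' '.join(words)}"))
    return alerts


# Constructed sample session (nicks, hosts and addresses are made up for the demo).
SAMPLE_IRC = [
    ":irc.dalnet.com 001 xk92a :Welcome to the Internet Relay Network xk92a",
    ":xk92a!user@203.0.113.5 JOIN :#acebots",
    ":ctrl!op@198.51.100.7 PRIVMSG #acebots :!version",
    ":ctrl!op@198.51.100.7 PRIVMSG #acebots :!udp 192.0.2.10",
    ":ctrl!op@198.51.100.7 PRIVMSG #acebots :!passwords",
    ":xk92a!user@203.0.113.5 PRIVMSG #acebots :ISP: Example ISP, User: jdoe, Password: hunter2, Phone: 555-0100",
    ":ctrl!op@198.51.100.7 PRIVMSG #acebots :!stop",
    ":alice!a@192.0.2.44 PRIVMSG #linux :!help with grub please",  # benign: not an Acebo command
]

if __name__ == "__main__":
    for no, rule, detail in detect_acebo(SAMPLE_IRC):
        print(f"line {no:2d}  {rule:16s} {detail}")
```

The rules key on the protocol fields rather than on substrings, so a benign "!help" in another channel does not fire, while a real session produces one alert per control message plus a separate, password-free alert for the credential report.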

Several log files are also created when the agent is installed. First, the agent creates the directory C:\Logs, then creates the following files in that directory (the purpose of some of the log files has not yet been determined):
infections.log - contains a list of machines infected over NetBIOS
IPReport.log
IPs.log - contains a list of systems connected to the #acebots IRC channel
msse.ini
recived.log
Scan.log
servmsg.log - contains messages sent to the Acebot agent from the IRC server
Socket.abc
Misc.log - contains ident requests sent to the Acebot agent

To run at Windows startup, the agent creates entries in two startup locations:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Diagnostic = "C:\WINNT\System32\<random characters>.exe"

C:\WINDOWS\Start Menu\Programs\StartUp\<random characters>.exe
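A host-side check for the artifacts described above (the C:\logging.ini marker, the files under C:\Logs, an executable in the StartUp folder and the "Microsoft Diagnostic" Run value), as an added example that is not Symantec's tool or the agent's own code. The Run-key snapshot is passed in as a dictionary so the scan runs offline; on a live Windows host read_run_values() reads it with winreg. The fixture directory, the executable name qzxvb.exe and the second Run value are constructed for the demonstration; the agent's real file names are random, so the StartUp check flags any .exe rather than a fixed name.

```python
import os
import tempfile

# Host artifacts from the writeup, relative to the system drive root.
# Name comparisons are case-insensitive because Windows file systems are.
MARKER_FILE = "logging.ini"
LOG_DIR = "Logs"
LOG_FILES = {"infections.log", "ipreport.log", "ips.log", "msse.ini", "recived.log",
             "scan.log", "servmsg.log", "socket.abc", "misc.log"}
STARTUP_DIR = os.path.join("WINDOWS", "Start Menu", "Programs", "StartUp")
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "microsoft diagnostic"


def read_run_values():
    """Return {name: data} for HKLM\\...\\Run on a live Windows host, {} elsewhere."""
    try:
        import winreg
    except ImportError:
        return {}
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:  # no more values
                break
            values[name] = str(data)
            i += 1
    return values


def scan_host(root, run_values):
    """Check one system drive root plus a Run-key snapshot for Acebo artifacts.

    Returns (kind, detail) findings in a fixed order so hosts are easy to compare.
    """
    findings = []
    marker = os.path.join(root, MARKER_FILE)
    if os.path.isfile(marker):
        findings.append(("marker", marker))
    logs = os.path.join(root, LOG_DIR)
    if os.path.isdir(logs):
        hits = sorted(f for f in os.listdir(logs) if f.lower() in LOG_FILES)
        if hits:
            findings.append(("log-files", ", ".join(hits)))
    startup = os.path.join(root, STARTUP_DIR)
    if os.path.isdir(startup):
        for f in sorted(os.listdir(startup)):
            if f.lower().endswith(".exe"):
                findings.append(("startup-exe", os.path.join(startup, f)))
    for name, data in run_values.items():
        if name.lower() == RUN_VALUE_NAME:
            findings.append(("run-key", f"{name} = {data}"))
    return findings


def build_demo_tree():
    """Constructed fixture: a temp directory standing in for C:\\ on an infected host."""
    root = tempfile.mkdtemp(prefix="acebo_demo_")
    open(os.path.join(root, MARKER_FILE), "w").close()
    os.makedirs(os.path.join(root, LOG_DIR))
    for f in ("infections.log", "IPs.log", "servmsg.log", "unrelated.txt"):
        open(os.path.join(root, LOG_DIR, f), "w").close()
    os.makedirs(os.path.join(root, STARTUP_DIR))
    open(os.path.join(root, STARTUP_DIR, "qzxvb.exe"), "w").close()  # constructed random name
    return root


# Constructed Run-key snapshot; only the "Microsoft Diagnostic" name comes from the writeup.
DEMO_RUN_VALUES = {
    "Microsoft Diagnostic": r"C:\WINNT\System32\qzxvb.exe",
    "SoundMixer": r"C:\Program Files\Audio\mixer.exe",
}

if __name__ == "__main__":
    for kind, detail in scan_host(build_demo_tree(), DEMO_RUN_VALUES):
        print(f"{kind:12s} {detail}")
    # On a real host: scan_host("C:\\", read_run_values())
```

A single finding is worth following up: the marker file alone means the agent has run at least once, and a StartUp executable or the Run value means it will run again at the next logon.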

Acebo also kills the processes of the following personal firewalls:
Sygate Personal Firewall
Tiny Personal Firewall
ZoneAlarm Pro
ZoneAlarm