W32.Loxbot.D


Discovered: January 06, 2006
Updated: January 06, 2006 6:51:49 AM
Systems Affected: Windows

W32.Loxbot.D is a worm that spreads through AOL Instant Messenger and opens a back door on the compromised computer, allowing a remote attacker to issue various commands. The worm also installs a rootkit driver to hide its process in memory.


When the worm is executed, it copies itself as %System%\lockbar.exe.

The worm then creates the following registry entries so that it is executed every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"freexstyle" = "lockbar.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\"freexstyle" = "lockbar.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"freexstyle" = "lockbar.exe"

The worm sets the following registry entry to disable the Windows Firewall:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\"EnableFirewall" = "0"

The worm then drops and executes the file C:\xz.bat to disable the following services:
Windows Security Center (service name wscsvc)
Windows Firewall/Internet Connection Sharing (ICS) (service name SharedAccess)

The worm installs the following driver:
%System%\msdirectx.sys (Hacktool.Rootkit)

For the driver, the worm creates a service with the following properties:
Service Name: msdirectx
Display Name: msdirectx

The worm then opens a back door and contacts the IRC server irc.q8devils.com on TCP port 1751, allowing a remote attacker to perform any of the following actions:
Disconnect or reconnect to the server
Download and execute files
Flush DNS cache
Generate a new random nickname
Update itself with a new version of the worm

The worm sends a link that contains a copy of the worm to all the online AOL Instant Messenger contacts on the compromised computer.
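The following triage script is an added example and is not part of the original write-up or any vendor tool. It checks a suspect Windows host for the indicators listed above: the freexstyle autostart values, lockbar.exe and msdirectx.sys in the system directory, C:\xz.bat, the msdirectx driver service, the EnableFirewall tampering, the disabled services, and live connections to TCP port 1751. The indicator names and paths come from the write-up; the finding record format, the use of wscsvc as the service name for Windows Security Center, and the driverquery and netstat cross-checks are this example's own additions. Run it from an elevated PowerShell session.

```powershell
# Added example, not from the original write-up: W32.Loxbot.D host triage.
# Indicator names/paths are those given in the write-up; everything else
# (finding format, wscsvc service name, cross-checks) is this example's own.

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Kind, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Detail = $Detail })
}

# 1. Autostart values the worm writes: name "freexstyle", data "lockbar.exe"
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    # A missing key or value raises a non-terminating error; treat it as "not present".
    $entry = Get-ItemProperty -Path $key -Name 'freexstyle' -ErrorAction SilentlyContinue
    if ($entry) { Add-Finding 'Autostart' "$key\freexstyle = $($entry.freexstyle)" }
}

# 2. Dropped files: the worm copy and rootkit driver in %System%, plus C:\xz.bat
$system = [Environment]::GetFolderPath('System')
$paths = @((Join-Path $system 'lockbar.exe'), (Join-Path $system 'msdirectx.sys'), 'C:\xz.bat')
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) {
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        Add-Finding 'File' "$p (SHA256 $hash)"
    }
}

# 3. The msdirectx driver service. It is a kernel driver, so Get-Service will not
#    list it; inspect its Services key and ask driverquery whether it is loaded.
$drvKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\msdirectx'
if (Test-Path -LiteralPath $drvKey) {
    $img = (Get-ItemProperty -Path $drvKey -ErrorAction SilentlyContinue).ImagePath
    Add-Finding 'DriverService' "$drvKey (ImagePath = $img)"
}
$loaded = driverquery /fo csv | ConvertFrom-Csv | Where-Object { $_.'Module Name' -eq 'msdirectx' }
if ($loaded) {
    Add-Finding 'DriverLoaded' 'msdirectx is loaded; process listings taken on this host are untrustworthy'
}

# 4. Firewall policy tampering: EnableFirewall forced to 0 in the StandardProfile
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
$fw = Get-ItemProperty -Path $fwKey -Name 'EnableFirewall' -ErrorAction SilentlyContinue
if ($fw -and [int]$fw.EnableFirewall -eq 0) { Add-Finding 'Firewall' "$fwKey\EnableFirewall = 0" }

# 5. Services xz.bat disables: SharedAccess (Windows Firewall/ICS) and wscsvc (Security Center).
#    Only a Disabled start mode is flagged; a stopped SharedAccess is normal on Vista and later,
#    where the firewall itself runs as MpsSvc.
foreach ($name in 'SharedAccess', 'wscsvc') {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
    if ($svc -and $svc.StartMode -eq 'Disabled') {
        Add-Finding 'Service' "$name StartMode=$($svc.StartMode) State=$($svc.State)"
    }
}

# 6. Live command-and-control indicators: TCP connections to remote port 1751 and the
#    C2 hostname in the resolver cache (the worm can flush the cache, so absence proves nothing)
netstat -ano | ForEach-Object {
    $f = @(($_ -split '\s+') | Where-Object { $_ })   # Proto, Local, Foreign, State, PID
    if ($f.Count -ge 5 -and $f[0] -eq 'TCP' -and $f[2] -match ':1751$') {
        Add-Finding 'Network' "TCP to $($f[2]) state $($f[3]) pid $($f[4])"
    }
}
if (ipconfig /displaydns | Select-String -SimpleMatch 'irc.q8devils.com') {
    Add-Finding 'DNS' 'irc.q8devils.com present in the resolver cache'
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32.Loxbot.D indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Treat a DriverLoaded finding as the most important one: once msdirectx.sys is resident, any process or file enumeration performed from inside the running system can be filtered by the rootkit, so confirm the remaining indicators from outside the host (offline disk image or a boot from clean media) before trusting a clean result. Cleanup also needs more than deleting lockbar.exe: remove the three freexstyle values, the msdirectx service key, and restore EnableFirewall and the service start modes that xz.bat changed.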