W32.Wargbot

Discovered: August 13, 2006
Updated: August 13, 2006 2:55:51 PM
Also Known As: WORM_IRCBOT.JK [Trend], WORM_IRCBOT.JL [Trend], IRC-Mocbot!MS06-040 [McAfee], IRCBot.st [F-Secure], Win32/Cuebot.J [Computer Associates], W32/Cuebot-L [Sophos], CME-482 [Common Malware Enumeration], CME-762 [Common Malware Enumeration], W32/Opanki-DD [Sophos]
Systems Affected: Windows
CVE References: CVE-2006-3439

W32.Wargbot is a worm with back door capabilities that exploits the Microsoft Windows Server Service Remote Buffer Overflow Vulnerability (BID 19409). The worm may attempt to download a copy of Backdoor.Ranky.X (MCID 8520).

Antivirus Protection Dates

  • Initial Rapid Release version August 13, 2006
  • Latest Rapid Release version May 07, 2019 revision 006
  • Initial Daily Certified version August 13, 2006
  • Latest Daily Certified version May 07, 2019 revision 008
  • Initial Weekly Certified release date August 16, 2006

Technical Description

When the worm executes, it copies itself as the following file:
%System%\wgareg.exe

The worm creates a service with the following characteristics:
Display Name: Windows Genuine Advantage Registration Service
Image Path: %System%\wgareg.exe

The worm also creates the following registry subkey associated with the above service:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wgareg

The worm then modifies the following registry entry to disable DCOM:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\"enabledcom" = "n"

The worm also modifies the following registry entries in order to lower security settings:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\"restrictanonymous" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\"restrictanonymoussam" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\lanmanserver\parameters\"autoshareserver" = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\lanmanserver\parameters\"autosharewks" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\"antivirusdisablenotify" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\"antivirusoverride" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\"firewalldisablenotify" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\"firewalldisableoverride" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windowsfirewall\domainprofile\"enablefirewall" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windowsfirewall\standardprofile\"enablefirewall" = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\"Start" = "4"

Next, the worm injects a program into the following process in order to delete the original worm file:
explorer.exe

The worm then creates the following file:
%Windir%\debug\dcpromo.log
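The file, service, registry and log artifacts listed above are enough to build a read-only host audit. The following PowerShell script is an added example, not part of the Symantec write-up; it checks a Windows host for each artifact the advisory names and weights them, because several of the registry values (RestrictAnonymous, the AutoShare entries, and a dcpromo.log on a former domain controller) also occur on legitimately hardened machines. The value spellings and paths are the advisory's; the "strong"/"weak" weighting is this example's own assumption.

```powershell
# Added example, not from the Symantec advisory. Read-only audit of a Windows
# host for the W32.Wargbot artifacts listed in the text above. Run in an
# elevated PowerShell session; it reports findings and changes nothing.
$findings = New-Object System.Collections.Generic.List[string]

# --- Dropped file, service and service key (names taken from the advisory) ---
$dropPath = Join-Path $env:SystemRoot 'System32\wgareg.exe'
if (Test-Path -LiteralPath $dropPath) {
    $findings.Add("STRONG: dropped file present: $dropPath")
}
$svc = Get-Service -Name 'wgareg' -ErrorAction SilentlyContinue
if ($svc) {
    $findings.Add("STRONG: service 'wgareg' present (display name '$($svc.DisplayName)', status $($svc.Status))")
}
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\wgareg'
if (Test-Path -LiteralPath $svcKey) {
    $img = (Get-ItemProperty -LiteralPath $svcKey -ErrorAction SilentlyContinue).ImagePath
    $findings.Add("STRONG: service key $svcKey present (ImagePath='$img')")
}

# --- Registry values the worm writes (path, value name, value written).
# Weighting is an assumption of this example: Security Center, firewall policy
# and a disabled SharedAccess service are rarely set this way on a healthy
# host ('Strong'); RestrictAnonymous and AutoShare* also appear in legitimate
# hardening ('Weak') and only matter when stacked with the other findings.
$wormValues = @(
    @{ Path='HKLM:\SOFTWARE\Microsoft\Ole';                                      Name='enabledcom';              Bad='N'; Weight='Weak' },
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                        Name='restrictanonymous';       Bad='1'; Weight='Weak' },
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                        Name='restrictanonymoussam';    Bad='1'; Weight='Weak' },
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters';   Name='autoshareserver';         Bad='0'; Weight='Weak' },
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters';   Name='autosharewks';            Bad='0'; Weight='Weak' },
    @{ Path='HKLM:\SOFTWARE\Microsoft\Security Center';                          Name='antivirusdisablenotify';  Bad='1'; Weight='Strong' },
    @{ Path='HKLM:\SOFTWARE\Microsoft\Security Center';                          Name='antivirusoverride';       Bad='1'; Weight='Strong' },
    @{ Path='HKLM:\SOFTWARE\Microsoft\Security Center';                          Name='firewalldisablenotify';   Bad='1'; Weight='Strong' },
    @{ Path='HKLM:\SOFTWARE\Microsoft\Security Center';                          Name='firewalldisableoverride'; Bad='1'; Weight='Strong' },
    @{ Path='HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile';   Name='enablefirewall';          Bad='0'; Weight='Strong' },
    @{ Path='HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile'; Name='enablefirewall';          Bad='0'; Weight='Strong' },
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess';              Name='Start';                   Bad='4'; Weight='Strong' }
)

foreach ($v in $wormValues) {
    if (-not (Test-Path -LiteralPath $v.Path)) { continue }
    $props = Get-ItemProperty -LiteralPath $v.Path -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    # Registry value names are case-insensitive; the PSObject property lookup is too.
    $actual = $props.PSObject.Properties[$v.Name]
    if ($null -eq $actual) { continue }
    # Compare as strings: enabledcom is REG_SZ ("Y"/"N"), the rest are REG_DWORD.
    if ("$($actual.Value)" -eq "$($v.Bad)") {
        $findings.Add("$($v.Weight.ToUpper()): $($v.Path)\$($v.Name) = $($actual.Value)")
    }
}

# --- Log file the worm creates. dcpromo.log also exists legitimately on hosts
# that ever ran domain-controller promotion, so it is weak evidence on its own.
$logPath = Join-Path $env:SystemRoot 'debug\dcpromo.log'
if (Test-Path -LiteralPath $logPath) {
    $findings.Add("WEAK: $logPath present")
}

# --- Summary ---
$strong = @($findings | Where-Object { $_ -like 'STRONG:*' }).Count
$weak   = @($findings | Where-Object { $_ -like 'WEAK:*' }).Count
if ($findings.Count -eq 0) {
    Write-Output 'No W32.Wargbot indicators found.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
    Write-Output ('Indicators: {0} strong, {1} weak. Any strong hit, or several weak hits together, justifies isolating the host for a full scan.' -f $strong, $weak)
}
```

The script deliberately reads rather than repairs: a host that matches the strong indicators should be isolated and scanned with current definitions before any of the registry values are reverted, since the firewall and Security Center changes are what keep the back door reachable.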

The worm then opens a back door on the compromised computer by connecting to the following IRC domains on TCP port 18067:
bniu.househot.com
ypgw.wallloan.com

Then the worm listens for commands, which may allow a remote attacker to perform some of the following actions on the compromised computer:
  • Launch denial of service attacks
  • Scan IP addresses to find computers to attack
  • Download and execute remote files
  • Send a message using AOL Instant Messenger (if it's running)
  • Remotely run the command prompt shell, which allows the attacker to run any command

The worm may receive commands to download a file from http://media.pixpond.com/l9rd6g.jpg. The downloaded file is a copy of Backdoor.Ranky.X, which listens for commands from a remote attacker on a random port and sends the IP address of the compromised computer to a server on the yu.haxx.biz domain.
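The IRC rendezvous hosts, the fixed TCP port 18067, the Backdoor.Ranky.X download URL and the yu.haxx.biz reporting domain are the network indicators a SOC would search proxy, firewall and DNS logs for. The PowerShell below is an added example, not part of the Symantec write-up: it matches log lines against those indicators (taken verbatim from the advisory) and optionally checks the local host for a live connection on port 18067. The log lines it runs on are constructed here, in a generic key=value style, with client addresses from the RFC 5737 documentation ranges.

```powershell
# Added example, not from the Symantec advisory. Matches proxy/firewall/DNS log
# lines against the W32.Wargbot network indicators named in the text above.
$WargbotIndicators = @(
    @{ Label = 'IRC C2 host (bniu.househot.com)';  Pattern = 'bniu\.househot\.com' },
    @{ Label = 'IRC C2 host (ypgw.wallloan.com)';  Pattern = 'ypgw\.wallloan\.com' },
    @{ Label = 'IRC C2 port (TCP 18067 outbound)'; Pattern = 'dport=18067\b|:18067\b' },
    @{ Label = 'Backdoor.Ranky.X download URL';    Pattern = 'media\.pixpond\.com/l9rd6g\.jpg' },
    @{ Label = 'Backdoor.Ranky.X reporting domain'; Pattern = 'yu\.haxx\.biz' }
)

# Returns one object per (line, indicator) match; -match is case-insensitive by default.
function Find-WargbotNetworkIndicators {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        foreach ($ind in $WargbotIndicators) {
            if ($line -match $ind.Pattern) {
                [pscustomobject]@{ Indicator = $ind.Label; Line = $line }
            }
        }
    }
}

# Constructed sample log lines (not real traffic). The port hit and the two DNS
# hits all come from 10.0.0.17, which is the pattern worth pivoting on.
$sampleLog = @'
2006-08-13T14:55:01 fw src=10.0.0.17 dst=203.0.113.9 dport=18067 proto=tcp action=allow
2006-08-13T14:55:02 dns query=bniu.househot.com type=A client=10.0.0.17
2006-08-13T14:55:09 proxy GET http://media.pixpond.com/l9rd6g.jpg client=10.0.0.17 status=200
2006-08-13T14:56:00 fw src=10.0.0.22 dst=192.0.2.40 dport=443 proto=tcp action=allow
2006-08-13T14:57:12 dns query=yu.haxx.biz type=A client=10.0.0.17
'@ -split "`r?`n"

$hits = @(Find-WargbotNetworkIndicators -Lines $sampleLog)
$hits | Format-Table -AutoSize

# Group by the client address so an analyst sees which internal hosts to isolate.
$hits |
    ForEach-Object { if ($_.Line -match '(?:src|client)=(\d+\.\d+\.\d+\.\d+)') { $Matches[1] } } |
    Group-Object |
    ForEach-Object { Write-Output ("Host {0}: {1} indicator hit(s)" -f $_.Name, $_.Count) }

# Optional live check on this machine (Get-NetTCPConnection exists on Windows 8 /
# Server 2012 and later). A connection to remote port 18067 from an unexpected
# process is worth a closer look even without a domain match.
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    Get-NetTCPConnection -RemotePort 18067 -ErrorAction SilentlyContinue |
        ForEach-Object { Write-Output ("LIVE: PID {0} connected to {1}:18067" -f $_.OwningProcess, $_.RemoteAddress) }
}
```

Expect the sample run to report four hits, all from 10.0.0.17: the port-18067 connection, both DNS lookups and the Ranky download. Against real logs, feed `Get-Content` of the exported log into `Find-WargbotNetworkIndicators`; the port pattern is the noisiest of the five, so pair it with the domain hits before acting on it alone.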

The worm attempts to spread by exploiting the Microsoft Windows Server Service Remote Buffer Overflow Vulnerability (BID 19409) once it receives the appropriate command. The exploit code affects computers using the Windows 2000 operating system.