W32.Linkbot


Discovered: December 08, 2005
Updated: July 06, 2012 3:06:23 AM
Also Known As: Troj/VBInj-AV [Sophos], Troj/VB-FSQ [Sophos], Troj/Agent-WXU [Sophos]
Type: Worm
Infection Length: Varies
Systems Affected: Windows
CVE References: CVE-2003-0533

W32.Linkbot is a worm that exploits the Microsoft Windows LSASS Buffer Overrun Vulnerability (BID 10108) in order to propagate. The worm may also attempt to spread through Microsoft instant messaging clients. It also opens a back door on the compromised computer accessible through IRC.

Once installed, the worm will drop a batch file to delete the originally executed file and also the batch file itself. It then attempts to connect to a predetermined address of an IRC server on a random TCP port and also opens a back door through TCP port 113 to receive instructions from a remote attacker.

The back door may allow the remote attacker to perform a range of activities such as downloading and executing additional files and collecting information from the compromised computer.

Antivirus Protection Dates

  • Initial Rapid Release version December 08, 2005
  • Latest Rapid Release version April 15, 2019 revision 019
  • Initial Daily Certified version December 08, 2005
  • Latest Daily Certified version April 15, 2019 revision 020
  • Initial Weekly Certified release date December 14, 2005


Writeup By: Hon Lau and Stephen Doherty



Background information
As the name suggests, the purpose of this worm is to covertly establish a network of "bots" in a so-called botnet. A botnet is a distributed network of computers that are under the control of another user. Botnets are valuable assets in the criminal underworld because they can be put to work directly by the owner. Like tangible assets, botnets can be rented out or sold for virtually any purpose required by the bot controller (bot herder). The size of a botnet determines its value and its capabilities in terms of impact and available processing power. This is classical distributed computing, but used only for malicious intent.

Contrast this with traditional and benign distributed computing projects such as SETI@home and Folding@home, which are generally designed to harvest unused CPU cycles while a computer is idle. These programs are designed to help achieve scientific or altruistic goals with the explicit authorization of the owner of the computer involved. Botnet controllers seek no such authorization to use any computer they can gain control of.


How does the worm spread?
In order to become incorporated into the botnet, a computer must have executed the worm. The worm uses a couple of methods to spread. Firstly, the back door provides a mechanism through which a remote controller can instruct the worm to copy itself to all network shares accessible from the compromised computer.

Secondly, the worm may also attempt to contact and spread to computers using the Microsoft Windows LSASS Buffer Overrun Vulnerability (BID 10108). This is a remotely exploitable vulnerability, so any vulnerable computer reachable from a compromised computer can itself become infected by this worm without any intervention by an end user.

The worm may also check whether any Microsoft instant messaging clients are running (such as Windows Live Messenger, MSN Messenger, and Windows Messenger). If one is, the worm sends a copy of itself to all contacts listed in the client.


Who creates this worm?
In the early days of computer viruses, malware was generally created for no purpose other than to cause disruption and nuisance to those affected. Worms in the late nineties and early 2000s generally spread from computer to computer at a rapid rate. They caused disruption by overwhelming the limited bandwidth, storage, and processing power available, leaving users unable to use their computing resources.

Modern malware is created for various purposes but is primarily driven by profit. A botnet is a valuable asset to have in the criminal underworld, as it is akin to having a private army available to carry out any purpose required by its owner. The value of a botnet is proportional to its size, reliability and capability. Therefore the aim of the bot creators is to create a worm that can spread far and wide, but do so in a relatively controlled manner so that alarms are not raised.


What can this worm do?
This worm is designed to spread through computer networks and also establish a botnet by opening a back door for remote access and control. The back door is started by opening TCP port 113 to listen for remote connections. It may also directly connect to a predetermined address on a high TCP port (e.g. 10500) to establish an IRC connection in order to receive instructions.

In terms of functionality, the back door can allow a remote attacker to perform any of the following activities:

  • Conduct port scans
  • Copy itself to network shares
  • Download and execute files
  • End running processes
  • End threads
  • Flush the DNS
  • Gather system information
  • Manipulate the file system
  • Measure connection speed
  • Send bot uptime information
  • Send Exploit Statistics
  • Send IP address
  • Start socket server
  • Steal passwords
  • Switch on/off debug mode
  • Switch on/off stack trace mode
  • Update or uninstall the bot

The worm also attempts to determine whether any malware analysis tools are being used. It does this by searching for the following processes:
  • ethereal.exe
  • ettercap.exe
  • joeboxcontrol.exe
  • joeboxserver.exe
  • netstat.exe
  • sniff_hit.exe
  • snoop.exe
  • sysAnalyzer.exe
  • tcpdump.exe
  • tcpview.exe
  • windump.exe
  • wireshark.exe

It also searches for the following modules:
  • api_log.dll
  • dir_watch.dll
  • SbieDll.dll

The worm also attempts to determine whether it is being run in a test environment by checking the following items:
  • Checks whether the sample is being executed from the C:\InsideTM folder
  • Checks if the current username is user, username, or currentuser

Depending on which analysis component is found, W32.Linkbot may self-delete and cause the malicious watcher thread to execute an infinite loop that hogs CPU cycles, or it may "lay low" and stop outbound communications.

The worm may also perform the following actions on the compromised computer:
  • Check that the malicious threads injected properly
  • Check whether the Dnsapi.dll file is missing
  • Check whether a DNS lookup of google.com is successful
  • Determine whether an Apache Webserver is installed on the computer
  • Determine whether the host operating system is Windows Vista/7/2008


Why would a worm use IRC?
Relaying the commands through an IRC server provides the attacker with a level of anonymity not as easily obtained by connecting directly to the threat’s back door. IRC also allows an attacker to control a large number of computers as a botnet. Since each threat compromised by a particular worm logs into a predetermined IRC channel, an attacker can then send a command to the channel, and on to all the computers in the botnet.


Are there any tell-tale signs?
Threats that open back doors are often designed to act in a covert manner. However W32.Linkbot variants are known to create side effects of the following nature on compromised computers.

It may create the following files:
  • %System%\defragfat32z.exe
  • %System%\defragfat32.exe
  • %System%\defragfat32x.exe
  • %UserProfile%\Application Data\algs.exe
  • %UserProfile%\Application Data\als.exe
  • %UserProfile%\Application Data\AppMgmt.exe
  • %UserProfile%\Application Data\AudioSrv.exe
  • %UserProfile%\Application Data\bits.exe
  • %UserProfile%\Application Data\csrss.exe
  • %UserProfile%\Application Data\dns.exe
  • %UserProfile%\Application Data\dnscache.exe
  • %UserProfile%\Application Data\EventLog.exe
  • %UserProfile%\Application Data\explorer.exe
  • %UserProfile%\Application Data\firewall.exe
  • %UserProfile%\Application Data\LmHosts.exe
  • %UserProfile%\Application Data\logon.exe
  • %UserProfile%\Application Data\lsass.exe
  • %UserProfile%\Application Data\msdtc.exe
  • %UserProfile%\Application Data\ntds.exe
  • %UserProfile%\Application Data\NTLMSSP.exe
  • %UserProfile%\Application Data\PlugPlay.exe
  • %UserProfile%\Application Data\rpcss.exe
  • %UserProfile%\Application Data\SecLogon.exe
  • %UserProfile%\Application Data\spooler.exe
  • %UserProfile%\Application Data\spoolsv.exe
  • %UserProfile%\Application Data\W32Time.exe
  • %UserProfile%\Application Data\winamp.exe
  • %UserProfile%\Application Data\winlogon.exe
  • %UserProfile%\Application Data\WLANSvc.exe
  • %UserProfile%\Application Data\WUAUServ.exe

The worm may create the following registry entry so that it executes whenever Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[SUBKEY VALUE]" = "%UserProfile%\Application Data\[FILE NAME]"

It may also create the following registry entries in order to add itself to the list of applications authorized by the Windows firewall:
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"%Windir%\Explorer.EXE" = "%Windir%\Explorer.EXE:*:Enabled:[SUBKEY VALUE]"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"%Windir%\Explorer.EXE" = "%Windir%\Explorer.EXE:*:Enabled:[SUBKEY VALUE]"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"[PROCESS PATH]" = "[PROCESS]:*:Enabled:[SUBKEY VALUE]"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"[PROCESS PATH]" = "[PROCESS]:*:Enabled:[SUBKEY VALUE]"

Where [SUBKEY VALUE] is chosen from the following list:
  • Active Directory Service
  • Application Layer Gateway service
  • Application Layer Gateway Service
  • Application Management
  • Background Intelligent Transfer Service
  • Client Server Runtime Process
  • Distributed Transaction Coordinator
  • DNS Client and Server
  • DNS Client and Server
  • Event Log
  • Local Security Authority Service
  • MSRPC
  • NTLM Security Support Provider
  • Plug and Play
  • Print Spooler
  • Secondary Logon (Run As...)
  • Spooler SubSystem App
  • TCP/IP NetBIOS Helper
  • Winamp Agent
  • Windows Audio
  • Windows Explorer
  • Windows Logon Application
  • Windows Logon Application
  • Windows Network Firewall
  • Windows Time
  • Windows Update
  • Wireless Zero Configuration WZCSvc (XP)

And where [PROCESS] is a currently running process into which W32.Linkbot chooses to inject its second malicious thread, the primary thread having been injected into the legitimate explorer.exe process.
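Both registry patterns described above, the service-named Run value pointing into Application Data and the firewall exception whose description is drawn from the [SUBKEY VALUE] list, can be checked offline against a `reg export` dump. The following is an added example written for this writeup, not Symantec's own tooling; the .reg sample it parses is constructed, and the key paths and the "path:*:Enabled:description" firewall entry format are those given in the text.

```python
import re

# Display names W32.Linkbot uses as its Run value name and as the description in the firewall
# exceptions it adds (the [SUBKEY VALUE] list in this writeup).
SUBKEY_VALUES = {
    "Active Directory Service", "Application Layer Gateway service", "Application Layer Gateway Service",
    "Application Management", "Background Intelligent Transfer Service", "Client Server Runtime Process",
    "Distributed Transaction Coordinator", "DNS Client and Server", "Event Log", "MSRPC",
    "Local Security Authority Service", "NTLM Security Support Provider", "Plug and Play", "Print Spooler",
    "Secondary Logon (Run As...)", "Spooler SubSystem App", "TCP/IP NetBIOS Helper", "Winamp Agent",
    "Windows Audio", "Windows Explorer", "Windows Logon Application", "Windows Network Firewall",
    "Windows Time", "Windows Update", "Wireless Zero Configuration WZCSvc (XP)",
}
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run"
FW_LIST = "\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile\\authorizedapplications\\list"
# One "name"="data" line of a .reg export; backslashes and quotes inside are escaped with '\'.
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')
# An XP firewall AuthorizedApplications entry has the form "<path>:*:Enabled:<description>".
FW_DATA_RE = re.compile(r"^(?P<path>.+?):\*:Enabled:(?P<desc>.+)$")


def parse_reg(text):
    """Yield (key, value_name, data) for every string value in a .reg export."""
    unescape = lambda s: s.replace('\\"', '"').replace("\\\\", "\\")
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if key and m:
            yield key, unescape(m["name"]), unescape(m["data"])


def find_linkbot_indicators(reg_text):
    """Return (kind, name, data) for entries matching the writeup's two registry patterns."""
    findings = []
    for key, name, data in parse_reg(reg_text):
        k = key.lower()
        # Pattern 1: a Run value named after a Windows service whose target lives under the
        # user's Application Data folder instead of %System% or Program Files.
        if k.endswith(RUN_KEY) and name in SUBKEY_VALUES and "\\application data\\" in data.lower():
            findings.append(("run", name, data))
        # Pattern 2: a firewall exception whose description is one of the same names, added
        # for explorer.exe or for whichever process received the worm's second thread.
        elif k.endswith(FW_LIST):
            fw = FW_DATA_RE.match(data)
            if fw and fw["desc"] in SUBKEY_VALUES:
                findings.append(("firewall", fw["path"], fw["desc"]))
    return findings


# Constructed sample export: one infected Run entry and firewall exception beside two benign ones.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Time"="C:\\Documents and Settings\\user\\Application Data\\W32Time.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\Explorer.EXE"="C:\\WINDOWS\\Explorer.EXE:*:Enabled:Windows Time"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"""
```

Run `find_linkbot_indicators` over the output of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and of the two SharedAccess keys listed above; a hit is a lead to investigate against the dropped-file list, not a verdict on its own.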

The batch file that it drops and executes may be named abcdabcd.bat or some other random file name.

It may also open network connections on the following TCP ports:
  • 113
  • 1040
  • 10324
  • 10500
  • 6667

The specific details may vary from one variant to the next.


What are the risks?
While W32.Linkbot has been in existence since 2004, Symantec still observes low levels of this threat in the wild, so a small risk of infection persists. In terms of infection risks, this threat can spread through network shares and to any computers that are not patched for the Microsoft Windows LSASS Buffer Overrun Vulnerability (BID 10108).

Since the threat opens a back door on the computer, it may allow the attacker to perform a range of activities, including the downloading of additional files. The risks posed by any downloaded file are unknown but open-ended.


What can I do to minimize the risks?
As a general rule, users should always run up-to-date antivirus software with real-time protection, such as Norton Antivirus, Norton Internet Security, Norton 360 or Symantec Endpoint Protection. In addition, a firewall, or better still an Intrusion Prevention System (IPS), will help to block download activities initiated by these types of malicious programs. Program controls such as those found in Symantec Endpoint Protection can also help to prevent programs such as these from executing in the first place.

In addition, computers should be patched for the Microsoft Windows LSASS Buffer Overrun Vulnerability (BID 10108) to prevent remote exploitation, and strong passwords should be used to protect network shares.


How can I find out more?
Advanced users can submit a sample to Threat Expert to obtain a detailed report of the system and file system changes caused by a threat.

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have fewer avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.


You may have arrived at this page either because you have been alerted by your Symantec product about this risk, or you are concerned that your computer has been affected by this risk.

Before proceeding further we recommend that you run a full system scan. If that does not resolve the problem you can try one of the options available below.



FOR NORTON USERS
If you are a Norton product user, we recommend you try the following resources to remove this risk.

Removal Tool


If you have an infected Windows system file, you may need to replace it from the Windows installation CD.


How to reduce the risk of infection
The following resources provide further information and best practices to help reduce the risk of infection.


FOR BUSINESS USERS
If you are a Symantec business product user, we recommend you try the following resources to remove this risk.

Identifying and submitting suspect files
Submitting suspicious files to Symantec allows us to ensure that our protection capabilities keep up with the ever-changing threat landscape. Submitted files are analyzed by Symantec Security Response and, where necessary, updated definitions are immediately distributed through LiveUpdate™ to all Symantec end points. This ensures that other computers nearby are protected from attack. The following resources may help in identifying suspicious files for submission to Symantec.


Removal Tool

If you have an infected Windows system file, you may need to replace it from the Windows installation CD.


How to reduce the risk of infection
The following resource provides further information and best practices to help reduce the risk of infection.
Protecting your business network



MANUAL REMOVAL
The following instructions pertain to all current Symantec antivirus products.

1. Performing a full system scan
How to run a full system scan using your Symantec product


2. Restoring settings in the registry
Many risks make modifications to the registry, which could impact the functionality or performance of the compromised computer. While many of these modifications can be restored through various Windows components, it may be necessary to edit the registry. See the Technical Details section of this writeup for information about which registry keys were created or modified. Delete registry subkeys and entries created by the risk and return all modified registry entries to their previous values.
