
HTTP W32 Medbot Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature

Additional Information

When W32.Medbot.A is executed, it does the following:

1. Attempts to end the following services related to antivirus and firewall programs:
* kavsvc
* KAVPersonal50
* nava
* SAVScan
* Symantec Core LC
* wscsvc
* wuauserv

2. Creates a new instance of svchost.exe and injects its code into the new process, so that its activity appears to come from a legitimate Windows process.

3. Creates the following mutexes to ensure that only one copy of the threat is active:

* 89535C57-C44B-2D4F-E605-5B4B11F4B0C9
* 8C7EB0FA-72F6-1757-7BBC-E5C508D95393
* 2B35434A-B737-5409-6305-9E6778474B32

4. Deletes the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\KAVPersonal50

5. Adds the value:

"%System%\svchost.exe" = "%System%\svchost.exe:*:Enabled:Microsoft Update"

to the registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\List

so that the worm can bypass Windows Firewall.

6. Adds the values:

"Hash" = "[HASH_VALUE]"
"Pid[NUMBER]" = "[HEX_VALUE]"

to the registry subkey:

HKEY_CURRENT_USER\Software\Microsoft\PModule

7. Checks for SMTP connectivity on TCP port 25 by attempting to contact the following hosts:
* hotmail.com
* gmail.com
* yahoo.com
* aol.com
* nestcape.com
* pop.rizalof.com

8. Downloads a list of URLs from the following location:

[http://]seek[NUMBERS].zootseek.com

9. The list of URLs points to instructions describing the spam message to send and the lists of mail addresses and domains to use. The downloaded lists are saved as the following files:

* %Temp%\lnames.txt.cab
* %Temp%\fnames.txt.cab
* %Temp%\domanis.txt.cab

10. Searches the hard drives of the compromised computer for email addresses in files with the following extensions:

* txt
* tbb
* wab~
* wab
* doc
* xls
* htm
* xml
* db
* pdf
* xsl
* php
* html
* bak
* tbi
* dbx
* tmp
* sql
* ini
* rtf
* eml
* hta
* wri
* fpt

11. Sends the harvested email addresses in small encrypted packets of approximately 1,300 bytes through UDP port 7975 to the following location:

news.medbot.com

12. Opens a back door that allows a remote attacker unauthorized access to the compromised computer, and acts as a relay proxy for sending spam, by connecting to one of the following IRC servers on TCP port 80:

* rv.rozenan.com
* sys.medarun.com
* in.lorenim.com

13. May contact one of the following remote hosts:

* 216.109.127.60
* 216.255.189.85

14. May download other threats, such as Trojan.Horst and Trojan.Lootseek.AV, from one of these locations:

* [http://]up.medbod.com/up/au[REMOVED]
* [http://]up.medbod.com/up/se[REMOVED]
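The host and network indicators in steps 5 through 14 can be checked mechanically. The following script is an added example, not Symantec's code or part of the signature: it matches the indicators listed above against a Regedit .reg export of the two registry keys and against connection records of the kind found in DNS, proxy or firewall logs. The sample .reg text and connection list are constructed for illustration (the expanded %System% path and the PModule data are made up); only the key names, hostnames, IP addresses and port numbers come from the write-up.

```python
import re

# Indicators taken from the write-up above.
FIREWALL_LIST_KEY = (
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
    r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List"
)
PMODULE_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\PModule"
SPAM_CONFIG_HOST = re.compile(r"^seek\d+\.zootseek\.com$")  # seek[NUMBERS].zootseek.com
BAD_HOSTS = {
    "news.medbot.com": "harvested-address exfiltration host (write-up: udp/7975)",
    "rv.rozenan.com": "IRC back door / spam relay (write-up: tcp/80)",
    "sys.medarun.com": "IRC back door / spam relay (write-up: tcp/80)",
    "in.lorenim.com": "IRC back door / spam relay (write-up: tcp/80)",
    "216.109.127.60": "listed remote host",
    "216.255.189.85": "listed remote host",
    "up.medbod.com": "download site for additional threats",
}
# Hosts the worm probes on tcp/25. Direct SMTP from a workstation to these is
# itself unusual; from a mail server it is normal, so treat as low confidence.
SMTP_PROBE_HOSTS = {"hotmail.com", "gmail.com", "yahoo.com", "aol.com",
                    "nestcape.com", "pop.rizalof.com"}

_REG_KEY = re.compile(r"^\[(.+)\]$")
_REG_VALUE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)+)"=(?P<data>.+)$')


def _unescape(s):
    """Undo the escaping Regedit applies inside quoted .reg strings."""
    return s.replace("\\\\", "\\").replace('\\"', '"')


def scan_reg_export(reg_text):
    """Return findings for steps 5 and 6 from a .reg export (already decoded to str).

    Flags an AuthorizedApplications entry whose name is svchost.exe (a clean
    system is not expected to carry one) and any Hash/Pid* value under PModule.
    """
    findings, current_key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        m = _REG_KEY.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = _REG_VALUE.match(line)
        if not m or current_key is None:
            continue
        name, data = _unescape(m.group("name")), m.group("data")
        if data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        key = current_key.lower()
        if key == FIREWALL_LIST_KEY.lower() and name.lower().endswith("\\svchost.exe"):
            findings.append(f"firewall exception for {name}: {data}")
        elif key == PMODULE_KEY.lower() and (name == "Hash" or name.startswith("Pid")):
            findings.append(f"PModule value {name} = {data}")
    return findings


def scan_connections(records):
    """Return findings for steps 7 to 14 from (proto, destination, port) tuples."""
    findings = []
    for proto, dst, port in records:
        key, proto = dst.lower(), proto.upper()
        if key in BAD_HOSTS:
            findings.append(f"{dst} {proto.lower()}/{port}: {BAD_HOSTS[key]}")
        elif SPAM_CONFIG_HOST.match(key):
            findings.append(f"{dst} {proto.lower()}/{port}: spam instruction download (zootseek.com)")
        elif proto == "TCP" and port == 25 and key in SMTP_PROBE_HOSTS:
            findings.append(f"{dst} tcp/25: SMTP connectivity probe (low confidence)")
    return findings


# Constructed sample input (not real data). The svchost.exe entry mirrors the
# value the write-up says the worm adds; the msmsgs.exe entry is benign noise.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\svchost.exe"="C:\\WINDOWS\\system32\\svchost.exe:*:Enabled:Microsoft Update"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"

[HKEY_CURRENT_USER\Software\Microsoft\PModule]
"Hash"="0a1b2c3d"
"Pid1"="00000f7c"
'''

SAMPLE_CONNECTIONS = [
    ("TCP", "seek1234.zootseek.com", 80),   # step 8
    ("TCP", "www.microsoft.com", 80),       # benign
    ("UDP", "news.medbot.com", 7975),       # step 11
    ("TCP", "sys.medarun.com", 80),         # step 12
    ("TCP", "216.255.189.85", 80),          # step 13
    ("TCP", "gmail.com", 25),               # step 7
    ("TCP", "gmail.com", 443),              # benign
]

if __name__ == "__main__":
    for f in scan_reg_export(SAMPLE_REG) + scan_connections(SAMPLE_CONNECTIONS):
        print(f)
```

Regedit writes .reg exports as UTF-16 with a byte-order mark, so open them with `encoding="utf-16"` before passing the text in. The host list is matched on any port, because the ports in the write-up are what was observed, not a guarantee; the port is kept in the finding so an analyst can compare it with the write-up.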

Affected

  • Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Response

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan.
4. Delete any values added to the registry.
