
Virus Detail

Win32.Lioten.FA

Date Published:
23 Jun 2004

Last Updated:
27 Oct 2004

Threat Assessment

Overall Risk:   Low
Wild:  Low
Destructiveness:  High
Pervasiveness:  Medium

Characteristics

Type : Worm

Category : Win32

Also known as:  W32.Randex.gen (Symantec), W32/Sdbot!8D41 (Wildlist), IRC/SdBot.AJZ (Eset), Backdoor.SdBot.kp (Kaspersky), Backdoor/SDBot.Server.Variant, Troj/Sdbot-RD (Sophos), W32/Spybot.worm.gen.a (McAfee)

Immediate Protection Info

Signature     Product                                       Removal Instructions
23.65.46      eTrust Antivirus v7/8* (InoculateIT Engine)
11.x/8405     eTrust Antivirus v7/8* (Vet Engine)
6.1x/5543     eTrust EZ Antivirus 6.1x
6.2x/8405     eTrust EZ Antivirus 6.2x
10.5x/5543    Vet Anti-Virus 10.5x
10.6x/8405    Vet Anti-Virus 10.6x

Description

Win32.Lioten.FA is a worm that spreads via network shares.


Method of Infection

When run, Lioten.FA copies itself to the %System% folder as msprmf32.exe.

Note: '%System%' is a variable location. The worm determines the location of the current System folder by querying the operating system. The default location of the System directory is C:\Winnt\System32 for Windows 2000 and NT; C:\Windows\System for Windows 95, 98 and ME; and C:\Windows\System32 for Windows XP.


The worm adds the following registry entries so this copy will be run each time Windows starts:


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\System-Config = "msptmf32.com"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\System-Config = "msptmf32.com"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\System-Config = "msptmf32.com"


Lioten.FA also adds the following entry:


HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\COM Service = "gayZZ.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\COM Service = "gayZZ.exe"



Method of Distribution

Via Network Shares

Win32.Lioten.FA is capable of spreading in the same way as previous Lioten variants. It continually tries to infect remote machines, generating random IP addresses to target. It tries to connect to each target on port 445. If this succeeds, it looks for a share called ipc$; if that share is found, the worm tries to infect the remote system.


The worm tries to copy itself to the following locations on the remote system:


c$\msptmf32.com
c$\winnt\system32\msptmf32.com
Admin$\system32\msptmf32.com


When connecting to the above shares, the worm authenticates using an extensive list of predefined passwords.
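The spreading behaviour described above (one host opening port 445 to many randomly chosen addresses in quick succession) is visible in perimeter or host firewall logs. The following is an added example written for this page, not CA's tooling: a PowerShell function that reads lines in the Windows Firewall (pfirewall.log) format, keeps the TCP/445 connection attempts, and reports any source that reaches a threshold of distinct destinations within a tumbling time window. The log lines it runs on are constructed with a seeded generator, not real traffic, and the threshold and window size are assumptions to tune for the environment.

```powershell
# Flag sources that open TCP 445 to many distinct destinations in a short window.
# Added example for this advisory; not part of the original page or CA's products.
function Find-SmbScanners {
    param(
        [string[]]$Lines,
        [int]$Threshold = 20,      # distinct targets per window that counts as scanning (assumed)
        [int]$WindowSeconds = 60   # tumbling window size (assumed)
    )
    $epoch = [datetime]'1970-01-01'
    $events = foreach ($line in $Lines) {
        # pfirewall.log fields: date time action protocol src-ip dst-ip src-port dst-port ...
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        $f = $line -split '\s+'
        if ($f.Count -lt 8 -or $f[3] -ne 'TCP' -or $f[7] -ne '445') { continue }
        [pscustomobject]@{
            Time = [datetime]::ParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss', $null)
            Src  = $f[4]
            Dst  = $f[5]
        }
    }
    $events | Group-Object Src | ForEach-Object {
        $src = $_.Name
        # Bucket this source's attempts into windows of WindowSeconds and count distinct targets.
        $_.Group | Group-Object { [math]::Floor(($_.Time - $epoch).TotalSeconds / $WindowSeconds) } | ForEach-Object {
            $distinct = @($_.Group | Select-Object -ExpandProperty Dst -Unique).Count
            if ($distinct -ge $Threshold) {
                [pscustomobject]@{
                    Source          = $src
                    WindowStart     = $epoch.AddSeconds([double]$_.Name * $WindowSeconds)
                    DistinctTargets = $distinct
                    Attempts        = $_.Count
                }
            }
        }
    }
}

# Constructed sample log: a file server making two ordinary SMB connections, and a
# workstation sweeping 30 pseudo-random addresses within ten seconds, as the
# advisory describes. Addresses and timestamps are made up.
$rng = New-Object System.Random 7
$sampleLog = @('#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path')
$sampleLog += '2004-06-23 10:15:01 ALLOW TCP 192.168.1.5 192.168.1.20 1024 445 48 S 0 0 65535 - - - SEND'
$sampleLog += '2004-06-23 10:15:30 ALLOW TCP 192.168.1.5 192.168.1.21 1025 445 48 S 0 0 65535 - - - SEND'
for ($i = 0; $i -lt 30; $i++) {
    $target = '{0}.{1}.{2}.{3}' -f (1..4 | ForEach-Object { $rng.Next(1, 254) })
    $sampleLog += '2004-06-23 10:16:{0:D2} DROP TCP 192.168.1.77 {1} {2} 445 48 S 0 0 65535 - - - SEND' -f ([int]($i / 3)), $target, (1030 + $i)
}

# Only 192.168.1.77 should be reported: 30 distinct targets in one 60-second window.
Find-SmbScanners -Lines $sampleLog | Format-Table -AutoSize
```

Because the worm picks targets at random rather than walking a subnet, the distinct-destination count is a better signal than a single destination network; the same function can be pointed at a real pfirewall.log with Get-Content. Blocking inbound 445 at the perimeter and using strong, unique local administrator passwords removes the two conditions the worm depends on: reachable admin shares and a guessable password.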



Payload

Backdoor Functionality

Lioten.FA contains code from Win32.Sdbot, giving it IRC backdoor functionality. It connects to an IRC server and joins a channel; it then acts as an IRC bot, waiting for instructions from the channel. It supports similar commands to most Sdbot variants.


The backdoor functions supported include:


  • Performing denial of service attacks (UDP, ICMP and SYN flooding)
  • Killing processes and threads
  • Downloading files
  • Executing programs
  • Updating itself

The worm makes outgoing connections to IRC servers. As with legitimate IRC clients, it also listens on TCP port 113 (some IRC servers require this for authentication).


Disallows Applications

Lioten.FA prevents a user from running the following applications:


AVPCC.EXE
CFGWIZ.EXE
NAVAPW32.EXE
NETSTAT.EXE
OGRC.EXE
PCCCLIENT.EXE
PCCGUIDE.EXE
REGEDIT.EXE
TDS-3.EXE
THGUARD.EXE


The worm accomplishes this by adding the above names to the registry keys:


HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun


When a user attempts to execute any of the above programs, the system shows an error dialogue.



Disables Registry Tools

Lioten.FA prevents a user from viewing and modifying the Registry by setting the following value:


HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"


Deletes Registry Values

The worm deletes the following registry values from the key:


HKLM\Software\Microsoft\Windows\CurrentVersion\Run


AVPCC
OfficeGuard RegChecker
NAV CfgWiz
NAV Agent
Pop3trap.exe
pccguide.exe
PCCClient.exe
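The indicators in the Method of Infection, Disallows Applications, Disables Registry Tools and Deletes Registry Values sections, plus the TCP 113 listener noted under Payload, can be checked together on a suspect host. The script below is an added example written for this page, not CA's removal tool; it assumes Windows PowerShell 5.1 or later run from an elevated prompt, reports every indicator it finds, and only changes the registry when -Remediate is given. Because the advisory spells the dropped file both as msprmf32.exe and msptmf32.com, both names are checked. The Get-NetTCPConnection step needs Windows 8 / Server 2012 or later.

```powershell
# Host triage for the Win32.Lioten.FA indicators listed in this advisory.
# Added example; not CA's tooling. Run elevated. Read-only unless -Remediate is set.
param([switch]$Remediate)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped files in the System folder (both spellings from the advisory, plus gayZZ.exe).
$sysDir = [Environment]::GetFolderPath('System')
foreach ($name in 'msprmf32.exe', 'msptmf32.com', 'gayZZ.exe') {
    $path = Join-Path $sysDir $name
    if (Test-Path -LiteralPath $path) { $findings.Add("Dropped file present: $path") }
}

# 2. Autostart values the worm creates (key and value name as given in the advisory).
$autostart = @(
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run';                   Name = 'System-Config' }
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices';           Name = 'System-Config' }
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';                   Name = 'System-Config' }
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'; Name = 'COM Service' }
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'; Name = 'COM Service' }
)
foreach ($entry in $autostart) {
    $item = Get-ItemProperty -Path $entry.Key -Name $entry.Name -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        $findings.Add("Autostart value: $($entry.Key)\$($entry.Name) = '$($item.($entry.Name))'")
        if ($Remediate) { Remove-ItemProperty -Path $entry.Key -Name $entry.Name -ErrorAction SilentlyContinue }
    }
}

# 3. Application blocking lists under Policies\Explorer. The list lives in a subkey;
#    a DWORD of the same name on the parent key switches the policy on, so both are cleared.
$explorerPolicy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
foreach ($list in 'DisallowRun', 'RestrictRun') {
    $key = "$explorerPolicy\$list"
    if (Test-Path -LiteralPath $key) {
        $props = Get-ItemProperty -LiteralPath $key
        $names = (Get-Item -LiteralPath $key).GetValueNames() | ForEach-Object { $props.$_ }
        $findings.Add("$list list present: $($names -join ', ')")
        if ($Remediate) {
            Remove-Item -LiteralPath $key -Recurse -Force
            Remove-ItemProperty -LiteralPath $explorerPolicy -Name $list -ErrorAction SilentlyContinue
        }
    }
}

# 4. Registry editor lockout. [int] handles the value whether stored as DWORD 1 or string "1".
$systemPolicy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$drt = (Get-ItemProperty -Path $systemPolicy -Name DisableRegistryTools -ErrorAction SilentlyContinue).DisableRegistryTools
if ([int]$drt -ne 0) {
    $findings.Add("DisableRegistryTools = $drt")
    if ($Remediate) { Set-ItemProperty -Path $systemPolicy -Name DisableRegistryTools -Value 0 -Type DWord }
}

# 5. The TCP 113 listener described under Payload. Get-NetTCPConnection does not
#    depend on netstat.exe, which the worm puts on its DisallowRun list.
Get-NetTCPConnection -LocalPort 113 -State Listen -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    $findings.Add("TCP 113 listener: PID $($_.OwningProcess) $($proc.ProcessName) $($proc.Path)")
}

if ($findings.Count -eq 0) { Write-Output 'No Lioten.FA indicators found.'; exit 0 }
$findings | ForEach-Object { Write-Output "[!] $_" }
if ($Remediate) { Write-Output 'Registry remediation applied; reboot and rescan with a current engine.' }
exit 1
```

The script does not try to restore the antivirus Run values the worm deletes (AVPCC, NAV CfgWiz and the rest), since the correct data depends on the product and version installed; after cleaning, reinstall or repair the affected product so its own autostart entries are recreated. Run the file and network checks before the registry remediation so the findings are recorded while the original state is still intact.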


Analysis by Jakub Kaminski


