Type: Worm
Category: Win32
Also known as:
W32.Esbot.B (Symantec), WORM_ESBOT.C (Trend), Win32/Esbot.C!Worm, W32/Hwbot-B (Sophos), Backdoor.Win32.IRCBot.ex (Kaspersky)
Immediate Protection Info
| Signature | Product | Removal Instructions |
|---|---|---|
| 23.70.12 | eTrust Antivirus v7/8* (InoculateIT Engine) | |
| 11.x/9345 | eTrust Antivirus v7/8* (Vet Engine) | |
| 6.2x/9345 | eTrust EZ Antivirus 6.2x | |
| 6.3x/9345 | eTrust EZ Antivirus 6.3x | |
| 6.4x/9345 | eTrust EZ Antivirus 6.4x | |
| 7.x/9345 | eTrust EZ Antivirus 7.x | |
| 10.6x/9345 | Vet Anti-Virus 10.6x | |
Description
Win32.Esbot.C is a worm that spreads by exploiting the Microsoft Windows Plug and Play service buffer overflow vulnerability (MS05-039). It also acts as a backdoor, giving its remote controller unauthorized access to the affected machine. It has been distributed as an 8,219-byte, MEW-packed, Win32 executable.
Method of Infection
When executed, Esbot.C copies itself to %System%\wpa.exe, and adds the following service:
Service name: wpa
Display name: Windows Product Activation
Path to executable: %System%\wpa.exe
Startup type: Automatic
Service description: "Windows Product Activation is an anti-piracy technology designed to verify that software products have been legitimately licensed."
Note: '%System%' is a variable location. The malware determines the location of the current System folder by querying the operating system. The default location of the System directory is C:\Winnt\System32 for Windows 2000 and NT, C:\Windows\System for 95, 98 and ME, and C:\Windows\System32 for XP.
The worm also creates a mutex called wpa to ensure only one copy runs at a time.
After installing itself, the worm starts an instance of explorer.exe and injects code into that process. That injected code deletes the copy of the worm that was originally executed, so only the service copy at %System%\wpa.exe remains on disk.
Payload
Backdoor Functionality
The worm can be used as an IRC-controlled backdoor, allowing a remote user to gain unauthorized access to the infected machine.
The worm connects to an IRC server on port 37702 and joins a particular channel. It then waits for instructions from the channel. The worm can be instructed to perform the following actions on the affected machine:
- Scan for other machines to infect by exploiting the Microsoft Windows Plug and Play service buffer overflow vulnerability (see above).
- Launch Denial of Service attacks
- Download files using HTTP and execute them
Modifies System Settings via the Registry
The worm sets the following registry values:
HKLM\software\microsoft\ole\enabledcom = "n"
HKLM\system\currentcontrolset\control\lsa\restrictanonymous = 1
The first registry modification disables DCOM support in Windows.
The second registry modification disallows the enumeration of accounts from remote machines. Both values are also legitimate hardening settings, so on their own they are not proof of infection.
It also creates an empty, read-only file called %Windows%\Debug\dcpromo.log. Because the vulnerable LSASS code path writes to this log, a read-only copy prevents the Microsoft Windows LSASS buffer overflow vulnerability from being exploited. For more information on this vulnerability, please see:
http://www3.ca.com/threatinfo/vulninfo/vuln.aspx?ID=27886
http://www.microsoft.com/technet/security/Bulletin/MS04-011.mspx
The worm most likely makes these changes to shield the machine from further compromise by competing worms, in particular those that spread via network shares or by exploiting the LSASS vulnerability mentioned above and the Microsoft Windows RPCSS malformed DCOM message buffer overflow vulnerabilities. For more information on this, please see:
http://www3.ca.com/threatinfo/vulninfo/vuln.aspx?ID=25975
Note: '%Windows%' is a variable location. The malware determines the location of the current Windows folder by querying the operating system. The default location of the Windows directory is C:\Winnt for Windows 2000 and NT, C:\Windows for 95, 98 and ME, and C:\Windows for XP.
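The following PowerShell script is an added triage example and is not part of CA's advisory or tooling. It checks a suspect host for every indicator described in the Method of Infection and Payload sections above (the wpa.exe binary and service, the wpa mutex, a TCP connection to remote port 37702, the two registry values and the read-only dcpromo.log) and can optionally remove the service and binary. It assumes an elevated session on the suspect host, and the mutex names it tries ('wpa' and 'Global\wpa') are an assumption about how the service's unprefixed mutex name is visible from the session running the script.

```powershell
<#
  Triage for the Win32.Esbot.C indicators listed on this page.
  Added example, not CA's code. Assumes an elevated PowerShell session on
  the suspect host. Run without switches to report only; add -Remediate to
  kill the service process, delete the service and remove the binary.
#>
param([switch]$Remediate)

$findings = New-Object System.Collections.Generic.List[string]
$system   = [Environment]::SystemDirectory                    # %System%, resolved as the worm does
$windir   = [Environment]::GetEnvironmentVariable('windir')   # %Windows%

# --- Method of Infection: dropped binary, 'wpa' service, 'wpa' mutex ----------
$wormPath = Join-Path $system 'wpa.exe'
if (Test-Path $wormPath) {
    $size = (Get-Item $wormPath).Length
    $findings.Add("File: $wormPath exists ($size bytes; the page reports an 8,219-byte sample)")
}

$svc = Get-CimInstance Win32_Service -Filter "Name='wpa'" -ErrorAction SilentlyContinue
if ($svc) {
    $findings.Add("Service: 'wpa' ('$($svc.DisplayName)') -> $($svc.PathName), start mode $($svc.StartMode), PID $($svc.ProcessId)")
}

# Assumption: the worm's unprefixed mutex may appear under either name from this session.
foreach ($name in 'wpa', 'Global\wpa') {
    try {
        $m = [System.Threading.Mutex]::OpenExisting($name)
        $m.Close()
        $findings.Add("Mutex: '$name' is currently held, so a copy of the worm is running")
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        # no mutex under this name
    } catch [System.UnauthorizedAccessException] {
        $findings.Add("Mutex: '$name' exists but cannot be opened (access denied)")
    }
}

# --- Payload: IRC control channel on remote TCP port 37702 --------------------
netstat -ano | ForEach-Object {
    if ($_ -match '^\s*TCP\s+\S+\s+(\S+):37702\s+(\S+)\s+(\d+)\s*$') {
        $findings.Add("Network: TCP to $($Matches[1]):37702, state $($Matches[2]), owning PID $($Matches[3])")
    }
}

# --- Payload: hardening side effects (legitimate settings on their own) -------
$ole = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole' -Name EnableDCOM -ErrorAction SilentlyContinue
if ($ole -and "$($ole.EnableDCOM)" -ieq 'N') {
    $findings.Add("Registry: HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = N (DCOM disabled)")
}
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name RestrictAnonymous -ErrorAction SilentlyContinue
if ($lsa -and $lsa.RestrictAnonymous -ne 0) {
    $findings.Add("Registry: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous = $($lsa.RestrictAnonymous)")
}
$log = Join-Path $windir 'Debug\dcpromo.log'
if (Test-Path $log) {
    $f = Get-Item $log
    if ($f.Length -eq 0 -and $f.IsReadOnly) {
        $findings.Add("File: $log is empty and read-only (blocks the MS04-011 LSASS exploit path; also a known manual workaround)")
    }
}

# --- Report -----------------------------------------------------------------
if ($findings.Count -eq 0) {
    Write-Output 'No Win32.Esbot.C indicators found.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}

# --- Optional remediation: service and binary only ----------------------------
if ($Remediate -and ($svc -or (Test-Path $wormPath))) {
    # Kill the process directly: the worm need not honour SCM stop requests.
    if ($svc -and $svc.ProcessId) { Stop-Process -Id $svc.ProcessId -Force -ErrorAction SilentlyContinue }
    if ($svc) { sc.exe delete wpa | Out-Null }
    if (Test-Path $wormPath) { Remove-Item $wormPath -Force }
    Write-Output 'Removed the wpa service and binary. EnableDCOM, RestrictAnonymous and dcpromo.log were left as found; revert them only if your baseline needs DCOM or anonymous enumeration.'
}
```

The registry values and dcpromo.log are reported but never reverted automatically, because each of them is a defensive setting an administrator may have applied deliberately; the service, its process and the dropped binary are the only artifacts unique to the worm. Because the injected explorer.exe code has already deleted the originally executed copy by the time the service is running, the script does not look for it.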
Analysis by Hamish O'Dea