W32/Aozo.B

Analysis


Specifics
This 32-bit virus was coded using Visual Basic 6. The virus contains code to do these things on an infected system -

* send itself to other IRC users
* make itself available for download for some popular P2P applications
* enable sharing of all drives
* change the Internet Explorer start page to gayporn.com
* send PING attacks to three websites
* delete files in various folders
* terminate applications matching a hard-coded table of names


Load At Windows Startup
The virus will register itself to auto run at each Windows startup -

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Configuration Loader" = C;\WINNT\system32/Windows Update.exe
"Msn Messenger" = C;\Mr_Zer0.exe
"Windows Update" = C;\WINNT\system/System.exe


Application Termination Payload
While the virus is running as a process in memory, it monitors applications that are already running and any program that is started. If the window title or application file name matches any of these strings, the virus will attempt to close or terminate the application -

_AVP32.EXE
_AVPCC.EXE
_AVPM.EXE
ACKWIN32.EXE
ANTI-TROJAN.EXE
APVXDWIN.EXE
AUTODOWN.EXE
AVCONSOL.EXE
AVE32.EXE
AVGCTRL.EXE
AVKSERV.EXE
AVNT.EXE
AVP.EXE
AVP32.EXE
AVPCC.EXE
AVPDOS32.EXE
AVPM.EXE
AVPMON.EXE
AVPNT.EXE
AVPTC32.EXE
AVPUPD.EXE
AVSCHED32.EXE
AVWIN95.EXE
AVWUPD32.EXE
BLACKD.EXE
BLACKICE.EXE
CCAPP.EXE
CFIADMIN.EXE
ESAFE.EXE
CFIAUDIT.EXE
CFIND.EXE
CFINET.EXE
CFINET32.EXE
CLAW95.EXE
CLAW95CF.EXE
CLAW95CT.EXE
CLEANER.EXE
CLEANER3.EXE
DV95.EXE
DV95_O.EXE
DVP95.EXE
DVP95_0.EXE
ECENGINE.EXE
EFINET32.EXE
ESPWATCH.EXE
F-AGNT95.EXE
FINDVIRU.EXE
FPROT.EXE
F-PROT.EXE
FPROT95.EXE
F-PROT95.EXE
FP-WIN.EXE
FRW.EXE
F-STOPW.EXE
IAMAPP.EXE
IAMSERV.EXE
IBMASN.EXE
IBMAVSP.EXE
ICLOAD95.EXE
ICLOADNT.EXE
ICMON.EXE
ICMOON.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
ICSUPPNT.EXE
IFACE.EXE
IOMON98.EXE
JED.EXE
JEDI.EXE
KPF.EXE
KPFW32.EXE
LOCKDOWN2000.EXE
LOOKOUT.EXE
LUALL.EXE
MOOLIVE.EXE
MPFTRAY.EXE
N32SCAN.EXE
N32SCANW.EXE
NAVAPW32.EXE
NAVLU32.EXE
NAVNT.EXE
NAVSCHED.EXE
NAVW.EXE
NAVW32.EXE
VET95.EXE
NAVWNT.EXE
NISUM.EXE
NMAIN.EXE
NORMIST.EXE
NUPGRADE.EXE
NVC95.EXE
OUTPOST.EXE
PADMIN.EXE
PAVCL.EXE
PAVSCHED.EXE
PAVW.EXE
PCCWIN98.EXE
PCFWALLICON.EXE
PERSFW.EXE
RAV7.EXE
RAV7WIN.EXE
RESCUE.EXE
SAFEWEB.EXE
SCAN32.EXE
SCAN95.EXE
SCANPM.EXE
SCRSCAN.EXE
SERV95.EXE
SMC.EXE
SPHINX.EXE
SWEEP95.EXE
TBSCAN.EXE
TCA.EXE
TDS2-98.EXE
TDS2-NT.EXE
VCONTROL.EXE
VET32.EXE
VET98.EXE
VETTRAY.EXE
VSCAN40.EXE
VSECOMR.EXE
VSHWIN32.EXE
VSSCAN40.EXE
VSSTAT.EXE
WEBSCAN.EXE
WEBSCANX.EXE
WFINDV32.EXE
ZAPRO.EXE
zonealarm.EXE
mcafee.exe
navapsvc.exe
zaplus.exe
vsmon.exe


P2P Distribution Method
The virus may make itself available for download by copying itself into the shared folders of these P2P applications -

C:\Program Files\edonkey2000\incoming
C:\Program Files\bearshare\shared
C:\Program Files\eMule\incoming
C:\Program Files\morpheus\my shared folder
C:\Program Files\limewire\shared\

The virus may copy itself into those folders under any of these file names -

ebook Visual Basic 6 (Black Book 2004.exe
All Vb Codes.exe
Visual Basic 6 Decompiler.exe
Nuker 2004.exe
Hotmail Hacker Gold 2004 (Special Edition).exe
Msn Messenger 6x Crasher.exe
MirC Kick Bot.exe
Msn Messenger 6x Emotion Pack (More Than 1000).exe
Msblast - Patch.exe 6 Mydoom patch! (working).exe
Windows Keygen (ALL VERSION OF WINDOWS!).exe
Serials 2004.exe
Quake 4 (Demo Patch).exe
Norton 2004 (Crack).exe
Ddos Bot 2004.exe
Syn flooder 2004.exe
hentai game cd patch.exe
Pussi-Lover-Game.exe
Drug Wars 2004.exe
Sub 7 2004.exe
Sub 7 Password Cracker.exe
Hotmail Password Stealer.exe
w00t.exe
Yahoo bot 2004 (kick,pw stealer etc).exe
Aim bot 2004 .exe
aim kicker 2004.exe
Hackers Expert (hack the world!).exe
Quake 3 Aim bot.exe
Need for Speed Underground (BOTS).exe
Credit Card Genarator 2004.exe
Msn Webcam Hack (Watch any one with out them knowin!,MUST DOWNLOAD!).exe
Yahoo Webcam Hack.exe
Darkness_Krew (Mr_Zer0,n1tr0,Mr_Docktor,HeXcoN).exe
Optix pro 5.exe
My Doom (Get Rid Of The Nasty Worm!).exe

The virus may copy itself to various other operating system Startup folders -

C:\Win98\Start menu\Programs\Startup
C:\Win95\Start menu\Programs\Startup
Config.pif

C:\WinMe\Start menu\Programs\Startup
System.scr

C:\Windows\Start menu\Programs\Startup
Help.exe


mIRC Distribution Method
The virus contains code to send itself to other users by modifying the MIRC.ini configuration file of the mIRC Internet Relay Chat client, but only if mIRC is installed in the "C:\Program Files\mIRC\" folder. If any of these words are used in a chat session -

*Hey*
*Hi*
*lo*
*Hiya*
*y0*
*asl*
Hey
Hi
lo
Hiya
y0
asl
Mr_Zer0 0wNz YaZ

The virus may send itself to the Nick$ (the mIRC user) that used the word.


Network Shares Creation
The virus may modify the registry to create a share that allows an almost unlimited number of user connections, but a typo prevents that from actually happening -

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanserver\Shares
"Mr_Zer0" = CSCFlags=0 MaxUses=4294967295 Path=A:\ Permissions=63 Type=0

In addition, the virus may run a shell command instruction to share drives A through Z.
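As an added example (not code from the Fortinet analysis), the script below scans a Windows registry export (.reg text) for the persistence values listed under Load At Windows Startup and for the "Mr_Zer0" share entry described above. The registry export embedded in it is constructed for the demonstration; the parser is a minimal one that only handles string values.

```python
# Added example: detection of W32/Aozo.B registry indicators in a .reg export.
# Assumes a text export as produced by "reg export"; string values only.
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SHARES_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanserver\Shares"

# Value names the virus writes under the Run key (from the analysis above).
AOZO_RUN_VALUES = {"Configuration Loader", "Msn Messenger", "Windows Update"}
# File names the Run values point at; the names alone ("Windows Update") look
# legitimate, so both the name and the dropped file must match before flagging.
AOZO_DROPPED_FILES = re.compile(r"(Windows Update|Mr_Zer0|System)\.exe$", re.I)
AOZO_SHARE_NAME = "Mr_Zer0"

def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: data}} (string values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")  # value names with '=' unsupported
            # .reg exports double backslashes inside string data; undo that.
            keys[current][name.strip('"')] = data.strip().strip('"').replace("\\\\", "\\")
    return keys

def find_aozo_indicators(reg_text):
    """Return a list of (key, value_name, data) tuples matching Aozo.B indicators."""
    hits = []
    reg = parse_reg_export(reg_text)
    for name, data in reg.get(RUN_KEY, {}).items():
        if name in AOZO_RUN_VALUES and AOZO_DROPPED_FILES.search(data):
            hits.append((RUN_KEY, name, data))
    for name, data in reg.get(SHARES_KEY, {}).items():
        # Match on the share name only: MaxUses=4294967295 is the normal
        # "maximum allowed" setting and is not an indicator by itself.
        if name == AOZO_SHARE_NAME:
            hits.append((SHARES_KEY, name, data))
    return hits

# Constructed sample export: one benign Run entry plus the Aozo.B entries.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINNT\\system32\\ctfmon.exe"
"Configuration Loader"="C;\\WINNT\\system32/Windows Update.exe"
"Msn Messenger"="C;\\Mr_Zer0.exe"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanserver\Shares]
"Mr_Zer0"="CSCFlags=0 MaxUses=4294967295 Path=A:\\ Permissions=63 Type=0"
'''

if __name__ == "__main__":
    for hit in find_aozo_indicators(SAMPLE_REG):
        print("suspicious:", hit)
```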


File Deletion Payload
The virus may attempt to delete files in various folders. Files with these extensions may be targeted -

*.exe
*.bat
*.dll
*.sys
*.ini
*.mp3
*.doc

The virus may remove the files from these folders -

c:\
c:\WINNT
c:\WINNT\system32
c:\windows
c:\My Shared Folder


Ping Attack Payload
The virus may issue a DoS attack against three websites by using a shell command instruction for each -

Ping -t mess.be -l 65500
Ping -t Symantec.com -l 65500
Ping -t download.com -l 65500


Recommended Action

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option

Telemetry

Detection Availability

FortiClient: Extreme
FortiMail: Extreme
FortiSandbox: Extreme
FortiWeb: Extreme
Web Application Firewall: Extreme
FortiIsolator: Extreme
FortiDeceptor: Extreme
FortiEDR