When the backdoor's file is run on a computer, it copies itself to the Windows System folder as 'wintbpx.exe' and then starts the copied file. It then adds the following registry entry so that it is started whenever a user logs on or the system is restarted:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Wintbpx" = "wintbpx.exe"
Spreading using the PnP exploit
The backdoor can spread to remote computers by exploiting the Plug and Play (PnP) vulnerability (MS05-039) over port 445. If the attack succeeds, a command shell (cmd.exe) is started on the victim on port 8563. Through this shell port the worm sends a tftp script that instructs the remote computer to download and execute the worm from the attacking computer, which runs a built-in TFTP server listening on port 69.
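The three-step spreading pattern described above (exploit on 445, shell on 8563, TFTP pull-back on 69) can be correlated from connection records. The following is an added example, not code from the original description; the flow-record format, field names and the sample flows are constructed for illustration.

```python
# Added example: correlate network flow records to spot the spreading pattern
# described above. An attacker host connects to a victim on TCP/445 (MS05-039
# exploit), then to the shell the exploit opens on TCP/8563, after which the
# victim pulls the worm back from the attacker over TFTP (UDP/69). The record
# format "timestamp proto src:sport -> dst:dport" is an assumption for this example.
from datetime import datetime, timedelta

EXPLOIT_PORT, SHELL_PORT, TFTP_PORT = 445, 8563, 69

def parse_flow(line):
    """Parse one constructed flow record into a dict."""
    ts, proto, src, _, dst = line.split()
    src_ip, _sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return {"ts": datetime.fromisoformat(ts), "proto": proto,
            "src": src_ip, "dst": dst_ip, "dport": int(dport)}

def find_pnp_spread(lines, window=timedelta(minutes=5)):
    """Return sorted (attacker, victim) pairs showing 445 -> 8563 -> 69 in order."""
    flows = sorted((parse_flow(l) for l in lines), key=lambda f: f["ts"])
    hits = set()
    for i, f in enumerate(flows):
        if not (f["proto"] == "tcp" and f["dport"] == EXPLOIT_PORT):
            continue
        attacker, victim, t0 = f["src"], f["dst"], f["ts"]
        later = [g for g in flows[i + 1:] if g["ts"] - t0 <= window]
        # Step 2: attacker reaches the shell port on the same victim.
        shell = [g for g in later if g["proto"] == "tcp" and g["src"] == attacker
                 and g["dst"] == victim and g["dport"] == SHELL_PORT]
        if not shell:
            continue
        t1 = shell[0]["ts"]
        # Step 3: victim fetches the payload from the attacker's TFTP server.
        tftp = any(g["proto"] == "udp" and g["src"] == victim and g["dst"] == attacker
                   and g["dport"] == TFTP_PORT and g["ts"] >= t1 for g in later)
        if tftp:
            hits.add((attacker, victim))
    return sorted(hits)

# Constructed sample flows: one full infection chain plus benign SMB traffic.
SAMPLE_FLOWS = [
    "2005-08-16T10:00:00 tcp 10.0.0.5:3391 -> 10.0.0.20:445",
    "2005-08-16T10:00:02 tcp 10.0.0.5:3392 -> 10.0.0.20:8563",
    "2005-08-16T10:00:03 udp 10.0.0.20:1045 -> 10.0.0.5:69",
    "2005-08-16T10:01:00 tcp 10.0.0.7:3400 -> 10.0.0.21:445",   # ordinary file share use
    "2005-08-16T10:01:30 tcp 10.0.0.7:3401 -> 10.0.0.21:8563",  # no TFTP follow-up
]

if __name__ == "__main__":
    print(find_pnp_spread(SAMPLE_FLOWS))  # [('10.0.0.5', '10.0.0.20')]
```

A lone connection to 445 or 8563 is not flagged; only the complete ordered chain within the time window is reported.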
Here is a summary of the ports used in the attack:
445 (TCP) - PnP exploit (MS05-039) sent to the remote computer
8563 (TCP) - command shell (cmd.exe) opened on the exploited computer
69 (UDP) - TFTP server on the attacking computer from which the worm is downloaded
Please see the following page for detailed information on the vulnerability (MS05-039):
The backdoor tries to terminate the following processes and delete their files:
wintbp.exe (Net-Worm.Win32.Bozori.a) [uses MS05-039 exploit]
winpnp.exe (Backdoor.Win32.Rbot.ym) [uses MS05-039 exploit]
mousebm.exe (Backdoor.Win32.IRCBot.es) [uses MS05-039 exploit]
csm.exe (Net-Worm.Win32.Mytob.cf / Zotob.B) [uses MS05-039 exploit]
botzor.exe (Net-Worm.Win32.Mytob.cd / Zotob.A) [uses MS05-039 exploit]
pnpsrv.exe (Backdoor.Win32.Rbot.yk) [uses MS05-039 exploit]
svnlitup32.exe (Backdoor.Win32.SdBot.yx) [uses MS05-039 exploit]
upnp.exe (Backdoor.Win32.Codbot.ab) [doesn't use MS05-039 exploit]
service32.exe
llsrv.exe
system32.exe
The backdoor connects to IRC server 18.104.22.168, joins an IRC channel called '#tbp' and creates a bot there. The attacker can instruct the bot to execute the following actions:
Exit bot
Remove bot
Download and execute files from the Internet