Eng
  1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar


PoeBot.F


Aliases:


PoeBot.F
Backdoor.Win32.PoeBot.f, W32/Poebot.CZ, W32/Backdoor.HKR, W32.Linkbot, W32/Poebot-N, WORM_POEBOT.AC, W32/Sdbot.worm.gen.l

Malware
Trojan
W32

Summary

Poebot.F is a member of SdBot backdoor family. SdBot is a large family of IRC-based backdoors. This particular variant is quite powerful, it uses several different exploits to spread to vulberable computers and it can steal confidential data from an infected computer.



Disinfection & Removal


Disinfection Utility

This utility provides the special disinfection utility to clean Nyxem.e infection from a computer. This disinfection utility is called F-Force and it can be downloaded from our web and ftp sites:

ftp://ftp.f-secure.com/anti-virus/tools/f-force.zip

http://www.f-secure.com/tools/f-force.zip

The utility is distributed only in a ZIP archive that contains the following files:

  • f-force.exe - the main executable file
  • eult.rtf - End User License Terms document
  • readme.rtf - Readme file in RTF format
  • readme.txt - Readme file in ASCII format

To unpack the archive please use the WinZip or similar archiver.

IMPORTANT!Please make sure that you read the End User License Terms document (Eult.rtf) and the Readme file (either Readme.txt or Readme.rtf) before using the F-Force utility!

The F-Force utility needs the archive with the latest updates in order to function properly. The archive's name is LATEST.ZIP and it should be downloaded and put into the same folder where the F-Force utility is located. This archive with the latest updates can be downloaded from these locations:

http://download.f-secure.com/latest/latest.zip

ftp://ftp.f-secure.com/anti-virus/updates/latest/latest.zip

Please note that the F-Force utility can disinfect only certain malicious programs. Besides the utility does not scan inside archives. So after cleaning a computer with the F-Force utility it is recommended to scan all hard drives with F-Secure Anti-Virus and the latest updates to make sure that no infected files remain there.

A trial version of F-Secure Anti-Virus and the latest updates can be downloaded from F-Secure's website:

http://www.f-secure.com/download-purchase/list.shtml

http://www.f-secure.com/download-purchase/updates.shtml



Technical Details

The backdoor's file is a Windows PE executable about 63 kilobytes long, packed with a file compressor. Some of the backdoor's strings are encrypted with a simple algorithm. The encryption key is not stored in the body of the backdoor, it is generated during runtime.

After the backdoor's file is run, it copies itself to Windows System folder and creates a startup key value for its file in Windows Registry. The backdoor can copy itself with any of the following names:

  • lssas.exe
  • Isass.exe
  • csrs.exe
  • logon.exe
  • winIogon.exe
  • explorer.exe
  • winamp.exe
  • firewall.exe
  • spoolsvc.exe
  • spooIsv.exe
  • algs.exe
  • iexplore.exe

The following startup keys may be created under the following Registry keys:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]


Startup key values can be:

"Local Security Authority Service" = "%WinSysDir%\lssas.exe
""Local Security Authority Service" = 
"%WinSysDir%\Isass.exe""Client Server Runtime Process" = 
"%WinSysDir%\csrs.exe""Windows Logon Application" = 
"%WinSysDir%\logon.exe""Windows Logon Application" = 
"%WinSysDir%\winIogon.exe""Windows Explorer" = 
"%WinSysDir%\explorer.exe""Winamp Agent" = 
"%WinSysDir%\winamp.exe""Windows Network Firewall" = 
"%WinSysDir%\firewall.exe""Spooler SubSystem App" = 
"%WinSysDir%\spoolsvc.exe"Spooler SubSystem App" = 
"%WinSysDir%\spooIsv.exe""Application Layer Gateway Service" = 
"%WinSysDir%\algs.exe""Microsoft Internet Explorer" = 
"%WinSysDir%\iexplore.exe"


where %WinSysDir% represents Windows System folder. On Windows XP systems it is usually C:\Windows\System32\ folder.

After installation the backdoor connects to an IRC server and creates a bot in a specific channel. A hacker who is present in a channel can control the backdoor by sending specific commands to a bot. After installation the backdoor deletes the file that it was originally started from.

The backdoor has the following capabilities:

  • joins and parts IRC channels, changes nick, creates clones, sends raw command, sends messages and notices, floods channels
  • runs IDENTD server on a specified port
  • scans for vulnerable computers using a number of exploits (see below) and reports to a hacker
  • tries to spread to network shares, bruteforces share passwords using the hardcoded list
  • steals logins and passwords (cached passwords, FlashFXP passwords, IE site passwords, MSN passwords)
  • steals Outlook account information (SMTP and POP server names, logins and passwords)
  • steals HTTP e-mail server logins and passwords (Hotmail)
  • sniffs network traffic (packet sniffer)
  • downloads and runs files on an infected computer
  • opens a pipe-based remote command shell on an infected computer
  • act as a proxy server on a selected port
  • collects information about an infected system (software and hardware configuration)
  • finds and terminates competing bots
  • performs a DoS (Denial of Service) attack
  • updates itself from Internet
  • lists processes paying attention on processes with the specific names (games mostly)

The following exploits are used by the backdoor to spread to vulnerable computers:

  • ASN.1 (MS04-007), ports 80, 139, 445
  • LSASS (MS04-011), port 445
  • DCOM-RPC (MS04-012), port 135
  • WKSSVC (MS03-049), ports 135, 445
  • WEBDAV (MS03-007), port 80
  • UPNP (MS05-039), port 445MSSQL, port 1433DameWare, port 6129BackupExec, port 6101IceCast, port 8000SlabMail, port 110RealServer, port 554

The following list is used to bruteforce network share passwords:

  • administratoradministradoradministrateuradministrat
  • adminsadminadmaababcpassword1passwordpasswddbapass1234passpwd
  • 0071121231234123451234561234567123456781234567891234567890
  • workdeadlinepaydaysecret200020012002200320042005testguestnonedemo
  • computerunixlinuxchangemedefaultsystemserverrootnull
  • temptemp123qwertymailoutlookwebwwwinternetsexletmein
  • accountsaccountinghomehomeuseruseroemoemuser
  • oeminstallwwwadminwindowswin98win2kwinxpwinntwin2000qazasdzxcqwe
  • bobjenjoefredbillmikejohnpeterlukesamsuesusan
  • peterbrianleeneilianchrisericgeorgekatebobkatiemary
  • loginloginpasstechnicalbackupexchange
  • f*ckbitchslutsexgodmoneylovehellhello
  • domaindomainpassdomainpassworddatabaseaccessdb
  • passdbpassworddatabasepassdatadatabasepassworddb
  • 1db2db1234sasqlsqlpassoainstallorainstall
  • oracleibmciscodellcompaqsiemenshpnokiaxp
  • controlofficeblankwinpassmainlaninternetintranet
  • studentownerteacherstaff

The backdoor has a stub for the Ring0 code. This code is not available in this backdoor variant, but might be added into one of the future variants.



Detection

PoeBot.F is detected with the following F-Secure Anti-Virus updates:

Detection Type: PC
Database: 2006-01-04_05



Description Created: Alexey Podrezov, February 1, 2006
Description Last Modified: Alexey Podrezov, February 2, 2006



Submit a sample




Wondering if a file or URL is malicious? Submit a sample to our Lab for analysis via the Sample Analysis System (SAS)

Give And Get Advice




Give advice. Get advice. Share the knowledge on our free discussion forum.