Win32/Slenfbot is a worm that can spread via instant messaging programs, which may include MSN Messenger, Yahoo Messenger and Skype. It may also spread via removable drives or by exploiting the
MS06-040 vulnerability. This worm spreads automatically via shares, but must be ordered to spread via exploit or instant messaging by a remote attacker. The worm also contains backdoor functionality that allows unauthorized access to an affected machine.
Installation
When executed, Win32/Slenfbot copies itself to the <system folder> with a filename that differs according to variant and sets the attributes for this copy to read only, hidden and system. It modifies the registry to run this copy at each Windows start. For example, Worm:Win32/Slenfbot.A copies itself to <system folder>\nvsvc64.exe and makes the following modification to the registry:
Adds value: "nVidia Display Driver"
With data: "nvsvc64.exe"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Some variants instead modify the registry to install themselves as the debugger for the clean system file ctfmon.exe, and to ensure that ctfmon.exe runs on system startup, thus launching the malware in its place. For example, Worm:Win32/Slenfbot.AJL makes the following changes:
Under key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adds value: "ctfmon.exe"
With Data: "ctfmon.exe"
Under key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe
Adds value: "Debugger"
With Data: "wmitxdsc.exe"
Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.
The worm makes a further registry modification that causes the copy of the worm that was executed originally to be deleted when the system restarts:
Sets value: "PendingFileRenameOperations"
With data: "<original malware executable>"
Under key: HKLM\System\CurrentControlSet\Control\Session Manager
However, most variants also attempt to delete the original copy immediately, without waiting for a restart.
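As an added defender's check (example code, not part of this Microsoft entry), the following script audits the three persistence mechanisms just described: Run-key values and the attributes of the file they resolve to, every Image File Execution Options "Debugger" hijack (not only the ctfmon.exe one), and the PendingFileRenameOperations list. It assumes Windows PowerShell 3.0 or later run from an elevated prompt; the function names are mine, and resolving a bare Run-key file name against the system folder is an assumption that matches the Slenfbot.A example above.

```powershell
# Added example, not code from the MMPC write-up. Audits the persistence
# mechanisms described above on the local machine.
# Assumptions: Windows PowerShell 3.0 or later, run from an elevated prompt.

function Get-RunKeyEntries {
    # Every Run value in HKLM and HKCU, with the executable it resolves to
    # and that file's attributes. A bare name such as "nvsvc64.exe" is
    # assumed here to live in the system folder, which is where Slenfbot.A
    # puts its copy; a ReadOnly+Hidden+System file there deserves a look.
    $sysDir = [Environment]::SystemDirectory
    $metaNames = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($metaNames -contains $p.Name) { continue }
            $data = [string]$p.Value
            # Strip arguments: either a quoted path or the first token.
            $exe = if ($data -match '^"([^"]+)"') { $Matches[1] } else { ($data -split '\s+')[0] }
            $path = if ([IO.Path]::IsPathRooted($exe)) { $exe } else { Join-Path $sysDir $exe }
            $attrs = if (Test-Path -LiteralPath $path) { (Get-Item -LiteralPath $path -Force).Attributes.ToString() } else { 'MISSING' }
            [pscustomobject]@{ Hive = $hive; Name = $p.Name; Data = $data; Resolved = $path; Attributes = $attrs }
        }
    }
}

function Get-IfeoDebuggers {
    # Every Image File Execution Options subkey that carries a Debugger
    # value. Slenfbot.AJL registers itself as the debugger for ctfmon.exe,
    # so the "debugger" is started instead of ctfmon.exe at each logon.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($sub in (Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue)) {
        $dbg = (Get-ItemProperty -Path $sub.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { [pscustomobject]@{ Image = $sub.PSChildName; Debugger = $dbg } }
    }
}

function Get-PendingFileRenames {
    # PendingFileRenameOperations is a REG_MULTI_SZ of source/destination
    # pairs; an empty destination means "delete at next boot", which is how
    # the worm removes the copy that was originally executed.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $v = (Get-ItemProperty -Path $key -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
    for ($i = 0; $i -lt @($v).Count; $i += 2) {
        $dest = if ($i + 1 -lt @($v).Count -and $v[$i + 1]) { $v[$i + 1] } else { '<delete>' }
        [pscustomobject]@{ Source = $v[$i]; Destination = $dest }
    }
}

Get-RunKeyEntries      | Format-Table -AutoSize
Get-IfeoDebuggers      | Format-Table -AutoSize
Get-PendingFileRenames | Format-Table -AutoSize
```

Any Debugger value under Image File Execution Options is worth reviewing on a machine that is not a developer workstation; a debugger registered for ctfmon.exe that points at an executable in the system folder is the AJL pattern above.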
When first run, some variants of the worm check whether Messenger is running by looking for a window with the class name "MSBLWindowClass". If the window is found, the worm displays the following fake error message:
Title: Windows Picture and Fax Viewer
Message: Critical Error: Failed to load image header.
If launched from a removable drive, some variants may open a copy of Windows Explorer displaying the contents of the affected drive.
Some Slenfbot variants inject a thread into explorer.exe that periodically checks for the existence of their file in the %system% directory. If the file has been removed, it downloads a new copy from a specified server and launches this copy.
Spreads Via…
Instant messaging
This worm can be ordered to spread via MSN Messenger by a remote attacker using the worm's backdoor functionality (see Payload below for additional detail). Some variants may also spread via Yahoo Messenger and Skype. When the attacker orders the worm to spread via MSN Messenger, they must provide the following three parameters:
A URL containing a list of possible messages to send, along with the worm itself, to MSN Messenger contacts. The worm chooses from this list at random.
A file name for a ZIP archive. The worm creates a ZIP archive containing a copy of itself in the temporary folder with this name. The worm sends this ZIP archive to MSN Messenger contacts.
A file name for the worm's executable inside the ZIP archive.
Removable Drives
Win32/Slenfbot may attempt to spread via removable drives, except drives A and B. It does this by creating a directory called RECYCLER in the root of the removable drive. It then creates another directory underneath that with a name such as S-1-6-21-1257894210-1075856346-012573477-2315. The worm copies itself into this directory, with a file name such as "folderopen.exe". For example:
E:\RECYCLER\S-1-6-21-1257894210-1075856346-012573477-2315\folderopen.exe
The worm also creates an autorun.inf file in the root directory of the drive in order to launch the worm if, for example, the drive is connected to another machine.
Some variants instead download an updated copy of themselves from a location specified in the worm, and write it to a directory with a name such as ~secure.
The worm sets the hidden and system attributes for all of the aforementioned directories and files.
Note: Due to a bug, Slenfbot may only create one directory rather than two, such as:
E:\RECYCLERS-1-6-21-1257894210-1075856346-012573477-2315\folderopen.exe
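As an added defender's check (example code, not part of this Microsoft entry), the script below inspects every removable drive for the traces described above: an autorun.inf in the root and the launch lines it contains, RECYCLER and ~secure directories (including the fused RECYCLERS-1-... form produced by the bug), and hidden+system executables underneath them. It assumes Windows PowerShell 3.0 or later; the function and output property names are mine.

```powershell
# Added example, not code from the MMPC write-up. Inspects every removable
# drive for the on-disk traces described above.
# Assumptions: Windows PowerShell 3.0 or later (CIM cmdlets, -Directory/-File).

function Get-RemovableDriveIndicators {
    # DriveType 2 = removable; A: and B: are skipped because the worm skips them.
    $drives = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' |
              Where-Object { $_.DeviceID -notin 'A:', 'B:' }
    foreach ($d in $drives) {
        $root = $d.DeviceID + '\'

        # 1. autorun.inf in the root: report its attributes and the lines that launch something.
        $inf = Join-Path $root 'autorun.inf'
        if (Test-Path -LiteralPath $inf) {
            $attrs = (Get-Item -LiteralPath $inf -Force).Attributes.ToString()
            [pscustomobject]@{ Drive = $d.DeviceID; Kind = 'autorun.inf'; Item = "attributes: $attrs" }
            Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue |
                Where-Object { $_ -match '^\s*(open|shellexecute|shell\\[^\\]+\\command)\s*=' } |
                ForEach-Object { [pscustomobject]@{ Drive = $d.DeviceID; Kind = 'autorun.inf'; Item = $_.Trim() } }
        }

        # 2. RECYCLER\S-1-..., the fused RECYCLERS-1-... form from the bug, and ~secure.
        #    Every such directory is listed; hidden+system .exe files underneath are
        #    the worm's copies (folderopen.exe in the example above).
        Get-ChildItem -LiteralPath $root -Force -Directory -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -like 'RECYCLER*' -or $_.Name -eq '~secure' } |
            ForEach-Object {
                [pscustomobject]@{ Drive = $d.DeviceID; Kind = 'directory'; Item = $_.FullName }
                Get-ChildItem -LiteralPath $_.FullName -Recurse -Force -File -Filter '*.exe' -ErrorAction SilentlyContinue |
                    Where-Object { (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) -and
                                   (($_.Attributes -band [IO.FileAttributes]::System) -ne 0) } |
                    ForEach-Object { [pscustomobject]@{ Drive = $d.DeviceID; Kind = 'hidden+system exe'; Item = $_.FullName } }
            }
    }
}

Get-RemovableDriveIndicators | Format-Table -AutoSize -Wrap
```

The -Force switches matter: the worm sets the hidden and system attributes on all of these directories and files, so without -Force neither Explorer's default view nor Get-ChildItem will show them.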
Payload
Backdoor Functionality
Slenfbot attempts to connect to a particular IRC server via a particular TCP Port. The channel and port number differ according to variant. It joins a channel and waits for commands. Using this backdoor, an attacker can perform the following actions on an affected machine:
When the attacker orders the worm to send an arbitrary file via MSN Messenger, they must provide all of the parameters used when spreading via Messenger, plus a fourth:
Modifies Hosts File
Slenfbot replaces <system folder>\drivers\etc\hosts with a file that contains the following:
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample LMHOSTS file used by the Microsoft TCP/IP for Windows.
#
This text is followed by 90 blank lines, presumably to make the file appear empty on casual inspection. After the blank lines it writes several entries to direct the following anti-virus and security related domains to localhost (127.0.0.1) or to a random IP address, thereby preventing the user from visiting these domains.
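As an added defender's check (example code, not part of this Microsoft entry), the following parser looks for the hosts-file pattern just described: a run of blank or comment-only lines followed by entries that point security vendors' host names at loopback or at some other address. The vendor keyword list and the sample file content are constructed for the example; the function name is mine.

```powershell
# Added example, not code from the MMPC write-up. Parses hosts-file lines and
# reports entries that redirect security-related host names, whatever the
# target address is (the worm uses 127.0.0.1 or a random IP).

function Find-HostsRedirects {
    param(
        [string[]]$Lines,
        # Constructed keyword list; extend it with the vendors you care about.
        [string[]]$Watch = @('symantec', 'mcafee', 'kaspersky', 'avast', 'avg', 'eset',
                             'sophos', 'microsoft', 'malwarebytes', 'bitdefender',
                             'trendmicro', 'f-secure', 'panda', 'avira', 'virustotal')
    )
    $nonEntry = 0
    $entries = @()
    foreach ($l in $Lines) {
        $t = ($l -replace '#.*$', '').Trim()          # drop comments
        if ($t -eq '') { $nonEntry++; continue }        # blank or comment-only line
        $parts = $t -split '\s+'
        if ($parts.Count -lt 2) { continue }            # malformed: address without a name
        $ip = $parts[0]
        foreach ($name in $parts[1..($parts.Count - 1)]) {
            $vendor = $Watch | Where-Object { $name -like "*$_*" } | Select-Object -First 1
            $entries += [pscustomobject]@{
                IP       = $ip
                Name     = $name
                Loopback = ($ip -eq '127.0.0.1' -or $ip -eq '::1')
                Vendor   = $vendor
            }
        }
    }
    [pscustomobject]@{
        NonEntryLines = $nonEntry
        Entries       = $entries
        Suspicious    = @($entries | Where-Object { $_.Vendor })
    }
}

# Constructed sample: the LMHOSTS header the worm writes, a few blank lines
# (the real file has about 90), then entries of the kind it appends.
$sample = @'
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample LMHOSTS file used by the Microsoft TCP/IP for Windows.
#



127.0.0.1 liveupdate.symantec.com
127.0.0.1 download.mcafee.com forum.kaspersky.com
203.0.113.7 www.virustotal.com
'@ -split "`r?`n"

$r = Find-HostsRedirects -Lines $sample
"Non-entry lines: $($r.NonEntryLines); suspicious entries: $($r.Suspicious.Count)"
$r.Suspicious | Format-Table -AutoSize

# The same check against the live file (default Windows location):
$live = Find-HostsRedirects -Lines (Get-Content "$env:SystemRoot\System32\drivers\etc\hosts")
$live.Suspicious | Format-Table -AutoSize
```

On the constructed sample the function reports 7 non-entry lines and 4 suspicious entries. Two further signs worth noting when reading a hosts file by eye: the header the worm writes describes an LMHOSTS file, whereas the file Windows ships names itself a HOSTS file, and a large count of blank lines before the first entry is itself unusual.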
For example, Worm:Win32/Slenfbot.AJL blocks access to the following domains:
13iii.com
acs.pandasoftware.com
acs.pandasoftware.com
ad-aware-se.uptodown.com
ad.harrenmedianetwork.com
ad13.geekstogo.com
aknow.prevx.com
alerta-antivirus.inteco.es
alerta-antivirus.inteco.es
alerta-antivirus.red.es
alfrasha.maktoob.com
andymanchesta.com
andymanchesta.com
anggiawan.web.id
angui123.cn
answers.yahoo.com
anti-virus-software-review.toptenreviews.com
antitrick.com
antonbi.web.id
ar.answers.yahoo.com
ariefew.com
artsoftdesign.com
atazita.blogspot.com
avast-home.uptodown.com
avg.vo.llnwd.net
ba-k.com
baike.360.cn
baike.360.com
banes-pages.blogspot.com
bb1.th3kings.net
bbs.360safe.cn
bbs.360safe.cn
bbs.360safe.com
bbs.360safe.com
bbs.cfan.com.cn
bbs.duba.net
bbs.ikaka.com
bbs.kafan.cn
bbs.kafan.com
bbs.kaspersky.com.cn
bbs.kpfans.com
bbs.s-sos.net
bbs.taisha.org
bbs.winzheng.com
beniono.wordpress.com
beta.eset.com
bisnismudahsaja.blogspot.com
blog.hispasec.com
blog.rnsafe.com
blog.threatfire.com
blogs.icerocket.com
blokvesti.net
board.protecus.de
board.softpedia.com
boardreader.com
bokwer.com
bub.th3kings.net
ca.answers.yahoo.com
cairopt.net
cairopt.net
cert.inteco.es
changelog.fr
cit.kookmin.ac.kr
club.myce.com
cmmings.cn
codehard.wordpress.com
cofradia.org
community.mcafee.com
community.norton.com
community.thaiware.com
community.thaiware.com
comprolive.com
comprolive.vox.com
computadoras.migold.com
comunidad.wilkinsonpc.com.co
customer.symantec.com
danielorza.net
darkzone.in.th
debates.motos.net
deckard.geekstogo.com
destavision-forum.com
devbuilds.kaspersky-labs.com
devirusare.com
diamondcs.com.au
discussions.virtualdr.com
dl.360safe.com
dl2.agnitum.com
dlpe.antivir.com
dnl-eu8.kaspersky-labs.com
down.360safe.cn
down.360safe.com
down.www.kingsoft.com
download.bleepingcomputer.com
download.bleepingcomputer.com
download.eset.com
download.f-secure.com
download.mcafee.com
download.microsoft.com
download.nai.com
download.sysinternals.com
download.zonealarm.com
downloads.andymanchesta.com
downloads.malwarebytes.org
downloads.novirusthanks.org
downloads.sophos.com
dr-web-cureit.softonic.com
egavisa.blogspot.com
es.answers.yahoo.com
es.answers.yahoo.com
es.kioskea.net
es.kioskea.net
es.mcafee.com
es.trendmicro-europe.com
es.wasalive.com
es.wasalive.com
esetnod32antivirus.blogspot.com
espanol.answers.yahoo.com
espanol.dir.groups.yahoo.com
espanol.groups.yahoo.com
fgp.e2doo.com
fgsite.com
file.ikaka.cn
file.ikaka.com
files.filefont.com
fineartschance.com
fixmyim.com
foro.el-hacker.com
foro.elhacker.net
foro.elhacker.net
foro.ethek.com
foro.infiernohacker.com
foro.msgpluslive.es
foro.noticias3d.com
foro.portalhacker.net
foros.3dgames.com.ar
foros.abcdatos.com
foros.mcanime.net
foros.softonic.com
foros.softonic.com
foros.toxico-pc.com
foros.zonavirus.com
forospyware.com
forum.aiutamici.com
forum.antivir-pe.de
forum.antivirus365.net
forum.avast.com
forum.avira.com
forum.avira.de
forum.bullguard.com
forum.bullguard.com
forum.burek.com
forum.chip.de
forum.clubedohardware.com.br
forum.clubedohardware.com.br
forum.dobreprogramy.pl
forum.drweb.com
forum.gsmhosting.com
forum.hardware.fr
forum.hijackthis.de
forum.hocit.com
forum.hocit.com
forum.kaspersky.com
forum.kaspersky.com
forum.kasperskyclub.com
forum.lowyat.net
forum.lrytas.lt
forum.malekal.com
forum.p30world.com
forum.piriform.com
forum.programosy.pl
forum.romeonet.ro
forum.securitycadets.com
forum.skype.com
forum.smadav.net
forum.smadav.net
forum.smadav.net
forum.softpedia.com
forum.swzone.it
forum.sysinternals.com
forum.telecharger.01net.com
forum.telecharger.01net.com
forum.torrents.ro
forum.tweaks.com
forum.zazana.com
forum.zebulon.fr
forums.afterdawn.com
forums.avg.com
forums.cnet.com
forums.comodo.com
forums.devshed.com
forums.eternion-wow.com
forums.maddoktor2.com
forums.malwarebytes.org
forums.overclockzone.com
forums.techguy.org
forums.techguy.org
forums.whatthetech.com
forums.whatthetech.com
forums.zonealarm.com
free.antivirus.com
free.avg.com
front.prevx.com
ftp.drweb.com
ftp.drweb.com
ftp.drweb.com
ftp.f-secure.com
ftp.pcpitstop.com
ftp01net.telechargement.fr
golpe.dyndns.org
gotoknow.org
greatis.com
gulaley.blogspot.com
guru.avg.com
guru0.grisoft.cz
guru1.grisoft.cz
guru2.grisoft.cz
guru3.grisoft.cz
guru4.grisoft.cz
guru5.grisoft.cz
hana-ahmad.blogspot.com
harrenmedianetwork.com
heavenward.ru
hi.baidu.com
hijackthis.download3000.com
hjt-data.trend-braintree.com
hjt.networktechs.com
housecall.trendmicro.com
housecall65.trendmicro.com
images.malwareremoval.com
in.answers.yahoo.com
info.prevx.com
inspiresoft.blogspot.com
irc.ekizmedia.com
irc.evoporn.com
irc.snahosting.net
it.answers.yahoo.com
justfane.blogspot.com
k2r.th3kings.net
kaba.360.cn
kaba.360.com
kaspersky.com
kb.eset.com
kr.ahnlab.com
ladooscuro.es
lexikon.ikarus.at
linhadefensiva.uol.com.br
liveupdate.symantec.com
liveupdate.symantecliveupdate.com
lurker.clamav.net
mailcenter.rising.com
mailcenter.rising.com.cn
majorgeeks.com
malekal.com
malwarebytes-anti-malware.softonic.com
malwarebytes.org
mast.mcafee.com
melcy.wordpress.com
mks.com.pl
modelayu.com
msncleaner.softonic.com
msnfix.changelog.fr
msntubers.freehostia.com
mustlovewine.com
mvps.org
mx.answers.yahoo.com
mx.answers.yahoo.com
mx.answers.yahoo.com
myantispyware.com
new.taringa.net
news.support.veritas.com
nitroamd.spaces.live.com
nod32-antivirus.en.softonic.co
ntfaq.co.kr
oldtimer.geekstogo.com
onecare.live.com
oolbar.cyberdefender.com
ot-indo.blogspot.com
p3dev.taringa.net
pastebin.com
pcvids.wordpress.com
pogonyuto.forospanish.com
poolcoversite.com
positiveroot.wordpress.com
psychoski.blogspot.com
quickscan.bitdefender.com
rareartonline.com
regfixerror.pctools.revenuewire.net
research.pandasecurity.com
research.sunbelt-software.com
rootrepeal.googlepages.com
rootrepeal.psikotick.com
sabithpocker.blogspot.com
safecomputing.umn.edu
samroeng.hi5.com
sapcupgrades.com
scanner.virus.org
search.mcafee.com
secubox.aldria.com
secunia.com
secure.sophos.com
security.symantec.com
securityresponse.symantec.com
securitywonks.net
service1.symantec.com
sf.tapuz.co.il
share.skype.com
share.skype.com
shield.prevx.com
shitit.net
shop.symantecstore.com
shv4.ath.cx
simplyrudz.blogspot.com
sip4.voipkosovasite.com
sis-admin.blogspot.com
smadaver.com
sniff.runescapetube.com
social.answers.microsoft.com
social.microsoft.com
software-files.download.com
softwaresecuritysolutions.com
solit.us
somostuyyounnuevodiaoficial.obolog.com
sophos.com
sopiansantosa.blogspot.com
sosvirus.changelog.fr
sosvirus.changelog.fr
spywarefiles.prevx.com
spywarehammer.com
static.commentcamarche.net
stdio-labs.blogspot.com
store.norton.com
story.dnsentrymx.com
subs.geekstogo.com
support.emsisoft.com
support.f-secure.com
support.kaspersky.com
swandog46.geekstogo.com
tech.pantip.com
tech.pantip.com
thaicert.nectec.or.th
thailand.itmylike.com
thedudesemo.blogspot.com
thejokerx.blogspot.com
topsy.com
trbotnet.sytes.net
trialware.norton.com
uk.answers.yahoo.com
universomanualidades.foroactivo.com
update.360safe.cn
update.360safe.com
update.symantec.com
updatem.360safe.cn
updatem.360safe.com
upload.changelog.fr
us.mcafee.com
us3.download.comodo.com
us4.download.comodo.com
usa.kaspersky.com
v.dreamwiz.com
vaksin.com
vil.nai.com
vil.nail.com
virscan.org
virusinfo.info
virusinfo.prevx.com
wakoopa.com
wap.elakiri.com
wasteland-bg.com
wenwen.soso.com
whois.domaintools.com
www.2-spyware.com
www.247fixes.com
www.360.cn
www.360.com
www.360safe.cn
www.360safe.com
www.365groups.com
www.4-gsmteam.com
www.51nb.com
www.abgenis.net
www.alabamawomen.org
www.analysis.seclab.tuwien.ac.at
www.antirootkit.com
www.antivir.es
www.antivirus.about.com
www.antivirus.comodo.com
www.arenajunkies.com
www.arswp.com
www.askmehelpdesk.com
www.auditmypc.com
www.avast.com
www.avg-antivirus.net
www.avira.com
www.avp.com
www.avpclub.ddns.info
www.avsoft.ru
www.babooforum.com.br
www.bakunos.com
www.betterantivirus.com
www.bitdefender.com
www.bitdefender.es
www.bleedingthreats.net
www.bleepingcomputer.com
www.blindedbytech.com
www.blogschapines.com
www.bloodzone.net
www.box.net
www.ca.com
www.carigold.com
www.castlecops.com
www.castlecrops.com
www.cddchiangmai.net
www.cddchiangmai.net
www.cfan.com.cn
www.changedetection.com
www.chkrootkit.org
www.cisrt.org
www.clamav.net
www.clamwin.com
www.clubic.com
www.codelain.com
www.com-th.net
www.commentcamarche.net
www.commentcamarche.net
www.computerforum.com
www.computerhilfen.de
www.computing.net
www.configurarequipos.com
www.configurarequipos.com
www.corozilla.net
www.cwsandbox.org
www.cyberdefender.com
www.cybertechhelp.com
www.daboweb.com
www.daniweb.com
www.darkclockers.com
www.dazhizhu.cn
www.decido.de
www.devirusare.com
www.dicasweb.com.br
www.dl4all.com
www.dl4all.com
www.dougknox.com
www.downtr.net
www.drweb.com.es
www.duba.net
www.eeload.com
www.el-hacker.com
www.elakiri.com
www.elektroda.pl
www.elguruinformatico.com
www.elhacker.org
www.elitepvpers.de
www.eliters.com
www.emsisoft.com
www.emsisoft.de
www.eradicatespyware.net
www.eset-la.com
www.eset.com
www.eset.com
www.eset.eu
www.eudict.com
www.ewido.net
www.ewido.net
www.experts-exchange.com
www.f-prot.com
www.f-secure.com
www.faravirusi.com
www.feedage.com
www.file.net
www.fileresearchcenter.com
www.final4ever.com
www.firewallguide.com
www.fixya.com
www.forofantasiasmiguel.com
www.forospanish.com
www.forospyware.com
www.forospyware.es
www.forospyware.es
www.fortiguardcenter.com
www.fortinet.com
www.forum.kaspersky.com
www.forums.majorgeeks.com
www.free-av.com
www.free.avg.com
www.free.grisoft.com
www.freedrweb.com
www.freefixer.com
www.freespywareremoval.info
www.freshwap.net
www.ftw.ro
www.funkytoad.com
www.futurenow.bitdefender.com
www.gamexeon.com
www.geekpolice.net
www.geekstogo.com
www.geekstogo.com
www.gmer.net
www.greatis.com
www.grisoft.com
www.groupwhere.org
www.gsmph.com
www.gsmph.net
www.guiadohardware.net
www.guiadohardware.net
www.gyakorikerdesek.hu
www.gyakorikerdesek.hu
www.hijackthis.de
www.hijackthis.de
www.hotshare.net
www.housecall.trendmicro.com
www.housecall.trendmicro.com
www.huaifai.go.th
www.hvaonline.net
www.identi.es
www.ikaka.cn
www.ikaka.com
www.ikarus.net
www.incodesolutions.com
www.incodesolutions.com
www.indowebster.web.id
www.infos-du-net.com
www.infosecpodcast.com
www.infospyware.com
www.ipaddresser.com
www.ixtorrent.com
www.ixtorrent.com
www.jackbloodforum.com
www.javacoolsoftware.com
www.javacoolsoftware.net
www.jbtalks.cc
www.jiwang.org
www.judj.com
www.jvme.com
www.k7computing.com
www.kaldata.com
www.kaskus.us
www.kaspersky-labs.com
www.kaspersky.com
www.kaspersky.es
www.killtrojan.net
www.kosandpol.elakiri.com
www.krupunmai.com
www.kztechs.com
www.laneros.com
www.latest-virus.com
www.lavasoft.com
www.leforo.com
www.linhadefensiva.org
www.linkmania.ro
www.looktr.com
www.malekal.com
www.malwarebytes.org
www.malwarecrypt.com
www.malwareremoval.com
www.manuelruvalcaba.com
www.manuelruvalcaba.com
www.mcafee.com
www.mcanime.net
www.Merijn.org
www.messengeradictos.com
www.misec.net
www.mostz.com
www.mozilla-hispano.org
www.msnvirusremoval.com
www.mvps.org
www.mxttchina.com
www.mycity.rs
www.mypcsafe.com
www.mypcsafe.com
www.nabble.com
www.net-security.org
www.networkworld.com
www.nhatnghe.com
www.norman.com
www.offensivecomputing.net
www.onlinescan.avast.com
www.oprekpc.com
www.oprekpc.com
www.ozzu.com
www.pandasecurity.com
www.pandasecurity.com
www.pandasecurity.com
www.pantip.com
www.pc1news.com
www.pcentraide.com
www.pcentraide.com
www.pcguide.com
www.pchell.com
www.pchelpforum.com
www.pcsupportadvisor.com
www.pctools.com
www.pcwelt.de
www.pcworld.com
www.personal.psu.edu
www.personalfirewall.comodo.com
www.pinoyden.com
www.pinoyhackers.com
www.pinoytambaygroup.com
www.precisesecurity.com
www.prevx.com
www.protecus.de
www.psicofxp.com
www.quickheal.co.in
www.raymond.cc
www.regrun.com
www.resplendence.com
www.rising.com
www.rising.com.cn
www.rolandovera.com
www.rootkit.com
www.rootkit.nl
www.rss-verzeichnis.de
www.runscanner.net
www.safer-networking.org
www.sandboxie.com
www.securitynewsportal.com
www.securitystronghold.com
www.securitywonks.net
www.sergiwa.com
www.shitit.net
www.siteadvisor.com
www.smokey-services.eu
www.soccersuck.com
www.softonic.com
www.sophos.com
www.spamhaus.org
www.spyany.com
www.spybot.info
www.spybotupdates.com
www.spychecker.com
www.spywarecease.com
www.spywaredb.com
www.spywaredemon.com
www.spywarefri.dk
www.spywareinfo.com
www.spywareremovalblog.com
www.spywareterminator.com
www.sunbeltsecurity.com
www.sunbeltsoftware.com
www.superadblocker.com
www.superantispyware.com
www.superdicas.com.br
www.superdicas.com.br
www.superuser.co.kr
www.symantec.com
www.sysinternals.com
www.sz-pet.com
www.tallemu.com
www.tanya-it.com
www.taringa.net
www.taringa.net
www.techimo.com
www.techspot.com
www.techsupportforum.com
www.techsupportforum.com
www.tecno-soft.com
www.thaicert.org
www.thailandsusu.com
www.thaivisa.com
www.thecomputerpitstop.com
www.thehelper.net
www.thetechguide.com
www.thinkpad.cn
www.threatexpert.com
www.threatexpert.com
www.tongjimba.com
www.tpu.ro
www.trendmicro.com
www.trendsecure.com
www.trendsecure.com
www.trojaner-board.de
www.trucoswindows.es
www.trucoswindows.net
www.tweaksforgeeks.com
www.ulop.net
www.unhackme.com
www.usbcleaner.cn
www.utilidades-utiles.com
www.utilidades-utiles.com
www.velocidadmaxima.com
www.vietcaravan.us
www.viprasys.org
www.virscan.org
www.virus-com.com
www.viruschief.com
www.virusdoctor.jp
www.viruslist.com
www.virusspy.com
www.virusspy.com
www.virustotal.com
www.vivalared.com
www.vsantivirus.com
www.vupen.com
www.webimmune.net
www.webphand.com
www.webroot.com
www.whatthetech.com
www.wikio.es
www.wilderssecurity.com
www.winbots.es
www.windowexe.com
www.windowexe.com
www.worton.com
www.xmarks.com
www.yoreparo.com
www.ziggamza.net
www.zonavirus.com
www.zonavirus.com
www.zonavirus.com
www.zone-it.com
www.zonealarm.com
www.zonealarm.com
www.zyzoom.org
www2.gmer.net
www3.malekal.com
wwww.experts-exchange.com
wwww.mcafee.com
x.360safe.com
yourartmuseum.com
z-oleg.com
zastita.com
zastita.com
zenovy.com
zhidao.baidu.com
zhidao.ikaka.com
zone.arminboutique.com
Deletes Files
When first executed, Slenfbot runs the following commands:
CMD /C del /F /S /Q *.zip
CMD /C del /F /S /Q *.com
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com
These commands delete files named *.zip and *.com in the current directory and in the user's "My Received Files" directory, the location where Windows Messenger stores downloaded files by default. The intention is evidently to delete the original copy of the worm that was received via Messenger.
Modifies System Settings
Slenfbot deletes the following registry keys (and any subkeys and values they contain):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network
It also makes the following registry modifications:
Sets value: "Disabletaskmgr"
With data: "1"
Under key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "DisableSR"
With data: "1"
Under key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
Sets value: "DisableConfig"
With data: "1"
Under key HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
Sets value: "Disableregistrytools"
With data: "1"
Under key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "NoClose"
With data: "1"
Under key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
Sets value: "Start"
With data: "4"
Under key HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Under key: HKLM\Software\Policies\Microsoft\MRT
Sets value: "DontReportInfectionInformation"
With data: "1"
Under key: HKLM\Software\Microsoft\Security Center
Sets value: "AntiVirusOverride"
With data: "1"
Sets value: "AntiVirusDisableNotify"
With data: "1"
Sets value: "FirewallOverride"
With data: "1"
Sets value: "FirewallDisableNotify"
With data: "1"
Under key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
Sets value: "CheckedValue"
With data: "1"
Under key: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "Hidden"
With data: "2"
It may attempt to disable Data Execution Prevention by adding the following modification:
Sets value: "<system folder>\wmidtxdsc.exe"
With data: "DisableNXShowUI"
Under key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
It may attempt to give itself access through the Windows Firewall by making the following changes:
Under key: HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Adds value: "C:\WINDOWS\system32\wmitxdsc.exe"
With Data: "C:\WINDOWS\system32\wmitxdsc.exe:*:Enabled:LAN Router"
Under key: HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
Adds value: "C:\WINDOWS\system32\wmitxdsc.exe"
With Data: "C:\WINDOWS\system32\wmitxdsc.exe:*:Enabled:LAN Router"
Some variants periodically rewrite these changes in order to ensure that they have not been removed.
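As an added defender's check (example code, not part of this Microsoft entry), the script below re-reads the settings listed above and compares each with the value the worm writes, verifies that the SafeBoot keys still exist, lists firewall exceptions and DisableNX compatibility layers, and reports the state of the services the worm stops or deletes (that list comes from the "Deletes services" section further down). It assumes Windows PowerShell 3.0 or later on an elevated prompt; the table, function names and the choice of services to query are mine. Because some variants rewrite these changes periodically, a clean result is only meaningful once the worm's process and persistence have been removed.

```powershell
# Added example, not code from the MMPC write-up. Compares the current
# registry state with the tampered values listed above and reports the
# state of the targeted services.
# Assumptions: Windows PowerShell 3.0 or later, run from an elevated prompt.

$tamperChecks = @(
    @{ Key = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr';        Bad = 1 },
    @{ Key = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools';  Bad = 1 },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore';  Name = 'DisableSR';             Bad = 1 },
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore';        Name = 'DisableConfig';         Bad = 1 },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoClose';               Bad = 1 },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\wscsvc';                    Name = 'Start';                 Bad = 4 },  # 4 = Security Center service disabled
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\MRT';                             Name = 'DontReportInfectionInformation'; Bad = 1 },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Security Center';                          Name = 'AntiVirusOverride';     Bad = 1 },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Security Center';                          Name = 'AntiVirusDisableNotify';Bad = 1 },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Security Center';                          Name = 'FirewallOverride';      Bad = 1 },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Security Center';                          Name = 'FirewallDisableNotify'; Bad = 1 },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden'; Name = 'CheckedValue'; Bad = 1 },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced';  Name = 'Hidden';                Bad = 2 }   # 2 = do not show hidden files
)

function Test-SlenfbotTampering {
    foreach ($c in $tamperChecks) {
        $cur = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        [pscustomobject]@{ Check = "$($c.Key)\$($c.Name)"; Current = $cur; Tampered = ($cur -eq $c.Bad) }
    }
    # Safe Mode needs these keys; the worm deletes them outright.
    foreach ($sb in 'Minimal', 'Network') {
        $k = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$sb"
        [pscustomobject]@{ Check = "$k (key present)"; Current = (Test-Path $k); Tampered = -not (Test-Path $k) }
    }
    # Windows Firewall exceptions (XP/2003-style list). An exception for an
    # executable in the system folder, enabled for all networks, is the pattern above.
    foreach ($profile in 'StandardProfile', 'DomainProfile') {
        $k = "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\$profile\AuthorizedApplications\List"
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if ($props) {
            foreach ($p in $props.PSObject.Properties | Where-Object { $_.Value -like '*:Enabled:*' }) {
                [pscustomobject]@{ Check = "$profile firewall exception"; Current = $p.Value
                                   Tampered = ($p.Name -like "$env:SystemRoot\system32\*") }
            }
        }
    }
    # Application compatibility layers that switch DEP off for a specific executable.
    $layers = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers' -ErrorAction SilentlyContinue
    if ($layers) {
        foreach ($p in $layers.PSObject.Properties | Where-Object { $_.Value -like '*DisableNX*' }) {
            [pscustomobject]@{ Check = 'AppCompat DisableNX layer'; Current = "$($p.Name) = $($p.Value)"; Tampered = $true }
        }
    }
}

function Get-TargetedServiceState {
    # A subset of the service names from the "Deletes services" section; 'absent'
    # means the service no longer exists, which is what sc delete leaves behind.
    param([string[]]$Names = @('MsMpSvc', 'McShield', 'ekrn', 'NOD32krn', 'avg8wd', 'avg9wd', 'AntiVirService',
                               'SAVService', 'SAVAdminService', 'avast! Antivirus', 'vsmon', 'cmdAgent', 'wscsvc'))
    foreach ($n in $Names) {
        $svc  = Get-Service -Name $n -ErrorAction SilentlyContinue
        $mode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='$n'" -ErrorAction SilentlyContinue).StartMode
        [pscustomobject]@{ Service = $n; Status = $(if ($svc) { $svc.Status } else { 'absent' }); StartMode = $mode }
    }
}

Test-SlenfbotTampering   | Where-Object { $_.Tampered } | Format-Table -AutoSize -Wrap
Get-TargetedServiceState | Format-Table -AutoSize
```

Only the rows flagged Tampered are printed; drop the Where-Object filter to see every value with its current data. Services the machine never had will also show as absent, so compare the output with the security products actually installed.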
Terminates Processes
Slenfbot may terminate some or all of the following processes on an affected machine:
123.COM
123.EXE
A2HIJACKFREESETUP.EXE
AMPAWSMASHERX.EXE
APM.EXE
APORTS.EXE
APT.EXE
ASVIEWER.EXE
ATF-CLEANER.EXE
ATF-CLEANER.EXE
AUTORUNS.EXE
AVENGER.EXE
AVENGER.EXE
AVG_AVWT_STB_EN_9_40_FREE.EXE
AVGARKT.EXE
AVINSTALL.EXE
AVIRA_ANTIVIR_PERSONAL_EN.EXE
AVZ.EXE
AVZ.EXE
BC5CA6A.EXE
BITDEFENDER_ANTIVIRUS.EXE
BOOTSAFE.EXE
BUSCAREG.EXE
CATCHME.EXE
CF9409.EXE
COMBO-FIX.EXE
COMBOFIX.BAT
COMBOFIX.COM
COMBOFIX.EXE
COMBOFIX.SCR
COMPAQ_PROPIETARIO.EXE
CPF.EXE
CPORTS.EXE
CPROCESS.EXE
CUREIT.EXE
DARKSPY105.EXE
DELAYDELFILE.EXE
DLLCOMPARE.EXE
DLLHOSTS.EXE
DRWEB-600-WIN-PRO-X86.EXE
DUBATOOL_AV_KILLER.EXE
EAV_NT32_ENU.MSI
EAV_NT64_ENU.MSI
ELISTA.EXE
ESCW_90_SA_SFX.EXE
EULALYZERSETUP.EXE
FILEALYZ.EXE
FILEFIND.EXE
FIXBAGLE.EXE
FIXPATH.EXE
FOLDERCURE.EXE
FPORT.EXE
FSB.EXE
FSBL.EXE
GMER.EXE
GUARD.EXE
GUARDXKICKOFF.EXE
GUARDXSERVICE.EXE
HACKMON.EXE
HELIOS.EXE
HIJACK-THIS.EXE
HIJACKTHIS.EXE
HIJACKTHIS_SFX.EXE
HIJACKTHIS_V2.EXE
HJ.EXE
HJTINSTALL.EXE
HJTSETUP.EXE
HOOKANLZ.EXE
HOOKANLZ.EXE
HOSTSFILEREADER.EXE
ICESWORD.EXE
IEFIX.EXE
INSTALLWATCHPRO25.EXE
ISSDM_EN_32.EXE
JAJA.EXE
K7TS_SETUP.EXE
KAKASETUPV6.EXE
KILLAUTOPLUS.EXE
KILLBOX.EXE
LISTO.EXE
LORDPE.EXE
MBAM-SETUP.EXE
MBAM.EXE
MBAM.EXE
MBR.EXE
MRT.EXE
MRTSTUB.EXE
MSASCUI.EXE
MSMPENG.EXE
MSNCLEANER.EXE
MSNFIX.EXE
MYPHOTOKILLER.EXE
NAV-TW-30-17-1-0-19TBEN.EXE
NETALYZ.EXE
NETMON.EXE
NETSTAT.EXE
NS360S300EN
NTVDM.EXE
OBJMONSETUP.EXE
OLLYDBG.EXE
OTL.EXE
OTM.EXE
OTMOVEIT.EXE
MBAM-SETUP.EXE
P08PROMO.EXE
PAVARK.EXE
PENCLEAN.EXE
PG2.EXE
PGSETUP.EXE
PORTDETECTIVE.EXE
PORTMONITOR.EXE
PREVX.EXE
PREVXCSIFREE.EXE
PROCDUMP.EXE
PROCESSMONITOR.EXE
PROCEXP.EXE
PROCMON.EXE
PROCMON.EXE
PROJECTWHOISINSTALLER.EXE
PSKILL.EXE
RAVP.EXE
REANIMATOR.EXE
REG.EXE
REGALYZ.EXE
REGCOOL.EXE
REGEDIT.COM
REGEDIT.SCR
REGISTRAR_LITE.EXE
REGMON.EXE
REGSCANNER.EXE
REGSHOT.EXE
REGSHOT.EXE
REGUNLOCKER.EXE
REGUNLOCKER.EXE
TSNTEVAL.EXE
XP_TASKMGRENAB.EXE
REGX2.EXE
RKD.EXE
ROOTALYZER.EXE
ROOTKIT_DETECTIVE.EXE
ROOTKITBUSTER.EXE
ROOTKITNO.EXE
ROOTKITREVEALER.EXE
ROOTREPEAL.EXE
SAFEBOOTKEYREPAIR.EXE
OTMOVEIT3.EXE
HOSTSXPERT.EXE
DAFT.EXE
SDFIX.EXE
SECCENTER.EXE
SEEM.EXE
SETUP_AV_FREE.EXE
SMASH.EXE
SMASH1.EXE
SMASH2.EXE
SMASH3.EXE
SMASH4.EXE
SMASH5.EXE
SMASH6.EXE
SMASH7.EXE
SMSNIFF.EXE
SPF.EXE
SPYBOTSD.EXE
SPYBOTSD160.EXE
SRENGLDR.EXE
SRENGLDR.EXE
SRENGPS.EXE
SRESTORE.EXE
STARTDRECK.EXE
SUPERANTISPYWARE.EXE
SUPERANTISPYWARE.EXE
SUPERKILLER.EXE
SYSANALYZER_SETUP.EXE
TASKKILL.EXE
TASKLIST.EXE
TASKMAN.EXE
TASKMON.EXE
TCPVIEW.EXE
TEATIMER.EXE
TrendMicro_TISPro_16.1_1063_x32.EXE
UNHACKME.EXE
UNIEXTRACT.EXE
UNLOCKER.EXE
UNLOCKER1.8.7.EXE
UNLOCKER1.8.7.EXE
UNLOCKERASSISTANT.EXE
USBGUARD.EXE
VBA32-PERSONAL-LATEST-ENGLISH.EXE
VIPRE.EXE
VIRUS.EXE
VIRUSUTILITIES.EXE
WINDOWS-KB890930-V2.2.EXE
WINDOWSDEFENDER.MSI
WIRESHARK.EXE
WITSETUP.EXE
ZLCLIENT.EXE
Deletes Services
The worm may use the net stop, sc stop, sc config, and sc delete commands to stop, disable, and delete some of the following services:
CSIScanner
MsMpSvc
K7RTScan
K7TSMngr
avast! Antivirus
AntiVirService
PASRV
VSSERV
avg8wd
avg9wd
NOD32krn
ekrn
McShield
OutpostFirewall
TmPfw
KPF4
SmcService
cmdAgent
vsmon
SbPF.Launcher
SPF4
acssrv
SAVService
SAVAdminService
Sophos AutoUpdate Service
Sophos Client Firewall
Sophos Client Firewall Manager
Uses Stealth
Slenfbot is also capable of hiding its process from task manager.
Additional Information
Slenfbot variants create a mutex that also differs according to variant. For example, Worm:Win32/Slenfbot.A creates the mutex "I3.1".
Analysis by Hamish O'Dea and David Wood