Backdoor:Win32/Nirbot is a backdoor Trojan that targets certain versions of Microsoft Windows. The trojan connects to a specific IRC server to receive commands from attackers, which can include instructions to spread to other computers in various ways, such as through network shares, SQL servers, and the exploitation of particular vulnerabilities.
Installation
When run, Win32/Nirbot drops a copy of itself into the <system folder> as 'jwmngr.exe' and registers itself to run when Windows starts.
Adds value: <value>
With data: <system folder>\jwmngr.exe
In subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Where <value> can be any of the following:
ATI Active Graphics Card Monitor
JW Manager
LEMSRV
Network Bridge
Random Interface Network Manager
Symmetrical Network
Syncronization
JW Manager
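The persistence entry above can be audited from a registry export rather than on a live system. The following Python script is an added example, not part of the Microsoft encyclopedia entry: it parses a `.reg` text export (the sample export embedded below is constructed for this example) and flags any value under the Run key whose name is one of the names the analysis lists or whose data points at `jwmngr.exe`.

```python
# Added example: audit an exported HKLM Run key for the Win32/Nirbot
# persistence entry described in the analysis. The .reg text below is
# constructed for this example; the value names and binary name come from
# the analysis itself.
import re
from typing import List, Tuple

# Value names the analysis says the trojan may register under the Run key.
NIRBOT_VALUE_NAMES = {
    "ATI Active Graphics Card Monitor",
    "JW Manager",
    "LEMSRV",
    "Network Bridge",
    "Random Interface Network Manager",
    "Symmetrical Network",
    "Syncronization",  # spelled as the analysis reports it
}
NIRBOT_BINARY = "jwmngr.exe"
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed .reg export: one benign entry, one matching by value name,
# one matching by binary name only, and a RunOnce entry outside the Run key.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"JW Manager"="C:\\Windows\\system32\\jwmngr.exe"
"Updater"="C:\\Windows\\System32\\JWMNGR.EXE"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Installer"="C:\\Temp\\setup.exe"
'''

# A .reg string value looks like "name"="data"; data uses doubled backslashes.
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def parse_reg_export(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, data) triples for the string values in a .reg export."""
    entries = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        m = _VALUE_RE.match(line)
        if m and current_key is not None:
            data = m.group("data").replace("\\\\", "\\")  # undo .reg escaping
            entries.append((current_key, m.group("name"), data))
    return entries


def find_nirbot_run_entries(text: str) -> List[Tuple[str, str, str]]:
    """Flag Run-key values whose name or target matches the Nirbot indicators."""
    hits = []
    for key, name, data in parse_reg_export(text):
        if key.lower() != RUN_KEY.lower():
            continue  # the analysis names the Run key specifically
        by_name = name in NIRBOT_VALUE_NAMES
        by_binary = data.lower().endswith(NIRBOT_BINARY)  # case-insensitive path match
        if by_name or by_binary:
            hits.append((key, name, data))
    return hits


if __name__ == "__main__":
    for key, name, data in find_nirbot_run_entries(SAMPLE_REG_EXPORT):
        print(f"suspicious Run entry: {name!r} -> {data}")
```

Matching on the binary name as well as the value name catches a sample that picks a value name not on the list, while restricting the check to the Run key keeps unrelated autostart locations out of the report.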
Spreads via…
Exploit
In order to spread across a network, this trojan attempts to exploit targeted machines with the following vulnerabilities:
Win32/Nirbot also targets computers running Microsoft SQL. It attempts to log on to the computer using account names and passwords from the following list:
administrator
administrador
administrateur
administrat
admins
admin
password1
password
passwd
pass1234
12345
123456
1234567
12345678
123456789
1234567890
guest
linux
changeme
default
system
server
qwerty
outlook
internet
accounts
accounting
homeuser
oemuser
oeminstall
windows
win98
win2k
winxp
winnt
win2000
peter
susan
peter
brian
chris
george
katie
login
loginpass
technical
backup
exchange
bitch
hello
domain
domainpass
domainpassword
database
access
dbpass
dbpassword
databasepass
databasepassword
db1234
sqlpassoainstall
orainstall
oracle
cisco
compaq
siemens
nokia
control
office
blank
winpass
internet
intranet
student
teacher
staff
If the target computer is vulnerable, the trojan sends a small amount of code that instructs the target machine to download a copy of the trojan from the attacking computer. Win32/Nirbot has an integrated tftp server and an http server that are used to host and spread the trojan. Additionally, Win32/Nirbot may use an SQL query to retrieve a copy of the trojan.
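The SQL logon attempts described above leave a characteristic trail: a burst of failed logons from one client cycling through the account names in the dictionary. The Python script below is an added example, not part of the Microsoft encyclopedia entry. It groups failed-logon records per client address and flags a client that produces many failures within a short window using several names from the list. The log lines are constructed to resemble SQL Server ERRORLOG "Login failed for user" entries; the exact format, the window size and the thresholds are assumptions for this example.

```python
# Added example: detect dictionary-style SQL logon attempts of the kind the
# analysis attributes to Win32/Nirbot. Sample log lines are constructed;
# the account names checked against are a subset of the list in the analysis.
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Subset of the account names / passwords listed in the analysis.
NIRBOT_DICTIONARY = {
    "administrator", "administrador", "administrateur", "administrat",
    "admins", "admin", "guest", "backup", "password", "database", "oracle",
}

# Constructed lines in the style of a SQL Server ERRORLOG (format assumed).
SAMPLE_ERRORLOG = """\
2023-05-04 09:15:01.22 Logon       Login failed for user 'jsmith'. Reason: Password did not match that for the login provided. [CLIENT: 10.1.2.33]
2023-05-04 09:16:10.05 Logon       Login failed for user 'administrator'. Reason: Could not find a login matching the name provided. [CLIENT: 10.1.2.77]
2023-05-04 09:16:10.31 Logon       Login failed for user 'administrador'. Reason: Could not find a login matching the name provided. [CLIENT: 10.1.2.77]
2023-05-04 09:16:11.02 Logon       Login failed for user 'administrateur'. Reason: Could not find a login matching the name provided. [CLIENT: 10.1.2.77]
2023-05-04 09:16:11.40 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 10.1.2.77]
2023-05-04 09:16:12.11 Logon       Login failed for user 'guest'. Reason: Could not find a login matching the name provided. [CLIENT: 10.1.2.77]
2023-05-04 09:16:12.58 Logon       Login failed for user 'backup'. Reason: Could not find a login matching the name provided. [CLIENT: 10.1.2.77]
2023-05-04 09:30:00.00 Logon       Login failed for user 'administrator'. Reason: Could not find a login matching the name provided. [CLIENT: 10.1.2.90]
2023-05-04 09:33:00.00 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 10.1.2.90]
2023-05-04 09:36:00.00 Logon       Login failed for user 'guest'. Reason: Could not find a login matching the name provided. [CLIENT: 10.1.2.90]
2023-05-04 09:39:00.00 Logon       Login failed for user 'password'. Reason: Could not find a login matching the name provided. [CLIENT: 10.1.2.90]
2023-05-04 09:42:00.00 Logon       Login failed for user 'backup'. Reason: Could not find a login matching the name provided. [CLIENT: 10.1.2.90]
"""

LOGIN_FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<client>[\d.]+)\]$"
)


def parse_failed_logins(text: str) -> List[Tuple[datetime, str, str]]:
    """Extract (timestamp, user, client address) from failed-logon lines."""
    events = []
    for line in text.splitlines():
        m = LOGIN_FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group("user"), m.group("client")))
    return events


def detect_sql_password_guessing(
    text: str,
    window: timedelta = timedelta(seconds=60),
    min_failures: int = 5,
    min_dictionary_hits: int = 3,
) -> Dict[str, dict]:
    """Flag clients with >= min_failures failed logons inside `window`
    that used >= min_dictionary_hits distinct names from the dictionary."""
    by_client: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, user, client in parse_failed_logins(text):
        by_client[client].append((ts, user))

    flagged: Dict[str, dict] = {}
    for client, events in by_client.items():
        events.sort()
        best = None
        start = 0
        for end in range(len(events)):  # sliding window over sorted failures
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            dict_users = {u for _, u in span if u.lower() in NIRBOT_DICTIONARY}
            if len(span) >= min_failures and len(dict_users) >= min_dictionary_hits:
                if best is None or len(span) > best["failures"]:
                    best = {"failures": len(span), "dictionary_users": sorted(dict_users)}
        if best is not None:
            flagged[client] = best
    return flagged


if __name__ == "__main__":
    for client, info in detect_sql_password_guessing(SAMPLE_ERRORLOG).items():
        print(f"{client}: {info['failures']} failures, names tried: {info['dictionary_users']}")
```

The window matters: 10.1.2.90 also tries five dictionary names, but spread three minutes apart, so it stays below the threshold, while 10.1.2.77 burns through six names in two seconds and is reported. Tune the window and thresholds to the server's normal failed-logon rate.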
A third vector for this threat is to target computers with shares that also have weak authentication.
Payload
Backdoor Functionality: Port 8080
Win32/Nirbot attempts to connect to an Internet Relay Chat (IRC) server named 'z3n.phatcamp.org' using TCP port 8080 to await commands from an attacker. Using this backdoor, an attacker can perform the following actions on an affected machine:
- gather information about the compromised system, including installed application CD keys
- scan the network for vulnerable computers
- launch a tftp/http server, or a socks proxy
- download and execute files
- update, or uninstall the trojan
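The command channel described above has two observable features: the server name and an IRC handshake on TCP 8080, a port that normally carries HTTP. The Python script below is an added example, not part of the Microsoft encyclopedia entry. It runs over constructed connection records (timestamp, source, destination host, destination port, first client bytes) and reports connections to the named server on any port, and IRC-style handshakes on port 8080 to any destination. The record format and the sample data are assumptions for this example; the host name and port come from the analysis.

```python
# Added example: flag network connections matching the Win32/Nirbot command
# channel described in the analysis. Connection records are constructed
# (a network sensor that logs the first bytes of each flow is assumed).
import re
from typing import List, Tuple

KNOWN_C2_HOSTS = {"z3n.phatcamp.org"}  # IRC server named in the analysis
C2_PORT = 8080                          # TCP port named in the analysis

# First client message of an IRC session registration (RFC 1459 style).
IRC_HANDSHAKE_RE = re.compile(r"^(NICK|USER|PASS|JOIN)\b", re.IGNORECASE)

# Constructed records: (timestamp, source, destination host, port, first bytes)
SAMPLE_CONNECTIONS: List[Tuple[str, str, str, int, str]] = [
    ("2023-05-04T09:20:01", "10.1.2.77", "proxy.corp.example", 8080,
     "CONNECT update.example:443 HTTP/1.1\r\n"),            # ordinary proxy use
    ("2023-05-04T09:20:05", "10.1.2.77", "z3n.phatcamp.org", 8080,
     "NICK a1b2c3\r\nUSER a1b2c3 0 * :a1b2c3\r\n"),          # C2 host and IRC on 8080
    ("2023-05-04T09:21:30", "10.1.2.90", "203.0.113.10", 8080,
     "PASS s3cret\r\nNICK x9y8z7\r\n"),                      # IRC on 8080, other host
    ("2023-05-04T09:22:00", "10.1.2.15", "irc.example.net", 6667,
     "NICK bob\r\n"),                                        # IRC on its usual port
    ("2023-05-04T09:23:00", "10.1.2.15", "z3n.phatcamp.org", 443,
     "\x16\x03\x01"),                                        # C2 host, TLS on 443
]


def classify_connection(dst_host: str, dst_port: int, first_bytes: str) -> List[str]:
    """Return the reasons (possibly none) a connection matches the Nirbot C2 pattern."""
    reasons = []
    if dst_host.lower() in KNOWN_C2_HOSTS:
        reasons.append("destination is the IRC server named in the analysis")
    if dst_port == C2_PORT and IRC_HANDSHAKE_RE.match(first_bytes):
        reasons.append("IRC handshake on TCP 8080, a port normally carrying HTTP")
    return reasons


def find_suspicious_connections(records) -> List[Tuple[str, str, str, int, List[str]]]:
    """Filter connection records down to those with at least one match reason."""
    hits = []
    for ts, src, dst, port, first_bytes in records:
        reasons = classify_connection(dst, port, first_bytes)
        if reasons:
            hits.append((ts, src, dst, port, reasons))
    return hits


if __name__ == "__main__":
    for ts, src, dst, port, reasons in find_suspicious_connections(SAMPLE_CONNECTIONS):
        print(f"{ts} {src} -> {dst}:{port}: {'; '.join(reasons)}")
```

Keying on the protocol rather than the port alone is what separates the second and third records from the benign proxy request on the same port; keying on the host rather than the port alone is what still catches the last record, where the same server is reached on 443.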