Backdoor:Win32/WinBot often arrives in email disguised as a greeting card. Those who follow the link to download the card will actually be downloading a copy of the Trojan. When run, Backdoor:Win32/WinBot does the following:
- Drops the following files in %windir%\system folder:
fullname.txt
ident.txt
nicks.txt
aliases.ini
control.ini
mirc.ini
remote.ini
script.ini
servers.ini
users.ini
sup.bat
svchost.exe (may be infected with the Win32/Parite virus)
mirc.ico
sup.reg
popups.txt
Note: %windir% signifies the name of the Windows folder. By default, on Windows Vista, XP, ME, 98 and 95, this is C:\Windows. On Windows NT/2000, the default folder is C:\Winnt.
download
logs
sounds
- Modifies the registry to load the dropped svchost.exe file each time Windows is started:
Adds value: GNP Generic Host Process
With data: %windir%\system\svchost.exe
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Modifies the following registry entries:
Set "VoiceEnabled" = "1" under key HKCU\Software\Microsoft\Microsoft Agent
Set "(default)" = "1174867138", under key HKCU\Software\mIRC\DateUsed
Set "DisplayName" = "mirc", under key HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\mIRC
Set "(default)" = "chatfile", under key HKLM\SOFTWARE\Classes\.cha
Set "(default)" = "chatfile", under key HKLM\SOFTWARE\Classes\.chat
Set "(default)" = "chat file", under key HKLM\SOFTWARE\Classes\ChatFile
Set "(default)" = ""%windir%\system\svchost.exe"", under key HKLM\SOFTWARE\Classes\ChatFile\DefaultIcon
Set "(default)" = ""%windir%\system\svchost.exe" -noconnect", under key HKLM\SOFTWARE\Classes\ChatFile\Shell\open\command
Set "(default)" = "%1", under key HKLM\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec
Set "(default)" = "svchost", under key HKLM\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application
Set "(default)" = "%1", under key HKLM\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec
Set "(default)" = "connect", under key HKLM\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic
Set "(default)" = "url:irc protocol", under key HKLM\Software\Classes\irc
Set "(default)" = ""%windir%\system\svchost.exe"", under key HKLM\Software\Classes\irc\DefaultIcon
Set "(default)" = ""%windir%\system\svchost.exe" -noconnect", under key HKLM\SOFTWARE\Classes\irc\Shell\open\command
Set "(default)" = "%1", under key HKLM\Software\Classes\irc\Shell\open\ddeexec
Set "(default)" = "svchost", under key HKLM\Software\Classes\irc\Shell\open\ddeexec\Application
Set "(default)" = "%1", under key HKLM\Software\Classes\irc\Shell\open\ddeexec\ifexec
Set "(default)" = "connect", under key HKLM\Software\Classes\irc\Shell\open\ddeexec\Topic
- Opens and listens on TCP port 113 and UDP port 30167
