Worm:Win32/Slenfbot.ZD is a worm that can spread via MSN Messenger. The worm also contains backdoor functionality that allows unauthorized access to an affected machine. This worm does not spread automatically upon installation, but must be ordered to spread by a remote attacker.
Installation
When executed, Worm:Win32/Slenfbot.ZD copies itself to the <system folder> as "winmessengerlive.exe" and sets the attributes of this copy to read-only, hidden and system. It modifies the registry so that this copy runs at each Windows start:
Adds value: "Windows MSN Live Messenger"
With data: "winmessengerlive.exe"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.
The worm makes a further registry modification that causes the copy of the worm that was executed originally to be deleted when the system restarts:
Sets value: "PendingFileRenameOperations"
With data: "<original malware executable>"
Under key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager
Most variants of Win32/Slenfbot inject code into Explorer's process, which effectively causes the worm file to be "locked" by Explorer. The injected code opens the worm's file with "read" sharing mode only, so that other processes cannot write to or delete the file while Explorer holds the handle. The injected code also checks for the existence of the worm's mutex every 10 seconds; if the mutex does not exist, it assumes the worm process has been terminated and attempts to run it again. In practice this means that terminating winmessengerlive.exe by itself is not enough to clean the machine: the injected watchdog restarts the worm within 10 seconds, and the open handle blocks deletion of the file for as long as the injected Explorer process is running. The file and the Run value should be removed only after explorer.exe has been terminated.
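The two persistence artifacts above (the Run value and the pending delete) are easy to check offline in a registry export taken from a suspect machine. The following script is an added example, not part of the original analysis: it parses a .reg export, decodes the REG_MULTI_SZ data behind PendingFileRenameOperations, and reports the Slenfbot.ZD indicators. The export text is constructed for illustration; the key and value names are the ones given above, while the benign ctfmon.exe entry and the original path C:\Temp\photo.exe are assumptions.

```python
"""Offline check of a Windows registry export (.reg) for the Slenfbot.ZD
persistence artifacts. Added example; SAMPLE_REG is constructed, not captured."""
import re
from typing import Dict, List, Tuple

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
SESSION_MGR_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager"
RUN_VALUE_NAME = "Windows MSN Live Messenger"   # value name from the analysis
DROPPED_FILE = "winmessengerlive.exe"            # copy dropped in the System folder

# Constructed sample export. The hex(7) blob is REG_MULTI_SZ (UTF-16LE) holding
# "\??\C:\Temp\photo.exe" (assumed original location) followed by an empty
# destination string, which Windows interprets as "delete this file at boot".
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Windows MSN Live Messenger"="winmessengerlive.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations"=hex(7):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,54,00,\
  65,00,6d,00,70,00,5c,00,70,00,68,00,6f,00,74,00,6f,00,2e,00,65,00,78,00,65,00,\
  00,00,00,00,00,00
'''


def unescape(s: str) -> str:
    """Undo .reg escaping (\\ and \") in value names and REG_SZ data."""
    return re.sub(r"\\(.)", r"\1", s)


def decode_multi_sz(raw: bytes) -> List[str]:
    """REG_MULTI_SZ: NUL-terminated UTF-16LE strings followed by one extra NUL."""
    text = raw.decode("utf-16-le")
    if text.endswith("\0"):
        text = text[:-1]            # drop the list terminator
    parts = text.split("\0")
    if parts and parts[-1] == "":
        parts.pop()                 # drop the empty piece after the last string's NUL
    return parts


def parse_value(data: str) -> Tuple[str, object]:
    if data.startswith('"') and data.endswith('"'):
        return ("REG_SZ", unescape(data[1:-1]))
    if data.startswith("dword:"):
        return ("REG_DWORD", int(data[6:], 16))
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", data)
    if m:
        type_id = int(m.group(1) or "3")   # bare "hex:" is REG_BINARY (type 3)
        raw = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if type_id == 7:
            return ("REG_MULTI_SZ", decode_multi_sz(raw))
        if type_id == 2:
            return ("REG_EXPAND_SZ", raw.decode("utf-16-le").rstrip("\0"))
        return ("REG_BINARY", raw)
    return ("UNKNOWN", data)


def parse_reg_export(text: str) -> Dict[str, Dict[str, Tuple[str, object]]]:
    """Return {key path (lower-cased): {value name: (type, data)}}."""
    keys: Dict[str, Dict[str, Tuple[str, object]]] = {}
    current = None
    pending = None                  # hex data continued over several lines with "\"
    for raw_line in text.splitlines():
        line = raw_line.rstrip("\r")
        if pending is not None:
            pending += line.strip()
            if pending.endswith("\\"):
                pending = pending[:-1]
                continue
            line, pending = pending, None
        elif line.endswith("\\"):
            pending = line[:-1]
            continue
        line = line.strip()
        if not line or line[0] == ";" or line.startswith("Windows Registry Editor"):
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        if current is None or not line.startswith('"'):
            continue                # the default value (@=...) is not needed here
        end = line.index('"=', 1)
        keys[current][unescape(line[1:end])] = parse_value(line[end + 2:])
    return keys


def strip_nt_prefix(path: str) -> str:
    return path[4:] if path.startswith("\\??\\") else path


def pending_rename_pairs(entries: List[str]) -> List[Tuple[str, str]]:
    """Group the MULTI_SZ into (source, destination) pairs the way the kernel
    does at boot; an empty destination means the source file is deleted."""
    return [(strip_nt_prefix(entries[i]), strip_nt_prefix(entries[i + 1].lstrip("!")))
            for i in range(0, len(entries) - 1, 2)]


def find_slenfbot_indicators(reg_text: str) -> List[str]:
    keys = parse_reg_export(reg_text)
    findings = []
    for name, (_, data) in keys.get(RUN_KEY.lower(), {}).items():
        if name.lower() == RUN_VALUE_NAME.lower() or (
                isinstance(data, str) and DROPPED_FILE in data.lower()):
            findings.append(f"Run value {name!r} -> {data!r}")
    vtype, entries = keys.get(SESSION_MGR_KEY.lower(), {}).get(
        "PendingFileRenameOperations", ("", []))
    if vtype == "REG_MULTI_SZ":
        for src, dst in pending_rename_pairs(entries):
            if dst == "":
                findings.append(f"Pending delete at next boot: {src}")
    return findings


if __name__ == "__main__":
    for finding in find_slenfbot_indicators(SAMPLE_REG):
        print(finding)
```

A pending delete pointing at a user-writable location is the interesting part of the second finding: PendingFileRenameOperations is the mechanism behind MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, and legitimate installers also use it, so the source path (here the dropped file's original location) rather than the mere presence of the value is what should be reviewed.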
Spreads Via…
MSN Messenger
This worm can be ordered to spread via Messenger by a remote attacker using the worm's backdoor functionality (see Payload below for additional detail). When the attacker orders the worm to spread via MSN Messenger, they must provide the following three parameters:
- A URL containing a list of possible messages to send, along with the worm itself, to MSN Messenger contacts. The worm chooses a message from this list at random.
- A file name for a ZIP archive. The worm creates a ZIP archive containing a copy of itself in the temporary folder with this name and sends this ZIP archive to MSN Messenger contacts.
- A file name for the worm's executable inside the ZIP archive.
Payload
Backdoor Functionality
Slenfbot.ZD attempts to connect to an IRC server at seoul.asiasystems.info, join a channel and wait for commands. Using this backdoor, an attacker can perform the following actions on an affected machine:
When the attacker orders the worm to send an arbitrary file via MSN Messenger, they must provide all of the parameters used when spreading via Messenger, plus a fourth:
Deletes Files
When first executed, Slenfbot runs the following commands:
CMD /C del /F /S /Q *.zip
CMD /C del /F /S /Q *.com
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip
CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com
These commands delete files named *.zip and *.com in the current directory and in the user's "My Received Files" directory, the location where Windows Messenger stores received files by default. Because of the /S switch the deletion also recurses into every subdirectory of those locations, and /F /Q remove read-only files without prompting, so any other ZIP or COM files under the current directory are lost as well. The intention is clearly to remove the original copy of the worm that was received via Messenger. Note that the last two commands as listed spell the folder "Recieved"; if that spelling is the malware's own, those commands target a folder that does not normally exist, and only the first two commands take effect.
Uses Stealth
Slenfbot is also capable of hiding its process from Task Manager.
Analysis by Aaron Putnam