WORM_SLENBOT.AB
a variant of Win32/Kryptik.SYB (Eset), Trojan.Win32.Genome.aabbm (Kaspersky), Win32.SuspectCrc (Ikarus), W32/Dx.BAGU!tr (Fortinet)
Windows
Threat Type: Worm
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
Downloaded from the Internet, Propagates via software vulnerabilities
This worm may be unknowingly downloaded by a user while visiting malicious websites.
It exploits software vulnerabilities to propagate to other computers across a network.
It deletes the initially executed copy of itself.
TECHNICAL DETAILS
34,304 bytes
EXE
19 Aug 2011
Connects to URLs/IPs
Arrival Details
This worm may be unknowingly downloaded by a user while visiting malicious websites.
Installation
This worm drops the following files:
- \.\rotcetorp
- %User Profile%\userdiff.sav
- %System%\userdiff.sav
(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.. %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)
It drops the following copies of itself into the affected system:
- %User Profile%\{random filename}.exe
(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)
Autostart Technique
This worm adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
MSConfig = "%User Profile%\{random filename}.exe \u"
It modifies the following registry entries to ensure it automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Userinit = "%System%\userinit.exe"
Propagation
This worm exploits the following software vulnerabilities to propagate to other computers across a network: