Padobot.m infects computers running under Windows. The worm itself is a Windows
PE EXE file approximately 10KB in size, packed using UPX. The unpacked file
is approximately 24KB in size.
The worm propagates by exploiting a vulnerability in Microsoft Windows LSASS.
This vulnerability is described in detail in Microsoft Security Bulletin MS04-011.
The worm contains a backdoor function.
Installation
Once launched, the worm copies itself to the Windows system directory under
a random name. For example:
%System%\gytotrn.exe
Then the worm registers this file as a key in the system registry:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Cryptographic Service" = "%System%\<random name>.exe"
This ensures that the worm will be launched each time the infected machine
is rebooted.
It also creates a registry key:
[HKLM\SOFTWARE\Microsoft\Wireless]
"ID" = "<random value>"
It creates the mutex "uterm19" to flag its presence in the system.
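As an added example (not part of the original description), a small Python triage helper that parses a `reg export` text dump from a suspect host and flags the two registry artifacts listed above: the "Cryptographic Service" Run value pointing at a randomly named executable in the system directory, and the HKLM\SOFTWARE\Microsoft\Wireless "ID" value. The sample dump, the legitimate-looking SoundMAX entry and the ID value are constructed.

```python
import re

# Constructed excerpt of a `reg export` dump (sample data, not from a real
# infection). The Run value and the Wireless\ID value match the Padobot.m
# description; the SoundMAX entry is benign filler.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMTray.exe"
"Cryptographic Service"="C:\\WINDOWS\\system32\\gytotrn.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wireless]
"ID"="1830418476"
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
WIRELESS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wireless"


def parse_reg_export(text):
    """Parse a .reg text dump into {key (lowercased): {value_name: data}}.
    Only REG_SZ values ("name"="data") are handled; .reg files double
    backslashes inside string data, so they are collapsed here."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None:
            m = re.match(r'^"([^"]+)"="(.*)"$', line)
            if m:
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def padobot_registry_findings(text):
    """Return human-readable findings for Padobot.m-style persistence."""
    keys = parse_reg_export(text)
    findings = []
    run = keys.get(RUN_KEY.lower(), {})
    data = run.get("Cryptographic Service")
    # The real Cryptographic Services (CryptSvc) runs via svchost and is never
    # registered under Run, so a Run value of that name pointing at a lone
    # .exe in system32 is the artifact described above.
    if data and re.search(r"\\system32\\[a-z]+\.exe$", data, re.IGNORECASE):
        findings.append(f"Run value 'Cryptographic Service' -> {data}")
    wireless = keys.get(WIRELESS_KEY.lower(), {})
    if "ID" in wireless:
        findings.append(f"HKLM\\SOFTWARE\\Microsoft\\Wireless\\ID = {wireless['ID']}")
    return findings
```

Run it against a real `reg export HKLM hklm.reg` dump to triage a host offline; the mutex "uterm19" is a live-process indicator and is not covered by a registry dump.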
Propagation
The worm starts its propagation routine, selecting IP addresses to attack and
sending a request to TCP port 445. If the remote computer responds, the worm
launches its code on the victim machine by exploiting the LSASS vulnerability.
Other
The worm opens a random TCP port in order to receive commands. The backdoor
function provides a malicious remote attacker with full access to the victim
machine.
Padobot.m attempts to receive commands and transmit data by connecting to
several IRC channels.