First package: Backdoor.Win32.Vanbot.bf
Third package: Backdoor.Win32.Vanbot.ay
No anomalies found in the second and fourth packages so far. (-.-!)
Backdoor.Win32.Vanbot.bf
Backdoor.Win32.Vanbot.ay
Both belong to the same family.
Name : Rizo
Alias: W32/IRCBot.XO, Backdoor.Win32.Rizo.c, Backdoor.Win32.VanBot.ad, Backdoor.Win32.Rbot.bmj
Type: Backdoor, Network Worm
Category: Trojan
Platform: Win32
Date of Discovery: October 18, 2006
Summary
Rizo is a family of IRC bot-based backdoors with network worm capabilities. Rizo spreads itself to remote computers with the help of an exploit. Unlike many other worm exploits, which fetch a copy of the malware from the already infected computer, Rizo's exploit downloads and runs a file from a website. Every time this website is accessed, a repacked variant is offered for download.
Disinfection
Disinfection of Network Worms
A network worm uses the local network (LAN) to spread itself, so to stop it spreading it is advisable to temporarily take the network down until all workstations and servers are disinfected. A single infected workstation can re-infect already cleaned computers and ruin all previous disinfection attempts. However, if F-Secure Anti-Virus version 5.40 or later is installed on the computers connected to the local network, it is recommended to set the disinfection action of the On-Access Scanner (OAS) to 'Disinfect Automatically'. This protects already cleaned workstations connected to an infected network from being re-infected by the network worm.
Detailed Description
Rizo is a backdoor-worm that spreads within local networks and via the Internet. When it runs on a computer it copies itself to the Windows System folder under the name winlogin32.exe and creates the following startup entries in the Registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
cpanel=%winsysdir%\winlogin32.exe
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
cpanel=%winsysdir%\winlogin32.exe
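One way to check a host for this persistence entry is to parse the output of `reg query` for both Run keys and flag any value that is named `cpanel` or whose image is `winlogin32.exe`, keying on the binary rather than only the value name so a renamed entry still trips the check. This is an added example, not code from F-Secure or from the page; the `reg query` output it parses is constructed, and the other Run entries in it (OneDrive, SecurityHealth, updater) are made up. On a live host you would pipe the real command's output into `find_rizo_persistence`.

```python
"""Check Windows Run keys for the Rizo persistence entry (added example).

Parses the text that `reg query <key>` prints, so it works offline on a
saved export and does not need the winreg module.
"""
import re
from typing import Iterator

# Keys the description names; `reg query` prints them with their long names.
RUN_KEYS = [
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
]
BAD_VALUE_NAME = "cpanel"
BAD_IMAGE = "winlogin32.exe"

# `reg query` prints the key path on its own line, then one value per line:
#     <name>    <REG_TYPE>    <data>
ENTRY_RE = re.compile(r"^\s+(?P<name>\S.*?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")


def parse_reg_query(text: str) -> Iterator[tuple[str, str, str, str]]:
    """Yield (key, value name, type, data) for every value in `reg query` output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HK"):
            key = line.strip()
            continue
        m = ENTRY_RE.match(line)
        if m and key:
            yield key, m.group("name"), m.group("type"), m.group("data")


def image_name(data: str) -> str:
    """Base name of the executable in a Run value, ignoring quotes and arguments."""
    d = data.strip()
    path = d[1:].split('"', 1)[0] if d.startswith('"') else d.split(" ", 1)[0]
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_rizo_persistence(text: str) -> list[tuple[str, str, str, list[str]]]:
    """Return (key, value name, data, reasons) for every suspicious Run value."""
    findings = []
    for key, name, _type, data in parse_reg_query(text):
        reasons = []
        if name.lower() == BAD_VALUE_NAME:
            reasons.append("value name 'cpanel'")
        if image_name(data) == BAD_IMAGE:
            reasons.append("image winlogin32.exe")
        if reasons:
            findings.append((key, name, data, reasons))
    return findings


# Constructed sample output; the benign entries are invented for illustration.
SAMPLE_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    cpanel    REG_SZ    C:\WINDOWS\system32\winlogin32.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    updater    REG_SZ    "C:\WINDOWS\system32\winlogin32.exe"
"""

if __name__ == "__main__":
    for key, name, data, reasons in find_rizo_persistence(SAMPLE_OUTPUT):
        print(f"{key}\\{name} -> {data}  [{'; '.join(reasons)}]")
```

The second finding in the sample (value `updater`, quoted path) is the reason the check matches on the image name: an operator who renames the Run value still has to point it at the dropped binary.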
Once active, the backdoor connects to one of the following IRC servers:
ircc.debelizombi.com
xv21.debelizombi.com
The connection is made on port 8008. The malware then joins the IRC channel #!v21! using the channel key (password) 'tn10a4', without quotes.
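The server names, port, channel and channel key above are enough to flag this C2 on the wire. The following is an added example, not code from F-Secure or from the page: it scores reassembled client-to-server IRC streams against those indicators, treating the host, channel or channel key as decisive and port 8008 alone as only a hint, since that port is not reserved for IRC. The sample flows are constructed; the nicknames and the non-C2 servers in them are made up.

```python
"""Flag Rizo-style IRC command-and-control in reassembled client traffic (added example)."""
import re
from dataclasses import dataclass

# Indicators from the description.
C2_HOSTS = {"ircc.debelizombi.com", "xv21.debelizombi.com"}
C2_PORT = 8008
C2_CHANNEL = "#!v21!"
C2_CHANNEL_KEY = "tn10a4"

# IRC JOIN syntax: "JOIN <chan>{,<chan>} [<key>{,<key>}]" (RFC 2812).
# Only spaces/tabs separate the parameters, so a key is never read from the next line.
JOIN_RE = re.compile(r"^JOIN[ \t]+(?P<chans>\S+)(?:[ \t]+(?P<keys>\S+))?", re.MULTILINE)


@dataclass
class Flow:
    src: str      # client address
    dst: str      # server name if resolved, otherwise its IP
    dport: int
    payload: str  # reassembled client-to-server stream, decoded as text


def analyze_flow(flow: Flow) -> list[str]:
    """Return the indicators matched by one flow (empty list = nothing seen)."""
    hits = []
    if flow.dst.lower() in C2_HOSTS:
        hits.append("c2_host")
    if flow.dport == C2_PORT:
        hits.append("c2_port")
    for m in JOIN_RE.finditer(flow.payload):
        chans = m.group("chans").split(",")
        keys = (m.group("keys") or "").split(",")
        for i, chan in enumerate(chans):
            if chan != C2_CHANNEL:
                continue
            hits.append("c2_channel")
            # Keys are positional: the i-th key belongs to the i-th channel.
            if i < len(keys) and keys[i] == C2_CHANNEL_KEY:
                hits.append("c2_channel_key")
    return hits


def verdict(hits: list[str]) -> str:
    """Host, channel or channel key is decisive; port 8008 alone is only a hint."""
    if {"c2_host", "c2_channel", "c2_channel_key"} & set(hits):
        return "infected"
    return "suspicious" if hits else "clean"


# Constructed sample flows (nicknames and non-C2 servers are made up).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "ircc.debelizombi.com", 8008,
         "NICK bot-5\r\nUSER bot 0 0 :bot\r\nJOIN #!v21! tn10a4\r\n"),
    Flow("10.0.0.7", "irc.example.org", 6667,
         "NICK alice\r\nUSER alice 0 0 :alice\r\nJOIN #python\r\n"),
    Flow("10.0.0.9", "203.0.113.20", 8008,
         "NICK bob\r\nUSER bob 0 0 :bob\r\nJOIN #news\r\n"),
    Flow("10.0.0.11", "198.51.100.7", 6667,
         "NICK bot-11\r\nUSER bot 0 0 :bot\r\nJOIN #chat,#!v21! x\r\n"),
]


def scan(flows: list[Flow]) -> dict[str, str]:
    """Map each client address to its verdict."""
    return {f.src: verdict(analyze_flow(f)) for f in flows}


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        hits = analyze_flow(f)
        print(f"{f.src} -> {f.dst}:{f.dport} {hits} {verdict(hits)}")
```

The last sample flow shows why the channel name is checked even without the key and even when the server is reached by a bare IP on a standard IRC port: the operator can move servers and ports far more easily than retrain the bots on a new channel.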
The Rizo backdoor-worm can do any of the following:
Download and run files
Scan for vulnerable computers and spread to them
List and terminate processes
Join and part IRC channels, change nicks, change server
Send the current IP address to the operator
Report bot uptime to the operator
Open a remote command shell
Delete files
'Call home' by accessing the dl1.debelizombi.com website
The URL above can also be used to upgrade the backdoor's own copy. At the time of analysis the page contained only the text string 'EMPTY'.
The exploit carried in the backdoor's body is partially encrypted. When sent to a target computer, the exploit decrypts itself (a simple XOR with 0x99), resolves several APIs, downloads a file from the dl1.debelizombi.com website into the Windows System folder and runs it. The downloaded file is named a.exe.
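Because the stub is XOR-encoded in transit, a plain string match for the download site or a.exe will not fire on the captured exploit; the key has to be recovered first. A single-byte XOR key can be brute-forced in 256 tries by looking for the strings the stub must contain to do its job. The following is an added example, not code from F-Secure or from the page: the blob it analyzes is constructed to mimic the described layout (plain bytes followed by a section XOR-encoded with 0x99 that names the site and the file), and the URL path inside it is an assumption, since the description gives only the hostname and the filename.

```python
"""Recover single-byte-XOR-obfuscated indicators from a Rizo-style exploit payload (added example)."""
import re

RIZO_KEY = 0x99  # key reported for Rizo's exploit stub
# Strings the stub has to carry somewhere to download and run its payload.
MARKERS = [b"dl1.debelizombi.com", b"a.exe"]
PRINTABLE_RE = re.compile(rb"[\x20-\x7e]{5,}")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR is its own inverse, so this both encodes and decodes."""
    return bytes(b ^ key for b in data)


def build_sample_payload() -> bytes:
    """Constructed stand-in for the exploit body: plain filler, then the encoded part."""
    plain_stub = bytes(range(0x40, 0x60))  # filler bytes, not real shellcode
    # Assumed layout: download URL and target filename, NUL-terminated.
    secret = b"http://dl1.debelizombi.com/a.exe\x00a.exe\x00"
    return plain_stub + xor_bytes(secret, RIZO_KEY)


def find_xor_markers(blob: bytes, markers=MARKERS) -> dict[int, list[tuple[str, int]]]:
    """Try all 256 keys; return {key: [(marker, offset), ...]} for keys that expose a marker."""
    hits: dict[int, list[tuple[str, int]]] = {}
    for key in range(256):
        decoded = xor_bytes(blob, key)
        for marker in markers:
            start = 0
            while (pos := decoded.find(marker, start)) != -1:
                hits.setdefault(key, []).append((marker.decode(), pos))
                start = pos + 1
    return hits


def recover_key(blob: bytes, markers=MARKERS):
    """The key that exposes the most markers, or None if no single-byte key works."""
    hits = find_xor_markers(blob, markers)
    return max(hits, key=lambda k: len(hits[k])) if hits else None


def decoded_strings(blob: bytes, key: int) -> list[str]:
    """Printable strings (5+ chars) visible after decoding the blob with `key`."""
    return [m.group().decode() for m in PRINTABLE_RE.finditer(xor_bytes(blob, key))]


if __name__ == "__main__":
    blob = build_sample_payload()
    key = recover_key(blob)
    print(f"recovered key: 0x{key:02x}")
    print(decoded_strings(blob, key))
```

The same search works on a real capture as long as the encoding is a single-byte XOR; a multi-byte or rolling key defeats it, and for those you would key on the decryption loop in the plain part of the stub instead.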