W32/Fanbot-H is a mass-mailing and P2P worm and IRC backdoor Trojan for the Windows platform.
W32/Fanbot-H spreads by mailing itself to email addresses found on the local computer, copying itself to P2P folders and exploiting the Plug and Play (PnP) vulnerability addressed by MS05-039.
Messages sent by the worm have the following characteristics:
Subject: one of
Share Skype.
What is Skype?
Skype for Windows 1.4 - Have you got the new Skype?
Hello. We're Skype and we've got something we would like to share with you.
Your Account is Suspended.
*DETECTED* Online User Violation.
Your Account is Suspended For Security Reasons.
Warning Message: Your services near to be closed.
Important Notification!
Members Support.
Security measures.
Email Account Suspension.
Notice of account limitation.
Attachment name: one of
Skype-document.zip
readme.zip
Skype.zip
Skype-details.zip
Skype-info.zip
Skype-stuffs.zip
important-details.zip
account-details.zip
email-details.zip
account-info.zip
document.zip
account-report.zip
or a few randomly chosen letters followed by the ZIP extension.
The ZIP file contains a copy of W32/Fanbot-H with the same basename and a double extension.
W32/Fanbot-H forges its sender address, using the same domain as the recipient and a username chosen from the following:
support
administrator
mail
service
admin
info
register
webmaster
noreply
W32/Fanbot-H will not spread to email addresses containing any of the following strings:
-._!@
-._!
syma
icrosof
msn.
hotmail
panda
sopho
borlan
inpris
example
mydomai
nodomai
ruslis
messagelabs
support
.gov
gov.
.mil
foo.
antivi
f-pro
freeav
f-secur
kaspersky
mcafee
norman
norton
symantec
viruslis
jiangmin
rising
duba
berkeley
unix
math
mit.e
fsf.
ibm.com
google
kernel
linux
fido
usenet
iana
ietf
rfc-ed
sendmail
arin.
ripe.
isi.e
isc.o
secur
acketst
tanford.e
utgers.ed
mozilla
sourceforge
slashdot
sdbot
be_loyal:
root
info
samples
postmaster
webmaster
noone
nobody
nothing
anyone
someone
your
bugs
rating
site
contact
soft
somebody
privacy
service
help
submit
feste
gold-certs
the.bat
page
admin
icrosoft
ntivi
listserv
certific
accoun
master
fcnz
abuse
.edu
When first run, W32/Fanbot-H copies itself to <System>\remote.exe and installs itself as a service with the display name "Remote Procedure Call (RPC) Remote".
W32/Fanbot-H makes copies of itself in folders whose names contain any of the following strings:
share
sharing
incoming
download
bear
donkey
htdocs
http
kazaa
lime
morpheus
mule
upload
soft
The copies will have the following names:
'K.jpg.pif
1001 Sex and more.rtf.exe
3D Studio Max 6 3dsmax.exe
angels.pif
activation_crack.exe
AcrobatReader_New.exe
ACDSee 10.exe
Adobe Photoshop 10 crack.exe
Adobe Photoshop 10 full.exe
Adobe Premiere 10.exe
Ahead Nero 8.exe
Altkins Diet.doc.exe
American Idol.doc.exe
Arnold Schwarzenegger.jpg.exe
Bifrost.scr
Butterfly.scr
BlackIce_Firewall_Enterpriseactivation_Crack.exe
Best Matrix Screensaver new.scr
Britney sex xxx.jpg.exe
Britney Spears and Eminem porn.jpg.exe
Britney Spears blowjob.jpg.exe
Britney Spears cumshot.jpg.exe
Britney Spears fuck.jpg.exe
Britney Spears full album.mp3.exe
Britney Spears porn.jpg.exe
Britney Spears Sexy archive.doc.exe
Britney Spears Song text archive.doc.exe
Britney Spears.jpg.exe
Britney Spears.mp3.exe
cool screensaver.scr
Clone DVD 6.exe
Cloning.doc.exe
Cracks & Warez Archiv.exe
doom2.doc.pif
dcom_patches.exe
dictionary.doc.exe
dolly_buster.jpg.pif
Dark Angels new.pif
Dictionary English 2004 - France.doc.exe
DivX 8.0 final.exe
Doom 3 release 2.exe
e.book.doc.exe
e-book.archive.doc.exe
eminem - lick my pussy.mp3.pif
E-Book Archive2.rtf.exe
Eminem blowjob.jpg.exe
Eminem full album.mp3.exe
Eminem Poster.jpg.exe
Eminem sex xxx.jpg.exe
Eminem Sexy archive.doc.exe
Eminem Song text archive.doc.exe
Eminem Spears porn.jpg.exe
Eminem.mp3.exe
firefox-1.6a1.en-US.win32.installer.exe
Full album all.mp3.pif
Gimp 1.8 Full with Key.exe
how to hack.doc.exe
Harry Potter 1-6 book.txt.exe
Harry Potter 5.mpg.exe
Harry Potter all e.book.doc.exe
Harry Potter e book.doc.exe
Harry Potter game.exe
Harry Potter.doc.exe
How to hack new.doc.exe
icq2005-final.exe
Internet Explorer 9 setup.exe
'K.jpg.pif
Kula.scr
Kula.jpg.pif
Kazaa Lite 4.0 new.exe
Kazaa new.exe
Keygen 4 all new.exe
Learn Programming 2004.doc.exe
Lightwave 9 Update.exe
matrix.scr
MSN7-final.exe
Maxthon_New.exe
max payne 2.crack.exe
Magix Video Deluxe 5 beta.exe
Matrix.mpg.exe
Microsoft Office 2003 Crack best.exe
Microsoft WinXP Crack full.exe
MS Service Pack 6.exe
nuke2004.exe
netsky source code.scr
Norton Anti-Virus 2005 beta.exe
Office_Crack.exe
Opera 11.exe
porno.scr
programming basics.doc.exe
Partitionsmagic 10 beta.exe
Porno Screensaver britney.scr
Rain.scr
rfc compilation.doc.exe
RealPlayer_New.exe
RFC compilation.doc.exe
Ringtones.doc.exe
Ringtones.mp3.exe
Serial.txt.exe
strippoker.exe
Super Dollfie.pif
Strip-Girl-2.0b.exe
Serials 2005_New.exe
Saddam Hussein.jpg.exe
Screensaver2.scr
Serials edition.txt.exe
Smashing the stack full.rtf.exe
Star Office 9.exe
TouchNet Browser 1.29b.exe
Teen Porn 15.jpg.pif
The Sims 4 beta.exe
UltraEdit-32 12.01 + Cracker.exe
Ulead Keygen 2004.exe
virii.scr
Visual Studio Net Crack all.exe
Winamp5.exe
Winxp_Crack.exe
Win Longhorn.doc.exe
Win Longhorn re.exe
WinAmp 13 full.exe
Windows 2000 Sourcecode.doc.exe
Windows 2003 crack.exe
Windows XP crack.exe
WinXP eBook newest.doc.exe
XXX hardcore pics.jpg.exe
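The P2P propagation described above leaves two host-side artifacts a responder can sweep for: files in folders whose names contain one of the listed substrings, bearing either a name from the copy list or a decoy double extension such as .doc.exe or .jpg.pif. The Python below is an added example for this page, not Sophos's tooling; it carries only a subset of the copy names (a deployed checker would use the full list), and the demo directory layout it builds is constructed, containing placeholder files rather than samples.

```python
import os
import tempfile
from typing import List, Tuple

# Folder-name substrings the worm targets, as listed on the page.
P2P_FOLDER_HINTS = ("share", "sharing", "incoming", "download", "bear", "donkey",
                    "htdocs", "http", "kazaa", "lime", "morpheus", "mule", "upload", "soft")
# Executable extensions used by the copy names on the page.
EXEC_EXTS = {".exe", ".pif", ".scr"}
# Decoy inner extensions seen in the page's double-extension names.
DECOY_EXTS = {".jpg", ".doc", ".rtf", ".txt", ".mp3", ".mpg"}
# A subset of the copy names from the page; a deployed checker would carry the full list.
KNOWN_COPY_NAMES = {n.lower() for n in (
    "angels.pif", "activation_crack.exe", "matrix.scr", "nuke2004.exe",
    "dcom_patches.exe", "Serial.txt.exe", "Harry Potter.doc.exe",
    "Win Longhorn re.exe", "MS Service Pack 6.exe", "Winamp5.exe",
)}


def in_shared_folder(relative_dir: str) -> bool:
    """True if any path component (relative to the scan root) contains a listed substring."""
    parts = relative_dir.replace("\\", "/").lower().split("/")
    return any(hint in part for part in parts for hint in P2P_FOLDER_HINTS)


def double_extension(name: str) -> bool:
    """<anything>.<decoy>.<exe|pif|scr>, e.g. 'report.doc.exe'."""
    root, ext = os.path.splitext(name)
    if ext.lower() not in EXEC_EXTS:
        return False
    return os.path.splitext(root)[1].lower() in DECOY_EXTS


def scan_tree(root: str) -> List[Tuple[str, str]]:
    """Walk root and return (path, reason) for files matching the worm's copy pattern."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        # Use the path relative to root so the root's own name cannot trigger a match.
        if not in_shared_folder(os.path.relpath(dirpath, root)):
            continue
        for f in files:
            if f.lower() in KNOWN_COPY_NAMES:
                hits.append((os.path.join(dirpath, f), "name from worm copy list"))
            elif double_extension(f):
                hits.append((os.path.join(dirpath, f), "double extension in shared folder"))
    return sorted(hits)


def build_demo_tree() -> str:
    """Create a constructed directory layout with placeholder files; return its root."""
    root = tempfile.mkdtemp(prefix="fanbot-demo-")
    layout = {
        "Downloads": ["angels.pif", "Learn Programming 2004.doc.exe", "notes.txt"],
        "Documents": ["report.doc.exe"],            # double extension, but not a shared folder
        os.path.join("kazaa", "My Shared Folder"): ["song.mp3"],
    }
    for sub, names in layout.items():
        d = os.path.join(root, sub)
        os.makedirs(d, exist_ok=True)
        for n in names:
            with open(os.path.join(d, n), "wb") as fh:
                fh.write(b"placeholder, not malware\n")
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for path, reason in scan_tree(demo_root):
        print(reason, "->", os.path.relpath(path, demo_root))
```

Only the two files under Downloads are reported: report.doc.exe sits in a folder the worm does not target, and notes.txt and song.mp3 have a single, non-executable extension. On a real host the same function would be pointed at user profiles and known P2P client directories.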
W32/Fanbot-H terminates the following processes:
PFW.exe
Rfw.exe
rfwsrv.exe
RfwMain.exe
KAVPFW.exe
KAVPFW.EXE
Zonealarm.exe
Iparmor.exe
system.exe
adam.exe
EGhost.exe
Blackd.exe
Blackice.exe
fint2005.exe
Trojanwall.exe
pm.exe
knlps.exe
knlsc13.exe
IceSword.exe
KillBox.exe
HijackThis.exe
a2hijackfree.exe
rkdetector.exe
RootkitRevealer.exe
ProcessExplorer.exe
aports.exe
KATMain.EXE
KAV32.EXE
KAVDX.EXE
KAVLog2.EXE
KAVStart.EXE
KMailMon.EXE
KPFWSvc.EXE
KRecycle.EXE
KShrMgr.EXE
KAVStart.exe
KWatch.EXE
KWatch9x.EXE
Rescue.EXE
SetupWiz.EXE
TrojanDetector.EXE
Update.EXE
LRSend.exe
CfgWiz.exe
HNetWiz.exe
ccEmFlSv.exe
iamstats.exe
ISSVC.exe
ALEScan.exe
AlertAst.exe
ALEUpdat.exe
navustub.exe
DWHWizrd.exe
DefWatch.exe
VPTray.exe
LDVPREG.exe
SymClnUp.exe
SavRoam.exe
Rtvscan.exe
VPDN_LU.exe
VPC32.exe
LuaWrap.exe
ALUNOTIFY.EXE
AUPDATE.EXE
LSETUP.EXE
LUALL.EXE
LuComServer.EXE
LUInit.exe
NDETECT.EXE
SymantecRootInstaller.exe
CCenter.exe
RavXP.exe
RavTimer.exe
LangSet.exe
UpGrade.exe
SmartUp.exe
Rav.exe
RsConfig.exe
MDAC.EXE
RavMon.exe
RavMonD.exe
RavStore.exe
InBuild.exe
ScanBD.exe
RavHDBak.exe
WriteCan.exe
BackRav.exe
RavPatch.exe
MakeBoot.exe
SMARTDRV.EXE
RAVDOS.EXE
RegGuide.exe
RegClean.exe
MsAgent.exe
AgtX0404.exe
AgtX0411.exe
AgtX0804.exe
RsAgent.exe
rssms.exe
RavStub.exe
KRegEx.exe
kvdetech.exe
KvDetect.exe
KVDOS.exe
KVOL.exe
kvolself.exe
KVSrvXP.exe
kvupload.exe
kvwsc.exe
KVCenter.kxp
kvdisk.kxp
KVMonXP.kxp
KvReport.kxp
KVScan.kxp
KVStory.kxp
KVStub.kxp
KvXP.kxp
TrojDie.kxp
UnInstall.kxp
VirusBox.kxp
Cleanup.exe
CmdAgent.exe
FrameworkService.exe
FrmInst.exe
McScript.exe
naPrdMgr.exe
UpdaterUI.exe
McScript_InUse.exe
mcupdate.exe
scan32.exe
shstat.exe
mcconsol.exe
shcfg32.exe
VsTskMgr.exe
logparser.exe
csscan.exe
ScnCfg32.Exe
pireg.exe
Patch.exe
PCCBrows.exe
pccguide.exe
pcclient.exe
PccLog.exe
pccmain.exe
PcCmdCom.exe
Pccspyui.exe
PcCtlCom.exe
PCCTool.exe
PCCVScan.exe
REGSVR32.EXE
Tmntsrv.exe
TMOAgent.exe
TmPfw.exe
tmproxy.exe
TRA.EXE
TRIALMSG.exe
TSC.EXE
kavsend.exe
kavsvc.exe
kav.exe
botzor.exe
csm.exe
per.exe
wintbp.exe
mousebm.exe
wpa.exe
mousemm.exe
mousesync.exe
hpmanager.exe
Phantom.exe
scrigz.exe
picx.exe
servce.exe
hellmsn.scr
msnmsgs.exe
taskgmr.exe
coolbot.exe
antivirus_update.exe
bronstab.exe
smss.exe
eksplorasi.pif
IDTemplate.exe
CVT.exe
winhost.exe
winldr.exe
java.exe
McAffeAv.exe
nvchip4.exe
MSTask.exe
realsched.exe
rundll32.exe
SOUNDMAN.exe
W32/Fanbot-H appends entries to the Windows HOSTS file in order to prevent access to several computer security websites.
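Because the page does not name the blocked sites, a responder has to infer them from the HOSTS file itself: entries that map a non-local hostname to a loopback or unspecified address are the signature of this kind of tampering. The Python below is an added example for this page, not Sophos's code; the vendor-name substrings it uses are an assumption drawn from the worm's own list of avoided address strings above, and the sample HOSTS content is constructed.

```python
import ipaddress
from typing import Dict, List

# Assumption: the blocked sites belong to security vendors, so reuse vendor substrings
# from the worm's own address-exclusion list on this page as hints.
VENDOR_HINTS = ("symantec", "norton", "mcafee", "kaspersky", "sopho", "f-secur", "panda",
                "norman", "f-pro", "freeav", "messagelabs", "antivi", "viruslis",
                "jiangmin", "rising")
# Names a stock HOSTS file legitimately maps to loopback.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}


def parse_hosts(text: str) -> List[Dict]:
    """Parse HOSTS text into one record per (address, hostname) pair, skipping comments."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # strip trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # not a HOSTS entry, ignore
        for name in fields[1:]:
            entries.append({
                "line": lineno,
                "ip": str(ip),
                "host": name.lower(),
                # loopback (127.x / ::1) or unspecified (0.0.0.0 / ::) = traffic goes nowhere
                "sink": ip.is_loopback or ip.is_unspecified,
            })
    return entries


def suspicious_entries(text: str) -> List[Dict]:
    """Flag non-local names sent to a sink address, and vendor names sent anywhere."""
    out = []
    for e in parse_hosts(text):
        if e["host"] in LOCAL_NAMES:
            continue
        vendor = any(h in e["host"] for h in VENDOR_HINTS)
        if e["sink"] and vendor:
            reason = "security site sinkholed to " + e["ip"]
        elif e["sink"]:
            reason = "non-local name mapped to loopback/unspecified"
        elif vendor:
            reason = "security site redirected to " + e["ip"]
        else:
            continue
        out.append({**e, "reason": reason})
    return out


# Constructed HOSTS content (the .example domains are placeholders, not the worm's real list).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.symantec.example          # appended entry (constructed)
127.0.0.1       liveupdate.symantec.example
0.0.0.0         update.sophos.example
10.0.0.5        intranet.corp.example         # legitimate local override
"""

if __name__ == "__main__":
    for e in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {e['line']}: {e['host']} -> {e['ip']} ({e['reason']})")
```

Run against a live machine by reading %SystemRoot%\System32\drivers\etc\hosts (or /etc/hosts) and passing the text in; the intranet override in the sample is deliberately left unflagged, since a static address for a private name is normal administration.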
W32/Fanbot-H runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access to and control over the computer via IRC channels.