W32/Vanebot-J is a worm and IRC backdoor Trojan for the Windows platform.
W32/Vanebot-J spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: SRVSVC (MS06-040), Psyme, PNP (MS05-039) and ASN.1 (MS04-007) and by copying itself to network shares protected by weak passwords.
W32/Vanebot-J runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
W32/Vanebot-J is a worm and IRC backdoor Trojan for the Windows platform.
W32/Vanebot-J spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: SRVSVC (MS06-040), Psyme, PNP (MS05-039) and ASN.1 (MS04-007) and by copying itself to network shares protected by weak passwords.
W32/Vanebot-J runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
When first run W32/Vanebot-J copies itself to <System>\glossary.exe.
The following registry entries are created to run glossary.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
RBot v2 with NetAPI exploit traded with billgates I gave my mother Greetz - OG - Bluehell Irc Server
<System>\glossary.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RBot v2 with NetAPI exploit traded with billgates I gave my mother Greetz - OG - Bluehell Irc Server
<System>\glossary.exe
The following registry entries are changed to run glossary.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe <System>\glossary.exe
(the default value for this registry entry is "Explorer.exe" which causes the Microsoft file <Windows>\Explorer.exe to be run on startup).
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe,<System>\glossary.exe
(the default value for this registry entry is "<Windows>\System32\userinit.exe,").
W32/Vanebot-J sets the following registry entries, disabling the automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
Note: disabling autostart for the SharedAccess service deactivates the Microsoft Internet Connection Firewall (ICF).
Registry entries are set as follows:
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
lmcompatibilitylevel
1
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1