W32/Vanebot-A

Category: Viruses and Spyware Protection available since:19 Aug 2006 00:00:00 (GMT)
Type: Win32 worm Last Updated:19 Aug 2006 00:00:00 (GMT)
Prevalence: Small Number of Reports

Download Download our free Virus Removal Tool - Find and remove threats your antivirus missed

W32/Vanebot-A is a worm and IRC backdoor Trojan for the Windows platform.

W32/Vanebot-A spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: SRVSVC (MS06-040), Psyme, PNP (MS05-039) and ASN.1 (MS04-007) and by copying itself to network shares protected by weak passwords.

W32/Vanebot-A runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

The worm may display the following fake error message:

Can't run on Windows
To run this file you must use an Linux emulator
Error code: (-2394)
Error discription: LLIBKCUF / File has remove his self.

W32/Vanebot-A may download updates, steal information and terminate anti-virus applications. W32/Vanebot-A is a worm and IRC backdoor Trojan for the Windows platform.

W32/Vanebot-A spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: SRVSVC (MS06-040), Psyme, PNP (MS05-039) and ASN.1 (MS04-007) and by copying itself to network shares protected by weak passwords.

W32/Vanebot-A runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

The worm may display the following fake error message:

Can't run on Windows
To run this file you must use an Linux emulator
Error code: (-2394)
Error discription: LLIBKCUF / File has remove his self.

W32/Vanebot-A may download updates, steal information and terminate anti-virus applications.

When first run W32/Vanebot-A copies itself to &ltSystem&gt\javanet.exe.

The following registry entries are created to run javanet.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
MS Java for Windows XP & NT
javanet.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
MS Java for Windows XP & NT
javanet.exe

The following registry entry is changed to run javanet.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe javanet.exe

(The default value for this registry entry is "Explorer.exe" which causes the Microsoft file &ltWindows&gt\Explorer.exe to be run on startup.)

W32/Vanebot-A sets the following registry entries, disabling the automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4

Note: disabling autostart for the SharedAccess service deactivates the Microsoft Internet Connection Firewall (ICF).

Registry entries are set as follows:

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
&ltSystem&gt\userinit.exe,javanet.exe

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
lmcompatibilitylevel
1

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1

HKCU\Software\Microsoft\Windows
JavaNet
rBot v2 a.k.a. the next generation (working on winXP SP2)