Skip to main content

Worm.Win32.Slenfbot_1e484c4dce


HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Worm.Win32.Slenfbot!IK (Emsisoft)Behaviour: Trojan, Worm

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 1e484c4dcec88c3f624e998254526881

SHA1: 67b0b09f97ec14b22bb558490bd7095f37d04533

SHA256: 6db56cbcda4dd03433853eb9a256644b776d799f32979658e13417a262f92c06

SSDeep: 1536:lEXzfXeRZhjgu5VQrBanw5nTN8a9B1IuAbWhVtVmAKTwL:6PyhjguLQrTTN8a93I7b2DV7K8L

Size: 73728 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: BorlandDelphi30, BorlandDelphiv30, UPolyXv05_v6

Company: no certificate found

Created at: 2001-07-04 03:06:49

Analyzed on: WindowsXP SP3 32-bit

Summary: Worm. A program that is primarily replicating on networks or removable drives.

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Worm creates the following process(es):No processes have been created.The Worm injects its code into the following process(es):No processes have been created.

File activity

No files have been created.

Registry activity

Network activity (URLs)

No activity has been detected.

HOSTS file anomalies

The Worm modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses. The modified file is 11177 bytes in size. The following strings are added to the hosts file listed below:

127.0.0.1msnfix.changelog.fr
127.0.0.1www.incodesolutions.com
127.0.0.1virusinfo.prevx.com
127.0.0.1download.bleepingcomputer.com
127.0.0.1www.dazhizhu.cn
127.0.0.1www.nabble.com
127.0.0.1lurker.clamav.net
127.0.0.1lexikon.ikarus.at
127.0.0.1research.sunbelt-software.com
127.0.0.1www.virusdoctor.jp
127.0.0.1www.elitepvpers.de
127.0.0.1www.superuser.co.kr
127.0.0.1ntfaq.co.kr
127.0.0.1v.dreamwiz.com
127.0.0.1cit.kookmin.ac.kr
127.0.0.1forums.whatthetech.com
127.0.0.1forum.hijackthis.de
127.0.0.1www.huaifai.go.th
127.0.0.1www.mostz.com
127.0.0.1www.krupunmai.com
127.0.0.1www.cddchiangmai.net
127.0.0.1forum.malekal.com
127.0.0.1tech.pantip.com
127.0.0.1sapcupgrades.com
127.0.0.1www.247fixes.com
127.0.0.1forum.sysinternals.com
127.0.0.1forum.telecharger.01net.com
127.0.0.1sophos.com
127.0.0.1foros.softonic.com
127.0.0.1avast-home.uptodown.com
127.0.0.1www.f-secure.com
127.0.0.1www.chkrootkit.org
127.0.0.1diamondcs.com.au
127.0.0.1www.rootkit.nl
127.0.0.1www.sysinternals.com
127.0.0.1z-oleg.com
127.0.0.1espanol.dir.groups.yahoo.com
127.0.0.1www.castlecrops.com
127.0.0.1www.misec.net
127.0.0.1safecomputing.umn.edu
127.0.0.1www.antirootkit.com
127.0.0.1www.greatis.com
127.0.0.1ar.answers.yahoo.com
127.0.0.1www.rootkit.com
127.0.0.1www.pctools.com
127.0.0.1www.pcsupportadvisor.com
127.0.0.1www.resplendence.com
127.0.0.1www.personal.psu.edu
127.0.0.1foro.ethek.com
127.0.0.1vil.nail.comm
127.0.0.1search.mcafee.com
127.0.0.1wwww.mcafee.com
127.0.0.1download.nai.com
127.0.0.1wwww.experts-exchange.com
127.0.0.1www.bakunos.com
127.0.0.1www.Merijn.org
127.0.0.1www.spywareinfo.com
127.0.0.1www.spybot.info
127.0.0.1www.viruslist.com
127.0.0.1www.hijackthis.de
127.0.0.1www.f-secure.com
127.0.0.1forum.kaspersky.com
127.0.0.1majorgeeks.com
127.0.0.1www.avp.com
127.0.0.1www.virustotal.com
127.0.0.1www.sophos.com
127.0.0.1linhadefensiva.uol.com.br
127.0.0.1cmmings.cn
127.0.0.1www.sergiwa.com
127.0.0.1www.avg-antivirus.net
127.0.0.1www.kaspersky-labs.com
127.0.0.1www.kaspersky.com
127.0.0.1www.bleepingcomputer.com
127.0.0.1www.free.grisoft.com
127.0.0.1securityresponse.symantec.com
127.0.0.1www.analysis.seclab.tuwien.ac.at
127.0.0.1www.symantec.com
127.0.0.1www.kztechs.com
127.0.0.1ad-aware-se.uptodown.com
127.0.0.1liveupdate.symantecliveupdate.com
127.0.0.1liveupdate.symantec.com
127.0.0.1customer.symantec.com
127.0.0.1update.symantec.com
127.0.0.1www.box.net
127.0.0.1www.mcafee.com
127.0.0.1www.free.avg.com
127.0.0.1download.mcafee.com
127.0.0.1mast.mcafee.com
127.0.0.1www.tecno-soft.com
127.0.0.1ladooscuro.es
127.0.0.1ftp.drweb.com
127.0.0.1guru0.grisoft.cz
127.0.0.1guru1.grisoft.cz
127.0.0.1guru2.grisoft.cz
127.0.0.1guru3.grisoft.cz
127.0.0.1download.bleepingcomputer.com
127.0.0.1it.answers.yahoo.com
127.0.0.1guru4.grisoft.cz
127.0.0.1guru5.grisoft.cz
127.0.0.1www.virusspy.com
127.0.0.1www.download.f-secure.com
127.0.0.1www.malwareremoval.com
127.0.0.1forums.cnet.com
127.0.0.1hjt-data.trend-braintree.com
127.0.0.1www.pantip.com
127.0.0.1secubox.aldria.com
127.0.0.1www.forospyware.com
127.0.0.1www.manuelruvalcaba.com
127.0.0.1www.zonavirus.com
127.0.0.1www.siteadvisor.com
127.0.0.1blog.threatfire.com
127.0.0.1www.threatexpert.com
127.0.0.1blog.hispasec.com
127.0.0.1www.configurarequipos.com
127.0.0.1sosvirus.changelog.fr
127.0.0.1mailcenter.rising.com.cn
127.0.0.1mailcenter.rising.com
127.0.0.1www.rising.com.cn
127.0.0.1www.rising.com
127.0.0.1www.babooforum.com.br
127.0.0.1www.runscanner.net
127.0.0.1sosvirus.changelog.fr
127.0.0.1upload.changelog.fr
127.0.0.1www.raymond.cc
127.0.0.1changelog.fr
127.0.0.1www.pcentraide.com
127.0.0.1atazita.blogspot.com
127.0.0.1www.final4ever.com
127.0.0.1files.filefont.com
127.0.0.1www.infos-du-net.com
127.0.0.1www.trendsecure.com
127.0.0.1forum.hardware.fr
127.0.0.1www.utilidades-utiles.comwww.spychecker.com
127.0.0.1www.geekstogo.com
127.0.0.1forums.maddoktor2.com
127.0.0.1www.smokey-services.eu
127.0.0.1www.clubic.com
127.0.0.1www.linhadefensiva.org
127.0.0.1download.sysinternals.com
127.0.0.1www.pcguide.com
127.0.0.1www.thetechguide.com
127.0.0.1www.ozzu.com
127.0.0.1www.changedetection.com
127.0.0.1espanol.groups.yahoo.com
127.0.0.1community.thaiware.com
127.0.0.1www.avpclub.ddns.info
127.0.0.1www.offensivecomputing.net
127.0.0.1www.grisoft.com
127.0.0.1boardreader.com
127.0.0.1www.guiadohardware.net
127.0.0.1www.msnvirusremoval.com
127.0.0.1www.cisrt.org
127.0.0.1fixmyim.com
127.0.0.1samroeng.hi5.com
127.0.0.1foro.elhacker.net
127.0.0.1www.daboweb.com
127.0.0.1service1.symantec.com
127.0.0.1forums.techguy.org
127.0.0.1www.incodesolutions.com
127.0.0.1hijackthis.download3000.com
127.0.0.1www.cybertechhelp.com
127.0.0.1www.superdicas.com.br
127.0.0.1downloads.andymanchesta.com
127.0.0.1andymanchesta.com
127.0.0.1info.prevx.com
127.0.0.1aknow.prevx.com
127.0.0.1www.zonavirus.com
127.0.0.1securitywonks.net
127.0.0.1www.lavasoft.com
127.0.0.1www.virscan.org
127.0.0.1www.eeload.com
127.0.0.1down.www.kingsoft.com
127.0.0.1www.file.net
127.0.0.1onecare.live.com
127.0.0.1mvps.org
127.0.0.1www.housecall.trendmicro.com
127.0.0.1www.avast.com
127.0.0.1www.free.avg.com
127.0.0.1www.onlinescan.avast.com
127.0.0.1www.ewido.net
127.0.0.1www.trucoswindows.net
127.0.0.1www.futurenow.bitdefender.com
127.0.0.1www.bitdefender.com
127.0.0.1www.f-prot.com
127.0.0.1www.trendsecure.com
127.0.0.1security.symantec.com
127.0.0.1oldtimer.geekstogo.com
127.0.0.1www.avira.com
127.0.0.1www.eset.com
127.0.0.1www.free.avg.com
127.0.0.1www.free-av.com
127.0.0.1kr.ahnlab.com
127.0.0.1www.eset.com
127.0.0.1forospyware.com
127.0.0.1thejokerx.blogspot.com
127.0.0.1www.2-spyware.com
127.0.0.1www.antivir.es
127.0.0.1www.prevx.com
127.0.0.1www.ikarus.net
127.0.0.1bbs.s-sos.net
127.0.0.1www.housecall.trendmicro.com
127.0.0.1www.superdicas.com.br
127.0.0.1www.forums.majorgeeks.com
127.0.0.1www.castlecops.com
127.0.0.1www.virusspy.com
127.0.0.1andymanchesta.com
127.0.0.1www.kaspersky.es
127.0.0.1subs.geekstogo.com
127.0.0.1www.trendmicro.com
127.0.0.1www.fortinet.com
127.0.0.1www.safer-networking.org
127.0.0.1www.fortiguardcenter.com
127.0.0.1www.dougknox.com
127.0.0.1www.vsantivirus.com
127.0.0.1www.firewallguide.com
127.0.0.1www.auditmypc.com
127.0.0.1www.spywaredb.com
127.0.0.1www.mxttchina.com
127.0.0.1www.ziggamza.net
127.0.0.1www.forospyware.es
127.0.0.1www.antivirus.comodo.com
127.0.0.1www.spywareterminator.com
127.0.0.1www.eradicatespyware.net
127.0.0.1www.freespywareremoval.info
127.0.0.1www.personalfirewall.comodo.com
127.0.0.1www.clamav.net
127.0.0.1www.antivirus.about.com
127.0.0.1www.pandasecurity.com
127.0.0.1www.webphand.com
127.0.0.1mx.answers.yahoo.com
127.0.0.1www.securitywonks.net
127.0.0.1www.sandboxie.com
127.0.0.1www.clamwin.com
127.0.0.1www.cwsandbox.org
127.0.0.1www.ca.com
127.0.0.1www.arswp.com
127.0.0.1es.answers.yahoo.com
127.0.0.1www.trucoswindows.es
127.0.0.1www.networkworld.com
127.0.0.1www.cddchiangmai.net
127.0.0.1www.threatexpert.com
127.0.0.1www.norman.com
127.0.0.1espanol.answers.yahoo.com
127.0.0.1www.tallemu.com
127.0.0.1virscan.org
127.0.0.1www.viruschief.com
127.0.0.1scanner.virus.org
127.0.0.1www.hijackthis.de
127.0.0.1housecall65.trendmicro.com
127.0.0.1www.guiadohardware.net
127.0.0.1hjt.networktechs.com
127.0.0.1www.techsupportforum.com
127.0.0.1www.whatthetech.com
127.0.0.1www.soccersuck.com
127.0.0.1www.pcentraide.com
127.0.0.1comunidad.wilkinsonpc.com.co
127.0.0.1forum.piriform.com
127.0.0.1www.tweaksforgeeks.com
127.0.0.1www.daniweb.com
127.0.0.1www.geekstogo.com
127.0.0.1es.answers.yahoo.com
127.0.0.1www.techsupportforum.com
127.0.0.1www.pchell.com
127.0.0.1www.spyany.com
127.0.0.1forums.techguy.org
127.0.0.1www.experts-exchange.com
127.0.0.1www.wikio.es
127.0.0.1www.pandasecurity.com
127.0.0.1forums.devshed.com
127.0.0.1forum.tweaks.com
127.0.0.1www.wilderssecurity.com
127.0.0.1www.techspot.com
127.0.0.1www.thecomputerpitstop.com
127.0.0.1es.wasalive.com
127.0.0.1secunia.com
127.0.0.1www.computing.net
127.0.0.1discussions.virtualdr.com
127.0.0.1forum.securitycadets.com
127.0.0.1www.techimo.com
127.0.0.113iii.com
127.0.0.1www.dicasweb.com.br
127.0.0.1www.infosecpodcast.com
127.0.0.1www.usbcleaner.cn
127.0.0.1www.net-security.org
127.0.0.1www.bleedingthreats.net
127.0.0.1acs.pandasoftware.com
127.0.0.1www.funkytoad.com
127.0.0.1www.360safe.cn
127.0.0.1www.360safe.com
127.0.0.1bbs.360safe.cn
127.0.0.1bbs.360safe.com
127.0.0.1codehard.wordpress.com
127.0.0.1forum.clubedohardware.com.br
127.0.0.1www.360.cn
127.0.0.1www.360.com
127.0.0.1bbs.360safe.cn
127.0.0.1bbs.360safe.com
127.0.0.1www.forospyware.es
127.0.0.1p3dev.taringa.net
127.0.0.1www.precisesecurity.com
127.0.0.1baike.360.cn
127.0.0.1baike.360.com
127.0.0.1kaba.360.cn
127.0.0.1kaba.360.com
127.0.0.1deckard.geekstogo.com
127.0.0.1www.taringa.net
127.0.0.1forums.comodo.com
127.0.0.1www.mvps.org
127.0.0.1down.360safe.cn
127.0.0.1down.360safe.com
127.0.0.1x.360safe.com
127.0.0.1dl.360safe.com
127.0.0.1ftp.drweb.com
127.0.0.1www.hotshare.net
127.0.0.1es.wasalive.com
127.0.0.1updatem.360safe.com
127.0.0.1updatem.360safe.cn
127.0.0.1update.360safe.cn
127.0.0.1update.360safe.com
127.0.0.1www.utilidades-utiles.com
127.0.0.1forum.kaspersky.com
127.0.0.1bbs.duba.net
127.0.0.1www.duba.net
127.0.0.1zhidao.baidu.com
127.0.0.1hi.baidu.com
127.0.0.1www.drweb.com.es
127.0.0.1msncleaner.softonic.com
127.0.0.1www.javacoolsoftware.com
127.0.0.1file.ikaka.com
127.0.0.1file.ikaka.cn
127.0.0.1bbs.ikaka.com
127.0.0.1zhidao.ikaka.com
127.0.0.1www.eset-la.com
127.0.0.1www.eset-la.com
127.0.0.1software-files.download.com
127.0.0.1www.ikaka.com
127.0.0.1www.ikaka.cn
127.0.0.1bbs.cfan.com.cn
127.0.0.1www.cfan.com.cn
127.0.0.1www.pandasecurity.com
127.0.0.1es.mcafee.com
127.0.0.1downloads.malwarebytes.org
127.0.0.1bbs.kafan.cn
127.0.0.1bbs.kafan.com
127.0.0.1bbs.kpfans.com
127.0.0.1bbs.taisha.org
127.0.0.1www.manuelruvalcaba.com
127.0.0.1support.f-secure.com
127.0.0.1bbs.winzheng.com
127.0.0.1alerta-antivirus.inteco.es
127.0.0.1foros.zonavirus.com
127.0.0.1alerta-antivirus.red.es
127.0.0.1www.zonavirus.com
127.0.0.1www.malwarebytes.org
127.0.0.1www.ewido.net
127.0.0.1www.infospyware.com
127.0.0.1www.bitdefender.es
127.0.0.1housecall.trendmicro.com
127.0.0.1www.emsisoft.de
127.0.0.1www.securitynewsportal.com


Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Delete the original Worm file.
  2. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
  3. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

Network Activity

Map

Strings from Dumps