Blazebot_4bda0392ef

Dynamic Analysis

Payload

Behaviour	Description
WormAutorun	A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
IRCBot	A bot can communicate with command and control servers via IRC channel.
MSNWorm	A worm can spread its copies through the MSN Messanger.
Trojan-Proxy	This program can launch a proxy server (SOCKS4) on a designated TCP port.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:208
%original file name%.exe:160

The Trojan injects its code into the following process(es):No processes have been created.

File activity

The process %original file name%.exe:208 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%WinDir%\csrss.exe (744752 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)

The process %original file name%.exe:160 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (68608 bytes)
%Documents and Settings%\%current user%\B79C30.UN8 (67072 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (0 bytes)
%Documents and Settings%\%current user%\B79C30.UN8 (0 bytes)

Registry activity

The process %original file name%.exe:208 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "78 A5 3B 1B 0C 8A 0A D8 54 84 0B DF F5 25 C7 33"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65324"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65324"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65324"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65324"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Remote Registry Service" = "csrss.exe"

The process %original file name%.exe:160 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BF F4 84 D4 B1 CC 95 32 A5 DE AD BB 35 4B 8A 71"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"

Network activity (URLs)

URL	IP
hxxp://www.whatismyip.com/	190.93.248.117
hxxp://checkip.dyndns.com/
vids.p0rn-lover.us	82.145.57.211
checkip.dyndns.org	216.146.39.70

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET CNC Shadowserver Reported CnC Server IP group 41 ET CNC Shadowserver Reported CnC Server IP group 40 ET WEB_CLIENT Possible HTTP 403 XSS Attempt (External Source) ET POLICY Internal Host Retrieving External IP via whatismyip.com - Possible Infection ET CHAT IRC PONG response ET CHAT IRC PING command ET TROJAN IRC Potential bot update/download via ftp command ET CHAT IRC authorization message ET POLICY DynDNS CheckIp External IP Address Server Response ET SCAN Behavioral Unusual Port 445 traffic, Potential Scan or Infection

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.A worm can spread its copies through the MSN Messanger.

Removals

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):

   %original file name%.exe:208
   %original file name%.exe:160

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:

   %WinDir%\csrss.exe (744752 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (68608 bytes)
   %Documents and Settings%\%current user%\B79C30.UN8 (67072 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):

   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "Remote Registry Service" = "csrss.exe"

5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
6. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
   
7. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 3, 3, 8, 1
File Description:
Comments:
Language: English (United States)

Company Name: Product Name: Product Version: Legal Copyright: Legal Trademarks: Original Filename: Internal Name: File Version: 3, 3, 8, 1File Description: Comments: Language: English (United States)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	525852	526336	4.63347	61ffce4768976fa0dd2a8f6a97b1417a
.rdata	532480	57280	57344	3.32693	0354bc5f2376b5e9a4a3ba38b682dff1
.data	589824	108376	26624	1.49032	8033f5a38941b4685bc2299e78f31221
.rsrc	700416	14552	14848	2.66322	56770969e9a118872f82f3185ffb6418

Network Activity

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Map

Strings from Dumps