
Worm:Win32/Slenping.V


First posted on 07 February 2020.
Source: Microsoft

Aliases :

There are no other names known for Worm:Win32/Slenping.V.

Explanation :

Worm:Win32/Slenping is a worm that can spread via MSN Messenger. It also contains backdoor functionality that allows unauthorized access to an affected machine.

Installation

When executed, Worm:Win32/Slenping copies itself to the system folder and to the current user's profile directory (e.g. c:\documents and settings) with randomly generated filenames, and sets the "hidden" attribute on the copy in the user profile directory.

Note: the system folder is a variable location that the malware determines by querying the operating system. The default System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on Windows XP and Vista.

The worm modifies the registry so that both copies run at each Windows start. For example, it may copy itself to cviouet.exe and oal.exe and make the following registry modifications:

Adds value: "cviouet"
With data: "cviouet.exe j"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Adds data: ",oal.exe o"
To value: "Userinit"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

so that the value becomes, for example:

"Userinit" = "userinit.exe,c:\documents and settings\administrator\oal.exe o"

Winlogon launches every comma-separated entry in Userinit during logon, before the shell starts, so the user-profile copy runs at each interactive logon without appearing in the Run keys; a persistence review that only enumerates Run and RunOnce will miss it.

After installing, the worm executes the system-folder copy of itself with a command-line parameter and attempts to delete the original by creating and running a batch file in the temp folder, removeMe.bat, whose name includes a randomly generated four-digit number. The batch file repeatedly tries to delete the original worm file, pausing between attempts by running "ping 0.0.0.0>nul" (a common batch-file idiom for introducing a delay, since cmd.exe has no sleep command); the loop keeps retrying until the original file can be deleted, typically once the process that launched the batch file has exited and released its lock on the file.

Spreads via MSN Messenger

This worm can be ordered to spread via Messenger by a remote attacker using the worm's backdoor functionality (see Payload below). When the attacker orders the worm to spread via MSN Messenger, they also supply the content of the messages to be sent. We have observed the worm being spread with file names such as "photo1226.jpeg-www.myspace.com" inside ZIP archives called "photo.zip".

Payload

Backdoor functionality

Slenping connects to a remote system at IP address 78.109.16.250, from which it accepts backdoor commands. These include launching the MSN Messenger spreading routine and downloading and executing arbitrary files.

Additional information

Win32/Slenping creates a mutex to ensure that only one copy runs at a time. For example, Win32/Slenping.A creates a mutex called "_MSBLMutex_". Win32/Slenping is capable of hiding itself so that its process is not visible in Task Manager.
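As an added example (not code from the original page or from Microsoft's analysis), the Python below checks exported Winlogon Userinit and Run values for the two persistence mechanisms described above: an extra executable appended to Userinit, and a Run entry that points at a bare filename or at a file inside a user profile. The sample registry values are constructed to mirror the page's cviouet.exe / oal.exe example; the additional Run entries, the profile paths, and the relative-path and profile-directory heuristics are assumptions for illustration.

```python
"""Hunt for Slenping-style autostart entries in exported registry values.

Added example, not code from the original page or from Microsoft. The
registry values below are constructed to mirror the page's description
(file names cviouet.exe / oal.exe); the other paths and Run entries are
hypothetical.
"""
import re

# Genuine Userinit entry: bare "userinit.exe" or its full path under the
# system folder (the page lists both Winnt\System32 and Windows\System32).
LEGIT_USERINIT = re.compile(
    r"^(?:[a-z]:\\(?:windows|winnt)\\system32\\)?userinit\.exe$",
    re.IGNORECASE,
)

# Directories where the worm drops its hidden user-profile copy.
PROFILE_DIRS = ("\\documents and settings\\", "\\users\\")


def split_command(cmdline):
    """Separate an executable from its arguments.

    Handles a quoted path and the unquoted "dir with spaces\\x.exe arg"
    form the worm uses (the first ".exe" ends the executable). Anything
    without an .exe extension is treated as the executable in full.
    """
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        if end != -1:
            return cmdline[1:end], cmdline[end + 1:].strip()
    m = re.match(r"^(.*?\.exe)(?:\s+(.*))?$", cmdline, re.IGNORECASE)
    if m:
        return m.group(1), (m.group(2) or "").strip()
    return cmdline, ""


def parse_userinit(value):
    """Split the comma-separated Userinit value into its entries.

    Winlogon launches every entry; the default "userinit.exe," ends with
    a comma, so empty entries are dropped.
    """
    return [e.strip() for e in value.split(",") if e.strip()]


def suspicious_userinit_entries(value):
    """Return Userinit entries that are not the genuine userinit.exe."""
    return [
        entry for entry in parse_userinit(value)
        if not LEGIT_USERINIT.match(split_command(entry)[0])
    ]


def suspicious_run_entries(run_values):
    """Flag Run values whose executable has no absolute path or lives
    under a user profile. These are triage heuristics (assumptions), not
    rules stated on the page; per-user installers legitimately use AppData.
    """
    findings = []
    for name, cmdline in run_values.items():
        exe = split_command(cmdline)[0]
        low = exe.lower()
        if not re.match(r"^[a-z]:\\", low):
            findings.append((name, "relative executable path: " + exe))
        elif any(d in low for d in PROFILE_DIRS):
            findings.append((name, "executable under a user profile: " + exe))
    return findings


# Constructed sample values, modelled on the page's registry example.
SAMPLE_USERINIT = (
    "userinit.exe,c:\\documents and settings\\administrator\\oal.exe o,"
)
SAMPLE_RUN = {
    "cviouet": "cviouet.exe j",
    "SecurityHealth": "C:\\Windows\\system32\\SecurityHealthSystray.exe",
    "OneDrive": '"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive'
                '\\OneDrive.exe" /background',
}


def audit(userinit_value, run_values):
    """Run both checks and return the findings as a dict."""
    return {
        "userinit": suspicious_userinit_entries(userinit_value),
        "run": suspicious_run_entries(run_values),
    }


if __name__ == "__main__":
    for section, items in audit(SAMPLE_USERINIT, SAMPLE_RUN).items():
        for item in items:
            print(section, "->", item)
```

On a live system the two values can be exported with reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit and reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (check HKCU\...\Run and, on 64-bit Windows, the Wow6432Node keys as well). The Userinit check is strict because any entry other than userinit.exe is abnormal; the Run check only produces leads, as the OneDrive-style sample shows, and each hit still needs a look at the file itself (hidden attribute, random name, location).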
Analysis by Hamish O'Dea

Last update 07 February 2020

