Momibot Worm - Spreading in the Wild

March 18, 2011

The SonicWALL UTM Research team received reports of a new variant of the Momibot worm propagating in the wild. This worm propagates through email, the network and removable drives.

Process of Infection:

An unsuspecting user may receive an email with the malware attachment.

From: {user}
Subject: nake pics as you've requested
Attachment: picofme.zip (59.3KB)

Installation:

Once the user opens and executes the attachment, it will do the following:

Drops a copy of itself:

  • %System%\{random filename in %System%}{random letter}.exe - [ detected as GAV: Momibot.B_4 (Trojan) ]
  • %System%\{random filename}.dat - [ Data File ]

Registry Changes

Adds the following AutoStart registry entries to ensure that the malware runs on every system startup.

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Value: Win32Update
    Data: "C:\WINDOWS\System32\{random filename in %System%}{random letter}.exe"
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    Value: Win32Update
    Data: "C:\WINDOWS\System32\{random filename in %System%}{random letter}.exe"
  • HKEY_LOCAL_MACHINE\Software\Microsoft\OLE
    Value: Win32Update
    Data: "C:\WINDOWS\System32\{random filename in %System%}{random letter}.exe"
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
    Value: Win32Update
    Data: "C:\WINDOWS\System32\{random filename in %System%}{random letter}.exe"

Adds the following registry entries to install the malware as a service. The service name is derived by concatenating the names of two services already installed on the system.

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermServiceRSVP
    Value: ImagePath
    Data: "C:\WINDOWS\System32\{random filename in %System%}{random letter}.exe"
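The two persistence patterns above (the Win32Update value under the listed autostart keys, and a service whose name is two existing service names joined together) can be checked offline against a `reg export` of a suspect host. The following is an added example, not SonicWALL's code; the .reg sample is constructed, and "kbdmsgx.exe" is a made-up stand-in for the worm's random filename.

```python
import re

# Autostart keys named in the advisory, with the stripped backslashes restored.
AUTOSTART_KEYS = {k.lower() for k in (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\OLE",
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa")}
SERVICES_PREFIX = "hkey_local_machine\\system\\currentcontrolset\\services\\"
MARKER_VALUE = "Win32Update"  # value name the worm writes under each key
SYSTEM32_EXE = re.compile(r"^C:\\WINDOWS\\System32\\[^\\]+\.exe$", re.IGNORECASE)

def parse_reg_export(text):
    """Yield (key, value_name, data) from a minimal .reg export: [key] lines and "name"="data" lines."""
    key = None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            yield key, name.strip('"'), data.strip('"').replace("\\\\", "\\")  # .reg doubles backslashes

def derived_service_names(services):
    """Service names formed by concatenating two other names in the set (case-insensitive)."""
    lowered = {s.lower() for s in services}
    return {n for n in services for p in services
            if n.lower().startswith(p.lower()) and n.lower()[len(p):] in lowered}

def find_momibot_persistence(reg_text):
    """Flag Win32Update autostart values and any service whose name is two existing services joined."""
    services, findings = {}, []
    for key, name, data in parse_reg_export(reg_text):
        if key.lower() in AUTOSTART_KEYS and name == MARKER_VALUE and SYSTEM32_EXE.match(data):
            findings.append(("autostart", key, data))
        elif key.lower().startswith(SERVICES_PREFIX) and name == "ImagePath":
            services[key.rsplit("\\", 1)[1]] = data
    findings += [("service", s, services[s]) for s in sorted(derived_service_names(services))]
    return findings

# Constructed sample export; "kbdmsgx.exe" stands in for the worm's random filename.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Win32Update"="C:\\WINDOWS\\System32\\kbdmsgx.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService]
"ImagePath"="C:\\WINDOWS\\System32\\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RSVP]
"ImagePath"="C:\\WINDOWS\\System32\\rsvp.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermServiceRSVP]
"ImagePath"="C:\\WINDOWS\\System32\\kbdmsgx.exe"
'''
```

Calling `find_momibot_persistence(SAMPLE_REG)` returns one autostart finding for the Run key and one service finding for TermServiceRSVP; legitimate entries such as ctfmon.exe and the two real services are not flagged.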

Mutex

Creates this mutex to ensure only a single instance is running in memory.

  • 9LZZ1TXjZ5NHrnf71f

Command & Control (C&C) Server connection:

Upon successful installation, it tries to connect to a remote server to receive further instructions:

  • http://9{REMOVED}5.174

This worm will also join the following IRC channel to receive instructions:

  • Port: 6667
  • IRC Channel: #AllNiteCafe

Backdoor Functionality:

  • Update itself
  • Remove itself
  • Download and execute files
  • Gather system information

SonicWALL Gateway AntiVirus provides protection against this worm via the following signatures:

GAV: Momibot.B_4 (Trojan)