Summary of W32/Wollf.B
10 Nov 2002
11 Nov 2002
Compromises the security of the affected system, allowing a cracker from a remote location to perform any actions.
The Wollf.B is a W32 type backdoor which gives a cracker at a remote location full access to the compromised system. When initially run, it installs itself as a service and spawns a shell on the system, allowing remote logins on port 7614.
The Wollf.B is a W32 type backdoor written in C++; it is packed with the UPX executable compressor and has a size of 55.296 bytes.
When run, this backdoor copies itself to [system_directory]\System32\wrm.exe, leaving the original file behind unaltered. It then creates a new service through a CreateService call under the name "Wolf remote manager", although the value by which Windows identifies this service is "WRM". That service is supported by the following registry keys:
"DeviceDesc"="Wollf Remote Manager"
"DisplayName"="Wollf Remote Manager"
along with other relevant registry keys that it affects. If this operation succeeds, the initial backdoor issues a StartService call for the newly created service and, if that succeeds as well, terminates itself, leaving [system_directory]\System32\wrm.exe running as a service on the compromised system with the privileges of one.
On the initial start, the WRM service spawns a custom shell, opening a TCP socket listening on port 7614.
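The indicators described above (the WRM service and its "Wollf Remote Manager" display name, the wrm.exe copy under System32, and the TCP listener on port 7614) can be checked on a host without any vendor tooling. The script below is an added triage example, not F-Prot/FRISK code: it works on text snapshots in the format of `sc query`, `reg query` and `netstat -ano` output so it can run offline, and it also looks at the `ImagePath` service value, which is standard for Windows service keys but is not mentioned in the description. The three sample snapshots are constructed for the example.

```python
"""Host-triage check for the W32/Wollf.B indicators named in the description.

Added example, not code from F-Prot/FRISK. Feed it the text output of
`sc query`, `reg query HKLM\\SYSTEM\\CurrentControlSet\\Services\\WRM`
and `netstat -ano` (assumed command choices); the samples below are constructed.
"""
import re
from dataclasses import dataclass, field

# Indicators as stated in the description above.
WOLLF_SERVICE_NAME = "WRM"
WOLLF_DISPLAY_NAMES = {"wollf remote manager", "wolf remote manager"}
WOLLF_IMAGE = r"\system32\wrm.exe"   # matched case-insensitively inside any path
WOLLF_PORT = 7614


@dataclass
class Findings:
    service: list = field(default_factory=list)
    registry: list = field(default_factory=list)
    listener: list = field(default_factory=list)

    def suspicious(self) -> bool:
        return bool(self.service or self.registry or self.listener)


def check_services(sc_output: str) -> list:
    """Match SERVICE_NAME / DISPLAY_NAME lines in `sc query` style text."""
    hits = []
    for name in re.findall(r"SERVICE_NAME:\s*(\S+)", sc_output):
        if name.upper() == WOLLF_SERVICE_NAME:
            hits.append("service name " + name)
    for disp in re.findall(r"DISPLAY_NAME:\s*(.+)", sc_output):
        if disp.strip().lower() in WOLLF_DISPLAY_NAMES:
            hits.append("display name " + disp.strip())
    return hits


def check_registry(reg_output: str) -> list:
    """Match `reg query` style value lines: <name> <REG_type> <data>."""
    hits = []
    for m in re.finditer(r"^\s*(\S+)\s+REG_\w+\s+(.+?)\s*$", reg_output, re.M):
        name, data = m.group(1), m.group(2)
        # DeviceDesc / DisplayName are the values the description names.
        if name in ("DeviceDesc", "DisplayName") and data.lower() in WOLLF_DISPLAY_NAMES:
            hits.append(f"{name}={data}")
        # ImagePath is the standard service binary value (assumption, not on the page).
        if WOLLF_IMAGE in data.lower():
            hits.append(f"{name} points at {data}")
    return hits


def check_listeners(netstat_output: str) -> list:
    """Match TCP LISTENING sockets on the backdoor port in `netstat -ano` style text."""
    hits = []
    pattern = r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)"
    for m in re.finditer(pattern, netstat_output, re.M):
        if int(m.group(1)) == WOLLF_PORT:
            hits.append(f"tcp/{WOLLF_PORT} listening, pid {m.group(2)}")
    return hits


def triage(sc_output: str, reg_output: str, netstat_output: str) -> Findings:
    """Run all three checks and collect the matches."""
    return Findings(check_services(sc_output),
                    check_registry(reg_output),
                    check_listeners(netstat_output))


# Constructed snapshots of an infected host, for the example only.
SAMPLE_SC = """\
SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
        STATE              : 4  RUNNING

SERVICE_NAME: WRM
DISPLAY_NAME: Wollf Remote Manager
        STATE              : 4  RUNNING
"""
SAMPLE_REG = """\
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\WRM
    DisplayName    REG_SZ    Wollf Remote Manager
    ImagePath      REG_EXPAND_SZ    C:\\WINNT\\System32\\wrm.exe
"""
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:7614           0.0.0.0:0              LISTENING       1492
"""

if __name__ == "__main__":
    result = triage(SAMPLE_SC, SAMPLE_REG, SAMPLE_NETSTAT)
    for label, hits in (("service", result.service), ("registry", result.registry),
                        ("listener", result.listener)):
        for hit in hits:
            print(f"[{label}] {hit}")
    print("suspicious:", result.suspicious())
```

Any single hit is enough to warrant a closer look, since the description says the service name, display name, file path and port are all fixed by the backdoor; the listener check is the one that also catches a renamed binary, as long as port 7614 is still in use.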
This shell initially supports a mixture of the commonly found commands available in the Unix shell (sh), along with the corresponding aliases for the same commands found in the Windows command-line interpreter; examples of these commands are:
LS (DIR), MKDIR (MD), RM (DEL), CAT (TYPE). This shell also offers the option of switching into a standard MS-DOS prompt and vice versa.
The advanced options of this backdoor include sending standard popup messages to the compromised system, retrieving system information, remote command/file execution, killing running processes, opening an FTP/Telnet server, TCP traffic redirection between ports (a technique often used to bypass packet-filtering firewalls), keylogging, and an option to put the network card of the compromised system into promiscuous mode and perform tailor-made sniffing of common protocol packets for passwords (FTP/SMTP/POP3/HTTP), although this last function won't always work due to the design of this backdoor.
When deployed originally, the backdoor has no login authentication mechanism, leaving the compromised system open to any connection that reaches it. The traffic between the cracker and this backdoor is standard TCP traffic and is not encrypted.
Analysis / Description: Sindri Bjarnason - Virus analyst FRISK Software International