FRISK Software International


Summary of W32/Wollf.B
Alias: Backdoor.Wollf.16 (AVP)
Length: 55.296 bytes
Discovered: 10 Nov 2002
Definition files: 11 Nov 2002
Risk Level: Medium
Distribution: Medium
Payload: Compromises the security of the affected system, allowing a cracker from a remote location to perform any actions
 

Brief Description
Wollf.B is a W32 backdoor that gives a cracker at a remote location full access to the compromised system. When first run it installs itself as a service and spawns a shell that accepts remote logins on TCP port 7614.


Technical Description
Wollf.B is a W32 backdoor written in C++. It is packed with the UPX executable compressor and is 55.296 bytes in size.

When run, the backdoor copies itself to [system_directory]\System32\wrm.exe, leaving the original file unaltered. It then calls CreateService to create a new service with the display name "Wolf remote manager"; the service name by which Windows identifies it is "WRM". The service is backed by the following registry keys:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WRM\0000]
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"ConfigFlags"=dword:00000000
"DeviceDesc"="Wollf Remote Manager"
"Legacy"=dword:00000001
"Service"="WRM"


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WRM\0000\Control]
"*NewlyCreated*"=dword:00000000
"ActiveService"="WRM"


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WRM]
"DisplayName"="Wollf Remote Manager"
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):43,3A,5C,57,49,4E,4E,54,5C,53,79,73,74,65,6D,33,32,5C,77,72,6D,2E,65,78,65,20,2D,73,74,61,72,74,00
"ObjectName"="LocalSystem"
"Start"=dword:00000002
"Type"=dword:00000120


along with other related registry keys. If this succeeds, the initial backdoor calls StartService on the newly created service and, if that also succeeds, terminates itself, leaving [system_directory]\System32\wrm.exe running as a service on the compromised system with the privileges of that service account (LocalSystem, per the ObjectName value above).
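As an added defensive example (not code from the FRISK write-up), the following Python snippet parses a regedit export, decodes the hex(2) ImagePath value the way regedit stores it, and flags any service matching the indicators listed above (service name WRM, display name "Wol(l)f Remote Manager", or an image named wrm.exe); SAMPLE_REG is a constructed excerpt, and the ImagePath hex decodes to "C:\WINNT\System32\wrm.exe -start".

```python
import re

# Constructed excerpt of a regedit (.reg) export built from the keys in this
# write-up, with one legitimate service added for contrast. Not a real capture.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WRM]
"DisplayName"="Wollf Remote Manager"
"ImagePath"=hex(2):43,3A,5C,57,49,4E,4E,54,5C,53,79,73,74,65,6D,33,32,5C,77,\
  72,6D,2E,65,78,65,20,2D,73,74,61,72,74,00
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Browser]
"DisplayName"="Computer Browser"
"ImagePath"=hex(2):25,53,79,73,74,65,6D,52,6F,6F,74,25,5C,73,76,63,68,6F,73,74,2E,65,78,65,00
'''

def parse_reg(text):
    """Parse a .reg export into {key: {value_name: raw_data}}, joining '\\' continuations."""
    keys, current, pending = {}, None, ""
    for line in text.splitlines():
        line = pending + line.strip()
        if line.endswith("\\"):          # regedit splits long hex values this way
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data
    return keys

def decode_reg_string(data):
    """Decode a "quoted" or hex(2): (REG_EXPAND_SZ) value into a str."""
    if data.startswith("hex(2):"):
        raw = bytes(int(b, 16) for b in data[7:].split(",") if b)
        # regedit writes REG_EXPAND_SZ as UTF-16LE; the page's sample uses 8-bit bytes
        enc = "utf-16-le" if len(raw) > 1 and not any(raw[1::2]) else "latin-1"
        return raw.decode(enc).rstrip("\x00")
    return data.strip('"')

def find_wollf_services(reg_text):
    """Return (key, decoded ImagePath) for services matching this page's indicators."""
    hits = []
    for key, values in parse_reg(reg_text).items():
        display = decode_reg_string(values.get("DisplayName", '""'))
        image = decode_reg_string(values.get("ImagePath", '""'))
        exe = image.lower().split("\\")[-1].split(" ")[0]   # basename of the binary
        if "\\Services\\" in key and (key.rsplit("\\", 1)[-1].upper() == "WRM"
                or exe == "wrm.exe" or re.search(r"wol+f remote manager", display, re.I)):
            hits.append((key, image))
    return hits
```

On a live system the same checks can be run against `reg export HKLM\SYSTEM\CurrentControlSet\Services` output, and a listener on TCP 7614 is the complementary network indicator.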

When the WRM service first starts, it spawns a custom shell that opens a TCP socket listening on port 7614. This shell supports a mixture of commonly used Unix shell (sh) commands together with their Windows command-line interpreter equivalents, for example LS (DIR), MKDIR (MD), RM (DEL) and CAT (TYPE). The shell can also switch into a standard MS-DOS prompt and back again.

The backdoor's advanced options include sending standard popup messages to the compromised system, retrieving system information, remote command and file execution, killing running processes, opening an FTP or Telnet server, redirecting TCP traffic between ports (an often-used technique for bypassing packet-filtering firewalls), keylogging, and an option to put the network card of the compromised system into promiscuous mode and run a purpose-built sniffer that extracts passwords from common protocols (FTP/SMTP/POP3/HTTP), although the sniffing function does not always work because of the way the backdoor is designed.

As originally deployed, the backdoor has no login authentication mechanism, so the compromised system is exposed to any connection that reaches the listening port. Traffic between the cracker and the backdoor is plain TCP and is not encrypted.


Analysis / Description: Sindri Bjarnason - Virus analyst FRISK Software International