Trojan Horses Definitions(w) - WootBot

WootBot

Category: Trojan

Risk: Severe Risk

* Severe threats typically are remotely exploitable vulnerabilities that can lead to system compromise. Successful exploitation does not normally require any user interaction, and exploits are in the wild. There is a high possibility of system damage or a security flaw. The attacker has complete control over your computer and can install new software on your machine.

Description: WootBot is a memory-resident trojan that propagates through network shares. Upon execution, WootBot drops a copy of itself as the file WINSSV.EXE in the Windows system folder. It also takes advantage of the Windows IIS 5/WebDAV vulnerability; for more information regarding this vulnerability, please refer to the following Microsoft Web page: Microsoft Security Bulletin MS03-007.

It registers itself as a service by adding the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cronation

It also attempts to download a file from an FTP site in order to execute it on the system.

This worm steals the Windows product ID and the CD keys of the following popular PC games, if they are installed on the system:

* Battlefield 1942: Secret Weapons Of WWII
* Battlefield 1942: The Road To Rome
* Battlefield 1942: Vietnam
* Black and White
* Command and Conquer Generals Zero Hour
* Command and Conquer: Generals
* Command and Conquer: Red Alert 2
* Command and Conquer: Tiberian Sun
* Counter-Strike
* FIFA 2002
* FIFA 2003
* Freedom Force
* Global Operations
* Gunman Chronicles
* Half-Life
* Hidden and Dangerous 2
* IGI2: Covert Strike
* Industry Giant 2
* James Bond 007 Nightfire
* Medal of Honor Allied Assault
* Medal of Honor: Allied Assault: Breakthrough
* Medal of Honor: Allied Assault: Spearhead
* Nascar Racing 2002
* Nascar Racing 2003
* Need For Speed: Hot Pursuit 2
* Need For Speed: Underground
* Neverwinter Nights
* NHL 2002
* NHL 2003
* Ravenshield
* Shogun Total War - Warlord Edition
* Soldier Of Fortune 2
* Soldiers Of Anarchy
* The Gladiators
* Unreal Tournament 2003
* Unreal Tournament 2004

Alias: WORM_WOOTBOT.CA

Signatures:

Updated: 02/17/2006
Copyright © 2006 THR Computer Solutions: WootBot