
Win32.Canbot.A (Ca.com)


Description Published: August 29, 2004
Description Modified: August 30, 2004

Category: Win32
Also known as: AIM-Canbot (McAfee), W32.Spybot.Worm (Symantec), W32/Vb.AR (F-Secure), Win32/VB.DG (Eset), Win32/VB.DG.Trojan, Trojan.Win32.VB.dg (Kaspersky)

Description

Win32.Canbot.A is a backdoor trojan that allows unauthorized access to an affected machine.

Method of Infection

Note: Canbot.A requires the presence of the file mswinsck.ocx on an affected machine in order to function. While many computers have this library by default, on those that do not the trojan simply displays an error message and exits.

When executed, Canbot.A attempts to copy itself to %System%\winupdat.exe; however, due to bugs in the code, it often fails to do this.

It then adds the following registry key so this file (if successfully created) is run every time Windows starts:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdat = "winupdat.exe"

Note: '%System%' is a variable location. The trojan determines the location of the current System folder by querying the operating system. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95, 98 and ME it is C:\Windows\System; and for XP it is C:\Windows\System32.

Payload

SOCKS Proxy/Backdoor Functionality

Canbot.A creates a SOCKS5 proxy server on port 3337 on the affected machine. It modifies or adds the following registry entries so that the local AIM (AOL Instant Messenger) client is redirected via this proxy:

HKCU\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Proxy\Protocol = "SOCKS5"
HKCU\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Proxy\host = "localhost"
HKCU\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Proxy\port
HKCU\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Proxy\Enabled = 1
HKCU\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Server\Port = 5190
HKCU\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Server\Host = "login.oscar.aol.com"

The trojan's proxy server relays the user's legitimate traffic to and from the AIM server. From the user's point of view the Internet connection appears uninterrupted, while the trojan still achieves its purpose as a backdoor that allows unauthorized access to the affected machine.

The trojan allows the remote user to perform the following functions:

- List the affected machine's current active ports and connections
- Terminate processes
- Retrieve file information (size, timestamp, attributes)
- Upload / download files
- Browse directories
- Clone the trojan (that is, start multiple copies on the affected machine)
- Exit the trojan
- Execute/delete files
- Open port 3338 as an HTTP server which may serve copies of the trojan (see below for further detail)
- Start a VNC server which gives the trojan's controller a visual interface to the affected machine.

Note: This final function requires that the affected machine already contain several VNC library files, which are unlikely to be present on machines that have never run a VNC client or server.

Canbot can also be ordered to send messages to users on the AIM network. The second line of each message is a URL that points to a copy of the trojan on the HTTP server mentioned above. The trojan uses the following messages in order to entice AIM users into clicking on the link and downloading the trojan:

Hey, this is a pic of the cam im getting!
click here

Yo!! Im gettin this camara!
piC

suP im geTten THis cAm from BestBuy
piC

loL.. Check this cam im gettin from bestbuy
Pic - Mini DV Digital

The file C:\LSEDFQWE.TXT may also be created in order to store the current active ports on the user's system (should the trojan's controller request it).
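The indicators listed above (the winupdat Run value, the AIM SOCKS5 redirect to localhost, listening TCP ports 3337 and 3338, and the C:\LSEDFQWE.TXT port dump) can be checked offline against evidence collected from a machine. The following script is an added example, not CA's code and not part of this description: it parses a Windows `.reg` export and `netstat -an` output and reports which Canbot.A indicators are present. The sample registry export, netstat listing and file list are constructed for illustration; in particular the port value under the AIM Proxy key (3337) is an assumption, since the description does not give it.

```python
"""Offline indicator check for the Win32.Canbot.A behaviour described above.

Added example (not CA's code). Inputs are text snapshots: a .reg export
(regedit "Export") and the output of `netstat -an`, plus a list of file
paths found on disk. Sample data below is constructed for illustration.
"""

# Registry keys named in the description (.reg export uses full hive names).
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
AIM_PROXY_KEY = (r"HKEY_CURRENT_USER\Software\America Online"
                 r"\AOL Instant Messenger (TM)\CurrentVersion\Proxy")
# Ports the description attributes to the trojan.
SUSPECT_PORTS = {3337: "SOCKS5 proxy/backdoor", 3338: "HTTP server"}
PORT_DUMP_FILE = r"C:\LSEDFQWE.TXT"


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: data}}.

    Handles the two data types needed here: quoted strings and dword:HEX.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and "=" in line:
            name, _, data = line.partition("=")
            name = name.strip().strip('"')
            data = data.strip()
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1]
            elif data.lower().startswith("dword:"):
                data = int(data[6:], 16)
            keys[current][name] = data
    return keys


def parse_listening_ports(netstat_text):
    """Return the set of local TCP ports in LISTENING state from `netstat -an`."""
    ports = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "TCP" and parts[-1] == "LISTENING":
            ports.add(int(parts[1].rsplit(":", 1)[1]))
    return ports


def find_indicators(reg_text, netstat_text, existing_files):
    """Return human-readable findings for every Canbot.A indicator present."""
    findings = []
    reg = parse_reg_export(reg_text)

    # Persistence: Run value named winupdat or pointing at winupdat.exe.
    for name, data in reg.get(RUN_KEY, {}).items():
        if name.lower() == "winupdat" or "winupdat.exe" in str(data).lower():
            findings.append(f"Run value {name!r} = {data!r} (persistence)")

    # AIM client redirected through a local SOCKS5 proxy.
    proxy = reg.get(AIM_PROXY_KEY, {})
    if (str(proxy.get("Protocol", "")).upper() == "SOCKS5"
            and str(proxy.get("host", "")).lower() in ("localhost", "127.0.0.1")
            and proxy.get("Enabled") == 1):
        findings.append(f"AIM proxied via local SOCKS5, port {proxy.get('port')}")

    # Backdoor / HTTP server ports.
    for port in sorted(parse_listening_ports(netstat_text) & set(SUSPECT_PORTS)):
        findings.append(f"TCP port {port} listening ({SUSPECT_PORTS[port]})")

    # Port dump file written on the controller's request.
    for path in existing_files:
        if path.upper() == PORT_DUMP_FILE:
            findings.append(f"port dump file {path} present")
    return findings


# Constructed sample evidence (not from a real infection).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winupdat"="winupdat.exe"

[HKEY_CURRENT_USER\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Proxy]
"Protocol"="SOCKS5"
"host"="localhost"
"port"=dword:00000d09
"Enabled"=dword:00000001
"""

SAMPLE_NETSTAT = """  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3337           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3338           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:1052          205.188.1.1:5190       ESTABLISHED
"""

SAMPLE_FILES = [r"C:\boot.ini", r"C:\LSEDFQWE.TXT"]

if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_REG, SAMPLE_NETSTAT, SAMPLE_FILES):
        print("INDICATOR:", finding)
```

Against the constructed sample the script reports five findings: the Run value, the AIM proxy redirect (port 3337, decoded from the dword), the two listening ports, and the port dump file. The check on the AIM key requires all three of Protocol, host and Enabled to match, so a user who legitimately configured a remote SOCKS proxy for AIM is not flagged.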

Analysis by Paul Taylor

More information on CA Virus Information Center:
http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=40033

Computer Associates – the Trusted Source of Security Knowledge
