Kwbot

Type: Peer-to-peer Worm
Date Discovered: 18-JUN-2002
Source Language: C
Platform: Microsoft Windows
File Types: .exe
Infection Length: 19,600 bytes

KWbot, also known as K0wbot or Tanked, is a peer-to-peer worm that uses KaZaA shares to spread. The worm disguises itself as popular media, games or legitimate software commonly shared on KaZaA. It opens backdoors that listen for commands from a remote actor. It is also capable of updating itself by checking the Internet for newer versions of itself.

Behavior

When Kwbot is executed, it copies itself to the Windows System folder as Explorer32.exe. It adds the value "Windows Explorer Update Build 1142 = C:\Windows\System\Explorer32.exe" to the registry keys HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices to ensure it runs when the system starts.

The worm then selects a random TCP port and listens for commands from an attacker. It has a built-in IRC client that connects to a server specified in its code and notifies the attacker that there is a newly infected machine. It executes commands only when they carry a previously selected authorization key. Available actions include:

  • Install a backdoor
  • Control the IRC client
  • Update the trojan
  • Infect other systems through IRC
  • Download and run arbitrary files
  • Send information about the infected system to the attacker
  • Perform a denial of service
  • Uninstall itself from the infected system

Kwbot checks the registry for the location of the KaZaa share folder and then copies itself to that folder. Possible file names include:

  • Star Wars Episode 2 - Attack of the Clones VCD CD2.exe
  • Spiderman SVCD CD3.exe
  • Sum of all Fears SVCD CD3.exe
  • Grand Theft Auto 3 CD2 ISO.exe
  • Playstation 2 PS2 Emulator.exe
  • Windows XP Home to Professional Upgrade.exe
  • Windows XP backdoor hack.exe
  • Windows 2000 win2k password stealer.exe
  • Microsoft Office XP Upgrade (from older versions).exe
  • Macromedia Flash 5 Ultimate Study Guide.exe
  • Norton Internet Security 2002.exe
  • ZoneAlarm Firewall Pro.exe
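The decoy names above share two properties a defender can key on without knowing the exact list: they promise a disc image, video rip or game but end in .exe, and every copy is the same binary (and so the same size) under a different name. The following added example, written here and not part of the original page or of any vendor tooling, scans a constructed share-folder listing for both signals. The token list is derived from the names on the page plus a few assumed media extensions (dvd, avi, mpg, mp3); the 19,600-byte size comes from the page's infection length.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Names that look like disc images, video rips or game media but carry an .exe
# extension. Tokens come from the decoy names on the page; dvd/avi/mpg/mp3 are an
# assumed generalisation to other common media extensions.
MEDIA_TOKENS = re.compile(r"\b(vcd|svcd|dvd|iso|cd\d|avi|mpg|mp3|emulator)\b", re.IGNORECASE)

# Constructed share-folder listing as (file name, size in bytes). The .exe sizes use
# the 19,600-byte infection length from the page; the other entries are ordinary media.
SAMPLE_SHARE: List[Tuple[str, int]] = [
    ("Star Wars Episode 2 - Attack of the Clones VCD CD2.exe", 19600),
    ("Spiderman SVCD CD3.exe", 19600),
    ("Grand Theft Auto 3 CD2 ISO.exe", 19600),
    ("Norton Internet Security 2002.exe", 19600),
    ("holiday_photos.jpg", 284113),
    ("podcast_episode_12.mp3", 5214880),
]


def flag_decoy_executables(listing: Iterable[Tuple[str, int]], min_cluster: int = 3) -> Dict[str, List[str]]:
    """Return {file name: [reasons]} for executables that look like P2P worm decoys.

    Two signals: a name that promises media or a disc image but ends in .exe, and a
    cluster of executables with identical size (many decoys are one binary under
    different names). Non-executables are ignored entirely.
    """
    reasons: Dict[str, List[str]] = defaultdict(list)
    by_size: Dict[int, List[str]] = defaultdict(list)
    for name, size in listing:
        if not name.lower().endswith(".exe"):
            continue
        by_size[size].append(name)
        if MEDIA_TOKENS.search(name):
            reasons[name].append("executable named like a disc image, video or game media")
    for size, names in by_size.items():
        if len(names) >= min_cluster:
            for name in names:
                reasons[name].append(f"one of {len(names)} executables with identical size ({size} bytes)")
    return dict(reasons)


if __name__ == "__main__":
    for name, why in flag_decoy_executables(SAMPLE_SHARE).items():
        print(name)
        for reason in why:
            print("   -", reason)
```

The size-cluster signal is the more robust of the two: a name-based list is only as good as the last variant's decoy names, whereas a dozen executables that are all exactly the same size is unusual in a legitimate share regardless of what they are called. Hashing the clustered files would confirm they are identical.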

Variants

Variants of Kwbot go up to at least Kwbot.K and are mostly very similar to each other. Some vendors claim that variants go up to Kwbot.AR.

Kwbot.C

Kwbot.C uses iMesh in addition to KaZaA to spread. In addition to the registry keys used by the original, it creates HKEY_Local_Machine\Software\krypton. It also creates a folder named UserTemp in the Windows directory, where it copies itself 100 times. The files will have the hidden attribute set and a file name to impersonate a popular game or other software. The actual size of the file is 553,600 bytes, but each file will report a size similar to the software it is impersonating.

It adds the values "DisableSharing = 0", "dir0 = 012345:C:\Windows\UserTemp" and "dir1 = 012345:C:\Windows\UserTemp" to the registry keys "HKEY_Current_User\Software\Kazaa\LocalContent" and "HKEY_Current_User\Software\iMesh\Client\LocalContent". This forces sharing on and publishes the "\Windows\UserTemp" folder, so other KaZaA and iMesh users download the worm's copies from it.
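Both the original's persistence entries (the Run and RunServices values pointing at Explorer32.exe in the System folder, described under Behavior) and Kwbot.C's registry changes above are plain registry artefacts, so a `reg export` of the affected keys is enough to check a machine. The following added example, written here and not part of the original page or of any vendor's detection logic, parses a constructed .reg export and reports each indicator the page describes. The sample export, its "ExampleUpdater" benign entry and the checker's output format are all assumptions; the key paths and values are the ones on the page.

```python
import re
from typing import Dict, List

# Constructed sample: a partial `reg export` of the hives Kwbot and Kwbot.C touch.
# Values follow the page's description; "ExampleUpdater" is a benign placeholder
# added so the checker has something it must leave alone.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Explorer Update Build 1142"="C:\\Windows\\System\\Explorer32.exe"
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Windows Explorer Update Build 1142"="C:\\Windows\\System\\Explorer32.exe"

[HKEY_LOCAL_MACHINE\Software\krypton]

[HKEY_CURRENT_USER\Software\Kazaa\LocalContent]
"DisableSharing"=dword:00000000
"dir0"="012345:C:\\Windows\\UserTemp"
"dir1"="012345:C:\\Windows\\UserTemp"
"dir2"="012345:C:\\My Shared Folder"
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<data>.*)$')

AUTORUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
)
P2P_CONTENT_KEYS = (
    r"HKEY_CURRENT_USER\Software\Kazaa\LocalContent",
    r"HKEY_CURRENT_USER\Software\iMesh\Client\LocalContent",
)
MARKER_KEY = r"HKEY_LOCAL_MACHINE\Software\krypton"


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key path: {value name: data}}.

    Key paths are lower-cased so lookups are case-insensitive, as the registry
    itself is. Quoted string data is unquoted and unescaped (.reg files double
    backslashes); other data such as dword:... is kept as written.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        section = SECTION_RE.match(line)
        if section:
            current = section.group(1).lower()
            keys.setdefault(current, {})
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            data = value.group("data")
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][value.group("name")] = data
    return keys


def find_kwbot_indicators(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Return one finding per registry artefact matching the page's description."""
    findings: List[str] = []
    # 1. Persistence: the Run/RunServices value name, or any autorun pointing at
    #    Explorer32.exe in the System folder.
    for key in AUTORUN_KEYS:
        for name, data in keys.get(key.lower(), {}).items():
            if name == "Windows Explorer Update Build 1142" or data.lower().endswith("\\system\\explorer32.exe"):
                findings.append(f"autorun {key}\\{name} -> {data}")
    # 2. Kwbot.C's marker key.
    if MARKER_KEY.lower() in keys:
        findings.append(f"marker key {MARKER_KEY}")
    # 3. Kwbot.C's share hijack: sharing forced on and a share directory under \Windows.
    for key in P2P_CONTENT_KEYS:
        values = keys.get(key.lower(), {})
        sharing_forced = values.get("DisableSharing", "").lower() == "dword:00000000"
        for name, data in values.items():
            if not name.lower().startswith("dir"):
                continue
            # LocalContent entries have the form "<flags>:<path>"; drop the flag prefix.
            path = data.split(":", 1)[1] if ":" in data else data
            if path.lower().startswith("c:\\windows\\"):
                state = "sharing forced on" if sharing_forced else "DisableSharing not 0"
                findings.append(f"p2p share {key}\\{name} -> {path} ({state})")
    return findings


if __name__ == "__main__":
    for finding in find_kwbot_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(finding)
```

To run it against a real machine, export the four keys with `reg export` and feed the file to `parse_reg_export`; a share directory under the Windows directory is the strongest of the three signals, since no legitimate P2P client configuration publishes that location.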

Effects and Origin

There are very few clues as to where the worm comes from. It appears to have been written in C. KaZaA is almost exclusively installed on personal systems, so infections at major corporations or government offices seem to be non-existent.

Sources

VSAntivirus, Se propaga a través del KaZaa. 20-JUN-2002

VSAntivirus, W32/Kwbot.C. Gusano y troyano, usa KaZaa e iMesh. 28-JUN-2002

Rita J. Will, Global Information Assurance Certification Paper, KaZaA Media Desktop Virus: W32/kwbot. 02-OCT-2002

Yana Liu, Symantec Security Response, W32.Kwbot.Worm. 19-JUN-2002

Trend Micro, WORM_KWBOT.AR. 20-OCT-2013

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License