Worm:Win32/Boinberg (CnC Botnet)

The IP Address (IP LOCATION: Luxemburg) is listed in the CBL (Composite Blocking List). It appears to be infected with a spam sending trojan, proxy and/or some other form of botnet. It was last detected on 19th November 2013. It has been relisted following a previous removal on 12th November.

This IP address is infected with, and/or is NATting for a machine infected with the Worm.Boinberg. This Worm:Win32/Boinberg is part of the Malware-family of IRC-controlled worms that may be ordered to spread via Windows Live Messenger (ICQ, AOL Instant Messenger, Yahoo Pager, Skype, etc.) and/or USB drives. It may also spread through USB drives, RAR and ZIP files by adding a copy of itself into the target archive. Its first detection has been made in March 2011, and the threat level almost 4 years later is classified as severe. In order to spread, IM-Worms usually send a link (URL) to a list of message contacts. The link leads to a network resource where a file containing the body of the worm has been placed. This tactic is almost exactly the same as that used by Email-Worms.

This Worms Aliases by AVVendors:
  • Malware.Shadesrat (PCTools)
  • W32.Shadesrat (Symantec)
  • Backdoor.Win32.IRCBot.abgt (Kaspersky Lab)
  • W32/IRCbot.gen.a (McAfee)
  • Mal/VBCheMan-A (Sophos)
  • Worm:Win32/Boinberg (Microsoft)
  • Worm.Win32.Boinberg (Ikarus)
And not to forget that it is packed UPX (Ultimate Packer for eXecutables)

It`s Installation:

When executed, Worm:Win32/Boinberg copies itself with a variable file name to the %APPDATA% directory, then executes this dropped copy.

The malware creates the following registry entries to ensure that its copy executes each Windows start:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random string>"
With data: "%APPDATA%\<random file name>.exe"

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random string>"
With data: "%APPDATA%\<random filename>.exe"

In the background, the worm injects itself into known Windows running processes, such as 'winlogon', 'svchost' and 'Explorer'.

The following mutex indicates the presence of the worm on the affected computer:

"<random string>"
"<empty / blank>"

Spreads via...

Instant messenger

The worm may send messages to the affected user's Windows Live Messenger contacts containing a URL pointing to the worm, or an attachment containing a copy of the worm.

Removable drives

Worm:Win32/Boinberg copies itself to the following locations on removable drives:

<targeted drive>:\<malware file>.exe
<targeted drive>:\autorun.ini - detected as Worm:Win32/Boinberg

It attempts to download an updated version from a remote server and spread this latest copy via removable drive.

It also places an autorun.inf file in the root directory of the targeted drive. Such autorun.inf files contain execution instructions for the operating system (OS), so that when the removable drive is accessed from another computer supporting the Autorun feature, the malware is launched automatically.

File infection 

It searches for RAR and ZIP files on the system and, if found, infects them by adding a copy of the worm into the target archive file. This may enable the worm to spread itself through file sharing or emailing.


...allows backdoor access and control

Worm:Win32/Boinberg attempts to connect to an IRC server and join a channel to receive commands.

The following is a list of servers and TCP ports that Worm:Win32/Boinberg has been observed to use in this manner:

For more details on this Worm, visit Microsoft here.
The CBL detection is being made using sinkholing techniques.

To find an infected computer on a NATted network you will have to search through your firewall logs for connections to port 4042 TCP. In additional, evidence can be found in DNS logs by searching for the domain name "", for example:

This was detected by a TCP/IP connection from on port 56501 going to IP address (the sinkhole) on port 4042.

The botnet command and control domain for this connection was "".

Behind a NAT, you should be able to find the infected machine by looking for attempted connections to IP address or host name on any port with a network sniffer such as Wireshark.

Equivalently, you can examine your DNS server or proxy server logs to references to or See Advanced Techniques for more detail on how to use Wireshark & ignore the references to port 25/SMTP traffic, the identifying activity is NOT on port 25.

This detection corresponds to a connection at 2013-11-19.

These infections are rated as a "severe threat" by Microsoft. It is a trojan downloader, and can download and execute ANY software on the infected computer, so better stay Awake. ;-)

RELATED POST: Symantec: Blackshades Remote Access Tool still being bargained

Keine Kommentare:

Kommentar veröffentlichen