Lately, TrendLabs has been receiving numerous reports of WORM_MEDBOT.AI infections, so TMIRT and our Malware Escalation Team went on to investigate. This is what we found.
To learn more about WORM_MEDBOT.AI than what is already posted in our Virus Encyclopedia, we sniffed the worm's network traffic and found that it connects to the IRC server reg.raxoper.com using the nick jebr-1_(four-digit random number)_(four-digit random number).
Once a private session is established, the controller may issue any of several commands programmed into MEDBOT. In the session we monitored, the controller issued a download-and-execute command for four files (modul32e.m.exe, injs.n.exe, hdd.h.exe and ssd32.j.exe) located at http://up.medbod.com/up. On initial analysis, these files appear to be Trojan downloaders. All four have already been submitted to the service team for detection.
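The observations above (the IRC server, the nick format, and the download-and-execute of the four files) are concrete enough to turn into a network indicator check. The following is an added example written for this post, not code from TrendLabs or from the malware: it matches the indicators named so far, plus the seek(1-2 digit number).mootseek.com hosts mentioned later, against a constructed log excerpt. The log line layout, the timestamps and the IRC PONG line are assumptions, not capture data, and the last line deliberately carries a nick with too few digits to show that the pattern is strict about the two four-digit fields.

```python
import re
from collections import Counter

# Indicators taken from the behaviour described in the post.
IRC_C2_HOST = "reg.raxoper.com"
# Nick format seen on the wire: jebr-1_<four digits>_<four digits>
NICK_RE = re.compile(r"\bjebr-1_\d{4}_\d{4}\b")
DOWNLOAD_BASE = "http://up.medbod.com/up/"
PAYLOADS = ("modul32e.m.exe", "injs.n.exe", "hdd.h.exe", "ssd32.j.exe")
# Hosts serving the spam components: seeky.mootseek.com and seek<1-2 digits>.mootseek.com
SPAM_HOST_RE = re.compile(r"\b(?:seeky|seek\d{1,2})\.mootseek\.com\b")

# Constructed sample log (not real capture data); the line layout is assumed.
SAMPLE_LOG = """\
12:00:01 irc  10.0.0.5 -> reg.raxoper.com:6667 NICK jebr-1_4821_0937
12:00:03 irc  10.0.0.5 -> reg.raxoper.com:6667 PONG :reg.raxoper.com
12:00:09 http 10.0.0.5 GET http://up.medbod.com/up/modul32e.m.exe
12:00:10 http 10.0.0.5 GET http://up.medbod.com/up/injs.n.exe
12:00:31 http 10.0.0.5 GET http://seek12.mootseek.com/
12:00:40 http 10.0.0.5 GET http://www.example.com/index.html
12:01:02 irc  10.0.0.7 -> irc.example.net:6667 NICK jebr-1_12_34
"""


def classify(line: str) -> list[str]:
    """Return the indicator labels a single log line trips (empty list if none)."""
    hits = []
    if IRC_C2_HOST in line:
        hits.append("irc-c2-host")
    if NICK_RE.search(line):
        hits.append("medbot-nick")
    # Only flag the download when it is one of the four files seen in the session.
    if DOWNLOAD_BASE in line and any(line.rstrip().endswith(p) for p in PAYLOADS):
        hits.append("payload-download")
    if SPAM_HOST_RE.search(line):
        hits.append("spam-component-host")
    return hits


def scan_log(text: str) -> dict[str, int]:
    """Count how many lines in the log trip each indicator."""
    counts: Counter = Counter()
    for line in text.splitlines():
        counts.update(classify(line))
    return dict(counts)


def flagged_lines(text: str) -> list[str]:
    """Return only the lines that tripped at least one indicator."""
    return [line for line in text.splitlines() if classify(line)]


if __name__ == "__main__":
    for line in flagged_lines(SAMPLE_LOG):
        print(classify(line), line)
    print(scan_log(SAMPLE_LOG))
```

The nick check alone is a weak signal (a four-digit random pair is easy to collide with), so the example reports it alongside the C2 host and the payload fetches; a hit on two or more of these from the same client is what a responder would actually act on.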
The most notable of the four downloaded files is modul32e.m.exe, which accepts a URL as a parameter. Downloading the file at that URL reveals that it in turn contains many URL links to other files. A brief summary of the files listed includes an s3.2.txt file from the seeky.mootseek.com domain; domain.cab, fname.cab, lname.cab and pattern.txt from the up.medbod.com domain; and a lot of other files from the seek(1-2 digit number).mootseek.com domain.
Surprisingly, the s3.2.txt file contains an e-mail template that resembles spam. The domain.cab, fname.cab and lname.cab archives contain the files domain, fname and lname respectively. The domain file contains a list of various domains, fname contains a list of common first names, and lname contains a list of last names. The file pattern.txt, on the other hand, contains phrases that can be used as e-mail subjects.
The various files from the seek(1-2 digit number).mootseek.com domain are text files containing lists of generated e-mail addresses that are not covered by the combinations of strings in fname/lname@domain.
It is worth noting that all of these files are constantly updated. The s3.2.txt file that serves as the e-mail template was updated twice during our session, with each update changing the URL advertised in the spam mail. The same goes for the numerous files from the seek(1-2 digit number).mootseek.com domain. The only files that remained constant were the domain, fname and lname files.
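To make the division of labour between the component files concrete, here is an added example (written for this post, not code from the malware or from TrendLabs) that models the spam pipeline described above: first names, last names and domains are expanded into recipient addresses, the seek lists are checked against that expansion to confirm they only add addresses the combinations would not produce, and each recipient is paired with a subject from pattern.txt and the template filled with the currently advertised URL. The list contents, the template text and its {url} placeholder are constructed stand-ins, and the exact expansion rule (first@, last@ and first.last@ per domain) is an assumption, since the post only says "fname/lname@domain".

```python
import itertools
import random

# Constructed stand-ins for the component files (not the real lists or template).
FNAME = ["john", "mary"]                                   # fname
LNAME = ["smith", "jones"]                                 # lname
DOMAIN = ["example.com", "example.net"]                    # domain
PATTERN = ["Great deals inside", "Your order confirmation"]  # pattern.txt: subject phrases
# seek<NN>.mootseek.com lists: addresses outside the name/domain combinations
SEEK_LIST = ["john.smith@example.com", "webmaster@example.org", "sales@example.net"]
# s3.2.txt: the template; {url} is an assumed placeholder for the advertised link
TEMPLATE = "Hi,\n\nHave a look at {url} before the offer ends.\n"


def combine(fnames, lnames, domains):
    """Assumed expansion of 'fname/lname@domain': first@, last@ and first.last@ for every domain."""
    out = set()
    for d in domains:
        out.update(f"{f}@{d}" for f in fnames)
        out.update(f"{l}@{d}" for l in lnames)
        out.update(f"{f}.{l}@{d}" for f, l in itertools.product(fnames, lnames))
    return out


def uncovered(extra, combos):
    """Addresses from the seek lists that the name/domain combinations would not produce."""
    return sorted(a for a in extra if a not in combos)


def build_campaign(url, seed=0):
    """Pair every target with a pattern.txt subject and the template carrying the current URL.

    Re-running this with a new url models an s3.2.txt update: the recipient set is
    unchanged (domain/fname/lname stayed constant) but every body now advertises the new link.
    """
    rng = random.Random(seed)  # seeded so the output is reproducible
    combos = combine(FNAME, LNAME, DOMAIN)
    targets = sorted(combos) + uncovered(SEEK_LIST, combos)
    body = TEMPLATE.format(url=url)
    return [(to, rng.choice(PATTERN), body) for to in targets]


if __name__ == "__main__":
    for to, subject, body in build_campaign("http://example.org/offer"):
        print(f"To: {to}\nSubject: {subject}\n{body}")
```

Even with two names per list and two domains the expansion yields sixteen addresses, which is why the operators only need the seek lists for addresses the combinatorial rule cannot reach, and why those lists (and the template) are the parts that keep changing while the name and domain files stay fixed.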
Summing up all these files reveals the real intention of WORM_MEDBOT: to turn infected computers into spam machines. The MEDBOT infection is an elaborate, collaborative effort by malware writers out for profit. The use of multiple component files and of at least three cooperating domains all points to an organized group behind this, and for them to set up such a complicated system, the returns must be really, really good.