I-Worm Baba Analysis

A new multi-stage mass-mailer worm has been discovered in the wild, with two variants so far released within hours of each other. Some anti-virus companies have labeled this worm as a Netsky variant (Netsky.AH and Netsky.AI), but SecureWorks' initial analysis finds very little similarity between this worm and any Netsky variant except for the use of the filename "csrss.exe", which was also used in Netsky.AB. Netsky's general email message format may have been copied to some extent, however. We are using the name "I-Worm.Baba" given to the worm by Kaspersky Labs, as it is probably the most accurate.

When run, Baba performs 7 basic steps, saving state information each time to the file C:\csrss.bin. The state information consists of 4 comma-separated fields. The first field is an indicator of how many hosts this particular executable has traversed: when a host is infected, the worm increments a 32-bit integer appended to the end of the files it sends back out. Since the count is variable, it is indicated with an "x" in the information below.

The steps the virus component performs are:

  • The program opens its executable file and reads the complete file into memory. After this step the state information is x,1,0,0
  • It extracts and executes C:\csrss.exe from the body of the executable by searching for the marker "SoonChunHyangBucheon" in the file. The bytes immediately following the marker, up to the end of the file, are decrypted through a simple XOR, saved to disk and executed. On the first run, the trojan component writes an entry to the registry to ensure it runs on the next boot. After writing this key, the trojan component then exits. After this step the state information is x,2,0,-1
  • The mutex "0x452A561C" is created. If the mutex already exists (indicating another instance of the program is running) the program exits. Additionally the system date is checked. If the date is earlier than 2004-10-20 or later than 2004-10-25 (in the variant labeled I-Worm.Baba.b by Kaspersky Labs) the program will exit. If this step completes without exiting, the program sleeps for 60 seconds, then updates the state information to x,3,0,0
  • The program attempts to determine the best address to use as the local IP. After this step the state information is x,4,0,0
  • The machine requests the MX record for hotmail.com from the configured DNS server, then attempts to connect to the returned IP address on port 25, in order to determine if the local machine can send email directly to MX servers. If this check fails after 5 minutes of repeated attempts, the program exits. If it does not fail, the state information is set to x,5,0,0
  • The program searches the filesystem for files with the extensions dbx, wab, mbx, eml, mdb, tbb, inbox or dat, and for any files in a folder named "mail" or "imapmail". After this step the state information is x,6,(number of email addresses found),0
  • The program begins to send infected emails to every address found; exiting when finished. Since there is no registry key written by the virus, it will not return on reboot and will cease to spread. However, the dropped trojan will begin to run after the machine is rebooted.

The csrss.exe file is a downloader trojan. Strings found inside the binary hint at it being a proxy server or a keystroke logger, but this is not the case. The csrss.exe file attempts to contact an embedded list of servers in order to download a second stage, which is unknown at the time of this writing.

The trojan component performs the following steps:

  • The program creates a mutex "BABA_FEDCBA9876543210_BABA". If the mutex already exists (indicating another instance of the program is running) the program exits.
  • The program checks for the existence of the registry key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Key Logger". If the key does not exist, it is created, then the program exits, waiting to run on the next boot.
  • Version information is collected for later reporting.
  • A list of command-and-control IP addresses is copied into a table in memory one at a time.
  • The program loops and attempts to contact an IP address from the list, chosen at random, using HTTP. The TCP port number for communication is calculated dynamically, taking the sum of the first two octets of the IP address plus 28000. From a network standpoint this may look like SYN packets to random IP addresses on ports 28032-28445, but it is actually a fixed list of IP addresses and ports. Most of the IP addresses are probably decoys, and none of the machines were listening on the given port at the time of this writing.
  • If communication with the control server is established, a file may be sent and executed, along with other information, such as additional control servers. The state information from the virus component stored in C:\csrss.bin is also uploaded to the control server, along with the system version information obtained earlier embedded in the user-agent string.
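The port formula above gives defenders a cheap network heuristic: an outbound SYN whose destination port equals the first two octets of the destination IP plus 28000 is worth correlating with the C:\csrss.exe and C:\csrss.bin host indicators. The following is an added example (not SecureWorks' code); the log line format and the sample connections are constructed for illustration.

```python
import re
from ipaddress import IPv4Address

def baba_port(ip: str) -> int:
    """Port the Baba trojan derives for a control server: octet1 + octet2 + 28000."""
    o1, o2, _, _ = (int(p) for p in str(IPv4Address(ip)).split("."))
    return o1 + o2 + 28000

# Constructed sample of outbound-connection log lines (not real traffic).
# Format assumed here: "<src> -> <dst>:<port> <tcp flags>"
SAMPLE_LOG = """\
10.0.0.5 -> 12.215.69.125:28227 S
10.0.0.5 -> 4.28.67.254:28032 S
10.0.0.5 -> 93.184.216.34:443 S
10.0.0.5 -> 24.24.204.18:28048 S
10.0.0.5 -> 24.24.204.18:80 S
"""

LINE_RE = re.compile(r"^(\S+) -> (\d+\.\d+\.\d+\.\d+):(\d+)\s+(\S+)$")

def find_baba_beacons(log_text: str) -> list[tuple[str, str, int]]:
    """Return (src, dst, port) for SYN attempts whose destination port matches
    the Baba formula for that destination IP.

    This is a heuristic, not a signature: any legitimate service that happens
    to listen on 28000 + o1 + o2 would also match, so hits are leads to
    confirm against the host indicators, not verdicts on their own."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        src, dst, port, flags = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        # Cheap range check first (255 + 255 + 28000 is the largest possible port),
        # then the exact per-IP computation.
        if "S" in flags and 28000 <= port <= 28510 and port == baba_port(dst):
            hits.append((src, dst, port))
    return hits

if __name__ == "__main__":
    for src, dst, port in find_baba_beacons(SAMPLE_LOG):
        print(f"possible Baba beacon: {src} -> {dst}:{port}")
```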

The complete control server list (with port numbers calculated) is:


Manual Removal

Rebooting will stop the virus component from returning. To remove the trojan component, use the Task Manager to stop the process associated with C:\csrss.exe and remove the registry key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Key Logger", then delete C:\csrss.exe and C:\csrss.bin.
