length: 77,975 bytes
date: July 2008
Further information
FURTHER ALIASES:
AntiVir 7.8.1.23 2008.09.01 TR/Crypt.XPACK.Gen
Authentium 5.1.0.4 2008.09.01 W32/Backdoor2.AOPC
Avast 4.8.1195.0 2008.09.01 Win32:Wootbot-GU
AVG 8.0.0.161 2008.09.01 BackDoor.Wootbot.ATN
BitDefender 7.2 2008.09.01 Backdoor.Sdbot.DFQI
CAT-QuickHeal 9.50 2008.08.29 Backdoor.Wootbot.ff
ClamAV 0.93.1 2008.09.01 -
DrWeb 4.44.0.09170 2008.09.01 BackDoor.IRC.Woopbot.17
eSafe 7.0.17.0 2008.08.31 Win32.Wootbot.ff
eTrust-Vet 31.6.6062 2008.09.01 -
Ewido 4.0 2008.09.01 -
F-Prot 4.4.4.56 2008.09.01 W32/Backdoor2.AOPC
F-Secure 7.60.13501.0 2008.09.01 Backdoor.Win32.Wootbot.ff
Fortinet 3.14.0.0 2008.09.01 W32/WootBot.FF!tr.bdr
GData 19 2008.09.01 Backdoor.Win32.Wootbot.ff
Ikarus T3.1.1.34.0 2008.09.01 Generic.Sdbot
K7AntiVirus 7.10.435 2008.09.01 Backdoor.Win32.Wootbot.ff
Kaspersky 7.0.0.125 2008.09.01 Backdoor.Win32.Wootbot.ff
McAfee 5373 2008.08.29 Generic BackDoor
Microsoft 1.3807 2008.08.25 Worm:Win32/Wootbot.DO
NOD32v2 3404 2008.09.01 probably a variant of Win32/IRCBot
Norman 5.80.02 2008.09.01 W32/SDBot.BMFY
Panda 9.0.0.4 2008.08.31 Bck/Gaobot.QHE
PCTools 4.4.2.0 2008.09.01 Backdoor.Wootbot.YB
Prevx1 V2 2008.09.01 System Back Door
Rising 20.60.01.00 2008.09.01 Backdoor.Win32.Agent.zsw
Sophos 4.33.0 2008.09.01 Mal/EncPk-DM
Sunbelt 3.1.1592.1 2008.08.30 Trojan.Crypt.XPACK.Gen
Symantec 10 2008.09.01 W32.Spybot.Worm
TheHacker 6.3.0.8.069 2008.09.01 Backdoor/Wootbot.ff
TrendMicro 8.700.0.1004 2008.09.01 BKDR_WOOTBOT.BV
VBA32 3.12.8.4 2008.08.31 Backdoor.Win32.Wootbot.fj
ViRobot 2008.9.1.1359 2008.09.01 Backdoor.Win32.Wootbot.78336
VirusBuster 4.5.11.0 2008.09.01 Backdoor.Wootbot.YB
Webwasher-Gateway 6.6.2 2008.09.01 Trojan.Crypt.XPACK.Gen
BEHAVIOR:
- Copies itself to the %System% folder as FIXWEB.EXE.
- Creates the following Registry Entries in order to execute itself upon startup:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Windows has Layer = fixweb.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce, Windows has Layer = fixweb.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Windows has Layer = fixweb.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce, Windows has Layer = fixweb.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices, Windows has Layer = fixweb.exe
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run, Windows has Layer = fixweb.exe
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce, Windows has Layer = fixweb.exe
- Creates the following Registry Key to register the malware as a Windows Service:
HKLM\SYSTEM\CurrentControlSet\Services\ffor.mylifez.net
- Notifies a remote malicious user by connecting to the following host: iams.wearabz.net.
- Opens a random port and waits for commands coming from a remote malicious user.
Once connected, a remote malicious user may perform the following commands on the infected machine:
1. Obtain system information such as CPU, memory, operating system and currently logged on user
2. Upload, download and execute files
3. List and terminate processes.
4. Create and delete registry entries and Windows services.
5. Logoff and reboot system
6. Perform a denial of service attack on a targeted hostname
7. Spread via shared network drives
8. Act as proxy
9. Steal the following information:
- Yahoo userid
- AIM Screen Name
- MSN Email contacts
- Email addresses from the Windows Addressbook
- Windows Product ID
10. Steal serial numbers for the following games:
- Battlefield 1942
- Battlefield 1942: Secret Weapons Of WWII
- Battlefield 1942: The Road To Rome
- Battlefield 1942: Vietnam
- Black and White
- Call of Duty
- Command and Conquer: Generals
- Command and Conquer: Generals: Zero Hour
- Command and Conquer: Red Alert2
- Command and Conquer: Tiberian Sun
- Counter-Strike
- FIFA 2002
- FIFA 2003
- Freedom Force
- Global Operations
- Gunman Chronicles
- Half-Life
- Hidden and Dangerous 2
- Industry Giant 2
- James Bond 007: Nightfire
- Medal of Honor: Allied Assault
- Medal of Honor: Allied Assault: Breakthrough
- Medal of Honor: Allied Assault: Spearhead
- NHL 2002
- NHL 2003
- Nascar Racing 2002
- Nascar Racing 2003
- Need For Speed: Hot Pursuit 2
- Need For Speed: Underground:
- Neverwinter Nights
- Ravenshield:
- Shogun: Total War: Warlord Edition
- Soldier Of Fortune 2
- Soldiers Of Anarchy
- The Gladiators
- Unreal Tournament 2003
- Unreal Tournament 2004
REMOVAL: (WinXP)
- Press CTRL-SHIFT-ESC to open the "Windows Task Manager" and click the Processes TAB.
- Terminate the process named: FIXWEB.EXE.
- Click START->RUN, type REGEDIT and click OK.
- In the left panel, locate and delete the following registry key (if found):
HKLM\SYSTEM\CurrentControlSet\Services\ffor.mylifez.net
- Still in REGEDIT, locate and delete the following registry values:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Windows has Layer = fixweb.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce, Windows has Layer = fixweb.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Windows has Layer = fixweb.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce, Windows has Layer = fixweb.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices, Windows has Layer = fixweb.exe
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run, Windows has Layer = fixweb.exe
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce, Windows has Layer = fixweb.exe
- Scan your system with VirusBuster and delete all malware files.
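The manual removal steps above can be checked in one pass with the following PowerShell script, an added example that is not part of the original entry. It audits a host for exactly the artifacts listed in the BEHAVIOR section (the FIXWEB.EXE process, the "Windows has Layer" autorun values, the ffor.mylifez.net service key and the dropped copy in %System%), reports what it finds, and only deletes them when run with -Remove; the -Remove switch and the variable names are this example's own.

```powershell
# Added example (not from the original advisory): audit a host for the persistence
# artifacts this entry describes. Read-only by default; -Remove deletes what it finds.
param([switch]$Remove)

$valueName    = 'Windows has Layer'
$expectedData = 'fixweb.exe'
$runKeys = @(
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run',
    'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$serviceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\ffor.mylifez.net'
$dropPath   = Join-Path $env:SystemRoot 'System32\FIXWEB.EXE'   # %System%\FIXWEB.EXE

$findings = @()

# 1. Running process (stopped first so the file below can be deleted).
foreach ($p in Get-Process -Name 'FIXWEB' -ErrorAction SilentlyContinue) {
    $findings += "process: FIXWEB.EXE (PID $($p.Id))"
    if ($Remove) { Stop-Process -Id $p.Id -Force }
}

# 2. Autorun values "Windows has Layer" pointing at fixweb.exe in each listed key.
foreach ($key in $runKeys) {
    $item = Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.$valueName -like "*$expectedData*") {
        $findings += "autorun: $key\$valueName = $($item.$valueName)"
        if ($Remove) { Remove-ItemProperty -Path $key -Name $valueName -Force }
    }
}

# 3. Service registration key.
if (Test-Path $serviceKey) {
    $findings += "service key: $serviceKey"
    if ($Remove) { Remove-Item -Path $serviceKey -Recurse -Force }
}

# 4. Dropped copy in the System folder.
if (Test-Path $dropPath) {
    $findings += "file: $dropPath"
    if ($Remove) { Remove-Item -Path $dropPath -Force }
}

if ($findings.Count -eq 0) { 'No artifacts from this entry found.' } else { $findings }
```

Run it from an elevated prompt, since the HKLM and HKEY_USERS\.DEFAULT keys and the System32 file are not writable by a standard user.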