Shadowbot Removal Instructions

Instructions for locating and removing Shadow bot malware.

Instructions prepared by: Vitaly Kamluk, Kaspersky Lab
Date: 06.08.2008
MD5 of analyzed sample: 9e2ef49e84bc16c95b8fe21f4c0fe41e

Locating malware (with security software)

Kaspersky Anti-Virus has been able to detect malware which supports the Shadow botnet since 30th of January 2008. Detection names may vary from version to version. The malware is detected under the following names:

  • Backdoor.Win32.IRCBot.bit
  • Backdoor.Win32.IRCBot.biy
  • Backdoor.Win32.IRCBot.bjd
  • Backdoor.Win32.IRCBot.bjh
  • Backdoor.Win32.IRCBot.cja
  • Backdoor.Win32.IRCBot.cjj
  • Backdoor.Win32.IRCBot.ckq
  • Backdoor.Win32.IRCBot.cow
  • Backdoor.Win32.IRCBot.czt
  • Backdoor.Win32.IRCBot.ekz
  • Rootkit.Win32.Agent.aet
  • Trojan-Downloader.Win32.Injecter.pj
  • Trojan.Win32.DNSChanger.azo
  • Trojan.Win32.DNSChanger.bao
  • Trojan.Win32.DNSChanger.bck
  • Trojan.Win32.DNSChanger.bfo
  • Trojan.Win32.DNSChanger.bjh
  • Trojan.Win32.DNSChanger.bji
  • Trojan.Win32.DNSChanger.bjj
  • Trojan.Win32.DNSChanger.bmj
  • Trojan.Win32.DNSChanger.bnw
  • Trojan.Win32.DNSChanger.bqk
  • Trojan.Win32.DNSChanger.bsm
  • Trojan.Win32.DNSChanger.buu
  • Trojan.Win32.DNSChanger.bwi
  • Trojan.Win32.DNSChanger.bxd
  • Trojan.Win32.DNSChanger.bxe
  • Trojan.Win32.DNSChanger.bxv
  • Trojan.Win32.DNSChanger.cap
  • Trojan.Win32.DNSChanger.ccg
  • Trojan.Win32.DNSChanger.cei
  • Trojan.Win32.DNSChanger.cem
  • Trojan.Win32.DNSChanger.eag
  • Trojan.Win32.DNSChanger.gvb
  • Trojan.Win32.Restarter.e
  • Trojan.Win32.Restarter.f
  • Trojan.Win32.Restarter.g
  • Trojan.Win32.Restarter.h

The current sample was detected on 6th August 2008 as Trojan.Win32.DNSChanger.gvb.

Locating malware (manually)

As the bot doesn't copy its body to a fixed location on the system, the name of the malicious file can vary: it depends on the installer used to infect the system with the bot. However, it is possible to detect the presence of the bot by checking the system registry.

Users can check the system registry by running regedit.exe and checking the following registry value:

HKEY_CLASSES_ROOT\.htc\Content Type

System administrators of large networks can do this remotely using the reg.exe command as shown below:

The default system registry value (checked on Windows XP Pro SP2) for HKEY_CLASSES_ROOT\.htc\Content Type is “text/x-component”. If there is a different value such as “{space}” in the registry, this may mean the machine is infected with Shadow bot malware.

You can also check another registry key, which the bot modifies to allow itself outbound network connections through Windows Firewall:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\.

The bot adds an item to the list of Authorized Applications. The rule may be identified as "Flash Media" as shown below, but the name can vary.

This enables you to see the actual path to where the malicious file is stored on the infected system. The path to the malicious file can also be found in the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit registry value. The bot appends the path to its file to the legitimate userinit.exe as shown below:

The filename and location may vary.
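The three registry checks described above, as an added PowerShell example that is not part of these instructions. It reads each machine's registry through the Remote Registry service (so that service must be running on every target and the caller must have administrative rights there); host names are placeholders you supply, and the expected Userinit path is taken from the local system directory, which is an assumption about the targets.

```powershell
# Added example, not part of the Kaspersky instructions: check the registry
# locations described above on one or more machines and report deviations.
# Assumes the Remote Registry service is running on each target and that the
# caller has administrative rights there. Host names are placeholders.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME)
)

$expectedContentType = 'text/x-component'
# Assumption: the targets use the same system directory as this machine.
$expectedUserinit    = "$env:SystemRoot\system32\userinit.exe"
$firewallListKey     = 'SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'

foreach ($target in $ComputerName) {
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $target)
    } catch {
        Write-Warning ("{0}: cannot open remote registry: {1}" -f $target, $_.Exception.Message)
        continue
    }

    # Check 1: HKCR\.htc\Content Type. HKCR\.htc is a view of
    # HKLM\SOFTWARE\Classes\.htc, which is what the remote registry exposes.
    $htc = $hklm.OpenSubKey('SOFTWARE\Classes\.htc')
    $contentType = if ($htc) { [string]$htc.GetValue('Content Type') } else { '<key missing>' }
    if ($contentType -ne $expectedContentType) {
        Write-Output ("{0}: SUSPICIOUS  HKCR\.htc\Content Type = '{1}' (expected '{2}')" -f $target, $contentType, $expectedContentType)
    }

    # Check 2: Winlogon\Userinit. The value is a comma-separated list; anything
    # besides userinit.exe is an extra program launched at every logon.
    $winlogon = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon')
    $userinit = [string]$winlogon.GetValue('Userinit')
    $extra = @($userinit -split ',' | ForEach-Object { $_.Trim() } |
               Where-Object { $_ -ne '' -and $_ -ne $expectedUserinit })
    if ($extra.Count -gt 0) {
        Write-Output ("{0}: SUSPICIOUS  Userinit also launches: {1}" -f $target, ($extra -join '; '))
    }

    # Check 3: Windows Firewall authorized applications. The value name is the
    # program path; the data has the form "<path>:*:Enabled:<display name>".
    # Every entry is listed for review because the display name can vary.
    $fw = $hklm.OpenSubKey($firewallListKey)
    if ($fw) {
        foreach ($path in $fw.GetValueNames()) {
            $data = [string]$fw.GetValue($path)
            $flag = if ($data -match ':Enabled:Flash Media$') { 'SUSPICIOUS' } else { 'review    ' }
            Write-Output ("{0}: {1}  firewall exception for {2}" -f $target, $flag, $path)
        }
    }
    $hklm.Close()
}
```

Run it as `.\Check-ShadowBot.ps1 -ComputerName host1,host2` from an administrative account. Lines marked SUSPICIOUS point at the registry values the text describes; the firewall list is printed in full because an infected machine's exception may carry a different display name than "Flash Media", and the value name in that list is the path to the malicious file.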

Network administrators can identify infected machines on the local network by checking for outbound network connections to elena.ccpower.ru on port 3306, or by using address- and port-independent detection based on filtering network traffic for the patterns shown below:

Removing malware (manually)

The bot patches the winlogon.exe process in memory. This gives the malicious code local system privileges and protects the original malicious file against removal. It also protects the registry settings against modification by restoring them frequently. If the malicious process is not running, the patched winlogon.exe restarts it.

Once you have identified the malicious executable, follow the instructions below to remove the malware and restore system settings:

1. Deny the current user all access to the malicious file. To do this, navigate to the file using Windows Explorer.

Make sure that “Use simple file sharing” is disabled (on NTFS volumes) in Windows Explorer (Tools -> Folder Options -> View):

Right click the malicious file and select “Properties”:

Go to the “Security” tab and adjust file access control. You will need to add the current user to the list of “Group or user names”:

Click the “Add” button, enter the current user name, and check all checkboxes in the Deny column for the current user:

2. Reboot your system.

3. Navigate to the malicious file again. Now you will be able to remove it.

4. Run regedit.exe and restore the registry values to their system defaults. The values may vary depending on your system installation path. Typical values are listed below (key=value):

"HKCR\.htc\Content Type" = "text/x-component"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit" = "C:\WINDOWS\system32\userinit.exe"

5. Delete the following values:

"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Flash Media"
"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"

6. Update your antivirus databases and run a full scan of your computer (download a trial version of Kaspersky Anti-Virus).
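Steps 1 and 3 to 5 above as a single script, added here as an example and not part of the Kaspersky instructions. It uses reg.exe, as the text suggests, and is run twice: with -Phase Deny before the reboot in step 2 and with -Phase Clean after it. $MaliciousPath and $RunValueName are placeholders you fill in from the registry findings; the Userinit default is taken from the system directory rather than hard-coded to C:\WINDOWS, and step 6 (the antivirus scan) is left to the user.

```powershell
# Added example, not part of the Kaspersky instructions: the manual removal
# steps as a two-phase script. Run with -Phase Deny (step 1), reboot (step 2),
# then run with -Phase Clean (steps 3-5). Requires administrative rights.
# $MaliciousPath and $RunValueName are placeholders taken from the registry
# findings; the display name "Flash Media" can vary, as the text notes.
param(
    [Parameter(Mandatory = $true)][ValidateSet('Deny', 'Clean')][string]$Phase,
    [Parameter(Mandatory = $true)][string]$MaliciousPath,
    [string]$RunValueName = 'Flash Media'
)

$winlogonKey = 'HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$runKey      = 'HKLM\Software\Microsoft\Windows\CurrentVersion\Run'
$fwListKey   = 'HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
# Windows XP stores the default Userinit value with a trailing comma, and the
# system directory may not be C:\WINDOWS, so it is taken from the environment.
$defaultUserinit = "$env:SystemRoot\system32\userinit.exe,"

function Invoke-Reg {
    # Runs reg.exe and stops the script if it fails, so a missed step is not silently skipped.
    param([string[]]$Arguments)
    & reg.exe @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe $($Arguments -join ' ') failed with exit code $LASTEXITCODE" }
}

switch ($Phase) {
    'Deny' {
        # Step 1: deny the current user all access to the file. cacls /E edits the
        # existing ACL in place and /D adds a Deny entry for the named user.
        if (-not (Test-Path -LiteralPath $MaliciousPath)) { throw "File not found: $MaliciousPath" }
        & cacls.exe $MaliciousPath /E /D $env:USERNAME
        Write-Output "Deny entry added for $env:USERNAME on $MaliciousPath. Reboot now, then rerun with -Phase Clean."
    }
    'Clean' {
        # Step 3: after the reboot the patched winlogon.exe no longer protects the file.
        # A failure here stops the script, since a file left behind would be reloaded.
        Remove-Item -LiteralPath $MaliciousPath -Force -ErrorAction Stop
        # Step 4: restore the two hijacked values.
        Invoke-Reg @('add', 'HKCR\.htc', '/v', 'Content Type', '/t', 'REG_SZ', '/d', 'text/x-component', '/f')
        Invoke-Reg @('add', $winlogonKey, '/v', 'Userinit', '/t', 'REG_SZ', '/d', $defaultUserinit, '/f')
        # Step 5: remove the Run entry and the firewall exception. The firewall list
        # uses the program path as the value name, so the path is what gets deleted.
        Invoke-Reg @('delete', $runKey, '/v', $RunValueName, '/f')
        Invoke-Reg @('delete', $fwListKey, '/v', $MaliciousPath, '/f')
        # Read back the restored values so the result can be checked before step 6.
        reg.exe query 'HKCR\.htc' /v 'Content Type'
        reg.exe query $winlogonKey /v Userinit
        Write-Output "Registry restored. Update antivirus databases and run a full scan (step 6)."
    }
}
```

Typical use is `.\Remove-ShadowBot.ps1 -Phase Deny -MaliciousPath 'C:\path\to\file.exe'`, a reboot, then the same command with `-Phase Clean`. The Deny phase deliberately does nothing else: until the reboot, the patched winlogon.exe would restore any registry value the script changed.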