Write-up by: Kevin Ha
Discovered on: January 21, 2005
Last Updated on: January 24, 2005 10:54:13 AM

W32.Blatic.A is a worm that spreads through network shares and has back door functionality allowing it to receive commands from a remote attacker through IRC channels.

When W32.Blatic.A is executed, it does the following:


Creates the mutex "blaaat" so that only one instance of the worm runs on the compromised computer.


Copies itself as %System%\iexplor.exe.

Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).


Checks for the presence of the following registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS. Update\"bla" = "[random number]"

If the above registry entry exists, the worm downloads files via HTTP and executes them. The worm may also download an updated version of itself.


Adds the value:

"shell" = "explorer.exe iexplor.exe"

to the registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

so that it runs when Windows starts.


Adds the value:

"winsockdriver" = "iexplor.exe"

to the registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

so that it runs when Windows starts.


Adds the value:

"bla" = "[random number]"

to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS. Update

as an infection marker.


Adds the line:

shell = explorer.exe iexplor.exe

to the boot section of the %Windir%\system.ini file, so that the worm runs when Windows starts.

Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.


Spreads through ADMIN$ network shares using a predefined list of common passwords.


Opens a back door by connecting to the "OlaGh" channel on one of the following IRC servers, through TCP port 6667:


irc.iranserv.com
arya.persiairc.com
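The persistence entries and the infection marker described above can be checked for offline. The following Python script is an added example, not part of the original write-up: it parses a constructed .reg-style export and a constructed system.ini [boot] section (both sample inputs, not real captures) and reports every W32.Blatic.A artifact it finds. The function names are this example's own.

```python
import re

# Constructed sample .reg export containing the Winlogon, Run and
# "MS. Update" entries the write-up lists (sample data, not a real capture).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"shell"="explorer.exe iexplor.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winsockdriver"="iexplor.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS. Update]
"bla"="48213"
'''

# Constructed sample %Windir%\system.ini with the modified boot section.
SAMPLE_SYSTEM_INI = "[boot]\nshell=explorer.exe iexplor.exe\n[drivers]\nwave=mmdrv.dll\n"

def parse_reg_export(text):
    # Map (key path lower-cased, value name lower-cased) -> string value.
    entries, key = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and (m := re.match(r'^"([^"]+)"="(.*)"$', line)):
            entries[(key, m.group(1).lower())] = m.group(2)
    return entries

def boot_shell(ini_text):
    # Return the shell= value from the [boot] section of system.ini, or None.
    section = None
    for line in (l.strip() for l in ini_text.splitlines()):
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "boot" and line.lower().startswith("shell="):
            return line.partition("=")[2].strip()
    return None

def scan_blatic(reg_text, ini_text):
    # Return a list of findings matching the artifacts named in the write-up.
    findings = []
    for (key, name), value in parse_reg_export(reg_text).items():
        if name == "shell" and key.endswith(r"\winlogon") and "iexplor.exe" in value.lower():
            findings.append(f"Winlogon shell hijacked: {value}")
        elif name == "winsockdriver" and key.endswith((r"\run", r"\runonce")) and value.lower() == "iexplor.exe":
            findings.append(f"Run entry points at worm: {key}")
        elif name == "bla" and key.endswith(r"\ms. update") and value.isdigit():
            findings.append(f"Infection marker present: bla={value}")
    shell = boot_shell(ini_text)
    if shell and "iexplor.exe" in shell.lower():
        findings.append(f"system.ini [boot] shell modified: {shell}")
    return findings

if __name__ == "__main__":
    for finding in scan_blatic(SAMPLE_REG_EXPORT, SAMPLE_SYSTEM_INI):
        print(finding)
```

On a live host the same checks would be run against `reg export` output and the real %Windir%\system.ini; a clean system yields an empty list.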