Security Protection - Harry Waldron (CS)

Security Best Practices, Breaking News, & Updates

New Avzhan Botnet Family Emerges

TrendLabs shares an informative write-up on a new botnet family that is currently affecting users in Asia.

New Azvhan Bot Family Revealed
http://blog.trendmicro.com/new-azvhan-bot-family-revealed/
http://asert.arbornetworks.com/2010/09/another-family-of-ddos-bots-avzhan/
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=Mal_Scar-1

QUOTE: A new bot family was found in the wild around April this year. This family was named “Avzhan.” Avzhan malware, detected by Trend Micro as Mal_Scar-1, mostly affected Asia where most of the affected users resided. Avzhan bots install themselves onto the Windows system directory using the file name {six random lower-case letters}.exe. After installation, it deletes its original copy then executes the copy it installed. It registers itself as a service to run at every system startup, as shown by the service named Q MUSCIC below.

As is typical of botnet zombies, Mal_Scar-1 can execute various commands received from its command-and-control (C&C) servers, including downloading and executing potentially malicious files. This also allows complete takeover of users’ systems. In addition, it also steals certain information about users’ systems. This stolen information is part of the data sent back to the botnet’s servers, which includes the following:

• Computer name
• CPU speed
• Language used
• Memory size
• Windows version
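
A defender-side check built on the install behaviour quoted above, added here as an example and not taken from Trend Micro or this blog: it scans service ImagePath values for a six-lower-case-letter .exe sitting directly in the Windows system directory. The sample service entries, the file names in them, and the baseline are constructed for illustration.

```python
import re

# Spellings of the Windows system directory seen in service ImagePath values.
_SYSDIR = re.compile(
    r'^(?:%systemroot%|%windir%|\\systemroot|[a-z]:\\windows)\\system32\\',
    re.IGNORECASE)
# File name pattern from the write-up: six lower-case letters plus .exe.
_NAME = re.compile(r'^[a-z]{6}\.exe$')

# Example baseline entry; build the real list from a known-clean image.
BASELINE = {"sppsvc.exe"}

# Constructed sample (service name -> ImagePath), not data from a real host.
SAMPLE_SERVICES = {
    "Q MUSCIC": r"C:\WINDOWS\system32\qkdmxe.exe",
    "Constructed Svc": r'"C:\Windows\System32\wbrtqa.exe" -s',
    "sppsvc": r"%SystemRoot%\system32\sppsvc.exe",
    "Dhcp": r"%SystemRoot%\system32\svchost.exe -k LocalService",
    "ExampleAgent": r'"C:\Program Files\Example\agentx.exe" --run',
}


def image_path_exe(image_path):
    """Return the executable part of an ImagePath, without quotes or arguments."""
    p = image_path.strip()
    if p.startswith('"'):
        return p[1:].split('"', 1)[0]
    m = re.match(r'(.+?\.exe)(?:\s|$)', p, re.IGNORECASE)
    return m.group(1) if m else p


def suspicious_services(services, baseline):
    """List (service, exe) pairs matching the naming pattern and not in baseline."""
    hits = []
    for name, image_path in services.items():
        exe = image_path_exe(image_path)
        m = _SYSDIR.match(exe)
        if not m:
            continue
        leaf = exe[m.end():]  # anything in a subdirectory keeps a backslash
        if _NAME.match(leaf) and leaf not in baseline:
            hits.append((name, exe))
    return sorted(hits)


if __name__ == "__main__":
    for svc, exe in suspicious_services(SAMPLE_SERVICES, BASELINE):
        print(f"review: service {svc!r} -> {exe}")
```

The name pattern alone also matches legitimate six-letter binaries, which is why the baseline is subtracted before anything is reported.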