Need help? Ask the community or hire an expert.
Go to Avira Answers
Virus:Worm.Rbot.SC
Date discovered:13/12/2012
Type:Worm
In the wild:No
Reported Infections:Low
Distribution Potential:Medium
Damage Potential:Medium
Static file:Yes
File size:115.712 Bytes
MD5 checksum:841bd2641ee5b9b2cebab37f1cb0b86e
VDF version:7.11.53.216

 General Method of propagation:
   • Local network


Aliases:
   •  Symantec: W32.Spybot.Worm
   •  Mcafee: W32/Sdbot.worm.gen
   •  Kaspersky: Backdoor.Win32.Rbot.gen
   •  TrendMicro: WORM_SPYBOT.AZV
   •  Sophos: W32/Rbot-Fam
   •  Panda: W32/Gaobot.BJY.worm
   •  Grisoft: IRC/BackDoor.SdBot.74.BP
   •  VirusBuster: Worm.RBot.CCF
   •  Bitdefender: Worm.Gaobot.BJY


Platforms / OS:
   • Windows 2000
   • Windows XP


Side effects:
   • Registry modification
   • Makes use of software vulnerability
   • Steals information

 Files It copies itself to the following location:
   • %SYSDIR%\wvsvc.exe



It deletes the initially executed copy of itself.

 Registry The following registry keys are added in order to run the processes after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "wvsvc"="wvsvc.exe"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
   • "wvsvc"="wvsvc.exe"

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "wvsvc"="wvsvc.exe"



The following registry key is added:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
   • "wvsvc"="wvsvc.exe"



The following registry keys are changed:

– [HKLM\SOFTWARE\Microsoft\Ole]
   Old value:
   • "EnableDCOM"="Y"
   New value:
   • "EnableDCOM"="N"

– [HKLM\SYSTEM\CurrentControlSet\Control\Lsa]
   Old value:
   • "restrictanonymous"=dword:00000000
   • "restrictanonymoussam"=dword:00000001
   New value:
   • "restrictanonymous"=dword:00000001
   • "restrictanonymoussam"=dword:00000001

 Network Infection In order to ensure its propagation the malware attemps to connect to other machines as described below.

It drops copies of itself to the following network shares:
   • C:$\Windows\System32
   • C:$\WINNT\System32
   • ADMIN$\System32
   • IPC$


It uses the following login information in order to gain access to the remote machine:

–Cached usernames and passwords.

– The following list of usernames:
   • access; admin; administrator; backup; barbara; blank; brian; bruce;
      capitol; cisco; compaq; control; default; domain; exchange; exchnge;
      frank; freddy; george; guest; headoffice; heaven; homeuser; internet;
      internet; intranet; katie; login; nokia; oeminstall; office; orange;
      peter; siemens; spencer; staff; student; student1; susan; teacher;
      technical; turnip; yellow

– The following list of passwords:
   • 123; 1234; 12346; 123467; 1234678; 12346789; 123467890; accounting;
      accounts; changeme; databasepass; databasepassword; db1234; dbpass;
      dbpassword; default; domain; domainpass; domainpassword;
      domainpassword; hell; hello; loginpass; outlook; pass1234; passwd;
      password; password1; qwerty; server; system; sqlpass; userpassword;
      win2000; win2k; win98; windows; winpass; winnt; winxp

It makes use of the following Exploits:
– MS02-061 (Elevation of Privilege in SQL Server Web)
– MS03-026 (Buffer Overrun in RPC Interface)
– MS04-011 (LSASS Vulnerability)


IP address generation:
It creates random IP addresses while it keeps the first two octets from its own address. Afterwards it tries to establish a connection with the created addresses.


Infection process:
Creates a TFTP script on the compromised machine in order to download the malware to the remote location.


Slow down:
– Depending on your bandwidth you might notice a fall in your network speed. As the network activity for this malware is medium you might not take notice of this if you have a broadband connection.
– You might also notice a slow down due to the multiple network threads created.

 IRC To deliver system information and to provide remote control it connects to the following IRC Server:

Server: real.prof**********.us
Port: 62173
Channel: #ra
Nickname: rF-%random character string%



– This malware has the ability to collect and send information such as:
    • Cached passwords
    • CPU speed
    • Free disk space
    • Free memory
    • Information about the network
    • Information about running processes
    • Size of memory
    • Username


– Furthermore it has the ability to perform actions such as:
    • connect to IRC server
    • Launch DDoS SYN flood
    • Launch DDoS TCP flood
    • Launch DDoS UDP flood
    • Disable DCOM
    • Download file
    • Edit registry
    • Enable network shares
    • Execute file
    • Join IRC channel
    • Kill process
    • Open remote shell
    • Restart system
    • Send emails

 Backdoor The following ports are opened:

%SYSDIR%\wvsvc.exe on UDP port 69 in order to provide a TFTP server.
%SYSDIR%\wvsvc.exe on a random TCP port in order to provide a remote Shell.

 Stealing It tries to steal the following information:
– Windows Product ID

– The following CD keys:
   •  Battlefield 1942; Battlefield 1942 (Road To Rome); Battlefield 1942
      (Secret Weapons of WWII); Battlefield Vietnam; Black and White; Call
      of Duty; Chrome; Command and Conquer: Generals; Command and Conquer:
      Generals (Zero Hour); Command and Conquer: Red Alert; Command and
      Conquer: Red Alert 2; Command and Conquer: Tiberian Sun;
      Counter-Strike (Retail); FarCry; FIFA 2002; FIFA 2003; Freedom Force;
      Global Operations; Ground Control II; Gunman Chronicles; Half-Life;
      Hidden & Dangerous 2; IGI 2: Covert Strike; Industry Giant 2; James
      Bond 007: Nightfire; Joint Operations: Typhoon Rising; Legends of
      Might and Magic; Medal of Honor: Allied Assault; Medal of Honor:
      Allied Assault: Breakthrough; Medal of Honor: Allied Assault:
      Spearhead; Nascar Racing 2002; Nascar Racing 2003; Need For Speed Hot
      Pursuit 2; Need For Speed:Underground; Neverwinter Nights (Hordes of
      the Underdark); Neverwinter Nights (Shadows of Undrentide); NHL 2002;
      NHL 2003; NOX; Rainbow Six III RavenShield; Shogun Total War - Warlord
      Edition; Soldier of Fortune II - Double Helix; Soldiers Of Anarchy;
      The Gladiators; Unreal Tournament 2003; Unreal Tournament 2004

– A logging routine is started after keystrokes are typed that match one of the following strings:
   • Admin; advscan; asc; auth; hashin; id; Login; login; pass; PASS; pass;
      PASSWORD; Password; paypal; paypal; paypal.com; scan.all; scan.start;
      scan.startall; secure; start.scan; syn; USER; user

 Miscellaneous Mutex:
It creates the following Mutex:
   • ra

 File details Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
   • PE_Patch.Morphine; Morphine; ASPack

Description inserted by Irina Boldea on Thursday, August 4, 2005
Description updated by Oliver Auerbach on Friday, August 19, 2005

Back . . . .