Virus:Worm/RBot.172964.1
Date discovered:31/08/2005
Type:Worm
In the wild:No
Reported Infections:Low
Distribution Potential:Medium
Damage Potential:Medium
Static file:Yes
File size:172,964 Bytes
MD5 checksum:a4a23feebba7120c57e86fa8c7c19e89
VDF version:6.31.0.46

 General Method of propagation:
   • Local network


Aliases:
   •  Symantec: W32.Spybot.Worm
   •  Kaspersky: Backdoor.Win32.Rbot.gen
   •  TrendMicro: WORM_RBOT.BPO
   •  Sophos: W32/Rbot-Fam
   •  VirusBuster: Worm.RBot.Gen.4
   •  Bitdefender: Exploit.Based.Worm.Gen


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops a file
   • Registry modification
   • Makes use of software vulnerability
   • Steals information
   • Third party control

 Files It copies itself to the following location:
   • %sysdir%\setup32.exe



It deletes the initially executed copy of itself.



The following file is created:

– %sysdir%\msdirectx.sys Further investigation pointed out that this file is malware, too.

 Registry The following registry key is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   • "Userinit"="userinit.exe,setup32.exe"



The following registry keys are added in order to load the services after reboot:

– [HKLM\SYSTEM\CurrentControlSet\Services\msdirectx]
   • "Type"=dword:00000001
   • "Start"=dword:00000003
   • "ErrorControl"=dword:00000001
   • "ImagePath"=hex(2):%sysdir%\msdirectx.sys
   • "DisplayName"="msdirectx"

– [HKLM\SYSTEM\CurrentControlSet\Services\msdirectx\Enum]
   • "0"="Root\\LEGACY_MSDIRECTX\\0000"
   • "Count"=dword:00000001
   • "NextInstance"=dword:00000001

– [HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSDIRECTX\0000]
   • "Service"="msdirectx"
   • "Legacy"=dword:00000001
   • "ConfigFlags"=dword:00000000
   • "Class"="LegacyDriver"
   • "ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
   • "DeviceDesc"="msdirectx"

– [HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSDIRECTX\0000\
   Control]
   • "*NewlyCreated*"=dword:00000000
   • "ActiveService"="msdirectx"

– [HKLM\SYSTEM\CurrentControlSet\Services\msdirectx\Security]
   • "Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
      00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
      00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
      05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
      20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
      00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
      00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00



The following registry keys are changed:

– [HKLM\SYSTEM\CurrentControlSet\Control\Lsa]
   Old value:
   • "restrictanonymous"=%user defined settings%
   • "restrictanonymoussam"=%user defined settings%
   New value:
   • "restrictanonymous"=dword:00000001
   • "restrictanonymoussam"=dword:00000001

– [HKLM\SOFTWARE\Microsoft\Ole]
   Old value:
   • "EnableDCOM"=%user defined settings%
   New value:
   • "EnableDCOM"="N"

 Network Infection In order to ensure its propagation the malware attemps to connect to other machines as described below.

It drops copies of itself to the following network shares:
   • D$
   • C$
   • ADMIN$
   • IPC$


It uses the following login information in order to gain access to the remote machine:

– The following list of usernames:
   • adm; db2; oracle; dba; database; default; guest; wwwadmin; teacher;
      student; owner; computer; root; staff; admin; admins; administrat;
      administrateur; administrador; administrator

– The following list of passwords:
   • intranet; lan; main; winpass; blank; office; control; xp; nokia; hp;
      siemens; compaq; dell; cisco; ibm; orainstall; sqlpassoainstall; sql;
      sa; db1234; db1; databasepassword; data; databasepass; dbpassword;
      dbpass; access; domainpassword; domainpass; domain; hello; hell; god;
      sex; slut; bitch; fuck; exchange; backup; technical; loginpass; login;
      mary; katie; kate; george; eric; chris; ian; neil; lee; brian; susan;
      sue; sam; luke; peter; john; mike; bill; fred; joe; jen; bob; qwe;
      zxc; asd; qaz; win2000; winnt; winxp; win2k; win98; windows;
      oeminstall; oemuser; oem; user; homeuser; home; accounting; accounts;
      internet; www; web; outlook; mail; qwerty; null; server; system;
      changeme; linux; unix; demo; none; test; 2004; 2003; 2002; 2001; 2000;
      1234567890; 123456789; 12345678; 1234567; 123456; 12345; 1234; 123;
      12; 1; 007; pwd; pass; pass1234; passwd; password; password1



Exploit:
It makes use of the following Exploits:
– MS03-026 (Buffer Overrun in RPC Interface)
– MS04-011 (LSASS Vulnerability)


IP address generation:
It creates random IP addresses and tries to establish a connection with them.


Infection process:
Creates a TFTP script on the compromised machine in order to download the malware to the remote location.

 IRC To deliver system information and to provide remote control it connects to the following IRC Server:

Server: **********.domainsite.com
Port: 8249
Server password: st4y4w4y
Channel: #.mss
Nickname: [xx]%seven-digit random character string%
Password: mss

Server: **********.olympicz.net
Port: 8249
Server password: st4y4w4y
Channel: #.mss
Nickname: [xx]%seven-digit random character string%
Password: mss



– This malware has the ability to collect and send information such as:
    • CPU speed
    • Current user
    • Free disk space
    • Free memory
    • Malware uptime
    • Information about the network
    • Platform ID
    • Size of memory


– Furthermore it has the ability to perform actions such as:
    • Disable network shares
    • Enable network shares
    • Execute file
    • Kill process
    • Open remote shell
    • Perform network scan
    • Start spreading routine
    • Updates itself
    • Upload file

 Injection – It injects itself into a process.

    Process name:
   • services.exe


 File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
   • EXEStealth

Description inserted by Iulia Diaconescu on Friday, September 2, 2005
Description updated by Iulia Diaconescu on Monday, September 19, 2005

Back . . . .