Virus:Worm/RBot.139264.2
Date discovered:02/09/2005
Type:Worm
In the wild:No
Reported Infections:Low
Distribution Potential:Medium
Damage Potential:Medium
Static file:Yes
File size:139.264 Bytes
MD5 checksum:3fef0de491e96a3c15d6bd0be1e1841e
VDF version:6.31.1.196

 General Method of propagation:
   • Local network


Aliases:
   •  Symantec: W32.Spybot.Worm
   •  Mcafee: W32/Sdbot.worm.gen.ar
   •  VirusBuster: Worm.Rbot.CIB
   •  Bitdefender: Backdoor.Rbot.AAG


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads a malicious file
   • Registry modification
   • Makes use of software vulnerability
   • Steals information
   • Third party control

 Files It copies itself to the following location:
   • %sysdir%\windows.pif



It deletes the initially executed copy of itself.



It deletes the following file:
   • %sysdir%\windows.pif



The following file is created:

– A file that is for temporary use and it might be deleted afterwards:
   • %random character string%.exe

– %temp%\del.bat Furthermore it gets executed after it was fully created. This batch file is used to delete a file.



It tries to download a file:

– The locations are the following:
   • http://**********.79.160.8/ts32.dll
   • http://**********.79.160.8/sys.dll
It is saved on the local hard drive under: %sysdir%\msdos.pif Furthermore this file gets executed after it was fully downloaded. Further investigation pointed out that this file is malware, too.

 Registry The following registry keys are added in order to run the processes after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "MSDOS Security Service"="msdos.pif"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
   • "MSDOS Security Service"="msdos.pif"



The following registry keys are added in order to load the services after reboot:

– [HKLM\SOFTWARE\Microsoft\Ole]
   • "MSDOS Security Service"="msdos.pif"

– [HKLM\SYSTEM\CurrentControlSet\Control\Lsa]
   • "MSDOS Security Service"="msdos.pif"



The following registry keys are changed:

– [HKLM\SOFTWARE\Microsoft\Ole]
   Old value:
   • "EnableDCOM"=%user defined settings%
   New value:
   • "EnableDCOM"="N"

– [HKLM\SYSTEM\CurrentControlSet\Control\Lsa]
   Old value:
   • "restrictanonymous"=%user defined settings%
   New value:
   • "restrictanonymous"=dword:00000001

 Network Infection In order to ensure its propagation the malware attemps to connect to other machines as described below.

It drops copies of itself to the following network shares:
   • admin$
   • Admin$\system32
   • ipc$


Exploit:
It makes use of the following Exploits:
– MS03-026 (Buffer Overrun in RPC Interface)
– MS03-049 (Buffer Overrun in the Workstation Service)
– MS04-007 (ASN.1 Vulnerability)
– MS04-011 (LSASS Vulnerability)
– MS05-039 (Vulnerability in Plug and Play)


IP address generation:
It creates random IP addresses and tries to establish a connection with them.


Infection process:
Creates a TFTP or FTP script on the compromised machine in order to download the malware to the remote location.

 IRC To deliver system information and to provide remote control it connects to the following IRC Servers:

Server: **********.security.security32.biz
Port: 65528
Server password: gringle
Channel: #udz#
Nickname: %eight-digit random character string%
Password: shabby123

Server: **********.security.updates32.biz
Port: 4654
Server password: gringle
Channel: #udz#
Nickname: %eight-digit random character string%
Password: shabby123

Server: **********.security.security32.biz
Port: 4564
Server password: gringle
Channel: #udz#
Nickname: %eight-digit random character string%
Password: shabby123

Server: **********.security.updates32.biz
Port: 65529
Server password: gringle
Channel: #udz#
Nickname: %eight-digit random character string%
Password: shabby123

Server: **********.service.security32.biz
Port: 65528
Server password: gringle
Channel: #udz#
Nickname: %eight-digit random character string%
Password: shabby123

Server: **********.service.updates32.biz
Port: 4654
Server password: gringle
Channel: #udz#
Nickname: %eight-digit random character string%
Password: shabby123

Server: **********.service.security32.biz
Port: 4564
Server password: gringle
Channel: #udz#
Nickname: %eight-digit random character string%
Password: shabby123

Server: **********.service.updates32.biz
Port: 65529
Server password: gringle
Channel: #udz#
Nickname: %eight-digit random character string%
Password: shabby123

Server: **********.security.security32.biz
Port: 65528
Server password: gringle
Channel: #tests
Nickname: %eight-digit random character string%
Password: -s

Server: **********.security.updates32.biz
Port: 4654
Server password: gringle
Channel: #tests
Nickname: %eight-digit random character string%
Password: -s

Server: **********.security.security32.biz
Port: 4564
Server password: gringle
Channel: #tests
Nickname: %eight-digit random character string%
Password: -s

Server: **********.security.updates32.biz
Port: 65529
Server password: gringle
Channel: #tests
Nickname: %eight-digit random character string%
Password: -s

Server: **********.service.security32.biz
Port: 65528
Server password: gringle
Channel: #tests
Nickname: %eight-digit random character string%
Password: -s

Server: **********.service.updates32.biz
Port: 4654
Server password: gringle
Channel: #tests
Nickname: %eight-digit random character string%
Password: -s

Server: **********.service.security32.biz
Port: 4564
Server password: gringle
Channel: #tests
Nickname: %eight-digit random character string%
Password: -s

Server: **********.service.updates32.biz
Port: 65529
Server password: gringle
Channel: #tests
Nickname: %eight-digit random character string%
Password: -s



– This malware has the ability to collect and send information such as:
    • CPU speed
    • Current user
    • Free disk space
    • Free memory
    • Malware uptime
    • Platform ID
    • Size of memory
    • System directory


– Furthermore it has the ability to perform actions such as:
    • Launch DDoS SYN flood
    • Disable DCOM
    • Disable network shares
    • disconnect from IRC server
    • Download file
    • Enable DCOM
    • Enable network shares
    • Execute file
    • Join IRC channel
    • Leave IRC channel
    • Open remote shell
    • Perform network scan
    • Start spreading routine
    • Updates itself
    • Upload file

 Miscellaneous Mutex:
It creates the following Mutex:
   • msdoss

 File details Programming language:
 The malware program was written in MS Visual C++.

Description inserted by Iulia Diaconescu on Friday, September 2, 2005
Description updated by Iulia Diaconescu on Monday, September 19, 2005

Back . . . .