Virus:Worm/Rbot.79872.3
Date discovered:07/09/2005
Type:Worm
In the wild:No
Reported Infections:Low
Distribution Potential:Medium
Damage Potential:Medium
Static file:Yes
File size:79.872 Bytes
MD5 checksum:b194501e863d4007caccaa682e607aed
VDF version:6.31.1.216

 General Methods of propagation:
   • Local network
   • Mapped network drives


Aliases:
   •  VirusBuster: Worm.RBot.CJK
   •  Bitdefender: Backdoor.RBot.B4FF80F8


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows 2000
   • Windows XP


Side effects:
   • Uses its own Email engine
   • Lowers security settings
   • Registry modification
   • Makes use of software vulnerability
   • Steals information
   • Third party control

 Files It copies itself to the following location:
   • %SYSDIR%\google.exe



It deletes the initially executed copy of itself.

 Registry The following registry keys are added in order to run the processes after reboot:

– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   • "google"="google.exe"

– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
   • "google"="google.exe"



The following registry keys are changed:

– HKLM\SOFTWARE\Microsoft\Ole
   Old value:
   • "EnableDCOM"="%user defined settings%"
   New value:
   • "EnableDCOM"="N"

– HKLM\SYSTEM\CurrentControlSet\Control\Lsa
   Old value:
   • "restrictanonymous"=%user defined settings%
     "restrictanonymoussam"=%user defined settings%
   New value:
   • "restrictanonymous"=dword:00000001
     "restrictanonymoussam"=dword:00000001

 Network Infection In order to ensure its propagation the malware attemps to connect to other machines as described below.

It drops copies of itself to the following network shares:
   • C$
   • D$"
   • ADMIN$
   • IPC$


It uses the following login information in order to gain access to the remote machine:

–Cached usernames and passwords.

– The following list of usernames:
   • accounting; accounts; admin; administrador; administrat;
      administrateur; administrator; admins; bill; bob; brian; chris;
      computer; eric; fred; george; guest; home; homeuser; ian; internet;
      jen; joe; john; kate; katie; lee; luke; mary; mike; neil; oem;
      oeminstall; oemuser; owner; peter; root; sam; staff; student; sue;
      susan; teacher; user; wwwadmin

– The following list of passwords:
   • 7; 123; 1234; 2000; 2001; 2002; 2003; 2004; 12345; 123456; 1234567;
      12345678; 123456789; 1234567890; access; accounting; accounts; adm;
      asd; backup; bitch; blank; changeme; cisco; compaq; control; data;
      database; databasepass; databasepassword; db1; db1234; db2; dba;
      dbpass; dbpassword; default; dell; demo; domain; domainpass;
      domainpassword; exchange; fuck; god; hell; hello; ibm; internet;
      intranet; lan; linux; login; loginpass; mail; main; nokia; none; null;
      office; oracle; orainstall; outlook; pass; pass1234; passwd; password;
      password1; pwd; qaz; qwe; qwerty; server; sex; siemens; slut; sql;
      sqlpassoainstall; system; technical; test; unix; web; win2000; win2k;
      win98; windows; winnt; winpass; winxp; www; zxc



Exploit:
It makes use of the following Exploits:
– MS02-061 (Elevation of Privilege in SQL Server Web)
– MS04-007 (ASN.1 Vulnerability)
– MS04-011 (LSASS Vulnerability)
– MS05-039 (Vulnerability in Plug and Play)


IP address generation:
It creates random IP addresses while it keeps the first two octets from its own address. Afterwards it tries to establish a connection with the created addresses.


Infection process:
Creates a TFTP or FTP script on the compromised machine in order to download the malware to the remote location.
It makes the compromised machine download the malware from the infected source computer.


Slow down:
–It creates multiple infection threads.
– Depending on your bandwidth you might notice a fall in your network speed. As the network activity for this malware is medium you might not take notice of this if you have a broadband connection.
– You might also notice a slow down due to the multiple network threads created.

 IRC To deliver system information and to provide remote control it connects to the following IRC Server:

Server: disclosure**********.server.us
Port: 40000
Channel: #support
Nickname: [XP]|%random characters string%
Password: server



– This malware has the ability to collect and send information such as:
    • Cached passwords
    • CPU speed
    • Current user
    • Free disk space
    • Free memory
    • Malware uptime
    • Information about the network
    • Information about running processes
    • Size of memory
    • Username


– Furthermore it has the ability to perform actions such as:
    • connect to IRC server
    • Launch DDoS ICMP flood
    • Launch DDoS SYN flood
    • Launch DDoS TCP flood
    • Launch DDoS UDP flood
    • Disable DCOM
    • Disable network shares
    • disconnect from IRC server
    • Download file
    • Edit registry
    • Enable network shares
    • Execute file
    • Join IRC channel
    • Leave IRC channel
    • Open remote shell
    • Perform DDoS attack
    • Perform network scan
    • Restart system
    • Send emails
    • Start spreading routine
    • Terminate process
    • Updates itself

 Backdoor The following ports are opened:

%SYSDIR%\google.exe on TCP port 25000 in order to provide an FTP server.
%SYSDIR%\google.exe on UDP port 89 in order to provide a TFTP server.

 Miscellaneous Mutex:
It creates the following Mutex:
   • afffff

 File details Programming language:
 The malware program was written in MS Visual C++.


Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packers:
   • UPack;
   • ASPack;
   • PE_Patch.Upolyx;
   • UPX

Description inserted by Irina Boldea on Wednesday, September 7, 2005
Description updated by Irina Boldea on Thursday, September 8, 2005

Back . . . .