Virus: Worm/Rbot.pac.8
Date discovered: 21/09/2005
Type: Worm
In the wild: Yes
Reported Infections: Low
Distribution Potential: Medium
Damage Potential: Medium
Static file: Yes
File size: 138.240 Bytes
MD5 checksum: 10e18e783f3c5e84ee0375e783ecf77b (of this static sample only; repacked variants will not match)
VDF version: 6.32.0.17
General
Methods of propagation:
• Local network
• Mapped network drives

Aliases:
• Symantec: W32.Spybot.Worm
• Mcafee: W32/Sdbot.worm.gen.i
• Kaspersky: Backdoor.Win32.Rbot.pac
• Bitdefender: Backdoor.Rbot.PAC

Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Disables security applications
• Lowers security settings
• Registry modification
• Steals information
• Third party control

Files
It copies itself to the following location:
• %SYSDIR%\updates.pif

Registry
The following registry values are added in order to run the process again after reboot (the same value name and data under each of the four keys):
– [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
• "System Updates Service" = "updates.pif"
– [HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
• "System Updates Service" = "updates.pif"
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
• "System Updates Service" = "updates.pif"
– [HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices]
• "System Updates Service" = "updates.pif"

The following registry values are also added:
– [HKLM\Software\Microsoft\OLE]
• "System Updates Service" = "updates.pif"
– [HKLM\SYSTEM\CurrentControlSet\Control\Lsa]
• "System Updates Service" = "updates.pif"
– [HKCU\Software\Microsoft\OLE]
• "System Updates Service" = "updates.pif"
– [HKCU\SYSTEM\CurrentControlSet\Control\Lsa]
• "System Updates Service" = "updates.pif"

Network Infection
In order to ensure its propagation the malware attempts to connect to other machines as described below.

It drops copies of itself to the following network shares:
• C:\
• ADMIN$
• IPC$

Exploit:
It makes use of the following exploits:
– MS03-026 (Buffer Overrun in RPC Interface)
– MS03-039 (Buffer Overrun in RPCSS Service)
– MS03-049 (Buffer Overrun in the Workstation Service)
– MS04-007 (ASN.1 Vulnerability)
– MS05-039 (Vulnerability in Plug and Play)

IP address generation:
It creates random IP addresses while keeping the first two octets of its own address, i.e. it sweeps its own /16. Afterwards it tries to establish a connection with the created addresses.

Infection process:
After a successful exploit it creates a TFTP or FTP script on the newly compromised machine in order to download the malware from the infecting host.

IRC
Server: **********omfgwtfbbq.biz
Port: 4654
Server password: jew1sh
Channel: #.wtf5
Nickname: %random character string%
Password: stfubitch

Server: **********omfgwtfbbq.biz
Port: 65529
Server password: jew1sh
Channel: #.wtf5
Nickname: %random character string%
Password: stfubitch

Server: **********urgentupdate.net
Port: 1427
Server password: jew1sh
Channel: #.wtf5
Nickname: %random character string%
Password: stfubitch

Server: **********urgentupdate.net
Port: 65528
Server password: jew1sh
Channel: #.wtf5
Nickname: %random character string%
Password: stfubitch

– This malware has the ability to collect and send information such as:
• CPU speed
• Current user
• Details about drivers
• Free disk space
• Free memory
• Information about the network
• Platform ID
• Size of memory
• Username

– Furthermore it has the ability to perform actions such as:
• Connect to IRC server
• Launch DDoS ICMP flood
• Disable DCOM
• Disable network shares
• Download file
• Enable DCOM
• Enable network shares
• Execute file
• Join IRC channel
• Kill process
• Leave IRC channel
• Open remote shell
• Perform network scan
• Perform port redirection
• Register a service
• Restart system
• Terminate malware
• Terminate process
• Visit a website

File details
Programming language:
The malware program was written in MS Visual C++.
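The persistence entries listed under Registry above are easy to triage from a `.reg` export of the Run, RunServices, OLE and Lsa keys. The script below is an added example written for this page, not part of the original description or of any vendor tool; the `.reg` dump it parses is constructed for illustration. It matches either the value name "System Updates Service" or a launched file named `updates.pif`, so a variant that only renames the value is still caught:

```python
"""Triage a Windows .reg export for the Rbot.pac.8 persistence entries listed
under "Registry" above. Added example, not part of the original description
or of any vendor tool; the .reg dump below is constructed for illustration."""
import re
from typing import Iterator, List, Tuple

# Value the worm writes under every key it touches (from the description).
IOC_VALUE_NAME = "system updates service"
IOC_FILE = "updates.pif"

# .reg exports spell hives out in full; the description uses the short forms.
HIVE_ALIASES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}


def _expand_hive(key: str) -> str:
    hive, _, rest = key.partition("\\")
    return HIVE_ALIASES.get(hive.upper(), hive.upper()) + "\\" + rest


# Keys from the description, normalised for case-insensitive comparison.
IOC_KEYS = {_expand_hive(k).lower() for k in (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKLM\Software\Microsoft\OLE",
    r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa",
    r"HKCU\Software\Microsoft\OLE",
    r"HKCU\SYSTEM\CurrentControlSet\Control\Lsa",
)}

_SECTION = re.compile(r"^\[(.+)\]$")
# "name"="string data"  or  "name"=dword:... / hex:...  (only string data is inspected)
_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(?:"((?:[^"\\]|\\.)*)"|(.+))$')


def _unescape(s: str) -> str:
    # .reg escaping: \" is a quote, \\ is a backslash
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (key, value_name, data) for every value in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _SECTION.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VALUE.match(line)
        if m and key is not None:
            data = m.group(2) if m.group(2) is not None else m.group(3)
            yield key, _unescape(m.group(1)), _unescape(data)


def find_rbot_persistence(reg_text: str) -> List[Tuple[str, str, str]]:
    """Return (key, name, data) for values under the listed keys that either
    carry the worm's value name or launch updates.pif under any name."""
    hits = []
    for key, name, data in parse_reg(reg_text):
        if key.lower() not in IOC_KEYS:
            continue
        launched = data.lower().strip('"').split("\\")[-1]
        if name.lower() == IOC_VALUE_NAME or launched == IOC_FILE:
            hits.append((key, name, data))
    return hits


# Constructed .reg dump: legitimate entries beside four worm entries.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"VMware Tools"="C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe"
"System Updates Service"="updates.pif"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"System Updates Service"="updates.pif"

[HKEY_LOCAL_MACHINE\Software\Microsoft\OLE]
"EnableDCOM"="Y"
"System Updates Service"="updates.pif"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000000
"Updates"="C:\\WINDOWS\\system32\\updates.pif"
"""

if __name__ == "__main__":
    for key, name, data in find_rbot_persistence(SAMPLE_REG):
        print(f"{key}  {name!r} = {data!r}")
```

Run it against `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (and the other seven keys) from the suspect machine; the OLE and Lsa keys are worth exporting even though nothing there auto-starts, because the value is the same and a hit confirms the sample rather than a generic Run-key dropper.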
In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.
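The propagation pattern described under "IP address generation" and "Exploit" above gives a simple network-side detection: an infected host fans out to many random addresses inside its own /16 on the ports those RPC, Workstation and Plug and Play exploits are delivered over. The script below is an added example written for this page, not part of the original description; the flow records are constructed. It assumes TCP 135, 139 and 445 as the exploit ports and a threshold of 20 distinct in-/16 targets, both of which are this example's choices rather than figures from the description:

```python
"""Flag hosts that sweep their own /16 on the SMB/RPC ports, the propagation
pattern described under "IP address generation" and "Exploit" above. Added
example, not part of the original description; the flow records are
constructed. Assumptions: the listed exploits are delivered over TCP 135, 139
and 445, and 20 or more distinct in-/16 targets marks a scanner."""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

EXPLOIT_PORTS = {135, 139, 445}  # assumption, see above
SCAN_THRESHOLD = 20              # distinct in-/16 targets before a host is flagged

Flow = Tuple[str, str, int]      # (src_ip, dst_ip, dst_port)


def same_slash16(a: str, b: str) -> bool:
    """True if both IPv4 addresses share their first two octets."""
    return ipaddress.ip_address(a).packed[:2] == ipaddress.ip_address(b).packed[:2]


def find_rbot_scanners(flows: Iterable[Flow], threshold: int = SCAN_THRESHOLD) -> Dict[str, int]:
    """Return {src: distinct_targets} for sources that fan out across their own
    /16 on the exploit ports. Traffic to other /16s is ignored on purpose: this
    worm only randomises the last two octets, so a host scanning elsewhere is
    some other activity."""
    targets: Dict[str, Set[str]] = defaultdict(set)
    for src, dst, dport in flows:
        if dport in EXPLOIT_PORTS and same_slash16(src, dst):
            targets[src].add(dst)
    return {src: len(t) for src, t in targets.items() if len(t) >= threshold}


def constructed_flows() -> List[Flow]:
    """Synthetic flow log: one infected host sweeping 10.20.0.0/16, thirty
    workstations talking to one file server, and one admin host."""
    flows: List[Flow] = []
    # Infected host: 40 different 10.20.x.y targets (deterministic stand-in for
    # the worm's random last-two-octet choice; 37 is coprime to 256, so x differs
    # for every i and all 40 targets are distinct).
    for i in range(40):
        flows.append(("10.20.5.7", f"10.20.{(i * 37) % 256}.{(i * 53) % 254 + 1}", (135, 139, 445)[i % 3]))
    # Benign: many clients to one server (one target each, never flagged).
    for i in range(30):
        flows.append((f"10.20.1.{10 + i}", "10.20.1.5", 445))
    # Benign: an admin host reaching a handful of servers over RPC.
    flows += [("10.20.2.2", f"10.20.1.{n}", 135) for n in (5, 6, 7)]
    # The infected host also talks to another site's /16; not counted.
    flows.append(("10.20.5.7", "10.30.1.1", 445))
    return flows


if __name__ == "__main__":
    for src, n in find_rbot_scanners(constructed_flows()).items():
        print(f"{src} reached {n} distinct hosts in its own /16 on {sorted(EXPLOIT_PORTS)}")
```

On real NetFlow or firewall data, window the records (a few minutes is enough, the worm scans continuously) and whitelist vulnerability scanners and patch servers, which legitimately show the same fan-out on these ports.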
Description inserted by Iulian Popa on Wednesday, September 21, 2005 Description updated by Iulian Popa on Wednesday, September 28, 2005