Virus:Worm/Rbot.173568.9
Date discovered:27/09/2005
Type:Worm
In the wild:No
Reported Infections:Low
Distribution Potential:Medium
Damage Potential:Medium
Static file:Yes
File size:173.568 Bytes
MD5 checksum:d89437c84655fa333fdf5b5b37cb29cc
VDF version:6.32.0.45

 General Method of propagation:
   • Local network


Aliases:
   •  Mcafee: W32/Sdbot.worm.gen.w
   •  TrendMicro: WORM_RBOT.CIZ
   •  F-Secure: W32/Banker.EVW
   •  VirusBuster: Worm.RBot.CNF
   •  Bitdefender: Backdoor.RBot.BAR


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops a malicious file
   • Registry modification
   • Third party control

 Files It copies itself to the following location:
   • %SYSDIR%\xpjava.exe



The following file is created:

%SYSDIR%\msdirectx.sys Further investigation pointed out that this file is malware, too. Detected as: TR/Spy.Agent.dg.2.B

 Registry The following registry keys are added in order to load the services after reboot:

– [HKLM\SYSTEM\CurrentControlSet\Services\msdirectx]
   • "Type"=dword:00000001
     "Start"=dword:00000003
     "ErrorControl"=dword:00000001
     "ImagePath"=\??\%SYSDIR%\msdirectx.sys
     "DisplayName"="msdirectx"

– [HKLM\SYSTEM\CurrentControlSet\Services\msdirectx\Security]
   • "Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
      00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
      00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
      05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
      20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
      00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
      00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

– [HKLM\SYSTEM\CurrentControlSet\Services\msdirectx\Enum]
   • "0"="Root\\LEGACY_MSDIRECTX\\0000"
     "Count"=dword:00000001
     "NextInstance"=dword:00000001



The following registry keys are changed:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   Old value:
   • "Userinit"=%user defined settings%
   New value:
   • "Userinit"="userinit.exe,xpjava.exe"

– [HKLM\SOFTWARE\Microsoft\Ole]
   Old value:
   • "EnableDCOM"=%user defined settings%
   New value:
   • "EnableDCOM"="N"

– [HKLM\SYSTEM\CurrentControlSet\Control\Lsa]
   Old value:
   • "restrictanonymous"=%user defined settings%
     "restrictanonymoussam"=%user defined settings%
   New value:
   • "restrictanonymous"=dword:00000001
     "restrictanonymoussam"=dword:00000001

 Network Infection It uses the following login information in order to gain access to the remote machine:

– The following list of usernames:
   • oracle; database; default; guest; wwwadmin; teacher; student; owner;
      computer; staff; admin; admins; administrat; administrateur;
      administrador; administrator

– The following list of passwords:
   • qwerty; server; system; changeme; linux; 1234567890; 123456789;
      12345678; 1234567; 123456; 12345; pass1234; passwd; password;
      password1



Exploit:
It makes use of the following Exploits:
– MS02-061 (Elevation of Privilege in SQL Server Web)
– MS03-007 (Unchecked Buffer in Windows Component)
– MS03-026 (Buffer Overrun in RPC Interface)
– MS04-011 (LSASS Vulnerability)


Infection process:
Creates a TFTP or FTP script on the compromised machine in order to download the malware to the remote location.

 IRC To deliver system information and to provide remote control it connects to the following IRC Server:

Server: g0d.**********.n0t.ex1st.net
Port: 8249
Server password: st4y4w4y
Channel: #.kimochi3
Nickname: Roo-San|%seven-digit random character string%
Password: kimochi



– This malware has the ability to collect and send information such as:
    • CPU speed
    • Current user
    • Details about drivers
    • Free disk space
    • Free memory
    • Malware uptime
    • Information about the network
    • Platform ID
    • Information about running processes
    • Size of memory
    • System directory
    • Username
    • Windows directory


– Furthermore it has the ability to perform actions such as:
    • connect to IRC server
    • Launch DDoS ICMP flood
    • Launch DDoS SYN flood
    • Launch DDoS TCP flood
    • Launch DDoS UDP flood
    • Disable DCOM
    • Disable network shares
    • disconnect from IRC server
    • Download file
    • Enable DCOM
    • Enable network shares
    • Execute file
    • Join IRC channel
    • Kill process
    • Leave IRC channel
    • Open remote shell
    • Perform DDoS attack
    • Perform network scan
    • Register a service
    • Restart system
    • Send emails
    • Shut down system
    • Start spreading routine
    • Terminate malware
    • Terminate process
    • Updates itself
    • Upload file
    • Visit a website

 Rootkit Technology It is a malware-specific technology. The malware hides its presence from system utilities, security applications and in the end, from the user.


Hides the following:
– Its own processes

 File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
   • PE-Crypt.AntiDeb

Description inserted by Razvan Olteanu on Monday, October 3, 2005
Description updated by Razvan Olteanu on Thursday, October 6, 2005

Back . . . .