Virus: Worm/Rbot.95744.12
Date discovered: 09/11/2005
Type: Worm
In the wild: Yes
Reported Infections: Low
Distribution Potential: Medium
Damage Potential: Medium
Static file: Yes
File size: 95.744 Bytes
MD5 checksum: b8e07b509594509af0d671c79176ff9c
VDF version: 6.32.00.123

General

Method of propagation:
• Local network

Aliases:
• Symantec: W32.Spybot.Worm
• Sophos: W32/Rbot-AWZ
• Bitdefender: Backdoor.RBot.0EA93F88

Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Disable security applications
• Records keystrokes
• Registry modification
• Makes use of software vulnerability
• Steals information
• Third party control

Files

It copies itself to the following location:
• %SYSDIR%\winzbp.exe

Registry

The following registry keys are added in order to run the processes after reboot:
– [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
• "WinZap Check" = "winzbp.exe"
– [HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
• "WinZap Check" = "winzbp.exe"
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
• "WinZap Check" = "winzbp.exe"

Network Infection

It makes use of the following Exploits:
– MS03-026 (Buffer Overrun in RPC Interface)
– MS04-011 (LSASS Vulnerability)

IRC

To deliver system information and to provide remote control it connects to the following IRC Server:
Server: irc.thev**********.biz
Port: 14478
Channel: #.lala.#
Nickname: USA|%six-digit random character string%
Password: lala

– This malware has the ability to collect and send information such as:
• Cached passwords
• Capture shot from webcam
• Current user
• Information about the network
• Information about running processes
• Username
• Users' local activity
• Information about the Windows operating system
• Launch DDoS ICMP flood
• Launch DDoS SYN flood
• Launch DDoS UDP flood
• Disable network shares
• Download file
• Edit registry
• Enable network shares
• Execute file
• Join IRC channel
• Kill process
• Perform DDoS attack
• Perform network scan
• Perform port redirection
• Register a service
• Restart system
• Send emails
• Start spreading routine
• Terminate process
• Updates itself
• Upload file
• Visit a website

Process termination

List of processes that are terminated:
• bbeagle.exe; d3dupdate.exe; i11r54n4.exe; irun4.exe; MSBLAST.exe; msblast.exe; msconfig.exe; mscvb32.exe; navapw32.exe; navw32.exe; netstat.exe; PandaAVEngine.exe; Penis32.exe; rate.exe; regedit.exe; ssate.exe; sysinfo.exe; SysMonXP.exe; teekids.exe; wincfg32.exe; taskmon.exe; winsys.exe; winupd.exe; zapro.exe; zonealarm.exe

Stealing

It tries to steal the following information:
– The following CD keys:
• Battlefield 1942; Battlefield 1942 (Road To Rome); Battlefield 1942 (Secret Weapons of WWII); Battlefield Vietnam; Black and White; Command and Conquer: Generals; Command and Conquer: Generals (Zero Hour); Command and Conquer: Red Alert; Command and Conquer: Red Alert 2; Command and Conquer: Tiberian Sun; Counter-Strike (Retail); FIFA 2002; FIFA 2003; Half-Life; Hidden & Dangerous 2; IGI 2: Covert Strike; Industry Giant 2; James Bond 007: Nightfire; Medal of Honor: Allied Assault; Medal of Honor: Allied Assault: Breakthrough; Medal of Honor: Allied Assault: Spearhead; Nascar Racing 2002; Nascar Racing 2003; Need For Speed Hot Pursuit 2; Need For Speed: Underground; Neverwinter Nights; Neverwinter Nights (Hordes of the Underdark); Neverwinter Nights (Shadows of Undrentide); NHL 2002; NHL 2003; Rainbow Six III RavenShield; Shogun: Total War: Warlord Edition; Soldier of Fortune II - Double Helix; Soldiers Of Anarchy; The Gladiators; Unreal Tournament 2003

File details

Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with the following runtime packers:
• PolyCript
• ASPack
Description inserted by Iulian Popa on Thursday, November 10, 2005 Description updated by Andrei Ivanes on Thursday, November 17, 2005