Virus: Worm/Rbot.180736.7
Date discovered: 21/08/2006
Type: Worm
In the wild: Yes
Reported infections: Low
Distribution potential: Low to medium
Damage potential: Low to medium
Static file: Yes
File size: 180.736 Bytes
MD5 checksum: 9cde50fa255d9f733fe896e592616884
VDF version: 6.35.01.119
IVDF version: 6.35.01.120

General methods of propagation:
   • Local network
   • Mapped network drives


Aliases:
   •  Mcafee: W32/Sdbot.worm!MS06-040
   •  Kaspersky: Backdoor.Win32.Rbot.bgu
   •  TrendMicro: WORM_RANDEX.AH
   •  Sophos: W32/Vanebot-A
   •  Panda: W32/Aimbot.BB.worm
   •  Eset: Win32/IRCBot.TB
   •  Bitdefender: Backdoor.Aimbot.CK


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Disable security applications
   • Records keystrokes
   • Makes use of software vulnerability
   • Third party control


Right after execution the following information is displayed:


Files:
It copies itself to the following location:
   • %SYSDIR%\javanet.exe



It deletes the initially executed copy of itself.

Registry:
The following registry keys are added (and continuously re-added in an infinite loop) in order to run the process after reboot:

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
   • "MS Java for Windows XP & NT"="javanet.exe"

–  [HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices]
   • "MS Java for Windows XP & NT"="javanet.exe"

–  [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   • "Shell"="Explorer.exe javanet.exe"
   • "Userinit"="%SYSDIR%\userinit.exe,javanet.exe"



The following registry keys are added:

– [HKCU\Software\Microsoft\Windows]
   • "JavaNet"="rBot v2 a.k.a. the next generation (working on winXP SP2)"

– [HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\
   FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   • "%SYSDIR%\javanet.exe"="%SYSDIR%\javanet.exe:*:Enabled:MS Java for Windows XP & NT"



The following registry keys are changed:

– [HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Epoch]
   New value:
   • "Epoch"=dword:00000008

– [HKLM\SOFTWARE\Microsoft\Ole]
   New value:
   • "EnableDCOM"="N"

– [HKLM\SYSTEM\CurrentControlSet\Control\Lsa]
   New value:
   • "lmcompatibilitylevel"=dword:00000001
   • "restrictanonymous"=dword:00000001
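As an added defender-side example (not part of the original description), the following Python script parses the text of a `reg export` dump and flags the persistence entries, infection marker, firewall exception and DCOM change listed above. The sample export is constructed from the values on this page (plus one benign ctfmon.exe entry as a control); the rule names and helper functions are this example's own, not Avira's tooling.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of a `reg export` text dump. The key/value pairs mirror the
# ones listed in the description above; the ctfmon.exe entry is a benign control.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"MS Java for Windows XP & NT"="javanet.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe javanet.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,javanet.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows]
"JavaNet"="rBot v2 a.k.a. the next generation (working on winXP SP2)"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\javanet.exe"="C:\\WINDOWS\\system32\\javanet.exe:*:Enabled:MS Java for Windows XP & NT"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

HIVE_ABBREV = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}

# One value line of a .reg file: "name"="string data" or "name"=dword:xxxxxxxx
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?:"(?P<str>.*)"|(?P<raw>.+))$')

AUTORUN_KEY_TAILS = ("\\currentversion\\run",
                     "\\currentversion\\runservices",
                     "\\currentversion\\runonce")
DROPPED_FILE = "javanet.exe"  # file name taken from the description


def _unescape(s: str) -> str:
    """Undo the backslash escaping .reg files apply to string data."""
    return s.replace("\\\\", "\\").replace('\\"', '"')


def parse_reg_export(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, data) triples; hives are shortened to HKLM/HKCU."""
    entries = []
    current_key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            hive, _, rest = line[1:-1].partition("\\")
            current_key = HIVE_ABBREV.get(hive, hive) + "\\" + rest
            continue
        m = VALUE_RE.match(line)
        if m and current_key:
            data = m.group("str")
            data = _unescape(data) if data is not None else m.group("raw")
            entries.append((current_key, _unescape(m.group("name")), data))
    return entries


def check_indicators(entries: List[Tuple[str, str, str]]) -> List[Dict[str, str]]:
    """Apply the registry indicators from the description to parsed entries."""
    findings = []
    for key, name, data in entries:
        k, n, d = key.lower(), name.lower(), data.lower()
        rule = None
        if k.endswith(AUTORUN_KEY_TAILS) and DROPPED_FILE in d:
            rule = "autorun"                 # dropped file under Run/RunServices/RunOnce
        elif k.endswith("\\winlogon") and n == "shell" and d != "explorer.exe":
            rule = "winlogon-shell"          # Shell value extended beyond Explorer.exe
        elif k.endswith("\\winlogon") and n == "userinit" \
                and not d.rstrip(",").endswith("userinit.exe"):
            rule = "winlogon-userinit"       # extra program appended to Userinit
        elif k == "hkcu\\software\\microsoft\\windows" and n == "javanet":
            rule = "marker"                  # infection marker value
        elif k.endswith("\\authorizedapplications\\list") and DROPPED_FILE in d:
            rule = "firewall-exception"      # dropped file whitelisted in the XP firewall
        elif k == "hklm\\software\\microsoft\\ole" and n == "enabledcom" and d == "n":
            rule = "dcom-disabled"           # weak on its own, listed because the page reports it
        if rule:
            findings.append({"rule": rule, "key": key, "name": name, "data": data})
    return findings


def scan(text: str) -> List[Dict[str, str]]:
    return check_indicators(parse_reg_export(text))


if __name__ == "__main__":
    for f in scan(SAMPLE_REG_EXPORT):
        print(f"[{f['rule']}] {f['key']} :: {f['name']} = {f['data']}")
```

To use it on a real host, run `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion hklm_run.reg` (and the other keys listed above) and pass the file contents to `scan()`; the Winlogon checks deliberately compare against the stock values rather than the file name, so they also catch variants that rename the dropped file.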

Network infection:
In order to ensure its propagation the malware attempts to connect to other machines as described below.

It drops a copy of itself to the following network share:
   • IPC$


It uses the following login information in order to gain access to the remote machine:

– A list of usernames and passwords:
   • asdfgh; server; 000; 0000; 00000; 000000; 0000000; 00000000; 123;
      1234; 12345; 123456; 1234567; 12345678; 123456789; secret; secure;
      security; setup; shadow; shit; sql; super; sys; system; abc; abc123;
      access; adm; alpha; anon; anonymous; backdoor; backup; beta; bin;
      coffee; computer; crew; database; debug; default; demo; free; guest;
      hello; install; internet; login; mail; manager; money; monitor;
      network; new; newpass; nick; nobody; nopass; one; oracle; pass;
      passwd; password; poiuytre; private; pub; public; qwerty; random;
      real; remote; ruler; telnet; temp; test; test1; test2; visitor; web;
      windows; www



Exploit:
It makes use of the following Exploits:
– MS02-061 (Elevation of Privilege in SQL Server Web)
– MS04-007 (ASN.1 Vulnerability)
– MS05-039 (Vulnerability in Plug and Play)
– MS06-040 (Vulnerability in Server Service)


IP address generation:
It creates random IP addresses while it keeps the first two octets from its own address. Afterwards it tries to establish a connection with the created addresses.

IRC:
To deliver system information and to provide remote control it connects to the following IRC server:

Server: forum.ed**********
Port: 4915
Channel: #.api.#
Nickname: RBOT|F|%system-dependent%|%operating system%-%several random digits%
Password: legalize


– Furthermore it has the ability to perform actions such as:
    • Launch DDoS SYN flood
    • Launch DDoS UDP flood
    • Disconnect from IRC server
    • Download file
    • Execute file
    • Join IRC channel
    • Kill process
    • Perform network scan
    • Send emails
    • Start keylogger
    • Start spreading routine
    • Update itself
    • Visit a website

Process termination:
List of processes that are terminated:
   • anti; avast; blackice; f-pro; firewall; lockdown; mcafee; nod32;
      norton; reged; spybot; troja; viru; vsmon; zonea

Processes containing one of the following window titles are terminated:
   • anti; avast; blackice; f-pro; firewall; lockdown; mcafee; nod32;
      norton; reged; spybot; troja; viru; vsmon; zonea


List of services that are disabled:
   • Automatic Updates
   • Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)
   • Security Center

Miscellaneous:

Mutex:
It creates the following Mutex:
   • JavaNet


File patching:
In order to increase the maximum number of concurrent connections it has the capability to modify tcpip.sys. This may corrupt that file and break network connectivity.

File details:

Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
In order to hamper detection and reduce the file size, it is packed with the following runtime packer:
   • Enigma protector

Description inserted by Alexander Vukcevic on Friday, September 1, 2006
Description updated by Andrei Ivanes on Monday, September 4, 2006
