Virus: Worm/Rbot.1261568 Date discovered: 12/12/2006 Type: Worm In the wild: No Reported Infections: Low Distribution Potential: Medium Damage Potential: Medium Static file: Yes File size: 1.261.568 Bytes MD5 checksum: 104a6b553136068923badf7550c11ef1 VDF version: 6.35.01.100 IVDF version: 6.35.01.101
General Method of propagation: • Local network Aliases: • Kaspersky: Backdoor.Win32.Rbot.bgk • Grisoft: IRC/BackDoor.SdBot2.GDO • Eset: Win32/Rbot • Bitdefender: Backdoor.Rbot.BGK Platforms / OS: • Windows 95 • Windows 98 • Windows 98 SE • Windows NT • Windows ME • Windows 2000 • Windows XP • Windows 2003 Side effects: • Drops a file • Records keystrokes • Registry modification • Makes use of software vulnerability • Steals information • Third party control Files It copies itself to the following location: • %WINDIR% \mssetupconf.exe It deletes the initially executed copy of itself. The following file is created: – %SYSDIR% \drivers\oreans32.sys Registry The following registry keys are added in order to run the processes after reboot: – [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] • "System Update"="mssetupconf.exe" – [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] • "System Update"="mssetupconf.exe" The following registry keys are added: – [HKLM\SOFTWARE\Microsoft\Ole] • "System Update"="mssetupconf.exe" – [HKLM\SYSTEM\CurrentControlSet\Control\Lsa] • "System Update"="mssetupconf.exe" The following registry keys are changed: – [HKLM\SOFTWARE\Microsoft\Ole] Old value: • "EnableDCOM"="Y" New value: • "EnableDCOM"="N" – [HKLM\SYSTEM\CurrentControlSet\Control\Lsa] Old value: • "restrictanonymous"=%user defined settings% New value: • "restrictanonymous"=dword:00000001 Network Infection In order to ensure its propagation the malware attemps to connect to other machines as described below. It drops copies of itself to the following network shares: • IPC$ • C$ • D$ • C$\windows\system32 • c$\winnt\system32 • ADMIN$\system32\ • ADMIN$ It uses the following login information in order to gain access to the remote machine: –Cached usernames and passwords. – A list of usernames and passwords: • intranet; lan; main; winpass; blank; office; control; nokia; siemens; compaq; dell; cisco; ibm; orainstall; sqlpassoainstall; sql; db1234; db1; databasepassword; data; databasepass; dbpassword; dbpass; access; domainpassword; domainpass; domain; hello; hell; god; sex; slut; bitch; fuck; exchange; backup; technical; loginpass; login; mary; katie; kate; george; eric; chris; ian; neil; lee; brian; susan; sue; sam; luke; peter; john; mike; bill; fred; joe; jen; bob; qwe; zxc; asd; qaz; win2000; winnt; winxp; win2k; win98; windows; oeminstall; oemuser; oem; user; homeuser; home; accounting; accounts; internet; www; web; outlook; mail; qwerty; null; server; system; changeme; linux; unix; demo; none; test; 2004; 2003; 2002; 2001; 2000; 1234567890; 123456789; 12345678; 1234567; 123456; 12345; 1234; 123; 007; pwd; pass; pass1234; passwd; password; password1; adm; db2; oracle; dba; database; default; guest; wwwadmin; teacher; student; owner; computer; root; staff; admin; admins; administrat; administrateur; administrador; administrator Exploit: It makes use of the following Exploits: – MS02-018 (Patch for Internet Information Service) – MS03-026 (Buffer Overrun in RPC Interface) – MS03-039 (Buffer Overrun in RPCSS Service) – MS04-011 (LSASS Vulnerability) – MS05-039 (Vulnerability in Plug and Play) Infection process: Creates a TFTP or FTP script on the compromised machine in order to download the malware to the remote location. Remote execution: –It attempts to schedule a remote execution of the malware, on the newly infected machine. Therefore it uses the NetScheduleJobAdd function. IRC To deliver system information and to provide remote control it connects to the following IRC Server: Server: ds106.nakamurax.********** Port: 6667 Channel: #root# Nickname: root-%six-digit random character string% – This malware has the ability to collect and send information such as: • Capture screen • Capture shot from webcam • CPU speed • Current user • Details about drivers • Free disk space • Free memory • Information about the network • Size of memory • System directory • Information about the Windows operating system – Furthermore it has the ability to perform actions such as: • Launch DDoS ICMP flood • Launch DDoS SYN flood • Launch DDoS TCP flood • Launch DDoS UDP flood • Disable DCOM • Disable network shares • disconnect from IRC server • Download file • Enable DCOM • Enable network shares • Join IRC channel • Leave IRC channel • Open remote shell • Perform DDoS attack • Perform network scan • Perform port redirection • Restart system • Send emails • Start keylog • Updates itself • Upload file • Visit a website Process termination List of processes that are terminated: • i11r54n4.exe; irun4.exe; d3dupdate.exe; rate.exe; ssate.exe; winsys.exe; winupd.exe; SysMonXP.exe; bbeagle.exe; Penis32.exe; mscvb32.exe; sysinfo.exe; PandaAVEngine.exe; F-AGOBOT.EXE; HIJACKTHIS.EXE; _AVPM.EXE; _AVPCC.EXE; _AVP32.EXE; ZONEALARM.EXE; ZONALM2601.EXE; ZATUTOR.EXE; ZAPSETUP3001.EXE; ZAPRO.EXE; XPF202EN.EXE; WYVERNWORKSFIREWALL.EXE; WUPDT.EXE; WUPDATER.EXE; WSBGATE.EXE; WRCTRL.EXE; WRADMIN.EXE; WNT.EXE; WNAD.EXE; WKUFIND.EXE; WINUPDATE.EXE; WINTSK32.EXE; WINSTART001.EXE; WINSTART.EXE; WINSSK32.EXE; WINSERVN.EXE; WINRECON.EXE; WINPPR32.EXE; WINNET.EXE; WINMAIN.EXE; WINLOGIN.EXE; WININITX.EXE; WININIT.EXE; WININETD.EXE; WINDOWS.EXE; WINDOW.EXE; WINACTIVE.EXE; WIN32US.EXE; WIN32.EXE; WIN-BUGSFIX.EXE; WIMMUN32.EXE; WHOSWATCHINGME.EXE; WGFE95.EXE; WFINDV32.EXE; WEBTRAP.EXE; WEBSCANX.EXE; WEBDAV.EXE; WATCHDOG.EXE; W9X.EXE; W32DSM89.EXE; VSWINPERSE.EXE; VSWINNTSE.EXE; VSWIN9XE.EXE; VSSTAT.EXE; VSMON.EXE; VSMAIN.EXE; VSISETUP.EXE; VSHWIN32.EXE; VSECOMR.EXE; VSCHED.EXE; VSCENU6.02D30.EXE; VSCAN40.EXE; VPTRAY.EXE; VPFW30S.EXE; VPC42.EXE; VPC32.EXE; VNPC3000.EXE; VNLAN300.EXE; VIRUSMDPERSONALFIREWALL.EXE; VIR-HELP.EXE; VFSETUP.EXE; VETTRAY.EXE; VET95.EXE; VET32.EXE; VCSETUP.EXE; VBWINNTW.EXE; VBWIN9X.EXE; VBUST.EXE; VBCONS.EXE; VBCMSERV.EXE; UTPOST.EXE; UPGRAD.EXE; UPDATE.EXE; UPDAT.EXE; UNDOBOOT.EXE; TVTMD.EXE; TVMD.EXE; TSADBOT.EXE; TROJANTRAP3.EXE; TRJSETUP.EXE; TRJSCAN.EXE; TRICKLER.EXE; TRACERT.EXE; TITANINXP.EXE; TITANIN.EXE; TGBOB.EXE; TFAK5.EXE; TFAK.EXE; TEEKIDS.EXE; TDS2-NT.EXE; TDS2-98.EXE; TDS-3.EXE; TCM.EXE; TCA.EXE; TC.EXE; TBSCAN.EXE; TAUMON.EXE; TASKMON.EXE; TASKMO.EXE; TASKMG.EXE; SYSUPD.EXE; SYSTEM32.EXE; SYSTEM.EXE; SYSEDIT.EXE; SYMTRAY.EXE; SYMPROXYSVC.EXE; SWEEPNET.SWEEPSRV.SYS.SWNETSUP.EXE; SWEEP95.EXE; SVSHOST.EXE; SVCHOSTS.EXE; SVCHOSTC.EXE; SVC.EXE; SUPPORTER5.EXE; SUPPORT.EXE; SUPFTRL.EXE; STCLOADER.EXE; START.EXE; ST2.EXE; SSG_4104.EXE; SSGRATE.EXE; SS3EDIT.EXE; SRNG.EXE; SREXE.EXE; SPYXX.EXE; SPOOLSV32.EXE; SPOOLCV.EXE; SPOLER.EXE; SPHINX.EXE; SPF.EXE; SPERM.EXE; SOFI.EXE; SOAP.EXE; SMSS32.EXE; SMS.EXE; SMC.EXE; SHOWBEHIND.EXE; SHN.EXE; SHELLSPYINSTALL.EXE; SH.EXE; SGSSFW32.EXE; SFC.EXE; SETUP_FLOWPROTECTOR_US.EXE; SETUPVAMEEVAL.EXE; SERVLCES.EXE; SERVLCE.EXE; SERVICE.EXE; SERV95.EXE; SD.EXE; SCVHOST.EXE; SCRSVR.EXE; SCRSCAN.EXE; SCANPM.EXE; SCAN95.EXE; SCAN32.EXE; SCAM32.EXE; SC.EXE; SBSERV.EXE; SAVENOW.EXE; SAVE.EXE; SAHAGENT.EXE; SAFEWEB.EXE; RUXDLL32.EXE; RUNDLL16.EXE; RUNDLL.EXE; RUN32DLL.EXE; RULAUNCH.EXE; RTVSCN95.EXE; RTVSCAN.EXE; RSHELL.EXE; RRGUARD.EXE; RESCUE32.EXE; RESCUE.EXE; REGEDT32.EXE; REGEDIT.EXE; REGED.EXE; REALMON.EXE; RCSYNC.EXE; RB32.EXE; RAY.EXE; RAV8WIN32ENG.EXE; RAV7WIN.EXE; RAV7.EXE; RAPAPP.EXE; QSERVER.EXE; QCONSOLE.EXE; PVIEW95.EXE; PUSSY.EXE; PURGE.EXE; PSPF.EXE; PROTECTX.EXE; PROPORT.EXE; PROGRAMAUDITOR.EXE; PROCEXPLORERV1.0.EXE; PROCESSMONITOR.EXE; PROCDUMP.EXE; PRMVR.EXE; PRMT.EXE; PRIZESURFER.EXE; PPVSTOP.EXE; PPTBC.EXE; PPINUPDT.EXE; POWERSCAN.EXE; PORTMONITOR.EXE; PORTDETECTIVE.EXE; POPSCAN.EXE; POPROXY.EXE; POP3TRAP.EXE; PLATIN.EXE; PINGSCAN.EXE; PGMONITR.EXE; PFWADMIN.EXE; PF2.EXE; PERSWF.EXE; PERSFW.EXE; PERISCOPE.EXE; PENIS.EXE; PDSETUP.EXE; PCSCAN.EXE; PCIP10117_0.EXE; PCFWALLICON.EXE; PCDSETUP.EXE; PCCWIN98.EXE; PCCWIN97.EXE; PCCNTMON.EXE; PCCIOMON.EXE; PCC2K_76_1436.EXE; PCC2002S902.EXE; PAVW.EXE; PAVSCHED.EXE; PAVPROXY.EXE; PAVCL.EXE; PATCH.EXE; PANIXK.EXE; PADMIN.EXE; OUTPOSTPROINSTALL.EXE; OUTPOSTINSTALL.EXE; OUTPOST.EXE; OTFIX.EXE; OSTRONET.EXE; OPTIMIZE.EXE; ONSRVR.EXE; OLLYDBG.EXE; NWTOOL16.EXE; NWSERVICE.EXE; NWINST4.EXE; NVSVC32.EXE; NVC95.EXE; NVARCH16.EXE; NUPGRADE.EXE; NUI.EXE; NTXconfig.EXE; NTVDM.EXE; NTRTSCAN.EXE; NT.EXE; NSUPDATE.EXE; NSTASK32.EXE; NSSYS32.EXE; NSCHED32.EXE; NPSSVC.EXE; NPSCHECK.EXE; NPROTECT.EXE; NPFMESSENGER.EXE; NPF40_TW_98_NT_ME_2K.EXE; NOTSTART.EXE; NORTON_INTERNET_SECU_3.0_407.EXE; NORMIST.EXE; NOD32.EXE; NMAIN.EXE; NISUM.EXE; NISSERV.EXE; NETUTILS.EXE; NETSTAT.EXE; NETSPYHUNTER-1.2.EXE; NETSCANPRO.EXE; NETMON.EXE; NETINFO.EXE; NETD32.EXE; NETARMOR.EXE; NEOWATCHLOG.EXE; NEOMONITOR.EXE; NDD32.EXE; NCINST4.EXE; NC2000.EXE; NAVWNT.EXE; NAVW32.EXE; NAVSTUB.EXE; NAVNT.EXE; NAVLU32.EXE; NAVENGNAVEX15.NAVLU32.EXE; NAVDX.EXE; NAVAPW32.EXE; NAVAPSVC.EXE; NAVAP.NAVAPSVC.EXE; AUTO-PROTECT.NAV80TRY.EXE; NAV.EXE; N32SCANW.EXE; MWATCH.EXE; MU0311AD.EXE; MSVXD.EXE; MSSYS.EXE; MSSMMC32.EXE; MSMSGRI32.EXE; MSMGT.EXE; MSLAUGH.EXE; MSINFO32.EXE; MSIEXEC16.EXE; MSDOS.EXE; MSDM.EXE; MSCONFIG.EXE; MSCMAN.EXE; MSCCN32.EXE; MSCACHE.EXE; MSBLAST.EXE; MSBB.EXE; MSAPP.EXE; MRFLUX.EXE; MPFTRAY.EXE; MPFSERVICE.EXE; MPFAGENT.EXE; MOSTAT.EXE; MOOLIVE.EXE; MONITOR.EXE; MMOD.EXE; MINILOG.EXE; MGUI.EXE; MGHTML.EXE; MGAVRTE.EXE; MGAVRTCL.EXE; MFWENG3.02D30.EXE; MFW2EN.EXE; MFIN32.EXE; MD.EXE; MCVSSHLD.EXE; MCVSRTE.EXE; MCUPDATE.EXE; MCTOOL.EXE; MCSHIELD.EXE; MCMNHDLR.EXE; MCAGENT.EXE; MAPISVC32.EXE; LUSPT.EXE; LUINIT.EXE; LUCOMSERVER.EXE; LUAU.EXE; LUALL.EXE; LSETUP.EXE; LORDPE.EXE; LOOKOUT.EXE; LOCKDOWN2000.EXE; LOCKDOWN.EXE; LOCALNET.EXE; LOADER.EXE; LNETINFO.EXE; LDSCAN.EXE; LDPROMENU.EXE; LDPRO.EXE; LDNETMON.EXE; LAUNCHER.EXE; KILLPROCESSSETUP161.EXE; KERNEL32.EXE; KERIO-WRP-421-EN-WIN.EXE; KERIO-WRL-421-EN-WIN.EXE; KERIO-PF-213-EN-WIN.EXE; KEENVALUE.EXE; KAZZA.EXE; KAVPF.EXE; KAVPERS40ENG.EXE; KAVLITE40ENG.EXE; JEDI.EXE; JDBGMRG.EXE; JAMMER.EXE; ISTSVC.EXE; ISRV95.EXE; ISASS.EXE; IRIS.EXE; IPARMOR.EXE; IOMON98.EXE; INTREN.EXE; INTDEL.EXE; INIT.EXE; INFWIN.EXE; INFUS.EXE; INETLNFO.EXE; IFW2000.EXE; IFACE.EXE; IEXPLORER.EXE; IEDRIVER.EXE; IEDLL.EXE; IDLE.EXE; ICSUPPNT.EXE; ICSUPP95.EXE; ICMON.EXE; ICLOADNT.EXE; ICLOAD95.EXE; IBMAVSP.EXE; IBMASN.EXE; IAMSTATS.EXE; IAMSERV.EXE; IAMAPP.EXE; HXIUL.EXE; HXDL.EXE; HWPE.EXE; HTPATCH.EXE; HTLOG.EXE; HOTPATCH.EXE; HOTACTIO.EXE; HBSRV.EXE; HBINST.EXE; HACKTRACERSETUP.EXE; GUARDDOG.EXE; GUARD.EXE; GMT.EXE; GENERICS.EXE; GBPOLL.EXE; GBMENU.EXE; GATOR.EXE; FSMB32.EXE; FSMA32.EXE; FSM32.EXE; FSGK32.EXE; FSAV95.EXE; FSAV530WTBYB.EXE; FSAV530STBYB.EXE; FSAV32.EXE; FSAV.EXE; FSAA.EXE; FRW.EXE; FPROT.EXE; FP-WIN_TRIAL.EXE; FP-WIN.EXE; FNRB32.EXE; FLOWPROTECTOR.EXE; FIREWALL.EXE; FINDVIRU.EXE; FIH32.EXE; FCH32.EXE; FAST.EXE; FAMEH32.EXE; F-STOPW.EXE; F-PROT95.EXE; F-PROT.EXE; F-AGNT95.EXE; EXPLORE.EXE; EXPERT.EXE; EXE.AVXW.EXE; EXANTIVIRUS-CNET.EXE; EVPN.EXE; ETRUSTCIPE.EXE; ETHEREAL.EXE; ESPWATCH.EXE; ESCANV95.EXE; ESCANHNT.EXE; ESCANH95.EXE; ESAFE.EXE; ENT.EXE; EMSW.EXE; EFPEADM.EXE; ECENGINE.EXE; DVP95_0.EXE; DVP95.EXE; DSSAGENT.EXE; DRWEBUPW.EXE; DRWEB32.EXE; DRWATSON.EXE; DPPS2.EXE; DPFSETUP.EXE; DPF.EXE; DOORS.EXE; DLLREG.EXE; DLLCACHE.EXE; DIVX.EXE; DEPUTY.EXE; DEFWATCH.EXE; DEFSCANGUI.EXE; DEFALERT.EXE; DCOMX.EXE; DATEMANAGER.EXE; Claw95.EXE; CWNTDWMO.EXE; CWNB181.EXE; CV.EXE; CTRL.EXE; CPFNT206.EXE; CPF9X206.EXE; CPD.EXE; CONNECTIONMONITOR.EXE; CMON016.EXE; CMGRDIAN.EXE; CMESYS.EXE; CMD32.EXE; CLICK.EXE; CLEANPC.EXE; CLEANER3.EXE; CLEANER.EXE; CLEAN.EXE; CLAW95CF.EXE; CFINET32.EXE; CFINET.EXE; CFIAUDIT.EXE; CFIADMIN.EXE; CFGWIZ.EXE; CFD.EXE; CDP.EXE; CCPXYSVC.EXE; CCEVTMGR.EXE; CCAPP.EXE; BVT.EXE; BUNDLE.EXE; BS120.EXE; BRASIL.EXE; BPC.EXE; BORG2.EXE; BOOTWARN.EXE; BOOTCONF.EXE; BLSS.EXE; BLACKICE.EXE; BLACKD.EXE; BISP.EXE; BIPCPEVALSETUP.EXE; BIPCP.EXE; BIDSERVER.EXE; BIDEF.EXE; BELT.EXE; BEAGLE.EXE; BD_PROFESSIONAL.EXE; BARGAINS.EXE; BACKWEB.EXE; AVXQUAR.EXE; AVXMONITORNT.EXE; AVXMONITOR9X.EXE; AVWUPSRV.EXE; AVWUPD32.EXE; AVWUPD.EXE; AVWINNT.EXE; AVWIN95.EXE; AVSYNMGR.EXE; AVSCHED32.EXE; AVPUPD.EXE; AVPTC32.EXE; AVPM.EXE; AVPDOS32.EXE; AVPCC.EXE; AVP32.EXE; AVP.EXE; AVNT.EXE; AVLTMAIN.EXE; AVKWCTl9.EXE; AVKSERVICE.EXE; AVKSERV.EXE; AVKPOP.EXE; AVGW.EXE; AVGUARD.EXE; AVGSERV9.EXE; AVGSERV.EXE; AVGNT.EXE; AVGCTRL.EXE; AVGCC32.EXE; AVE32.EXE; AVCONSOL.EXE; AUTOUPDATE.EXE; AUTOTRACE.EXE; AUTODOWN.EXE; AUPDATE.EXE; AU.EXE; ATWATCH.EXE; ATUPDATER.EXE; ATRO55EN.EXE; ATGUARD.EXE; ATCON.EXE; ARR.EXE; APVXDWIN.EXE; APLICA32.EXE; APIMONITOR.EXE; ANTS.EXE; ANTIVIRUS.EXE; ANTI-TROJAN.EXE; AMON9X.EXE; ALOGSERV.EXE; ALEVIR.EXE; ALERTSVC.EXE; AGENTW.EXE; AGENTSVR.EXE; ADVXDWIN.EXE; ADAWARE.EXE; ACKWIN32.EXE Stealing It tries to steal the following information: – Windows Product ID – The following CD keys: • WinLicenseVersion • WinLicenseDriverVersion – It uses a network sniffer that checks for the following strings: • :.l • :%x Miscellaneous Mutex: It creates the following Mutex: • SKY2K4 Anti debugging It checks if the following file is present: • SoftIce File details Programming language: The malware program was written in MS Visual C++. Runtime packer: In order to aggravate detection and reduce size of the file it is packed with a runtime packer.
Description inserted by Monica Ghitun on Tuesday, December 12, 2006 Description updated by Monica Ghitun on Wednesday, December 13, 2006
Back
.
.
.
.