Worm/Rbot.SC - Worm

See also

Summary

Full description

Statistics

Virus:	Worm.Rbot.SC
Date discovered:	05/08/2005
Type:	Worm
In the wild:	No
Reported Infections:	Low
Distribution Potential:	Medium
Damage Potential:	Medium
Static file:	Yes
File size:	115.712 Bytes
MD5 checksum:	841bd2641ee5b9b2cebab37f1cb0b86e
VDF version:	6.31.1.66

General Method of propagation:
   • Local network

Aliases:
   • Symantec: W32.Spybot.Worm
   • Mcafee: W32/Sdbot.worm.gen
   • Kaspersky: Backdoor.Win32.Rbot.gen
   • TrendMicro: WORM_SPYBOT.AZV
   • Sophos: W32/Rbot-Fam
   • Panda: W32/Gaobot.BJY.worm
   • Grisoft: IRC/BackDoor.SdBot.74.BP
   • VirusBuster: Worm.RBot.CCF
   • Bitdefender: Worm.Gaobot.BJY

Platforms / OS:
   • Windows 2000
   • Windows XP

Side effects:
   • Registry modification
   • Makes use of software vulnerability
   • Steals information

Files It copies itself to the following location:
• %SYSDIR%\wvsvc.exe

It deletes the initially executed copy of itself.

Registry The following registry keys are added in order to run the processes after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "wvsvc"="wvsvc.exe"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
   • "wvsvc"="wvsvc.exe"

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "wvsvc"="wvsvc.exe"

The following registry key is added:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
   • "wvsvc"="wvsvc.exe"

The following registry keys are changed:

– [HKLM\SOFTWARE\Microsoft\Ole]
   Old value:
   • "EnableDCOM"="Y"
   New value:
   • "EnableDCOM"="N"

– [HKLM\SYSTEM\CurrentControlSet\Control\Lsa]
   Old value:
   • "restrictanonymous"=dword:00000000
   • "restrictanonymoussam"=dword:00000001
   New value:
   • "restrictanonymous"=dword:00000001
   • "restrictanonymoussam"=dword:00000001

Network Infection In order to ensure its propagation the malware attemps to connect to other machines as described below.

It drops copies of itself to the following network shares:
   • C:$\Windows\System32
   • C:$\WINNT\System32
   • ADMIN$\System32
   • IPC$

It uses the following login information in order to gain access to the remote machine:

–Cached usernames and passwords.

– The following list of usernames:
   • access; admin; administrator; backup; barbara; blank; brian; bruce;
      capitol; cisco; compaq; control; default; domain; exchange; exchnge;
      frank; freddy; george; guest; headoffice; heaven; homeuser; internet;
      internet; intranet; katie; login; nokia; oeminstall; office; orange;
      peter; siemens; spencer; staff; student; student1; susan; teacher;
      technical; turnip; yellow

– The following list of passwords:
   • 123; 1234; 12346; 123467; 1234678; 12346789; 123467890; accounting;
      accounts; changeme; databasepass; databasepassword; db1234; dbpass;
      dbpassword; default; domain; domainpass; domainpassword;
      domainpassword; hell; hello; loginpass; outlook; pass1234; passwd;
      password; password1; qwerty; server; system; sqlpass; userpassword;
      win2000; win2k; win98; windows; winpass; winnt; winxp

It makes use of the following Exploits:
– MS02-061 (Elevation of Privilege in SQL Server Web)
– MS03-026 (Buffer Overrun in RPC Interface)
– MS04-011 (LSASS Vulnerability)

IP address generation:
It creates random IP addresses while it keeps the first two octets from its own address. Afterwards it tries to establish a connection with the created addresses.

Infection process:
Creates a TFTP script on the compromised machine in order to download the malware to the remote location.

Slow down:
– Depending on your bandwidth you might notice a fall in your network speed. As the network activity for this malware is medium you might not take notice of this if you have a broadband connection.
– You might also notice a slow down due to the multiple network threads created.

IRC To deliver system information and to provide remote control it connects to the following IRC Server:

Server: real.prof**********.us
Port: 62173
Channel: #ra
Nickname: rF-%random character string%

– This malware has the ability to collect and send information such as:
    • Cached passwords
    • CPU speed
    • Free disk space
    • Free memory
    • Information about the network
    • Information about running processes
    • Size of memory
    • Username

– Furthermore it has the ability to perform actions such as:
    • connect to IRC server
    • Launch DDoS SYN flood
    • Launch DDoS TCP flood
    • Launch DDoS UDP flood
    • Disable DCOM
    • Download file
    • Edit registry
    • Enable network shares
    • Execute file
    • Join IRC channel
    • Kill process
    • Open remote shell
    • Restart system
    • Send emails

Backdoor The following ports are opened:

– %SYSDIR%\wvsvc.exe on UDP port 69 in order to provide a TFTP server.
– %SYSDIR%\wvsvc.exe on a random TCP port in order to provide a remote Shell.

Stealing It tries to steal the following information:
– Windows Product ID

– The following CD keys:
   • Battlefield 1942; Battlefield 1942 (Road To Rome); Battlefield 1942
      (Secret Weapons of WWII); Battlefield Vietnam; Black and White; Call
      of Duty; Chrome; Command and Conquer: Generals; Command and Conquer:
      Generals (Zero Hour); Command and Conquer: Red Alert; Command and
      Conquer: Red Alert 2; Command and Conquer: Tiberian Sun;
      Counter-Strike (Retail); FarCry; FIFA 2002; FIFA 2003; Freedom Force;
      Global Operations; Ground Control II; Gunman Chronicles; Half-Life;
      Hidden & Dangerous 2; IGI 2: Covert Strike; Industry Giant 2; James
      Bond 007: Nightfire; Joint Operations: Typhoon Rising; Legends of
      Might and Magic; Medal of Honor: Allied Assault; Medal of Honor:
      Allied Assault: Breakthrough; Medal of Honor: Allied Assault:
      Spearhead; Nascar Racing 2002; Nascar Racing 2003; Need For Speed Hot
      Pursuit 2; Need For Speed:Underground; Neverwinter Nights (Hordes of
      the Underdark); Neverwinter Nights (Shadows of Undrentide); NHL 2002;
      NHL 2003; NOX; Rainbow Six III RavenShield; Shogun Total War - Warlord
      Edition; Soldier of Fortune II - Double Helix; Soldiers Of Anarchy;
      The Gladiators; Unreal Tournament 2003; Unreal Tournament 2004

– A logging routine is started after keystrokes are typed that match one of the following strings:
   • Admin; advscan; asc; auth; hashin; id; Login; login; pass; PASS; pass;
      PASSWORD; Password; paypal; paypal; paypal.com; scan.all; scan.start;
      scan.startall; secure; start.scan; syn; USER; user

Miscellaneous Mutex:
It creates the following Mutex:
• ra

File details Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
• PE_Patch.Morphine; Morphine; ASPack

See a brief description here.

Description inserted by Irina Boldea on Thu, 04 Aug 2005 16:05 (GMT+1)
Description updated by Oliver Auerbach on Fri, 19 Aug 2005 22:30 (GMT+1)

» About Malware
» About Phishing
» Viruses In the Wild

« back