English
Deutsch
Francais
Español
Italian
Home
Virus Info
Worm/RBot.139264.2
Search
Home
Support
Solutions
Products
Downloads
Virus Info
Statistics
Phishing Worldmap
VDF History
Virus Science
Submit Sample
Security News
Viruses In the Wild
Company
Press
Partners
Newsletter
Worm/RBot.139264.2 - Worm
See also
Summary
Full description
Statistics
How would you rate this information?
Worthless
Excellent
Virus:
Worm/RBot.139264.2
Date discovered:
02/09/2005
Type:
Worm
In the wild:
No
Reported Infections:
Low
Distribution Potential:
Medium
Damage Potential:
Medium
Static file:
Yes
File size:
139.264 Bytes
MD5 checksum:
3fef0de491e96a3c15d6bd0be1e1841e
VDF version:
6.31.1.196
General
Method of propagation:
• Local network
Aliases:
• Symantec: W32.Spybot.Worm
• Mcafee: W32/Sdbot.worm.gen.ar
• VirusBuster: Worm.Rbot.CIB
• Bitdefender: Backdoor.Rbot.AAG
Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Downloads a malicious file
• Registry modification
• Makes use of software vulnerability
• Steals information
• Third party control
Files
It copies itself to the following location:
• %sysdir%\windows.pif
It deletes the initially executed copy of itself.
It deletes the following file:
• %sysdir%\windows.pif
The following file is created:
– A file that is for temporary use and it might be deleted afterwards:
•
%random character string%
.exe
– %temp%\del.bat Furthermore it gets executed after it was fully created. This batch file is used to delete a file.
It tries to download a file:
– The locations are the following:
• http://**********.79.160.8/ts32.dll
• http://**********.79.160.8/sys.dll
It is saved on the local hard drive under: %sysdir%\msdos.pif Furthermore this file gets executed after it was fully downloaded. Further investigation pointed out that this file is malware, too.
Registry
The following registry keys are added in order to run the processes after reboot:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• "MSDOS Security Service"="msdos.pif"
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
• "MSDOS Security Service"="msdos.pif"
The following registry keys are added in order to load the services after reboot:
– [HKLM\SOFTWARE\Microsoft\Ole]
• "MSDOS Security Service"="msdos.pif"
– [HKLM\SYSTEM\CurrentControlSet\Control\Lsa]
• "MSDOS Security Service"="msdos.pif"
The following registry keys are changed:
– [HKLM\SOFTWARE\Microsoft\Ole]
Old value:
• "EnableDCOM"=
%user defined settings%
New value:
• "EnableDCOM"="N"
– [HKLM\SYSTEM\CurrentControlSet\Control\Lsa]
Old value:
• "restrictanonymous"=
%user defined settings%
New value:
• "restrictanonymous"=dword:00000001
Network Infection
In order to ensure its propagation the malware attemps to connect to other machines as described below.
It drops copies of itself to the following network shares:
• admin$
• Admin$\system32
• ipc$
Exploit:
It makes use of the following Exploits:
–
MS03-026
(Buffer Overrun in RPC Interface)
–
MS03-049
(Buffer Overrun in the Workstation Service)
–
MS04-007
(ASN.1 Vulnerability)
–
MS04-011
(LSASS Vulnerability)
–
MS05-039
(Vulnerability in Plug and Play)
IP address generation:
It creates random IP addresses and tries to establish a connection with them.
Infection process:
Creates a TFTP or FTP script on the compromised machine in order to download the malware to the remote location.
IRC
To deliver system information and to provide remote control it connects to the following IRC Servers:
Server: **********.security.security32.biz
Port: 65528
Server password: gringle
Channel: #udz#
Nickname:
%eight-digit random character string%
Password: shabby123
Server: **********.security.updates32.biz
Port: 4654
Server password: gringle
Channel: #udz#
Nickname:
%eight-digit random character string%
Password: shabby123
Server: **********.security.security32.biz
Port: 4564
Server password: gringle
Channel: #udz#
Nickname:
%eight-digit random character string%
Password: shabby123
Server: **********.security.updates32.biz
Port: 65529
Server password: gringle
Channel: #udz#
Nickname:
%eight-digit random character string%
Password: shabby123
Server: **********.service.security32.biz
Port: 65528
Server password: gringle
Channel: #udz#
Nickname:
%eight-digit random character string%
Password: shabby123
Server: **********.service.updates32.biz
Port: 4654
Server password: gringle
Channel: #udz#
Nickname:
%eight-digit random character string%
Password: shabby123
Server: **********.service.security32.biz
Port: 4564
Server password: gringle
Channel: #udz#
Nickname:
%eight-digit random character string%
Password: shabby123
Server: **********.service.updates32.biz
Port: 65529
Server password: gringle
Channel: #udz#
Nickname:
%eight-digit random character string%
Password: shabby123
Server: **********.security.security32.biz
Port: 65528
Server password: gringle
Channel: #tests
Nickname:
%eight-digit random character string%
Password: -s
Server: **********.security.updates32.biz
Port: 4654
Server password: gringle
Channel: #tests
Nickname:
%eight-digit random character string%
Password: -s
Server: **********.security.security32.biz
Port: 4564
Server password: gringle
Channel: #tests
Nickname:
%eight-digit random character string%
Password: -s
Server: **********.security.updates32.biz
Port: 65529
Server password: gringle
Channel: #tests
Nickname:
%eight-digit random character string%
Password: -s
Server: **********.service.security32.biz
Port: 65528
Server password: gringle
Channel: #tests
Nickname:
%eight-digit random character string%
Password: -s
Server: **********.service.updates32.biz
Port: 4654
Server password: gringle
Channel: #tests
Nickname:
%eight-digit random character string%
Password: -s
Server: **********.service.security32.biz
Port: 4564
Server password: gringle
Channel: #tests
Nickname:
%eight-digit random character string%
Password: -s
Server: **********.service.updates32.biz
Port: 65529
Server password: gringle
Channel: #tests
Nickname:
%eight-digit random character string%
Password: -s
– This malware has the ability to collect and send information such as:
• CPU speed
• Current user
• Free disk space
• Free memory
• Malware uptime
• Platform ID
• Size of memory
• System directory
– Furthermore it has the ability to perform actions such as:
• Launch DDoS SYN flood
• Disable DCOM
• Disable network shares
• disconnect from IRC server
• Download file
• Enable DCOM
• Enable network shares
• Execute file
• Join IRC channel
• Leave IRC channel
• Open remote shell
• Perform network scan
• Start spreading routine
• Updates itself
• Upload file
Miscellaneous
Mutex:
It creates the following Mutex:
• msdoss
File details
Programming language:
The malware program was written in MS Visual C++.
See a brief description
here
.
Description inserted by Iulia Diaconescu on Fri, 02 Sep 2005 17:33 (GMT+1)
Description updated by Iulia Diaconescu on Mon, 19 Sep 2005 14:30 (GMT+1)
»
About Malware
»
About Phishing
»
Viruses In the Wild
« back
Print this page
Worm/Mytob.AT
Worm/Mytob.U
TR/Crypt.CFI.Gen
Worm/Netsky.J
Worm/Mytob.AD
HEUR/PDF.Obfuscated
SPR/mIRC.Gen
TR/Crypt.UPKM.Gen
JS/Dldr.Agent.cex
TR/Dldr.Tiny.bqw
Get comfortable up to the minute info from Avira as
Detects and removes the following malware and its variants:
Worm/Sober.J
Worm/Sober.P
Worm/Sober.Y
W32/Stanit.A
Worm/NetSky.AA
Worm/NetSky.B.1
Worm/NetSky.C
Worm/Netsky.D.Dam
Worm/NetSky.P
Worm/NetSky.X
Worm/Mytob.IN.2
Worm/Mytob.KS
TR/Spy.Banker.AATZ
TR/Spy.Banker.AATZ.1
TR/Spy.Banker.AATZ.2
TR/Spy.Banker.AATZ.3
Download here
Click
here
to get the panel...
© 2008 Avira GmbH
Copyright
Privacy
Sitemap
Feedback
Imprint
FAQ
Contact
Virus Info Worm/RBot.139264.2
Print this page
.gif)
