English
Deutsch
Francais
Español
Italian
Home
Virus Info
Worm/Rbot.pac.8
Search
Home
Support
Solutions
Products
Downloads
Virus Info
Statistics
Phishing Worldmap
VDF History
Virus Science
Submit Sample
Security News
Viruses In the Wild
Company
Press
Partners
Newsletter
Worm/Rbot.pac.8 - Worm
See also
Summary
Full description
Statistics
How would you rate this information?
Worthless
Excellent
Virus:
Worm/Rbot.pac.8
Date discovered:
21/09/2005
Type:
Worm
In the wild:
Yes
Reported Infections:
Low
Distribution Potential:
Medium
Damage Potential:
Medium
Static file:
Yes
File size:
138.240 Bytes
MD5 checksum:
10e18e783f3c5e84ee0375e783ecf77b
VDF version:
6.32.0.17
General
Methods of propagation:
• Local network
• Mapped network drives
Aliases:
• Symantec: W32.Spybot.Worm
• Mcafee: W32/Sdbot.worm.gen.i
• Kaspersky: Backdoor.Win32.Rbot.pac
• Bitdefender: Backdoor.Rbot.PAC
Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Disable security applications
• Lowers security settings
• Registry modification
• Steals information
• Third party control
Files
It copies itself to the following location:
•
%SYSDIR%
\updates.pif
Registry
The following registry keys are added in order to run the processes after reboot:
– [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
• "System Updates Service" = "updates.pif"
– [HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
• "System Updates Service" = "updates.pif"
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
• "System Updates Service" = "updates.pif"
– [HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices]
• "System Updates Service" = "updates.pif"
The following registry keys are added:
– [HKLM\Software\Microsoft\OLE]
• "System Updates Service" = "updates.pif"
– [HKLM\SYSTEM\CurrentControlSet\Control\Lsa]
• "System Updates Service" = "updates.pif"
– [HKCU\Software\Microsoft\OLE]
• "System Updates Service" = "updates.pif"
– [HKCU\SYSTEM\CurrentControlSet\Control\Lsa]
• "System Updates Service" = "updates.pif"
Network Infection
In order to ensure its propagation the malware attemps to connect to other machines as described below.
It drops copies of itself to the following network shares:
• C:\
• ADMIN$
• IPC$
Exploit:
It makes use of the following Exploits:
–
MS03-026
(Buffer Overrun in RPC Interface)
–
MS03-039
(Buffer Overrun in RPCSS Service)
–
MS03-049
(Buffer Overrun in the Workstation Service)
–
MS04-007
(ASN.1 Vulnerability)
–
MS05-039
(Vulnerability in Plug and Play)
IP address generation:
It creates random IP addresses while it keeps the first two octets from its own address. Afterwards it tries to establish a connection with the created addresses.
Infection process:
Creates a TFTP or FTP script on the compromised machine in order to download the malware to the remote location.
IRC
Server: **********omfgwtfbbq.biz
Port: 4654
Server password: jew1sh
Channel: #.wtf5
Nickname:
%random character string%
Password: stfubitch
Server: **********omfgwtfbbq.biz
Port: 65529
Server password: jew1sh
Channel: #.wtf5
Nickname:
%random character string%
Password: stfubitch
Server: **********urgentupdate.net
Port: 1427
Server password: jew1sh
Channel: #.wtf5
Nickname:
%random character string%
Password: stfubitch
Server: **********urgentupdate.net
Port: 65528
Server password: jew1sh
Channel: #.wtf5
Nickname:
%random character string%
Password: stfubitch
– This malware has the ability to collect and send information such as:
• CPU speed
• Current user
• Details about drivers
• Free disk space
• Free memory
• Information about the network
• Platform ID
• Size of memory
• Username
– Furthermore it has the ability to perform actions such as:
• connect to IRC server
• Launch DDoS ICMP flood
• Disable DCOM
• Disable network shares
• Download file
• Enable DCOM
• Enable network shares
• Execute file
• Join IRC channel
• Kill process
• Leave IRC channel
• Open remote shell
• Perform network scan
• Perform port redirection
• Register a service
• Restart system
• Terminate malware
• Terminate process
• Visit a website
File details
Programming language:
The malware program was written in MS Visual C++.
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.
See a brief description
here
.
Description inserted by Iulian Popa on Wed, 21 Sep 2005 15:15 (GMT+1)
Description updated by Iulian Popa on Wed, 28 Sep 2005 15:33 (GMT+1)
»
About Malware
»
About Phishing
»
Viruses In the Wild
« back
Print this page
Worm/Mytob.AT
Worm/Mytob.U
TR/Crypt.CFI.Gen
Worm/Netsky.J
Worm/Mytob.AD
HEUR/PDF.Obfuscated
SPR/mIRC.Gen
TR/Crypt.UPKM.Gen
JS/Dldr.Agent.cex
TR/Dldr.Tiny.bqw
Get comfortable up to the minute info from Avira as
Detects and removes the following malware and its variants:
Worm/Sober.J
Worm/Sober.P
Worm/Sober.Y
W32/Stanit.A
Worm/NetSky.AA
Worm/NetSky.B.1
Worm/NetSky.C
Worm/Netsky.D.Dam
Worm/NetSky.P
Worm/NetSky.X
Worm/Mytob.IN.2
Worm/Mytob.KS
TR/Spy.Banker.AATZ
TR/Spy.Banker.AATZ.1
TR/Spy.Banker.AATZ.2
TR/Spy.Banker.AATZ.3
Download here
Click
here
to get the panel...
© 2008 Avira GmbH
Copyright
Privacy
Sitemap
Feedback
Imprint
FAQ
Contact
Virus Info Worm/Rbot.pac.8
Print this page
.gif)
