Worm/Rbot.XN - Worm

See also

Summary

Full description

Statistics

Virus:	Worm/Rbot.XN
Date discovered:	08/08/2005
Type:	Worm
In the wild:	No
Reported Infections:	Low
Distribution Potential:	Medium
Damage Potential:	Medium
Static file:	Yes
File size:	499.712 Bytes
MD5 checksum:	336e4ef735bf545151b5cdd11ddd1d1d
VDF version:	6.31.01.68 - Mon, 08 Aug 2005 11:39 (GMT+1)

General Methods of propagation:
   • Local network
   • Mapped network drives

Aliases:
   • Kaspersky: Backdoor.Win32.Rbot.xn
   • TrendMicro: WORM_RBOT.BXP
   • Sophos: W32/Rbot-AOK
   • Grisoft: IRC/BackDoor.SdBot.HFN
   • VirusBuster: virus Worm.RBot.CFJ
   • Bitdefender: Backdoor.Rbot.XN

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Uses its own Email engine
   • Registry modification
   • Makes use of software vulnerability
   • Third party control

Files It copies itself to the following location:
• %SYSDIR%\%three-digit random character string%.exe

It deletes the initially executed copy of itself.

Registry The following registry keys are added in order to run the processes after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Windows ASN Service"="%executed file%"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
   • "Windows ASN Service"="%executed file%"

The following registry keys are added:

– [HKLM\SOFTWARE\Licenses]
   • "{R7C0DB872A3F777C0}"=%hex values%
   • "{K7C0DB872A3F777C0}"=%hex values%
   • "{I5D8DDAB8BD72C6E7}"=%hex values%
   • "{05D8DDAB8BD72C6E7}"=%hex values%

– [HKLM\SOFTWARE\Microsoft\RFC1156Agent\CurrentVersion\Parameters]
   • "TrapPollTimeMilliSecs"=dword:00003a98

– [HKCR\CLSID\{22A6FF82-B3E0-94BB-5FCD-EA067B86810F}]

The following registry keys are changed:

– [HKLM\SOFTWARE\Microsoft\Ole]
   Old value:
   • "EnableDCOM"=%user defined settings%
   New value:
   • "EnableDCOM"="N"

– [HKLM\SYSTEM\CurrentControlSet\Control\Lsa]
   Old value:
   • "restrictanonymous"=%user defined settings%
   • "restrictanonymoussam"=%user defined settings%
   New value:
   • "restrictanonymous"=dword:00000001
   • "restrictanonymoussam"=dword:00000001

Network Infection In order to ensure its propagation the malware attemps to connect to other machines as described below.

It drops copies of itself to the following network shares:
   • IPC$
   • ADMIN$
   • C$
   • C:\
   • D$
   • D:\

It uses the following login information in order to gain access to the remote machine:

– A list of usernames and passwords:
   • 12; 123; 1234; 2000; 2001; 2002; 2003; 2004; 12345; 123456; 1234567;
      12345678; 123456789; 1234567890; access; accounting; accounts; adm;
      admin; administrador; administrat; administrateur; administrator;
      admins; asd; backup; bill; bitch; blank; bob; brian; changeme; chris;
      cisco; compaq; computer; control; data; database; databasepass;
      databasepassword; db1; db1234; db2; dba; dbpass; dbpassword; default;
      dell; demo; domain; domainpass; domainpassword; eric; exchange; fred;
      fuck; george; god; guest; hell; hello; home; homeuser; hp; ian; ibm;
      internet; intranet; jen; joe; john; kate; katie; lan; lee; linux;
      login; loginpass; luke; mail; main; mary; mike; neil; nokia; none;
      null; oem; oeminstall; oemuser; office; oracle; orainstall; outlook;
      owner; pass; pass1234; passwd; password; password1; peter; pwd; qaz;
      qwe; qwerty; root; sa; sam; server; sex; siemens; slut; sql;
      sqlpassoainstall; staff; student; sue; susan; system; teacher;
      technical; test; unix; user; web; win2000; win2k; win98; windows;
      winnt; winpass; winxp; www; wwwadmin; xp; zxc

Exploit:
It makes use of the following Exploits:
– MS03-026 (Buffer Overrun in RPC Interface)
– MS03-039 (Buffer Overrun in RPCSS Service)
– MS03-049 (Buffer Overrun in the Workstation Service)
– MS04-007 (ASN.1 Vulnerability)
– MS04-011 (LSASS Vulnerability)

IRC To deliver system information and to provide remote control it connects to the following IRC Server:

Server: 94.amdweb**********.com
Port: 6667
Server password: R4DRR4KZ6ZD3
Channel: #asn
Nickname: sMB-%six-digit random character string%
Password: NdIVyk5D

– This malware has the ability to collect and send information such as:
    • CPU speed
    • Current user
    • Details about drivers
    • Free disk space
    • Free memory
    • Malware uptime
    • Information about the network
    • Information about running processes
    • Size of memory
    • Username
    • Users' local activity
    • Information about the Windows operating system

– Furthermore it has the ability to perform actions such as:
    • connect to IRC server
    • Launch DDoS ICMP flood
    • Launch DDoS SYN flood
    • Launch DDoS UDP flood
    • Disable DCOM
    • Disable network shares
    • disconnect from IRC server
    • Download file
    • Enable DCOM
    • Enable network shares
    • Execute file
    • Join IRC channel
    • Kill process
    • Leave IRC channel
    • Open remote shell
    • Perform DDoS attack
    • Perform network scan
    • Register a service
    • Restart system
    • Send emails
    • Shut down system
    • Terminate malware
    • Terminate process
    • Updates itself
    • Upload file

Miscellaneous Mutex:
It creates the following Mutexes:
• rzasn
• RALAAD91808

File details Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
• Armadillo

See a brief description here.

Description inserted by Daniel Constantin on Tue, 04 Apr 2006 12:14 (GMT+1)
Description updated by Daniel Constantin on Tue, 04 Apr 2006 14:41 (GMT+1)

» About Malware
» About Phishing
» Viruses In the Wild

« back