Threat Encyclopedia

WORM_RBOT.QP

Malware type: Worm

Aliases: Backdoor.Win32.Rbot.dl (Kaspersky), W32/Sdbot.worm.gen.t (McAfee), W32.Spybot.Worm (Symantec), TR/Crypt.XPACK.Gen (Avira), W32/Rbot-QP (Sophos),

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 95, 98, ME, NT, 2000, XP

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential:

High

Distribution potential:

High

Description: 

This worm propagates by dropping a copy of itself in accessible network shares by logging on using the account of the currently logged user on the infected system. It may also use a list of user names and passwords to gain access on target machines.

It has backdoor capabilities, and may execute commands coming from a remote malicious user. It also terminates several processes and steals CD keys of certain game applications.

This worm runs on Windows 95, 98, ME, NT, 2000, and XP.

For additional information about this threat, see:

Description created: Oct. 8, 2004 12:58:37 AM GMT -0800
Description updated: Dec. 3, 2004 12:36:59 AM GMT -0800


TECHNICAL DETAILS


Size of malware: 193,606 Bytes

Initial samples received on: Oct 8, 2004

Payload 1: Steals CD keys

Details:

Installation and Autostart Techniques

This worm may arrive on a system via the following network shares:

  • Admin$
  • Ipc$

Upon execution, it drops a copy of itself in the Windows system folder as the file XVSHOST.EXE.

It creates the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Microsoft Update Machine = �xvshost.exe�

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
Microsoft Update Machine = �xvshost.exe�

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\RunServices
Microsoft Update Machine = �xvshost.exe�

Network Propagation

This worm propagates by dropping a copy of itself in accessible network shares by logging on using the account of the currently logged user on the infected system. It may also use the following list of user names and passwords to gain access on target machines:

  • 12345
  • 123456
  • 1234567
  • 12345678
  • 123456789
  • 1234567890
  • access
  • accounting
  • accounts
  • administrador
  • administrat
  • administrateur
  • administrator
  • admins
  • backup
  • bitch
  • blank
  • brian
  • changeme
  • chris
  • cisco
  • compaq
  • computer
  • control
  • database
  • databasepass
  • databasepassword
  • db1234
  • dbpass
  • dbpassword
  • default
  • domain
  • domainpass
  • domainpassword
  • exchange
  • george
  • guest
  • hello
  • homeuser
  • internet
  • intranet
  • katie
  • linux
  • login
  • loginpass
  • nokia
  • oeminstall
  • oemuser
  • office
  • oracle
  • orainstall
  • outlook
  • owner
  • pass1234
  • passwd
  • password
  • password1
  • peter
  • qwerty
  • server
  • siemens
  • sqlpassoainstall
  • staff
  • student
  • susan
  • system
  • teacher
  • technical
  • win2000
  • win2k
  • win98
  • windows
  • winnt
  • winpass
  • winxp
  • wwwadmin

Backdoor Capabilities

This worm connects to an Internet Relay Chat (IRC) server and waits for commands coming from a remote malicious user. It is able to perform the following commands:

  • Shut down the system
  • Start, delete, or disable a service
  • Get system status information
  • Get network information
  • Start a keylogger
  • Add/Delete network shared folders
  • Start a distributed denial of service (DDoS) attack against an IP address
  • Download updates of itself
  • Execute shell commands
  • Activate anti-antivirus and anti-firewall software

Process Termination

This worm also terminates the following processes, if found running on the system:

  • bbeagle.exe
  • d3dupdate.exe
  • i11r54n4.exe
  • irun4.exe
  • MSBLAST.exe
  • msblast.exe
  • msconfig.exe
  • mscvb32.exe
  • navapw32.exe
  • navw32.exe
  • netstat.exe
  • PandaAVEngine.exe
  • Penis32.exe
  • rate.exe
  • regedit.exe
  • ssate.exe
  • sysinfo.exe
  • SysMonXP.exe
  • teekids.exe
  • wincfg32.exetaskmon.exe
  • winsys.exe
  • winupd.exe
  • zapro.exe
  • zonealarm.exe

Information Theft

The worm steals the CD keys of the following games:

  • Battlefield 1942
  • Battlefield 1942 (Road To Rome)
  • Battlefield 1942 (Secret Weapons of WWII)
  • Battlefield Vietnam
  • Black and White
  • Chrome
  • Command and Conquer: Generals
  • Command and Conquer: Generals (Zero Hour)
  • Command and Conquer: Red Alert
  • Command and Conquer: Red Alert 2
  • Command and Conquer: Tiberian Sun
  • Counter-Strike (Retail)
  • FIFA 2002
  • FIFA 2003
  • Freedom Force
  • Global Operations
  • Gunman Chronicles
  • Half-Life
  • Hidden & Dangerous 2
  • IGI 2: Covert Strike
  • Industry Giant 2
  • James Bond 007: Nightfire
  • Legends of Might and Magic
  • Medal of Honor: Allied Assault
  • Medal of Honor: Allied Assault: Breakthrough
  • Medal of Honor: Allied Assault: Spearhead
  • Nascar Racing 2003Nascar Racing 2002
  • Need For Speed Hot Pursuit 2
  • Need For Speed: Underground
  • Neverwinter Nights
  • Neverwinter Nights (Hordes of the Underdark)
  • Neverwinter Nights (Shadows of Undrentide)
  • NHL 2002
  • NHL 2003
  • Rainbow Six III RavenShield
  • Shogun: Total War: Warlord Edition
  • Soldier of Fortune II - Double Helix
  • Soldiers Of Anarchy
  • The Gladiators
  • Unreal Tournament 2003
  • Unreal Tournament 2004

Other Details

This worm contains the following strings:

netninjaz_place
netmaniac was here
neTmaNiac




Analysis by: Juan Cesar Cuevas


SOLUTION


Minimum scan engine version needed: 6.810

Pattern file needed: 2.278.03

Pattern release date: Oct 8, 2004


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

AUTOMATIC REMOVAL INSTRUCTIONS

To automatically remove this malware from your system, please use Trend Micro Damage Cleanup Engine and Template.

MANUAL REMOVAL INSTRUCTIONS

Terminating the Malware Program

This procedure terminates the running malware process.

  1. Open Windows Task Manager.
    � On Windows 95, 98, and ME, press
    CTRL+ALT+DELETE
    � On Windows NT, 2000, and XP, press
    CTRL+SHIFT+ESC, then click the Processes tab.
  2. In the list of running programs*, locate the process:
    Xvshost.exe
  3. Select the malware process, then press either the End Task or the End Process button, depending on the version of Windows on your system.
  4. To check if the malware process has been terminated, close Task Manager, and then open it again.
  5. Close Task Manager.

*NOTE: On systems running Windows 95, 98, and ME, Windows Task Manager may not show certain processes. You can use a third party process viewer such as Process Explorer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing at startup.

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the entry:
    Microsoft Update Machine = �xvshost.exe�
  4. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>Run
  5. In the right panel, locate and delete the entry:
    Microsoft Update Machine = �xvshost.exe�
  6. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>
    Windows>CurrentVersion>Run
  7. In the right panel, locate and delete the entry:
    Microsoft Update Machine = �xvshost.exe�
  8. Close Registry Editor.

NOTE: If you were not able to terminate the malware process as described in the previous procedure, restart your system.

Additional Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected systems.

Users running other Windows versions can proceed with the succeeding procedure sets.

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as WORM_RBOT.QP. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro�s online virus scanner.


Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network, small and medium business, mobile device or home PC.

Featured Stories

Connect with us on