WORM_RBOT.BCT

Malware type: Worm

Aliases: Backdoor.Win32.Rbot.gen (Kaspersky), W32/Sdbot.worm.gen.bh (McAfee), W32.Spybot.Worm (Symantec), Worm/Gaobot.148992 (Avira)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 98, ME, NT, 2000, XP

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential: High

Distribution potential: High

Description: 

This memory-resident worm spreads via network shares. It exploits certain vulnerabilities to propagate across networks. It takes advantage of the following Windows vulnerabilities:

  • IIS5/WEBDAV Buffer Overflow vulnerability
  • Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability
  • Windows LSASS vulnerability

For more information about these Windows vulnerabilities, please refer to the following Microsoft Web pages:

It uses a list of user names and passwords to log on to target network shares, where it then attempts to drop a copy of itself.

It has backdoor capabilities, which allows it to act as a server program controlled by Internet Relay Chat (IRC). This allows a remote user to access the infected system and perform malicious commands. It can also steal the Windows product ID and CD keys of popular game applications.

This worm also has the ability to launch denial of service (DoS) attacks to certain locations using various flooding methods. It can also terminate certain processes, most of which are related to other malware programs.

For additional information about this threat, see:

Description created: Apr. 12, 2005 7:51:45 AM GMT -0800


TECHNICAL DETAILS


File type: PE

Memory resident: Yes

Size of malware: 148,992 Bytes

Ports used: Varies

Initial samples received on: Apr 11, 2005

Vulnerability used: (MS04-011) Security Update for Microsoft Windows (835732), (MS03-007) Unchecked Buffer In Windows Component Could Cause Server Compromise (815021), (MS03-026) Buffer Overrun In RPC Interface Could Allow Code Execution

Payload 1: Compromises system security

Payload 2: Steals CD keys

Details:

Installation and Autostart Technique

Upon execution, this memory-resident worm drops a copy of itself in the Windows system folder as the following file:

    DOEZS.EXE

This dropped file has its attributes set to Hidden, Read Only, and System to avoid detection.

It adds the following registry entries to enable its dropped copy to run at every Windows startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft UpMachine = "doezs.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft UpMachine = "doezs.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
Microsoft UpMachine = "doezs.exe"

Other Registry Modifications

This worm also modifies the following registry entries:

HKEY_LOCAL_MACHINE\Software\Microsoft\Ole
EnableDCOM = "Y"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
restrictanonymous = "dword:00000000"

These registry entries are changed into the following, respectively:

HKEY_LOCAL_MACHINE\Software\Microsoft\Ole
EnableDCOM = "N"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
restrictanonymous = "dword:00000001"
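The autostart entries and the Ole/Lsa changes listed above can be checked offline from a regedit export (a .reg file). The following is an added example for defenders, not Trend Micro's code: it parses the subset of .reg syntax needed and flags the key paths and values this advisory names; the sample export is constructed.

```python
# Added example (not Trend Micro's code): scan a regedit export for the
# WORM_RBOT.BCT autostart entries and the EnableDCOM / restrictanonymous
# changes described in this advisory. The sample .reg text is constructed.
import re

# Autostart locations the worm writes, lower-cased (the registry is case-insensitive).
AUTOSTART_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
OLE_KEY = r"hkey_local_machine\software\microsoft\ole"
LSA_KEY = r"hkey_local_machine\system\currentcontrolset\control\lsa"
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')


def parse_reg_export(text):
    """Parse [key] headers, "name"="string" and "name"=dword:hex lines into
    {key: {name: value}}; keys and names are lower-cased."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            reg.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue
        data = m.group("data")
        value = int(data[6:], 16) if data.startswith("dword:") else data.strip('"')
        reg[current][m.group("name").lower()] = value
    return reg


def find_rbot_indicators(reg):
    """Return (key, name, value, reason) tuples for entries matching the advisory."""
    findings = []
    for key in AUTOSTART_KEYS:
        for name, value in reg.get(key, {}).items():
            # Either the value name or the dropped file name from the advisory matches.
            if name == "microsoft upmachine" or str(value).lower().endswith("doezs.exe"):
                findings.append((key, name, value, "autostart entry for dropped copy"))
    if str(reg.get(OLE_KEY, {}).get("enabledcom", "")).upper() == "N":
        findings.append((OLE_KEY, "enabledcom", "N", "DCOM disabled by worm"))
    if reg.get(LSA_KEY, {}).get("restrictanonymous") == 1:
        findings.append((LSA_KEY, "restrictanonymous", 1, "anonymous access restricted by worm"))
    return findings


# Constructed sample export: one autostart entry, a benign entry, and both policy changes.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft UpMachine"="doezs.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000001
"""

if __name__ == "__main__":
    for finding in find_rbot_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(finding)
```

On a live system the same checks apply to an export made with `regedit /e`; the script only reads the file and never modifies the registry.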

Network Propagation

This worm spreads via network shares. It attempts to drop a copy of itself to the following shared folders within the network:

  • ADMIN$\system32
  • C$\Windows\system32
  • C$\WINNT\system32

If these shares are not readily accessible, it uses the following hardcoded list of user names and weak passwords to gain access to target shares:

  • 12345
  • 123456
  • 1234567
  • 12345678
  • 123456789
  • 1234567890
  • access
  • accounting
  • accounts
  • administrador
  • administrat
  • administrateur
  • admins
  • backup
  • bitch
  • blank
  • brian
  • changeme
  • chris
  • cisco
  • compaq
  • computer
  • control
  • database
  • databasepass
  • databasepassword
  • db1234
  • dbpass
  • dbpassword
  • default
  • domain
  • domainpass
  • domainpassword
  • exchange
  • george
  • guest
  • hello
  • homeuser
  • internet
  • intranet
  • katie
  • linux
  • login
  • loginpass
  • nokia
  • oeminstall
  • oemuser
  • office
  • oracle
  • orainstall
  • outlook
  • owner
  • pass1234
  • passwd
  • password
  • password1
  • peter
  • qwerty
  • server
  • siemens
  • sqlpassoainstall
  • staff
  • student
  • susan
  • system
  • teacher
  • technical
  • win2000
  • win2k
  • win98
  • windows
  • winnt
  • winpass
  • winxp
  • wwwadmin

Exploits

This worm takes advantage of the Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability present on Windows XP systems, which allows an attacker to gain full access and execute any code on a target machine, leaving it compromised.

Read more on this vulnerability from the following link:

This worm also exploits the IIS5/WEBDAV buffer overrun vulnerability affecting Windows NT platforms, which enables arbitrary code to execute on the server.

The following link offers more information from Microsoft about this vulnerability:

It also takes advantage of the Windows LSASS vulnerability, which is a buffer overrun vulnerability that allows remote code execution. Once successfully exploited, a remote attacker is able to gain full control of the affected system.

For more information about this vulnerability, refer to the following Microsoft pages:

Backdoor Capabilities

This worm acts as a server program controlled by an Internet Relay Chat (IRC) bot, thus capable of certain backdoor activities. It allows a remote malicious user to perform the following commands on the affected system:

  • Perform denial of service (DoS) attacks
  • Download/transfer files via FTP
  • Open/download Web pages from the Internet
  • Perform keylogging routines
  • Sniff packets sent and received by infected users
  • Perform remote execution of programs
  • Terminate processes
  • Gather email addresses and system information
  • Steal CD Keys

Information Theft

This worm also steals the Windows product ID, as well as the CD keys of the following game applications:

  • Battlefield 1942
  • Battlefield 1942: Secret Weapons Of WWII
  • Battlefield 1942: The Road To Rome
  • Battlefield 1942: Vietnam
  • Black and White
  • Command and Conquer: Generals
  • Command and Conquer: Generals: Zero Hour
  • Command and Conquer: Red Alert2
  • Command and Conquer: Tiberian Sun
  • Counter-Strike
  • FIFA 2002
  • FIFA 2003
  • Freedom Force
  • Global Operations
  • Gunman Chronicles
  • Half-Life
  • Hidden and Dangerous 2
  • IGI2: Covert Strike
  • Industry Giant 2
  • James Bond 007: Nightfire
  • Medal of Honor: Allied Assault
  • Medal of Honor: Allied Assault: Breakthrough
  • Medal of Honor: Allied Assault: Spearhead
  • Nascar Racing 2002
  • Nascar Racing 2003
  • Need For Speed: Hot Pursuit 2
  • Need For Speed: Underground
  • Neverwinter Nights
  • NHL 2002
  • NHL 2003
  • Ravenshield
  • Shogun: Total War: Warlord Edition
  • Soldier Of Fortune 2
  • Soldiers Of Anarchy
  • The Gladiators
  • Unreal Tournament 2003
  • Unreal Tournament 2004

Process Termination

This worm can also terminate the following processes related to other known malware programs:

  • bbeagle.exe
  • d3dupdate.exe
  • i11r54n4.exe
  • irun4.exe
  • MSBLAST.exe
  • mscvb32.exe
  • navapw32.exe
  • navw32.exe
  • netstat.exe
  • PandaAVEngine.exe
  • Penis32.exe
  • rate.exe
  • ssate.exe
  • sysinfo.exe
  • SysMonXP.exe
  • teekids.exe
  • wincfg32.exe
  • taskmon.exe
  • winsys.exe
  • winupd.exe
  • zapro.exe
  • zonealarm.exe

Denial of Service

This worm performs a denial of service (DoS) attack by using any of the following flooding methods:

  • ICMP Flood
  • PING flood
  • SYN flood
  • UDP flood

Analysis By: Ace Portuguez


SOLUTION


Minimum scan engine version needed: 6.810

Pattern file needed: 2.560.00

Pattern release date: Apr 12, 2005


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

Restarting in Safe Mode

• On Windows 98 and ME

  1. Restart your computer.
  2. Press the CTRL key until the startup menu appears.
  3. Choose the Safe Mode option then press Enter.

• On Windows NT (VGA mode)

  1. Click Start>Settings>Control Panel.
  2. Double-click the System icon.
  3. Click the Startup/Shutdown tab.
  4. Set the Show List field to 10 seconds and click OK to save this change.
  5. Shut down and restart your computer.
  6. Select VGA mode from the startup menu.

• On Windows 2000

  1. Restart your computer.
  2. Press the F8 key, when you see the Starting Windows bar at the bottom of the screen.
  3. Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.

• On Windows XP

  1. Restart your computer.
  2. Press F8 after the Power-On Self Test (POST) is done. If the Windows Advanced Options Menu does not appear, try restarting and then pressing F8 several times after the POST screen.
  3. Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.

Note: After performing all the solutions for the removal of this malware, please restart your system normally, and run your Trend Micro antivirus product.

Identifying the Malware Program

To remove this malware, first identify the malware program.

  1. Scan your system with your Trend Micro antivirus product.
  2. NOTE all files detected as WORM_RBOT.BCT.

Trend Micro customers need to download the latest pattern file before scanning their system. Other users can use Housecall, Trend Micro's free online virus scanner.

Terminating the Malware Program

This procedure terminates the running malware process. You will need the name(s) of the file(s) detected earlier.

  1. Open Windows Task Manager.
    • On Windows 98 and ME, press CTRL+ALT+DELETE
    • On Windows NT, 2000, and XP, press CTRL+SHIFT+ESC, then click the Processes tab.
  2. In the list of running programs*, locate the malware file(s) detected earlier.
  3. Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
  4. Do the same for all detected malware files in the list of running processes.
  5. To check if the malware process has been terminated, close Task Manager, and then open it again.
  6. Close Task Manager.

*NOTE: On systems running Windows 98 and ME, Windows Task Manager may not show certain processes. You can use a third party process viewer such as Process Explorer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.

Editing the Registry

This malware modifies the system's registry. Users affected by this malware may need to modify or delete specific registry keys or entries. For detailed information regarding registry editing, please refer to the following articles from Microsoft:

  1. HOW TO: Backup, Edit, and Restore the Registry in Windows 98 and Windows ME
  2. HOW TO: Backup, Edit, and Restore the Registry in Windows NT 4.0
  3. HOW TO: Backup, Edit, and Restore the Registry in Windows 2000
  4. HOW TO: Backup, Edit, and Restore the Registry in Windows XP

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing at startup.

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the entry:
    Microsoft UpMachine = "doezs.exe"
  4. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>RunServices
  5. In the right panel, locate and delete the entry:
    Microsoft UpMachine = "doezs.exe"
  6. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Run
  7. In the right panel, locate and delete the entry:
    Microsoft UpMachine = "doezs.exe"

Restoring Malware Registry Modifications

  1. Still in the Registry Editor, in the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>Ole
  2. In the right panel, right-click the following entry and choose Modify:
    EnableDCOM = "N"
  3. In the Value data field, type the following:
    EnableDCOM = "Y"
  4. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>System>CurrentControlSet>Control>Lsa
  5. Close Registry Editor.

NOTE: If you were not able to terminate the malware process as described in the previous procedure, restart your system.

Restoring EnableDCOM and RestrictAnonymous registry entries

This malware modifies EnableDCOM and RestrictAnonymous registry entries to a certain value. To know more about restoring these registries to their original values, please refer to these articles:

  1. COM security frequently asked questions
  2. How to disable DCOM support in Windows
  3. How to Use the RestrictAnonymous Registry Value in Windows 2000
  4. The "RestrictAnonymous" Registry Value May Break the Trust to a Windows 2000 Domain

Additional Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected systems.

Users running other Windows versions can proceed with the succeeding procedure sets.

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as WORM_RBOT.BCT. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

Applying Patches

This malware exploits known vulnerabilities in Windows. Download and install the fix patch supplied by Microsoft in the following pages:

Refrain from using this product until the appropriate patch has been installed. Trend Micro advises users to download critical patches upon release by vendors.
