WORM_RBOT.BRX

Malware type: Worm

Aliases: W32.Randex, W32/Sdbot.worm, Win32.Rbot.CXU

In the wild: Yes

Destructive: Yes

Language: English

Platform: Windows 2000, XP

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential: High

Distribution potential: High

Description: 

Upon execution, this memory-resident worm drops a copy of itself in the Windows system folder as PHQGHUM.EXE.

It then creates registry entries to ensure its automatic execution at every Windows startup.

This worm also takes advantage of the Windows LSASS vulnerability to propagate. For more information regarding the said vulnerability, refer to Microsoft Security Bulletin MS04-011.

This worm also has backdoor capabilities. Using a random port, it acts as an Internet Relay Chat (IRC) bot that connects to a remote IRC server and joins a specific IRC channel, where it listens for certain commands coming from a remote malicious user. It executes these commands locally on an affected machine, providing the remote user virtual control over the system.

It also launches a denial of service (DoS) attack against random IP addresses using various flood methods.

Description created: Jun. 30, 2005 9:22:22 PM GMT -0800


TECHNICAL DETAILS


File type: PE

Memory resident: Yes

Size of malware: 52,224 Bytes

Ports used: Random

Initial samples received on: Jun 28, 2005

Compression type: PEPack

Vulnerability used: (MS04-011) Security Update for Microsoft Windows (835732)

Payload 1: Launches denial of service (DoS) attack

Details:

Installation and Autostart Techniques

Upon execution, this memory-resident worm drops a copy of itself in the Windows system folder as PHQGHUM.EXE.

It then creates the following registry entries to ensure its automatic execution at every Windows startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
VIEW POINT DRIVERS = "phqghum.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
VIEW POINT DRIVERS = "phqghum.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
VIEW POINT DRIVERS = "phqghum.exe"

Windows Exploit

This worm takes advantage of the Windows LSASS vulnerability, which is a buffer overrun that allows remote code execution and enables a malicious user to gain full control of an affected system. More information on this vulnerability is found in Microsoft Security Bulletin MS04-011.

Backdoor Capabilities

This worm has backdoor capabilities. Using a random port, it acts as an Internet Relay Chat (IRC) bot that connects to a remote IRC server. It then joins a specific IRC channel, where it listens for the following commands coming from a remote malicious user:

  • Perform port scanning to detect vulnerable machines in a network
  • Open a command shell
  • Open files
  • Delete files
  • Disconnect and reconnect to IRC server
  • Remove and update itself
  • Download and execute files
  • Join an IRC channel
  • Perform basic IRC commands
  • Listen and execute commands
  • Redirect HTTP, HTTPS, SOCKS, and TCP streams
  • Obtain network and system information
  • Flush DNS
  • Terminate bots
  • Disconnect from an IRC channel
  • Send a message to the IRC server
  • Log keystrokes
  • Add/Remove default network shares
  • Get system information such as CPU speed, free memory, uptime, free disk space
  • Emulate an FTP server
  • List and terminate services and processes
  • Scan local area network for listening ports

It executes the said commands locally on the affected machine, thus providing the remote user virtual control over the affected system.

Denial of Service Attack

This worm launches a denial of service (DoS) attack against random IP addresses using any of the following flood methods:

  • ICMP
  • Ping
  • SYN
  • UDP

Other Details

This worm runs on Windows 2000 and XP.

Analysis By: Jeffrey F. Bernardino

Revision History:

First pattern file version: 5.954.03
First pattern file release date: Apr 08, 2009
 
Jun 30, 2005 - Modified Virus Report

SOLUTION


Minimum scan engine version needed: 6.810

Pattern file needed: 5.955.00

Pattern release date: Apr 8, 2009


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection.

Solution:

AUTOMATIC REMOVAL INSTRUCTIONS

MANUAL REMOVAL INSTRUCTIONS

Terminating the Malware Program

This procedure terminates the running malware process.

  1. Open Windows Task Manager.
    On Windows 2000 and XP, press CTRL+SHIFT+ESC, then click the Processes tab.
  2. In the list of running programs, locate the process:
    phqghum.exe
  3. Select the malware process, then press either the End Task or the End Process button, depending on the version of Windows on your system.
  4. To check if the malware process has been terminated, close Task Manager, and then open it again.
  5. Close Task Manager.

Editing the Registry

This malware modifies the system's registry. Users affected by this malware may need to modify or delete specific registry keys or entries. For detailed information regarding registry editing, please refer to the following articles from Microsoft:

  1. HOW TO: Back Up, Edit, and Restore the Registry in Windows XP
  2. HOW TO: Backup, Edit, and Restore the Registry in Windows 2000

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing at startup.

If the registry entries below are not found, the malware may not have executed as of detection. If so, proceed to the succeeding solution set.

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the entry:
    VIEW POINT DRIVERS = "phqghum.exe"
  4. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Run
  5. In the right panel, locate and delete the entry:
    VIEW POINT DRIVERS = "phqghum.exe"
  6. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>RunServices
  7. In the right panel, locate and delete the entry:
    VIEW POINT DRIVERS = "phqghum.exe"
  8. Close Registry Editor.
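The following PowerShell script is an added example; it is not a Trend Micro tool and is not part of the original report. It checks a host for the indicators this page lists (the phqghum.exe process, the dropped copy in the Windows system folder, and the "VIEW POINT DRIVERS" autostart value under the three Run/RunServices keys) and, when run with the -Remove switch, carries out the process-termination and registry-cleanup steps described above in one pass. Assumptions: it runs in an elevated PowerShell 4.0 or later session (Get-FileHash needs 4.0), the "Windows system folder" is %SystemRoot%\System32, and the -Remove switch is defined by this script rather than by any Trend Micro product.

```powershell
# Added example, not Trend Micro's code. Checks for the WORM_RBOT.BRX indicators
# named on this page and optionally removes them (-Remove). Run elevated.
param([switch]$Remove)

# Indicators taken from the page; the System32 location is an assumption.
$FileName    = 'phqghum.exe'
$ValueName   = 'VIEW POINT DRIVERS'
$DroppedFile = Join-Path $env:SystemRoot "System32\$FileName"
$RegKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
)

$findings = @()

# 1. Running process (the Task Manager step): stop it first so the file can be deleted.
$procName = [IO.Path]::GetFileNameWithoutExtension($FileName)
foreach ($p in (Get-Process -Name $procName -ErrorAction SilentlyContinue)) {
    $findings += "Process running: $($p.ProcessName) (PID $($p.Id))"
    if ($Remove) { Stop-Process -Id $p.Id -Force }
}

# 2. Autostart values under the three keys the page lists.
foreach ($key in $RegKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        $findings += "Autostart value: $key\$ValueName = $($item.$ValueName)"
        if ($Remove) { Remove-ItemProperty -Path $key -Name $ValueName }
    }
}

# 3. Dropped copy in the system folder; the page gives the sample size as 52,224 bytes.
if (Test-Path $DroppedFile) {
    $size = (Get-Item $DroppedFile).Length
    $hash = (Get-FileHash -Path $DroppedFile -Algorithm SHA256).Hash
    $findings += "Dropped file: $DroppedFile ($size bytes, SHA256 $hash)"
    if ($Remove) { Remove-Item -Path $DroppedFile -Force }
}

if ($findings.Count -eq 0) {
    Write-Output 'No WORM_RBOT.BRX indicators found.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
    if ($Remove) { Write-Output 'Indicators removed; follow up with a full antivirus scan.' }
}
```

Run it without arguments to report only; the order of the removal steps matters, since an autostart value recreated by a still-running process would undo the registry cleanup. The reported size and hash can be compared against the sample size on this page and against your own vendor's detection data.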

Important Windows XP Cleaning Instructions

Users running Windows XP must disable System Restore to allow full scanning of infected systems.

Users running other Windows versions can proceed with the succeeding procedure set(s).

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete files detected as WORM_RBOT.BRX. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's online virus scanner.

Applying Patches

This malware exploits a known vulnerability in Windows. Download and install the fix patch supplied by Microsoft in Security Bulletin MS04-011 (835732).

Refrain from using the affected product until the appropriate patch has been installed. Trend Micro advises users to download critical patches upon release by vendors.
