WORM_RBOT.CLC

Malware type: Worm

Aliases: Backdoor.Win32.Rbot.gen (Kaspersky), W32/Sdbot.worm.gen.h (McAfee), W32.Spybot.Worm (Symantec), TR/Crypt.ULPM.Gen (Avira), Mal/HckPk-A (Sophos)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 95, 98, ME, NT, 2000, XP, Server 2003

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential: High

Distribution potential: High

Infection Channel 1 : Propagates via network shares


Infection Channel 2 : Propagates via software vulnerabilities


Description: 

System infection by this worm is indicated by the presence of the file msaconfigurez.exe in the Windows system folder.

This worm modifies the system registry to enable its automatic execution at every system startup. It also disables the DCOM protocol and restricts anonymous access to the affected system.

It spreads by dropping a copy of itself in accessible network shares. If a share is password-protected, it gathers whatever user names and passwords are available on the network and also tries a hardcoded list of user names and passwords to gain access and continue propagating.

This worm may also spread by taking advantage of machines vulnerable to the following Windows exploits:

  • The Buffer Overrun in RPCSS Service vulnerability (Microsoft Security Bulletin MS03-039). An attacker who sends a specially crafted RPC message to a vulnerable system can execute arbitrary code with Local System privileges and take complete control of it; a malformed DCOM packet can also crash SVCHOST.EXE, which amounts to a denial of service (DoS) against the machine.

  • The Windows LSASS vulnerability (Microsoft Security Bulletin MS04-011), a buffer overrun that allows remote code execution and lets a remote attacker gain full control of the affected system.

  • The Windows Plug and Play vulnerability (Microsoft Security Bulletin MS05-039), which allows an attacker or a malware to execute code on the system with full privileges, and so to install or run programs and view or edit data. A malware can therefore use it to replicate.

    Note that this propagation routine works only against Windows NT and 2000. On Windows XP and Server 2003 the Plug and Play service does not accept the unauthenticated remote requests the worm relies on, so the worm cannot exploit the vulnerability there.

This worm connects to an Internet Relay Chat (IRC) server on TCP port 6667 and joins a channel, where it waits for commands from a remote malicious user. It executes those commands locally on the affected machine, compromising its security.

It steals the Windows product ID and the CD keys of popular games installed on affected machines. It terminates processes such as Registry Editor and antivirus applications, which makes manual detection and removal harder, and also terminates the processes of other common malware in an attempt to be the only malicious program active on the infected system.


Description created: Oct. 28, 2005 10:20:35 AM GMT -0800


TECHNICAL DETAILS


File type: PE

Memory resident:  Yes

Size of malware: 98,304 Bytes

Ports used: TCP port 6667 (IRCU)

Initial samples received on: Oct 28, 2005

Payload 1: Compromises system security

Payload 2: Terminates processes

Payload 3: Steals information

Payload 4: Disables DCOM protocol and restricts anonymous access

Details:

Installation and Autostart

Upon execution, this worm drops a copy of itself as msaconfigurez.exe in the Windows system folder. It creates the following registry entries to ensure its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
Microsft Confige 32 = "msaconfigurez.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\RunServices
Microsft Confige 32 = "msaconfigurez.exe"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Microsft Confige 32 = "msaconfigurez.exe"

Other Registry Modifications

This worm disables the DCOM protocol and restricts anonymous access to the affected system by modifying the following registry entries:

HKEY_LOCAL_MACHINE\Software\Microsoft\OLE
EnableDCOM = "N"

(Note: The default entry is EnableDCOM = "Y".)

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Control\LSA
RestrictAnonymous = "dword:00000001"

(Note: RestrictAnonymous has no fixed default value; the worm overwrites whatever value the administrator had set.)

Network Propagation and Exploits

This worm spreads by dropping a copy of itself in accessible network shares. If a share is password-protected, it uses NetBEUI functions to gather whatever user names and passwords are available on the network, and also tries the following hardcoded user names and passwords as login credentials to gain access:

  • 12345
  • 123456
  • 1234567
  • 12345678
  • 123456789
  • 1234567890
  • access
  • accounting
  • accounts
  • admin
  • administrador
  • administrat
  • administrateur
  • administrator
  • admins
  • b0n3s
  • b0nes
  • backup
  • bitch
  • blank
  • bones
  • brian
  • changeme
  • chris
  • cisco
  • compaq
  • computer
  • control
  • database
  • databasepass
  • databasepassword
  • db1234
  • dbpass
  • dbpassword
  • default
  • defaultpass
  • domain
  • domainpass
  • domainpassword
  • exchange
  • ferret
  • george
  • guest
  • hello
  • homeuser
  • internet
  • intranet
  • james
  • katie
  • klingon
  • linux
  • login
  • loginpass
  • maryjim
  • ncc1701
  • ncc1701a
  • ncc1701b
  • ncc1701c
  • ncc1701d
  • ncc1701e
  • nokia
  • oeminstall
  • oemuser
  • office
  • oracle
  • orainstall
  • outlook
  • owner
  • pass1234
  • passwd
  • password
  • password1
  • peter
  • picard
  • psycorats
  • psycoratsonacid
  • qwerty
  • scotty
  • server
  • siemens
  • spock
  • sqlpassoainstall
  • staff
  • startrek
  • student
  • susan
  • system
  • teacher
  • technical
  • weiredweasel
  • win2000
  • win2k
  • win98
  • windows
  • winnt
  • winpass
  • winxp
  • wiredwesel
  • wwwadmin

This worm may also spread by taking advantage of machines vulnerable to the following Windows exploits:

  • The Buffer Overrun in RPCSS Service vulnerability (Microsoft Security Bulletin MS03-039). An attacker who sends a specially crafted RPC message to a vulnerable system can execute arbitrary code with Local System privileges and take complete control of it; a malformed DCOM packet can also crash SVCHOST.EXE, which amounts to a denial of service (DoS) against the machine.

  • The Windows LSASS vulnerability (Microsoft Security Bulletin MS04-011), a buffer overrun that allows remote code execution and lets a remote attacker gain full control of the affected system.

  • The Windows Plug and Play vulnerability (Microsoft Security Bulletin MS05-039), which allows an attacker or a malware to execute code on the system with full privileges, and so to install or run programs and view or edit data. A malware can therefore use it to replicate.

    Note that this propagation routine works only against Windows NT and 2000. On Windows XP and Server 2003 the Plug and Play service does not accept the unauthenticated remote requests the worm relies on, so the worm cannot exploit the vulnerability there.

Backdoor Capabilities

This worm connects to an IRC server on TCP port 6667 and joins a channel, where it listens for commands from a remote malicious user and executes them locally on the affected machine. The supported commands include the following:

  • Get system information
  • Get login credentials such as user name, password, and domain
  • Delete shares
  • Capture screenshot from webcam
  • Manipulate IRC privileges
  • Perform IRC commands, such as send message, kick a user, send a file, flood a channel, etc.
  • Clone itself
  • Upload or download files
  • Shut down the system
  • Scan open ports
  • Log keystrokes
  • Terminate processes
  • Perform a distributed denial of service (DDoS) attack
  • Establish remote connection through shell, TFTP, or FTP

Information Theft

This worm steals the Windows product ID and CD keys from the following games, which are locally installed on affected machines:

  • Battlefield 1942
  • Battlefield 1942 (Road To Rome)
  • Battlefield 1942 (Secret Weapons of WWII)
  • Battlefield Vietnam
  • Black and White
  • Chrome
  • Command and Conquer: Generals
  • Command and Conquer: Generals (Zero Hour)
  • Command and Conquer: Red Alert
  • Command and Conquer: Red Alert 2
  • Command and Conquer: Tiberian Sun
  • FIFA 2002
  • FIFA 2003
  • Freedom Force
  • Global Operations
  • Gunman Chronicles
  • Half-Life
  • Hidden & Dangerous 2
  • IGI 2: Covert Strike
  • Industry Giant 2
  • James Bond 007: Nightfire
  • Legends of Might and Magic
  • Medal of Honor: Allied Assault
  • Medal of Honor: Allied Assault: Breakthrough
  • Medal of Honor: Allied Assault: Spearhead
  • Nascar Racing 2002
  • Nascar Racing 2003
  • Need For Speed Hot Pursuit 2
  • Need For Speed: Underground
  • Neverwinter Nights
  • NHL 2002
  • NHL 2003
  • Rainbow Six III RavenShield
  • Shogun: Total War: Warlord Edition
  • Soldier of Fortune II - Double Helix
  • Soldiers Of Anarchy
  • The Gladiators Counter-Strike (Retail)
  • Unreal Tournament 2003
  • Unreal Tournament 2004

Process Termination

This worm terminates the following processes, some of which are associated with security and system applications, and some of which are associated with other malware:

  • bbeagle.exe
  • d3dupdate.exe
  • i11r54n4.exe
  • irun4.exe
  • MSBLAST.exe
  • msblast.exe
  • msconfig.exe
  • mscvb32.exe
  • navapw32.exe
  • navw32.exe
  • netstat.exe
  • PandaAVEngine.exe
  • Penis32.exe
  • rate.exe
  • regedit.exe
  • ssate.exe
  • sysinfo.exe
  • SysMonXP.exe
  • teekids.exe
  • wincfg32.exe
  • taskmon.exe
  • winsys.exe
  • winupd.exe
  • zapro.exe
  • zonealarm.exe

Affected Platforms

This worm runs on Windows 95, 98, ME, NT, 2000, XP, and Server 2003.

Analysis By: Bryant Sy Tan


SOLUTION


Minimum scan engine version needed: 7.000

Pattern file needed: 2.918.05

Pattern release date: Oct 28, 2005


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine from Trend Micro.

Solution:

Restarting in Safe Mode

• On Windows 95

  1. Restart your computer.
  2. Press F8 at the Starting Windows 95 message.
  3. Choose Safe Mode from the Windows 95 Startup Menu then press Enter.

• On Windows 98 and ME

  1. Restart your computer.
  2. Press the CTRL key until the startup menu appears.
  3. Choose the Safe Mode option then press Enter.

• On Windows NT (VGA mode)

  1. Click Start>Settings>Control Panel.
  2. Double-click the System icon.
  3. Click the Startup/Shutdown tab.
  4. Set the Show List field to 10 seconds and click OK to save this change.
  5. Shut down and restart your computer.
  6. Select VGA mode from the startup menu.

• On Windows 2000

  1. Restart your computer.
  2. Press the F8 key, when you see the Starting Windows bar at the bottom of the screen.
  3. Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.

• On Windows XP

  1. Restart your computer.
  2. Press F8 after the Power-On Self Test (POST) is done. If the Windows Advanced Options Menu does not appear, try restarting and then pressing F8 several times after the POST screen.
  3. Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.

• On Windows Server 2003

  1. Restart your computer.
  2. When you are prompted to select the operating system to start, press F8.
  3. On the Windows Advanced Option menu, use the arrow keys to select Safe Mode, and then press Enter.

Editing the Registry

This malware modifies the system's registry. Users affected by this malware may need to modify or delete specific registry keys or entries. For detailed information regarding registry editing, please refer to the following articles from Microsoft:

  1. HOW TO: Backup, Edit, and Restore the Registry in Windows 95, Windows 98, and Windows ME
  2. HOW TO: Backup, Edit, and Restore the Registry in Windows NT 4.0
  3. HOW TO: Backup, Edit, and Restore the Registry in Windows 2000
  4. HOW TO: Back Up, Edit, and Restore the Registry in Windows XP and Server 2003

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing at startup.

If the registry entries below are not found, the malware may not have executed as of detection. If so, proceed to the succeeding solution set.

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>
    Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the entry:
    Microsft Confige 32 = "msaconfigurez.exe"
  4. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>
    Windows>CurrentVersion>RunServices
  5. In the right panel, locate and delete the entry:
    Microsft Confige 32 = "msaconfigurez.exe"
  6. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>
    Windows>CurrentVersion>Run
  7. In the right panel, locate and delete the entry:
    Microsft Confige 32 = "msaconfigurez.exe"

Restoring EnableDCOM and RestrictAnonymous Registry Entries

This malware changes the EnableDCOM and RestrictAnonymous registry entries to the values listed under Technical Details. For background on these entries and on restoring them, refer to these articles:

  1. COM security frequently asked questions
  2. How to disable DCOM support in Windows
  3. How to Use the RestrictAnonymous Registry Value in Windows 2000
  4. The "RestrictAnonymous" Registry Value May Break the Trust to a Windows 2000 Domain

To restore EnableDCOM to its default value, perform the following steps:

  1. Still in the Registry Editor, in the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Ole
  2. In the right panel, locate the entry:
    EnableDCOM = "N"
  3. Right-click on this registry entry and choose Modify. Change the value of this entry to:
    EnableDCOM = "Y"
  4. Close Registry Editor.

RestrictAnonymous has no single default value. Set it back to the value that was in use before infection; note that a value of 1 can break the trust of a Windows 2000 domain member, as the last article listed above describes.
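The registry entries listed under Technical Details and the removal steps above can be checked and reversed from an exported copy of the registry instead of by hand in Registry Editor. The following Python script is an added example, not Trend Micro's tooling: it parses `reg export` output for the keys named in this advisory, reports each autostart value, the EnableDCOM change and the RestrictAnonymous change, and produces a .reg file that deletes the three autostart values and sets EnableDCOM back to Y. RestrictAnonymous is written only if you pass the value that was in place before infection, because there is no default to fall back on. The export text inside the script is constructed for the example.

```python
"""Check a registry export for the WORM_RBOT.CLC entries and build the undo file.

Added example, not Trend Micro's tooling. Input is the text written by
`reg export <key> file.reg` for the keys named in this advisory; reg.exe
writes UTF-16, so read real files with open(path, encoding="utf-16").
SAMPLE_EXPORT below is constructed for the example.
"""
import re

DROPPED_FILE = "msaconfigurez.exe"
AUTOSTART_NAME = "Microsft Confige 32"
AUTOSTART_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
OLE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole"
LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
DELETE, RESTORE_DCOM, CHECK_LSA = "delete", "restore EnableDCOM=Y", "compare with baseline"

SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Microsft Confige 32"="msaconfigurez.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Microsft Confige 32"="msaconfigurez.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsft Confige 32"="msaconfigurez.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000001
'''

_VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]*)"|@)=(?P<data>.*)$')


def parse_reg(text):
    """Return {key_path_lower: {value_name: data}}; handles "string" and dword: data."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()  # key paths are case-insensitive
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue  # header, blank, or an unsupported line type
        data = m.group("data")
        if data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        elif data.lower().startswith("dword:"):
            data = int(data[6:], 16)
        keys[current][m.group("name") or ""] = data
    return keys


def lookup(keys, key, name):
    """Case-insensitive value fetch; registry value names are case-insensitive."""
    for n, d in keys.get(key.lower(), {}).items():
        if n.lower() == name.lower():
            return d
    return None


def find_indicators(keys):
    """(key, value name, action) for every entry from the advisory that is present."""
    hits = []
    for key in AUTOSTART_KEYS:
        for name, data in keys.get(key.lower(), {}).items():
            if name.lower() == AUTOSTART_NAME.lower() or (
                    isinstance(data, str) and DROPPED_FILE in data.lower()):
                hits.append((key, name, DELETE))
    if str(lookup(keys, OLE_KEY, "EnableDCOM") or "Y").upper() == "N":
        hits.append((OLE_KEY, "EnableDCOM", RESTORE_DCOM))
    if lookup(keys, LSA_KEY, "RestrictAnonymous") == 1:
        hits.append((LSA_KEY, "RestrictAnonymous", CHECK_LSA))
    return hits


def build_cleanup_reg(hits, restrict_anonymous_before=None):
    """Text of a .reg file that undoes the hits; RestrictAnonymous only if a prior value is given."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, name, action in hits:
        if action == DELETE:
            lines += ["[%s]" % key, '"%s"=-' % name, ""]  # "=-" deletes the value on import
        elif action == RESTORE_DCOM:
            lines += ["[%s]" % key, '"EnableDCOM"="Y"', ""]
        elif restrict_anonymous_before is not None:
            lines += ["[%s]" % key, '"RestrictAnonymous"=dword:%08x' % restrict_anonymous_before, ""]
    return "\r\n".join(lines)  # regedit expects CRLF line endings


if __name__ == "__main__":
    found = find_indicators(parse_reg(SAMPLE_EXPORT))
    for key, name, action in found:
        print("%s\\%s: %s" % (key, name, action))
    print(build_cleanup_reg(found))
```

Save the output with open("cleanup.reg", "w", encoding="utf-16") and import it with `reg import cleanup.reg` from an administrative prompt only after the worm process has been stopped (for example from Safe Mode); otherwise the running worm can simply recreate the entries. Benign autostart values such as the constructed ctfmon.exe entry are left alone because only the worm's value name and dropped file name are matched.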

Important Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected systems.

Users running other Windows versions can proceed with the succeeding procedure set(s).

Running Trend Micro Antivirus

If you are currently running in safe mode, please restart your system normally before performing the following solution.

Scan your system with Trend Micro antivirus and delete files detected as WORM_RBOT.CLC. To do this, Trend Micro customers must download the latest virus pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's online virus scanner.

Applying Patches

This malware exploits known vulnerabilities in Windows. Download and install the patches supplied by Microsoft in Security Bulletins MS03-039, MS04-011 and MS05-039, discussed in the Network Propagation and Exploits section above.

Refrain from using the affected system on the network until the appropriate patches have been installed. Trend Micro advises users to download critical patches upon release by vendors.

