WORM_RBOT.CP

Malware type: Worm

Aliases: Backdoor.Win32.Rbot.aeu (Kaspersky), W32/Sdbot.worm.gen.as (McAfee), W32.Spybot.Worm (Symantec), Worm/Rbot.X (Avira), W32/Rbot-AW (Sophos),

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 95, 98, ME, NT, 2000, XP

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential:

High

Distribution potential:

High

Description: 

This memory-resident worm propagates through network shares. It uses NetBEUI functions to get any available lists of user names and passwords. It then searches for shared folders and drops a copy of itself as MCAFEESCN.EXE using the gathered list.

It also generates IP addresseses and attempts to log on to systems using a list of user names and passwords, aside from the obtained network credentials.

It has a built-in Internet Relay Chat (IRC) client engine, which enables it to connect to an IRC channel and wait for several malicious commands from a malicious user. It also terminates certain processes and steals CD keys of specific game applications.

This worm is also capable of notifying the bot of systems that are vulnerable to several Windows vulnerabilities as follows:

  • Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) Vulnerability
  • RPC Locator Vulnerability
  • IIS5/WEBDAV Buffer Overflow Vulnerability

For more information about these Windows vulnerabilities, please refer to the following Microsoft Web pages:

It runs on Windows 95, 98, ME, NT, 2000, and XP.

For additional information about this threat, see:

Description created: Jul. 21, 2004 12:28:01 AM GMT -0800
Description updated: Jul. 21, 2004 12:27:35 AM GMT -0800


TECHNICAL DETAILS


Size of malware: 223,744 Bytes

Initial samples received on: Jul 9, 2004

Payload 1: Compromises system security

Trigger condition 1: Upon execution

Payload 2: Steal CD keys of several game applications

Trigger condition 1: Upon execution

Payload 3: Terminates certain processes

Trigger condition 1: Upon execution

Details:

Installation and Autostart Techniques

This memory-resident worm drops a copy of itself as MCAFEESCN.EXE in the Windows system folder.

To enable its automatic execution at every system startup, it creates the following registry entries:

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
Mcaffe Antivirus = "MCAFEESCN.EXE"

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\RunServices
Mcaffe Antivirus = "MCAFEESCN.EXE"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Mcaffe Antivirus = "MCAFEESCN.EXE"

As part of its installation routine, it also adds the following registry entry:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Control\SessionManager\Known16DLLs
AVICAP.DLL = "AVICAP.DLL"

Network Propagation

This worm spreads through network shares. It uses NetBEUI functions to get any available lists of user names and passwords. It then searches for and lists down shared folders, where it drops a copy of itself by using the gathered information.

It also generates IP addresses and attempts to drop a copy of itself in the following default shares of its target address:

  • Admin$
  • C$
  • D$
  • E$
  • IPC$

It tries connect to the said shared folders using the following user names and passwords:

User names:

  • accounting
  • accounts
  • administrador
  • administrat
  • administrateur
  • administrator
  • admins
  • brian
  • changeme
  • chris
  • computer
  • database
  • default
  • george
  • guest
  • homeuser
  • internet
  • katie
  • linux
  • login
  • oeminstall
  • oemuser
  • oracle
  • outlook
  • owner
  • peter
  • qwerty
  • server
  • staff
  • student
  • susan
  • system
  • teacher
  • win2000
  • win2k
  • win98
  • windows
  • winnt
  • winxp
  • wwwadmin

Passwords:

  • 12345
  • 123456
  • 1234567
  • 12345678
  • 123456789
  • 1234567890
  • access
  • backup
  • bitch
  • blank
  • cisco
  • compaq
  • control
  • databasepass
  • databasepassword
  • db1234
  • dbpass
  • dbpassword
  • domain
  • domainpass
  • domainpassword
  • exchange
  • hello
  • intranet
  • loginpass
  • nokia
  • office
  • orainstall
  • pass1234
  • passwd
  • password
  • password1
  • siemens
  • sqlpassoainstall
  • technical
  • winpass

Exploits

This worm is also capable of automatically notifying the bot of systems that are vulnerable to several Windows vulnerabilities.

It takes advantage of the Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability present on Windows XP, which allows an attacker to gain full access and execute any code on a target machine, leaving it compromised.

Read more on this vulnerability from the following link:

This worm looks for vulnerable machines on the network by scanning for random TCP/IP addresses on port 135.

It further uses the RPC Locator vulnerability which affects Windows NT and searches for vulnerable machines on the network by incrementally scanning TCP/IP addresses on port 445.

More information on this vulnerability is available from the following Microsoft page:

This worm also exploits the IIS5/WEBDAV buffer overrun exploit affecting Windows NT, which enables arbitrary codes to execute on the server.

The following link offers more information from Microsoft about this vulnerability:

When it finds a vulnerable target machine, it copies and executes itself on the system.

Backdoor Capabilities

This worm comes with a built-in Internet Relay Chat (IRC) client engine, which enables it to connect to an IRC channel and wait for several commands from a malicious user.

It has the following capabilities:

  • Check malware status
  • Configure the infected system to act as an HTTP or a SOCKS4 proxy server
  • Connect to a specified IRC server
  • Disable shares
  • Disconnect from or change the IRC server
  • Display system information such as:
    • CPU
    • Memory size
    • Windows operating system (OS) and platform ID
    • User name
    • Malware uptime
  • Download, update, and execute file from an FTP or a Web site
  • Execute an .EXE file
  • Flush DNS
  • Join or leave an IRC channel
  • Log keystroke
  • Open a file
  • Perform a mode change in the IRC
  • Perform port redirections
  • Resolve IP or host name by DNS
  • Send message to IRC server or to a private user
  • Update or uninstall itself

Information Theft

This worm steals CD keys of the following popular game applications:

  • Battlefield 1942
  • Battlefield 1942 (Road To Rome)
  • Battlefield 1942 (Secret Weapons of WWII)
  • Battlefield Vietnam
  • Black and White
  • Chrome
  • Command and Conquer: Generals
  • Command and Conquer: Generals (Zero Hour)
  • Command and Conquer: Red Alert
  • Command and Conquer: Red Alert 2
  • Command and Conquer: Tiberian Sun
  • Counter-Strike (Retail)
  • FIFA 2002
  • FIFA 2003
  • Freedom Force
  • Global Operations
  • Gunman Chronicles
  • Half-Life
  • Hidden & Dangerous 2
  • IGI 2: Covert Strike
  • Industry Giant 2
  • James Bond 007: Nightfire
  • Legends of Might and Magic
  • Medal of Honor: Allied Assault
  • Medal of Honor: Allied Assault: Breakthrough
  • Medal of Honor: Allied Assault: Spearhead
  • Microsoft Windows Product ID
  • Nascar Racing 2002
  • Nascar Racing 2003
  • Need For Speed Hot Pursuit 2
  • Need For Speed: Underground
  • Neverwinter Nights
  • Neverwinter Nights (Hordes of the Underdark)
  • Neverwinter Nights (Shadows of Undrentide)
  • NHL 2002
  • NHL 2003
  • Rainbow Six III RavenShield
  • Shogun: Total War: Warlord Edition
  • Soldier of Fortune II - Double Helix
  • Soldiers Of Anarchy
  • The Gladiators
  • Unreal Tournament 2003
  • Unreal Tournament 2004

Denial of Service

This worm allows the malicious user to launch a denial of service (DoS) attack against a target site by using the following methods:

  • HTTP flood
  • ICMP flood
  • SYN flood
  • UDP flood

Program Termination

This worm can terminate the following processes:

  • BBEAGLE.EXE
  • D3DUPDATE.EXE
  • I11R54N4.EXE
  • IRUN4.EXE
  • MSBLAST.EXE
  • MSBLAST.EXE
  • MSCONFIG.EXE
  • MSCVB32.EXE
  • NAVAPW32.EXE
  • NAVW32.EXE
  • NETSTAT.EXE
  • PANDAAVENGINE.EXE
  • PENIS32.EXE
  • RATE.EXE
  • SSATE.EXE
  • SYSINFO.EXE
  • SYSMONXP.EXE
  • TASKMON.EXE
  • TEEKIDS.EXE
  • WINCFG32.EXE
  • WINSYS.EXE
  • WINUPD.EXE
  • ZAPRO.EXE
  • ZONEALARM.EXE



Analysis by: Glenn P. Lugod


SOLUTION


Minimum scan engine version needed: 6.810

Pattern file needed: 1.932.05

Pattern release date: Jul 9, 2004


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

Restarting in Safe Mode

� On Windows 95

  1. Restart your computer.
  2. Press F8 at the Starting Windows 95 message.
  3. Choose Safe Mode from the Windows 95 Startup Menu then press Enter.

� On Windows 98 and ME

  1. Restart your computer.
  2. Press the CTRL key until the startup menu appears.
  3. Choose the Safe Mode option then press Enter.

� On Windows NT (VGA mode)

  1. Click Start>Settings>Control Panel.
  2. Double-click the System icon.
  3. Click the Startup/Shutdown tab.
  4. Set the Show List field to 10 seconds and click OK to save this change.
  5. Shut down and restart your computer.
  6. Select VGA mode from the startup menu.

� On Windows 2000

  1. Restart your computer.
  2. Press the F8 key, when you see the Starting Windows bar at the bottom of the screen.
  3. Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.

� On Windows XP

  1. Restart your computer.
  2. Press F8 after the Power-On Self Test (POST) is done. If the Windows Advanced Options Menu does not appear, try restarting and then pressing F8 several times after the POST screen.
  3. Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.

Note: After performing all the solutions for the removal of this malware, please restart your system normally, and run your Trend Micro antivirus product.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing at startup.

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the entry:
    Mcaffe Antivirus = "MCAFEESCN.EXE"
  4. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>RunServices
  5. In the right panel, locate and delete the entry:
    Mcaffe Antivirus = "MCAFEESCN.EXE"
  6. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>
    Windows>CurrentVersion>Run
  7. In the right panel, locate and delete the entry:
    Mcaffe Antivirus = "MCAFEESCN.EXE"
  8. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>System>CurrentControlSet>
    Control>SessionManager>Known16DLLs
  9. In the right panel, locate and delete the entry:
    AVICAP.DLL = "AVICAP.DLL"
  10. Close Registry Editor.

NOTE: If you were not able to terminate the malware process as described in the previous procedure, restart your system.

Important Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected systems.

Users running other Windows versions can proceed with the succeeding procedure set(s).

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as WORM_RBOT.CP. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro�s free online virus scanner.

Applying Patches

This malware exploits known vulnerabilities in Windows. Download and install the necessary fix patch. Refrain from using this product until the appropriate patch has been installed. Trend Micro advises users to download critical patches upon release by vendors from the following links:




Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network, small and medium business, mobile device or home PC.