WORM_RBOT.CXS

Malware type: Worm

Aliases: W32/Sdbot.worm.gen.by (McAfee), W32.Spybot.Worm (Symantec), Worm/Rbot.97992 (Avira), Mal/EncPk-BA (Sophos)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 95, 98, ME, NT, 2000, XP

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential: High

Distribution potential: High

Infection Channel 1: Propagates via network shares

Infection Channel 2: Propagates via software vulnerabilities

Description: 

This worm propagates via network shares. It generates IP addresses and attempts to drop copies of itself in the default shares of target addresses. If the said shares are password-protected, it uses a list of user names and passwords as its login credentials.

This worm takes advantage of the following system vulnerabilities to propagate across networks:

  • DameWare Remote Control Server Stack Overflow Exploit
  • WebDAV vulnerability
  • RPCSS Service vulnerability
  • Windows LSASS vulnerability

For more information regarding the mentioned vulnerabilities, refer to the following Web pages:

This worm also has backdoor capabilities. It is an Internet Relay Chat (IRC) bot: it opens random TCP or UDP ports, connects to an IRC server and joins a channel. Once connected, it receives commands from a remote malicious user, which gives that user effective control over the affected system and compromises its security.

Part of this worm's backdoor capabilities is launching a denial of service (DoS) attack against target systems using certain flooding methods.

It also terminates several processes. Some of these processes are related to security applications, while others are related to WORM_MYDOOM and WORM_BAGLE variants.

This worm also uses its built-in packet sniffer (the "Carnivore" module found in Rbot variants) to retrieve passwords and other sensitive information by matching character strings in network packets.

Moreover, it steals the Microsoft Windows Product ID, as well as the CD keys of several game applications installed on the affected system. It then sends the gathered information to a remote malicious user via opened ports.

For additional information about this threat, see:

Description created: Nov. 29, 2005 6:44:50 PM GMT -0800


TECHNICAL DETAILS


File type: PE

Memory resident:  Yes

Size of malware: 97,992 Bytes

Ports used: Random

Initial samples received on: Nov 24, 2005

Compression type: MEW

Vulnerability used:
  • (MS03-007) Unchecked Buffer In Windows Component Could Cause Server Compromise (815021): the WebDAV/ntdll.dll vulnerability
  • (MS03-039) Buffer Overrun In RPCSS Service Could Allow Code Execution (824146): the RPCSS vulnerability
  • (MS04-011) Security Update for Microsoft Windows (835732): the LSASS vulnerability
  • DameWare Remote Control Server stack overflow (fixed by a vendor update, not by a Microsoft bulletin)

Payload 1: Compromises system security

Trigger condition 1: Upon execution

Payload 2: Performs denial of service (DoS) attacks

Trigger condition 1: Upon execution

Payload 3: Terminates processes

Trigger condition 1: Upon execution

Payload 4: Steals information

Trigger condition 1: Upon execution

Details:

Installation and Autostart Technique

Upon execution, this memory-resident worm drops a copy of itself as DCZ.EXE in the Windows system folder.

It creates the following registry entries to ensure its automatic execution at every Windows startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Windows Automatical Updater = "dcz.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Automatical Updater = "dcz.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Windows Automatical Updater = "dcz.exe"

Other Registry Modifications

This worm disables DCOM and restricts anonymous (null-session) access on the affected system by modifying the following registry entries. Bots commonly apply these two hardening settings to lock competing malware out of the DCOM RPC and null-session footholds; they do not protect the user, since the system remains under the bot's control:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
EnableDCOM = "N"

(Note: The default value for the abovementioned registry entry is "Y".)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
RestrictAnonymous = "dword:00000001"

(Note: The default value for the abovementioned registry entry is 0. A value of 1 prevents anonymous connections from enumerating user accounts and share names. An administrator may have set this value deliberately before the infection, so check before resetting it.)
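
The changes above are easy to check for in a registry export. The following Python script is an added example, not part of this Trend Micro write-up: it parses a .reg file saved with Registry Editor and reports the worm's autostart value (or any Run entry pointing at dcz.exe), EnableDCOM set to N, and a non-zero RestrictAnonymous. The export embedded in it is constructed for the example; the key paths, value name and file name are the ones listed in this write-up.

```python
"""Added example, not part of the Trend Micro write-up: check a .reg export
for the autostart entries and hardening changes this worm makes.

Assumption (mine): the export is in regedit's text format ("Windows Registry
Editor Version 5.00"). SAMPLE_REG_EXPORT is constructed for this example."""
import re

SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Automatical Updater"="dcz.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Automatical Updater"="dcz.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000001
'''

# Key paths, value name and dropped file name as given in the write-up.
AUTOSTART_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
)
OLE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole"
LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
AUTOSTART_NAME = "windows automatical updater"
DROPPED_FILE = "dcz.exe"

_SECTION = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} with keys and value names folded
    to lower case (the registry is case-insensitive). REG_SZ data loses its
    quotes and unescapes backslashes; REG_DWORD data becomes an int. Other
    types and the "@=" default value are left as raw text or skipped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _SECTION.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            data = m.group("data")
            if data.lower().startswith("dword:"):
                data = int(data[6:], 16)
            elif len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = data[1:-1].replace("\\\\", "\\")
            keys[current][m.group("name").lower()] = data
    return keys


def find_rbot_cxs_artifacts(text):
    """Sorted list of findings for the registry changes this worm makes;
    an empty list means none of them are present in the export."""
    keys = parse_reg_export(text)
    findings = []
    for key in AUTOSTART_KEYS:
        for name, data in keys.get(key.lower(), {}).items():
            by_name = name == AUTOSTART_NAME
            by_file = isinstance(data, str) and data.lower().endswith(DROPPED_FILE)
            if by_name or by_file:
                findings.append(f"autostart: {key}\\{name} = {data!r}")
    if str(keys.get(OLE_KEY.lower(), {}).get("enabledcom", "Y")).upper() == "N":
        findings.append(f"DCOM disabled: {OLE_KEY}\\EnableDCOM = N (default Y)")
    restrict = keys.get(LSA_KEY.lower(), {}).get("restrictanonymous", 0)
    if restrict != 0:
        findings.append(f"anonymous access restricted: {LSA_KEY}\\RestrictAnonymous = {restrict} (default 0)")
    return sorted(findings)


if __name__ == "__main__":
    for finding in find_rbot_cxs_artifacts(SAMPLE_REG_EXPORT):
        print(finding)
```

Export the three Run keys plus the Ole and Lsa keys from a suspect machine and feed the file to find_rbot_cxs_artifacts; matching on the dropped file name as well as the value name catches a variant that renames the value but keeps dcz.exe.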

Network Propagation and Exploits

This worm propagates via network shares. It generates IP addresses and attempts to drop copies of itself in the default shares of target addresses, such as the following:

  • ADMIN$
  • ADMIN$\system32
  • C$\Windows\system32
  • C$\WINNT\system32
  • IPC$

If the said shares are password-protected, it uses any of the following user names and passwords as its login credentials:

User names
  • Abdulrazak
  • Ackerman
  • Adams
  • Addison
  • Adelstein
  • Adibe
  • Adorno
  • Ahlers
  • Alavi
  • Alcorn
  • Aleks
  • Allison
  • Alongi
  • Altavilla
  • Altenberger
  • Altenhofen
  • Amaral
  • Amatangelo
  • Ameer
  • Amsden
  • Anand
  • Andel
  • Andrelus
  • Andron
  • Anfinrud
  • Ansley
  • Anthony
  • Antos
  • Arbia
  • Arduini
  • Arellano
  • Aristotle
  • Arjas
  • Atkins
  • Augustus
  • Aurelius
  • Axelrod
  • Axworthy
  • Ayiemba
  • Aykroyd
  • Ayling
  • Azima
  • Bachmuth
  • Backus
  • Baglivo
  • Bagnold
  • Bailar
  • Bakanowsky
  • Baleja
  • Ballatori
  • Ballew
  • Baltz
  • Banta
  • Barabesi
  • Barajas
  • Baranczak
  • Baranowska
  • Barberi
  • Barbetti
  • Barneson
  • Barnett
  • Barriola
  • Barry
  • Bartholomew
  • Bartolome
  • Bartoo
  • Basavappa
  • Bashevis
  • Batchelder
  • Baumiller
  • Bayles
  • Beacon
  • Beckman
  • Beder
  • Bedford
  • Behenna
  • Belanger
  • Belaoussof
  • Belfer
  • Belin-Collart
  • Bellavance
  • Bellhouse
  • Bellini
  • Belloc
  • Benedict-Dye
  • Bergson
  • Berke-Jenkins
  • Bernardo
  • Bernassola
  • Bernston
  • Berrizbeitia
  • Betti
  • Beynart
  • Biagioli
  • Bickel
  • Binion
  • Bisema
  • Bisho
  • Blackbourn
  • Blackwell
  • Blagg
  • Blakemore
  • Blanke
  • Bliss
  • Blizard
  • Bloch
  • Bloembergen
  • Bloemhof
  • Bloxham
  • Blyth
  • Bolger
  • Bolick
  • Bollinger
  • Bologna
  • Boner
  • Bonham
  • Boniface
  • Bontempo
  • Bookbinder
  • Boone
  • Boorstin
  • Borack
  • Borden
  • Bossi
  • Bothman
  • Botosh
  • Boudin
  • Boudrot
  • Bourneuf
  • Bowers
  • Boxer
  • Boyajian
  • Boyes
  • Boyland
  • Boyne
  • Bracalente
  • Bradac
  • Bradach
  • Brecht
  • Breed
  • Brenan
  • Brennan
  • Brewer
  • Bridgeman
  • Bridges
  • Brinton
  • Britz
  • Broca
  • Brook
  • Brzycki
  • Buchan
  • Budding
  • Bullard
  • Bunton
  • Burden
  • Burdzy
  • Burke
  • Burridge
  • Busetta
  • Byatt
  • Byerly
  • Calnan
  • Cammelli
  • Cammilleri
  • Canley
  • Capanni
  • Caperton
  • Capocaccia
  • Capodilupo
  • Cappuccio
  • Capursi
  • Caratozzolo
  • Carayannopoulos
  • Carlin
  • Carlos
  • Carlyle
  • Carmichael
  • Caroti
  • Carper
  • Cartmill
  • Cascio
  • Caspar
  • Castelda
  • Cavanagh
  • Cavell
  • Ceniceros
  • Cerioli
  • Chapman
  • Charles
  • Cheang
  • Cherry
  • Chervinsky
  • Chiassino
  • Chien
  • Childress
  • Childs
  • Chinipardaz
  • Chinman
  • Christenson
  • Christian
  • Christiano
  • Christie
  • Christopher
  • Chupasko
  • Church
  • Ciampaglia
  • Cicero
  • Cifarelli
  • Claffey
  • Clancy
  • Clark
  • Clement
  • Clifton
  • Coblenz
  • Coito
  • Coldren
  • Colella
  • Collard
  • Collis
  • Compton
  • Comstock
  • Concino
  • Condodina
  • Connors
  • Corey
  • Cornish
  • Cosmides
  • Counter
  • Coutaux
  • Crawford
  • Crocker
  • Croshaw
  • Croxen
  • Croxton
  • Cunningham
  • Currier
  • Cutler
  • Cyders
  • Daldalian
  • D'Ambra
  • Danieli
  • Dante
  • Dapice
  • D'arcangelo
  • Dasgupta
  • daSilva
  • Daskalu
  • David
  • Dawkins
  • Debroff
  • Defeciani
  • DeGennaro
  • DeLaPena
  • Delattre
  • del'Enclos
  • Deleon-Rendon
  • Delger
  • Dell'acqua
  • Deming
  • Dempster
  • Demusz
  • Denault
  • Denham
  • Denison
  • deRousse
  • Desombre
  • Deutsch
  • D'fini
  • Dicks
  • Diefenbach
  • Difabio
  • Difronzo
  • Dilworth
  • Dionysius
  • Dirksen
  • Dockery
  • Doherty
  • Donahue
  • Donner
  • Doonan
  • Dowsland
  • Drinker
  • D'souza
  • Duffin
  • Durrett
  • Dussault
  • Dwyer
  • Eardley
  • Ebeling
  • Eckel
  • Edley
  • Edner
  • Edward
  • Eickenhorst
  • Eliasson
  • Elmendorf
  • Elmerick
  • Elvis
  • Encinas
  • Enyeart
  • Eppling
  • Erbach
  • Erdman
  • Erdos
  • Espinoza
  • Estes
  • Etter
  • Euripides
  • Everett
  • Fabbris
  • Fagan
  • Faioes
  • Falco-Acosta
  • Falorsi
  • Faris
  • Farone
  • Farren
  • Fasso'
  • Fates
  • Feigenbaum
  • Fejzo
  • Feldman
  • Fernald
  • Fernandes
  • Ferrante
  • Ferriell
  • Feuer
  • Field
  • Finkelstein
  • Finnegan
  • Fiorina
  • Fitzmaurice
  • Flier
  • Flores
  • Folks
  • Forester
  • Fortes
  • Fortier
  • Fossey
  • Fossi
  • Francisco
  • Franklin-Kenea
  • Franz
  • Frazier-Davis
  • Freid
  • Freundlich
  • Fried
  • Friedland
  • Frisken
  • Frowiss
  • Fryberger
  • Fujii-Abe
  • Fuller
  • Furth
  • Fusaro
  • Gabrielli
  • Gaggiotti
  • Galeotti
  • Galwey
  • Gambini
  • Garfield
  • Garman
  • Garonna
  • Geller
  • Gemberling
  • Georgi
  • Gerrett
  • Ghorai
  • Gibbens
  • Gibson
  • Gilbert
  • Gillispie
  • Gleason
  • Glegg
  • Glendon
  • Goldfarb
  • Goncalves
  • Gonzalez
  • Goodearl
  • Goody
  • Gozzi
  • Gravell
  • Greenberg
  • Greenfeld
  • Griffiths
  • Grigoletto
  • Grummell
  • Gruner
  • Gruppe
  • Guenthart
  • Hackman
  • Hackshaw
  • Haley
  • Halkias
  • Hallowell
  • Halpert
  • Hambarzumjan
  • Hamer
  • Hammerness
  • Hanssen
  • Harding
  • Hargraves
  • Harlow
  • Harrigan
  • Hartman
  • Hartmann
  • Hartnett
  • Harwell
  • Haviaras
  • Hawkes
  • Hayes
  • Haynes
  • Hazlewood
  • Heermans
  • Heiland
  • Hellman
  • Hellmiss
  • Helprin
  • Hemphill
  • Henery
  • Henrichs
  • Hernandez
  • Herrera
  • Hester
  • Heubert
  • Heyeck
  • Himmelfarb
  • Hirst
  • Hitchcock
  • Hoang
  • Hoffer
  • Hoffman
  • Hokanson
  • Hokoda
  • Holmes
  • Holoien
  • Holter
  • Holway
  • Holzman
  • Hooker
  • Hopkins
  • Horsley
  • Hoshida
  • Hostage
  • Hottle
  • Howard
  • Huidekoper
  • Hungerford
  • Huntington
  • Hurtubise
  • Hutchings
  • Iaquinta
  • Ichikawa
  • Igarashi
  • Inamura
  • Inniss
  • Isaac
  • Isaievych
  • Isbill
  • Isserman
  • Jacenko
  • Jackson
  • Jagers
  • Jagger
  • Jagoe
  • Jamil
  • Janjigian
  • Jarnagin
  • Jarrell
  • Jeffers
  • Jellis
  • Jenkins
  • Jespersen
  • Jewett
  • Johannesson
  • Johannsen
  • Johns
  • Jolly
  • Jorgensen
  • Jucks
  • Juliano
  • Julious
  • Kabbash
  • Kaboolian
  • Kafadar
  • Kalbfleisch
  • Kaligian
  • Kalil
  • Kalinowski
  • Kalman
  • Kamel
  • Kangis
  • Karpouzes
  • Kassower
  • Kasten
  • Kawachi
  • Keenan
  • Keepper
  • Keith
  • Kelker
  • Kelsey
  • Kempton
  • Kemsley
  • Kendall
  • Kerry
  • Khong
  • Kimmel
  • Kimmett
  • Kimura
  • Kindall
  • Kinsley
  • Kippenberger
  • Kirscht
  • Kittridge
  • Kleckner
  • Kleiman
  • Kleinfelder
  • Klemperer
  • Kling
  • Klinkenborg
  • Klint
  • Knuff
  • Kobrick
  • Koivumaki
  • Kommer
  • Koniaris
  • Konrad
  • Korzybski
  • Kotter
  • Kovaks
  • Kraemer
  • Krailo
  • Krasney
  • Kraus
  • Kroemer
  • Krysiak
  • Kuenzli
  • Kumar
  • Kusman
  • Kuwabara
  • Labunka
  • Lafler
  • Laing
  • Lallemant
  • Landes
  • Lankes
  • Lantieri
  • Lanzit
  • Laserna
  • Lashley
  • Lawless
  • Lecar
  • Lecce
  • Leclercq
  • Leite
  • Lenard
  • l'Enclos
  • Lesser
  • Lessi
  • Liakos
  • Lidano
  • Light
  • Lightfoot
  • Linares
  • Linda
  • Linder
  • Linehan
  • Linzee
  • Lippmann
  • Lipponen
  • Little
  • Litvak
  • Livernash
  • Livolsi
  • Lizardo
  • Locatelli
  • Longworth
  • Loveman
  • Lowenstein
  • Lubin
  • Lucas
  • Luciano
  • Luczkow
  • Luecke
  • Lunetta
  • Luoma
  • Lussier
  • Lutcavage
  • Luzader
  • Maccormac
  • Macdonald
  • Maceachern
  • Macintyre
  • Mackenney
  • MacMillan
  • Madigan
  • Maggio
  • Mahony
  • Maier
  • Maine-Hershey
  • Maisano
  • Malatesta
  • Maller
  • Malova
  • Manalis
  • Mandel
  • Manganiello
  • Mantovan
  • March
  • Marchbanks
  • Marcus
  • Margalit
  • Margetts
  • Marques
  • Martinez
  • Martochio
  • Marton
  • Marubini
  • Matalka
  • Matarazzo
  • Matsukata
  • Mattson
  • Mauzy
  • Mazzali
  • Mazziotta
  • Mcbride
  • Mccaffery
  • Mccall
  • Mcclearn
  • Mcdowell
  • Mcelroy
  • McFadden
  • Mcghee
  • Mcgoldrick
  • McIlroy
  • Mcintosh
  • Mckenna
  • Mclane
  • Mclaren
  • Mcnealy
  • Mcnulty
  • Meccariello
  • Memisoglu
  • Menzies
  • Merikoski
  • Merlani
  • Merminod
  • Merseth
  • Metelka
  • Metropolis
  • Meurer
  • Michelman
  • Middle
  • Mieher
  • Mills
  • Minichiello
  • Mitropoulos
  • Mittal
  • Mocroft
  • Modestino
  • Moeller
  • Moiamedi
  • Monque
  • Montilio
  • MooreDeCh.
  • Morani
  • Moreton
  • Morrison
  • Morrow
  • Mortimer
  • Mosher
  • Mosler
  • Mostafavi
  • Motooka
  • Mudarri
  • Muello
  • Mugnai
  • Mulkern
  • Mulroy
  • Mumford
  • Mussachio
  • Naddeo
  • Napolitano
  • Nardi
  • Nardone
  • Naviaux
  • Nayduch
  • Nelson
  • Nenna
  • Nesci
  • Neuman
  • Newfeld
  • Newlin
  • Nickerson
  • Nickoloff
  • Nisenson
  • Nitabach
  • Notman
  • Nuzum
  • Ocougne
  • Ogata
  • O'hagan
  • Oldford
  • Olsen
  • Olson
  • Olszewski
  • O'malley
  • O'meara
  • Orfield
  • Ospina
  • Ostrowski
  • Ottaviani
  • Otten
  • Ouchida
  • PaesDealmeida
  • Paine
  • Palayoor
  • Palepu
  • Pallara
  • Palmitesta
  • Panadero
  • Panizzon
  • Pantilla
  • Paoletti
  • Parmeggiani
  • Parris
  • Partridge
  • Pascucci
  • Patefield
  • Patrick
  • Pattullo
  • Pavetti
  • Pavlon
  • Pawloski
  • Paynter
  • Peabody
  • Pearlberg
  • Pederson
  • Peishel
  • Penny
  • Pereira
  • Perko
  • Perlak
  • Perlman
  • Perna
  • Perone
  • Perrimon
  • Peters
  • Petruzello
  • Pettibone
  • Pettit
  • Pfister
  • Pilbeam
  • Pinot
  • Plancon
  • Plant
  • Plasket
  • Plous
  • Pocobene
  • Poincaire
  • Pointer
  • Poirier
  • Polak
  • Polanyi
  • Politis
  • Poolman
  • Powers
  • Presper
  • Preucel
  • Prevost
  • Pritchard
  • Pritz
  • Proietti
  • Prothrow-Stith
  • Puccia
  • Pynchon
  • Quaday
  • Quetin
  • Rabkin
  • Radeke
  • Rajagopalan
  • Raney
  • Rangan
  • Rankin
  • Rapple
  • Rayport
  • Redden-Tyler
  • Reedquist
  • Reinold
  • Remak
  • Renick
  • Repetto
  • Resnik
  • Richmond
  • Rielly
  • Rindos
  • Rineer
  • Rivera
  • Robinson
  • Rocha
  • Roesler
  • Rogers
  • Ronen
  • Royal
  • Ruderman
  • Ruescher
  • Sabatello
  • Sadler
  • Safire
  • Samson
  • Sanchez-Ramirez
  • Sanna
  • Sapers
  • Sarin
  • Sartore
  • Satin
  • Satta
  • Satterthwaite
  • Sawtell
  • Sayied
  • Scarponi
  • Scepan
  • Scharf
  • Scharlemann
  • Scheiner
  • Schiano
  • Schifini
  • Schilling
  • Schmitt
  • Schossberger
  • Schuman
  • Schutte
  • Schuyler
  • Schwan
  • Schwickrath
  • Scovel
  • Scudder
  • Seaton
  • Seeber
  • Segal
  • Sekler
  • Selvage
  • Sennett
  • Seterdahl
  • Sexton
  • Seyfert
  • Shaikh
  • Shakis
  • Shankland
  • Shanley
  • Shatrov
  • Shavelson
  • Sheats
  • Shepherd
  • Sheppard
  • Shepstone
  • Shesko
  • Shibata
  • Shimon
  • Siesto
  • Sigalot
  • Sigini
  • Signa
  • Silverman
  • Silvetti
  • Sinsabaugh
  • Sirilli
  • Sites
  • Skane
  • Skerry
  • Skoda
  • Sloan
  • Slowe
  • Smilow
  • Sniffen
  • Snodgrass
  • Socolow
  • Solon
  • Somers
  • Sommariva
  • Sorabella
  • Sottak
  • Soukup
  • Soule
  • Soultanian
  • Spanier
  • Sparrow
  • Spaulding
  • Speizer
  • Spence
  • Sperber
  • Spicer
  • Spiegelhalter
  • Spiliotis
  • Spinrad
  • Stalvey
  • Stang
  • Stassinopolus
  • States
  • Statlender
  • Stefani
  • Steiner
  • Stephanian
  • Stepniewska
  • Stewart-Oaten
  • Stiepock
  • Stillwell
  • StMartin
  • Stock
  • Stockton
  • Stockwell
  • Stolzenberg
  • Stonich
  • Storer
  • Stott
  • Strange
  • Strauch
  • Streiff
  • Stringer
  • Sullivan
  • Sumner
  • Surdam
  • Sweeting
  • Sweetser
  • Swindle
  • Tagiuri
  • Talaugon
  • Tambiah
  • Tandler
  • Tanowitz
  • Tatar
  • Taveras
  • Tcherepnin
  • Teague
  • Temes
  • Temmer
  • Tenney
  • Terracini
  • Thavaneswaran
  • Theodos
  • Thibault
  • Thisted
  • Thomsen
  • Throop
  • Tierney
  • Timmons
  • Tofallis
  • Tollestrup
  • Tolls
  • Tolman
  • Tomford
  • Toomer
  • Topulos
  • Torresi
  • Torske
  • Towler
  • Traebert
  • Trenga
  • Trewin
  • Tringali
  • Troiani
  • Truss
  • Tsiatis
  • Tsomides
  • Tsukurov
  • Tudge
  • Tukan
  • Turano
  • Turek
  • Tuttle
  • Twells
  • Tzamarias
  • Ullman
  • Untermeyer
  • Upsdell
  • Urban
  • Urdang-Brown
  • Usdan
  • Uzuner
  • Vacca
  • Valberg
  • Valencia
  • vanAllen
  • Vandenberg
  • Vanheeckeren
  • VanZwet
  • Vasquez
  • Velasquez
  • Venne
  • Verghese
  • Viana
  • Viano
  • Viens
  • Vignola
  • Villarreal
  • Vitali
  • Viviani
  • Voigt
  • VonHoffman
  • Vorhaus
  • Votey
  • Waite
  • Wales
  • Wallenberg
  • Walter
  • Warshafsky
  • Wasowska
  • Waugh
  • Weighart
  • Weingarten
  • Weinhaus
  • Weissbourd
  • Weissman
  • Welles
  • Welsh
  • Wengret
  • Wescott
  • Wetzel
  • Whately
  • Whilton
  • White
  • Whitla
  • Whittaker
  • Wiedersheim
  • Wiener
  • Wilder
  • Wilhelm
  • Wilkin
  • Wilkinson
  • Willstatter
  • Wilson
  • Wooden
  • Woods
  • Woods-Powell
  • Yacono
  • Yamane
  • Yankee
  • Yarchuk
  • Yates
  • Ybarra
  • Yedidia
  • Yesson
  • Yetiv
  • Yoffe
  • Youk-See
  • Zachary
  • Zahedi
  • Zangwill
  • Zegans
  • Zerbini
  • Zoldak
  • Zucconi
  • Zwiers
  • Zytowski
Passwords
  • 12345
  • 123456
  • 1234567
  • 12345678
  • 123456789
  • 1234567890
  • access
  • accounting
  • accounts
  • administrador
  • administrat
  • administrateur
  • administrator
  • admins
  • backup
  • bitch
  • blank
  • brian
  • changeme
  • chris
  • cisco
  • compaq
  • computer
  • control
  • database
  • databasepass
  • databasepassword
  • db1234
  • dbpass
  • dbpassword
  • default
  • domain
  • domainpass
  • domainpassword
  • exchange
  • george
  • guest
  • hello
  • homeuser
  • internet
  • intranet
  • katie
  • linux
  • login
  • loginpass
  • nokia
  • oeminstall
  • oemuser
  • office
  • oracle
  • orainstall
  • outlook
  • owner
  • pass1234
  • passwd
  • password
  • password1
  • peter
  • qwerty
  • server
  • siemens
  • sqlpassoainstall
  • staff
  • student
  • susan
  • system
  • teacher
  • technical
  • win2000
  • win2k
  • win98
  • windows
  • winnt
  • winpass
  • winxp
  • wwwadmin
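
The share-spreading routine above leaves a distinctive trace: one source host failing network logons as many different accounts in quick succession. The following Python script is an added example, not part of this Trend Micro write-up, showing how to pick that pattern out of failed-logon events. It assumes the events have been exported one per line in the simplified key=value form used in its constructed sample (event ID 529 on Windows 2000/XP, 4625 on later versions; logon type 3 is a network logon, which is what share access produces); the field names, addresses and timestamps are constructed.

```python
"""Added example, not part of the Trend Micro write-up: flag a source that
tries many different accounts against shares in a short time, which is how
this worm's credential list shows up in failed-logon events.

Assumption (mine): events are exported one per line in the simplified
key=value form below. SAMPLE_LOG is constructed for this example."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Twelve names from the worm's user-name list, tried from one host within
# half a minute, plus one user on another host mistyping a password.
_SPRAYED_USERS = ["Abdulrazak", "Ackerman", "Adams", "Addison", "Adelstein", "Adibe",
                  "Adorno", "Ahlers", "Alavi", "Alcorn", "Aleks", "Allison"]

SAMPLE_LOG = "\n".join(
    [f"2005-11-24T13:00:{2 * i:02d} EventID=529 LogonType=3 User={u} Source=10.0.0.17"
     for i, u in enumerate(_SPRAYED_USERS)]
    + [f"2005-11-24T13:05:{s:02d} EventID=529 LogonType=3 User=jsmith Source=10.0.0.99"
       for s in (0, 30, 55)]
    # An interactive (type 2) failure; share scanning never produces these.
    + ["2005-11-24T13:06:10 EventID=529 LogonType=2 User=jsmith Source=10.0.0.99"]
) + "\n"

_EVENT = re.compile(r"^(?P<ts>\S+) EventID=(?P<id>\d+) LogonType=(?P<lt>\d+) "
                    r"User=(?P<user>\S+) Source=(?P<src>\S+)$")
FAILED_LOGON_IDS = {"529", "4625"}   # 529: Windows 2000/XP/2003; 4625: Vista and later
NETWORK_LOGON = "3"                  # share access is a type-3 (network) logon


def parse_events(text):
    """Yield (timestamp, event_id, logon_type, user, source) for each parsable line."""
    for line in text.splitlines():
        m = _EVENT.match(line)
        if m:
            yield (datetime.fromisoformat(m.group("ts")), m.group("id"),
                   m.group("lt"), m.group("user"), m.group("src"))


def find_share_spraying(text, window_seconds=60, min_distinct_users=10):
    """Return {source: distinct_accounts} for every source that failed network
    logons as at least min_distinct_users different accounts inside some
    window_seconds-long window. Repeated failures for a single account (a stale
    mapped drive, a mistyped password) never trip this rule; cycling through a
    user-name list does."""
    window = timedelta(seconds=window_seconds)
    per_source = defaultdict(list)
    for ts, event_id, logon_type, user, src in parse_events(text):
        if event_id in FAILED_LOGON_IDS and logon_type == NETWORK_LOGON:
            per_source[src].append((ts, user.lower()))
    hits = {}
    for src, events in per_source.items():
        events.sort()
        recent = deque()          # sliding window of (timestamp, user)
        worst = 0
        for ts, user in events:
            recent.append((ts, user))
            while ts - recent[0][0] > window:
                recent.popleft()
            worst = max(worst, len({u for _, u in recent}))
        if worst >= min_distinct_users:
            hits[src] = worst
    return hits


if __name__ == "__main__":
    for src, count in find_share_spraying(SAMPLE_LOG).items():
        print(f"{src}: {count} distinct accounts in one window")
```

Ten distinct accounts per minute from one source is well above what a user with a stale mapped drive produces, so the default threshold is conservative. Where the exported event carries no source address field, key on the workstation name instead.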

This worm takes advantage of the following system vulnerabilities to propagate across networks:

  • DameWare Remote Control Server Stack Overflow Exploit
  • WebDAV vulnerability
  • RPCSS Service vulnerability
  • Windows LSASS vulnerability

For more information regarding the mentioned vulnerabilities, refer to the following Web pages:

Backdoor Capabilities

This worm is an Internet Relay Chat (IRC) bot. It opens random TCP or UDP ports and connects to an IRC server, where it joins a channel. Once connected, it receives the following commands from a remote malicious user:

The said routine gives remote users effective control over affected systems, thus compromising system security.
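
Because this bot does not rely on a fixed IRC port, detection has to look at the protocol rather than the port. The following Python script is an added example, not part of this Trend Micro write-up: it inspects the first client bytes of a TCP flow for an IRC registration (NICK plus USER) and pulls out the nick and the channels joined, whatever the destination port. The flows in it are constructed, and the nick and channel names are invented; they are not this worm's actual values, which the write-up does not list.

```python
"""Added example, not part of the Trend Micro write-up: recognise an IRC
client registration in a TCP flow regardless of destination port.

Assumption (mine): the first client-to-server bytes of each flow are already
available. SAMPLE_FLOWS is constructed; nicks and channels are invented."""
import re

_IRC_LINE = re.compile(r"^(PASS|NICK|USER|JOIN|PONG|PRIVMSG|MODE)(?:\s+(.*))?$", re.I)

SAMPLE_FLOWS = [
    # (destination port, first client payload bytes), all constructed
    (6667, b"NICK guest42\r\nUSER guest42 0 * :guest42\r\nJOIN #help\r\n"),
    (1863, b"PASS s3cret\r\nNICK [XP]-12345\r\nUSER a b c :d\r\nJOIN #chan key\r\nPONG :irc\r\n"),
    (80, b"GET / HTTP/1.1\r\nHost: example.invalid\r\nUser-Agent: test\r\n\r\n"),
    (6667, b"\x16\x03\x01\x00\x8a\x01\x00\x00\x86\x03\x03"),  # TLS ClientHello, not plain IRC
]


def irc_client_indicators(payload, max_bytes=4096):
    """Return None if the payload does not contain an IRC client registration
    (NICK plus USER); otherwise a dict with the nick, the channels joined
    (channel -> key or None) and the commands seen."""
    nick, channels, seen = None, {}, set()
    for raw in re.split(rb"\r?\n", payload[:max_bytes]):   # CRLF per RFC, tolerate bare LF
        line = raw.decode("latin-1", "replace").strip()
        m = _IRC_LINE.match(line)
        if not m:
            continue
        cmd, args = m.group(1).upper(), (m.group(2) or "").split()
        seen.add(cmd)
        if cmd == "NICK" and args:
            nick = args[0]
        elif cmd == "JOIN" and args:
            names = args[0].split(",")
            keys = args[1].split(",") if len(args) > 1 else []
            for i, channel in enumerate(names):
                channels[channel] = keys[i] if i < len(keys) else None
    # A lone MODE or PRIVMSG word in some other text protocol is not enough;
    # insist on the registration pair.
    if {"NICK", "USER"} <= seen:
        return {"nick": nick, "channels": channels, "commands": sorted(seen)}
    return None


def scan_flows(flows):
    """Return [(port, indicators)] for every flow that registers as an IRC
    client, whatever its destination port."""
    hits = []
    for port, data in flows:
        indicators = irc_client_indicators(data)
        if indicators is not None:
            hits.append((port, indicators))
    return hits


if __name__ == "__main__":
    for port, ind in scan_flows(SAMPLE_FLOWS):
        print(f"port {port}: nick={ind['nick']} channels={ind['channels']}")
```

Alert on any hit whose destination port is not one your own IRC servers use, or on any hit at all where IRC is not in legitimate use; the nick and the channel (with its key) are the pivots for finding other infected hosts that talk to the same channel.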

Denial of Service

Part of this worm's backdoor capabilities is launching a denial of service (DoS) attack against target systems using the following flooding methods:

Process Termination

This worm terminates the following processes:

Some of these processes are related to security applications, while others are related to WORM_MYDOOM and WORM_BAGLE variants.

Information Theft

This worm uses its built-in packet sniffer (the "Carnivore" module found in Rbot variants) to retrieve passwords and other sensitive information by checking for the following character strings in network packets:

It also steals Microsoft Windows Product ID, as well as the CD keys of the following game applications installed on the system:

It then sends the gathered information to a remote malicious user via opened ports.

Other Details

This worm runs on Windows 95, 98, ME, NT, 2000, and XP.

Analysis By: Jocelyn D. Racoma


SOLUTION


Minimum scan engine version needed: 7.000

Pattern file needed: 2.972.03

Pattern release date: Nov 27, 2005


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

Identifying the Malware Program

To remove this malware, first identify the malware program.

  1. Scan your system with your Trend Micro antivirus product.
  2. NOTE the path and file name of all files detected as WORM_RBOT.CXS.

Trend Micro customers need to download the latest virus pattern file before scanning their system. Other users can use Housecall, the Trend Micro online virus scanner.

Terminating the Malware Program

This procedure terminates the running malware process. You will need the name(s) of the file(s) detected earlier.

If the process you are looking for is not in the list displayed by Task Manager, proceed to the succeeding solution set.

  1. Open Windows Task Manager.
    • On Windows 95, 98, and ME, press CTRL+ALT+DELETE.
    • On Windows NT, 2000, and XP, press CTRL+SHIFT+ESC, then click the Processes tab.
  2. In the list of running programs*, locate the malware file(s) detected earlier.
  3. Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
  4. Do the same for all detected malware files in the list of running processes.
  5. To check if the malware process has been terminated, close Task Manager, and then open it again.
  6. Close Task Manager.

*NOTE: On systems running Windows 95, 98, and ME, Windows Task Manager may not show certain processes. Use a third-party process viewer such as Process Explorer to terminate the malware process. If you still cannot terminate it, restart your system and continue with the next procedure.

Editing the Registry

This malware modifies the system's registry. Users affected by this malware may need to modify or delete specific registry keys or entries. For detailed information regarding registry editing, please refer to the following articles from Microsoft:

  1. HOW TO: Backup, Edit, and Restore the Registry in Windows 95, Windows 98, and Windows ME
  2. HOW TO: Backup, Edit, and Restore the Registry in Windows NT 4.0
  3. HOW TO: Backup, Edit, and Restore the Registry in Windows 2000
  4. HOW TO: Back Up, Edit, and Restore the Registry in Windows XP and Server 2003

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing at startup.

If the registry entries below are not found, the malware may not have executed as of detection. If so, proceed to the succeeding solution set.

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>
    Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the entry:
    Windows Automatical Updater = "dcz.exe"
  4. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>
    Windows>CurrentVersion>Run
  5. In the right panel, locate and delete the entry:
    Windows Automatical Updater = "dcz.exe"
  6. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>
    Windows>CurrentVersion>RunServices
  7. In the right panel, locate and delete the entry:
    Windows Automatical Updater = "dcz.exe"
  8. Close Registry Editor.

Restoring EnableDCOM and RestrictAnonymous Registry Entries

This malware sets the EnableDCOM and RestrictAnonymous registry entries to values that disable DCOM and restrict anonymous access. To know more about these entries and about restoring them to their original values, please refer to these articles:

  1. COM security frequently asked questions
  2. How to disable DCOM support in Windows
  3. How to Use the RestrictAnonymous Registry Value in Windows 2000
  4. The "RestrictAnonymous" Registry Value May Break the Trust to a Windows 2000 Domain

To restore these entries, please perform the following instructions:

  1. Still in Registry Editor, in the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Ole
  2. In the right panel, locate the entry:
    EnableDCOM = "N"
  3. Right-click on this registry entry and choose Modify. Change the value of this entry to:
    EnableDCOM = "Y"
  4. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Control>Lsa
  5. In the right panel, locate the entry RestrictAnonymous. If your organization had deliberately set this value as a hardening measure before the infection, leave it as it is; otherwise, change it back to the value in use before the infection (the Windows default is 0).
  6. Close Registry Editor.

Important Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected systems.

Users running other Windows versions can proceed with the succeeding procedure set(s).

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete files detected as WORM_RBOT.CXS. To do this, Trend Micro customers must download the latest virus pattern file and scan their system. Other Internet users can use HouseCall, the Trend Micro online virus scanner.

Applying Patches

This malware exploits known vulnerabilities. Download and install the following fix patches:

  • (MS03-007) Unchecked Buffer In Windows Component Could Cause Server Compromise (815021)
  • (MS03-039) Buffer Overrun In RPCSS Service Could Allow Code Execution (824146)
  • (MS04-011) Security Update for Microsoft Windows (835732)
  • The vendor update for the DameWare Remote Control Server stack overflow, which no Microsoft bulletin covers

Refrain from using the affected software until the appropriate patch has been installed.



