WORM_RBOT.DHN

Malware type: Worm

Aliases: Backdoor.Win32.Rbot.gen (Kaspersky), W32/Sdbot.worm (McAfee), W32.Spybot.Worm (Symantec), TR/Crypt.XPACK.Gen (Avira), W32/Rbot-GDC (Sophos)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 98, ME, NT, 2000, XP, Server 2003

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential:

High

Distribution potential:

High

Infection Channel 1 : Propagates via network shares

Infection Channel 2 : Propagates via software vulnerabilities

Description: 

This worm arrives on a system as a file dropped by other malware. It also typically arrives via network shares.

Upon execution, it drops a copy of itself named as ALSERV32.EXE in the Windows system folder.

It propagates across networks by dropping a copy of itself into accessible default network shares. It also uses a list of weak user names and passwords to gain access to an affected system.

For its propagation routine, this worm also takes advantage of known software vulnerabilities discussed in the following Web pages:

This worm also has backdoor capabilities. It opens random ports to connect to the IRC server tr.t4m3r.com. It then joins the IRC channel #nzm# to listen to commands issued by a remote malicious user. The said commands, which include downloading files and launching SYN or ICMP flood attacks, are executed locally on the affected system, thereby compromising system security.

Furthermore, it steals the Windows Product ID of the affected system. It also steals the license keys of several popular gaming applications, if found installed on the affected system.

For additional information about this threat, see:

Description created: Feb. 22, 2007 12:11:41 AM GMT -0800


TECHNICAL DETAILS


File type: PE

Memory resident:  No

Size of malware: 224,256 Bytes

Ports used: Random

Initial samples received on: Feb 15, 2007

Vulnerability used:  (MS04-011) Security Update for Microsoft Windows (835732), (MS03-026) Buffer Overrun In RPC Interface Could Allow Code Execution, (MS03-039) Buffer Overrun In RPCSS Service Could Allow Code Execution

Payload 1: Compromises system security

Payload 2: Steals information

Payload 3: Disables services

Details:

Arrival and Autostart Technique

This worm arrives on a system as a file dropped by other malware.

Upon execution, it drops a copy of itself named as ALSERV32.EXE in the Windows system folder.

It then creates the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run
alserv32.exe = "%System%\alserv32.exe"

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

HKEY_CURRENT_USER\Software\Microsoft\OLE
Nod32 Service = "alserv32.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\RunServices
Nod32 Service = "alserv32.exe"

Other System Modifications

This worm disables administrative shares by modifying the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\lanmanserver\parameters
AutoShareWks = "0"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\lanmanserver\parameters
AutoShareServer = "0"

(Note: The default value data for the aforementioned registry entries is 0. Restoring these entries to their original value data has the same effect as deleting them.)

It also bypasses the Windows firewall by creating the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
SharedAccess\Parameters\FirewallPolicy\StandardProfile\
AuthorizedApplications\List
(Default) = ":*:Enabled:Nod32:0"

It also modifies the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
EnableDCOM = "N"

(Note: The default value data for the said registry entry is Y.)

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Control\LSA
RestrictAnonymous = "1"

(Note: The value for the said registry entry is user-defined.)

It also modifies the following registry entries to disable certain services:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\wscsvc
Start = "4"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\wuauserv
Start = "4"

(Note: The default value data for both entries is 2.)

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\SharedAccess
Start = "4"

(Note: The default value data for the said entry is 3.)
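As an added defender-side example (not part of the original description), the following Python script audits a `reg export` (.reg) file for the autostart, firewall-exception, EnableDCOM and service Start entries listed in the two sections above. The sample export and the function names are my own constructions.

```python
# Constructed sample (not from a real host) in "reg export" format: this page's entries plus one benign service.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"alserv32.exe"="C:\\WINDOWS\\System32\\alserv32.exe"
[HKEY_CURRENT_USER\Software\Microsoft\OLE]
"Nod32 Service"="alserv32.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
@=":*:Enabled:Nod32:0"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000002
'''

def parse_reg(text):
    """Parse a .reg export into {key (lowercased): {value name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif '=' in line and current is not None:
            name, data = line.split('=', 1)
            name = '' if name == '@' else name.strip('"')     # '' = (Default)
            if data.startswith('dword:'):                      # REG_DWORD -> int
                data = int(data[6:], 16)
            elif data.startswith('"') and data.endswith('"'):  # REG_SZ, unescape
                data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            current[name] = data
    return keys

AUTOSTART = (r'\currentversion\run', r'\currentversion\runservices', r'\microsoft\ole')
SERVICES = (r'\services\wscsvc', r'\services\wuauserv', r'\services\sharedaccess')

def find_rbot_indicators(text):
    """Return one finding per registry value matching the footprint described above."""
    hits = []
    for key, values in parse_reg(text).items():
        for name, data in values.items():
            n, d = name.lower(), str(data).lower()
            if key.endswith(AUTOSTART) and ('alserv32.exe' in d or n == 'nod32 service'):
                hits.append(f'autostart: {key}\\{name} = {data!r}')
            elif key.endswith(r'\microsoft\ole') and n == 'enabledcom' and d == 'n':
                hits.append('DCOM disabled: EnableDCOM = N')
            elif key.endswith(r'\authorizedapplications\list') and n == '' and 'nod32' in d:
                hits.append(f'firewall exception: (Default) = {data!r}')
            elif key.endswith(SERVICES) and n == 'start' and data == 4:
                hits.append(f'service disabled: {key.rsplit(chr(92), 1)[-1]} Start = 4')
    return hits
```

Run `find_rbot_indicators(open('export.reg', encoding='utf-16').read())` on a real export; the wuauserv entry with Start = 2 in the sample shows a non-disabled service producing no finding.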

Propagation via Network Shares and Software Vulnerabilities

This worm propagates across networks by dropping a copy of itself into accessible network shares.

It searches for the following network shares:

  • ADMIN$
  • C$
  • IPC$

It uses the following list of weak user names and passwords to gain access to an affected system:

User Names

  • a
  • aaa
  • abc
  • admin
  • Administrador
  • Administrateur
  • administrator
  • asdf
  • Default
  • Dell
  • Gast
  • Guest
  • home
  • Inviter
  • login
  • mgmt
  • Owner
  • pc
  • qwer
  • Standard
  • temp
  • Test
  • User
  • win
  • x
  • xyz

Passwords

  • 0
  • 000000
  • 00000000
  • 007
  • 1
  • 110
  • 111
  • 111111
  • 11111111
  • 12
  • 121212
  • 123
  • 123123
  • 1234
  • 12345
  • 123456
  • 1234567
  • 12345678
  • 123456789
  • 1234qwer
  • 123abc
  • 123asd
  • 123qwe
  • 2002
  • 2003
  • 2600
  • 54321
  • 654321
  • 88888888
  • a
  • aaa
  • abc
  • abcd
  • Admin
  • administrator
  • alpha
  • asdf

It also takes advantage of known software vulnerabilities discussed in the following Web pages:

Backdoor Capabilities

This worm has backdoor capabilities. It opens random ports to connect to the IRC server tr.t4m3r.com and joins the IRC channel #nzm#. It then listens to commands issued by a remote malicious user. The commands are any of the following:

  • Disable the following network shares:
    • ADMIN$
    • C$
    • D$
    • IPC$
  • Download or execute a file
  • Join or leave IRC channel
  • Launch a SYN or ICMP flood attack
  • Obtain the following system information:
    • CPU speed
    • Current user
    • Malware uptime
    • Memory size
    • Windows platform, build version, and product ID
  • Send a private message through IRC
  • Terminate itself
  • Update itself

Information Theft Routine

This worm steals the Windows Product ID of the affected system. It also steals the license keys of the following popular gaming applications, if found installed on the affected system:

  • Battlefield 1942
  • Battlefield 1942 Road To Rome
  • Call of Duty
  • Command & Conquer Generals
  • Counter-Strike
  • FIFA 2003
  • Half-Life
  • Need For Speed Hot Pursuit 2
  • Neverwinter Nights
  • Project IGI 2
  • Rainbow Six III RavenShield
  • Soldier of Fortune II - Double Helix
  • Unreal Tournament 2003

Platforms Affected

This worm runs on Windows 98, ME, NT, 2000, XP, and Server 2003.

Analysis By: Hazel Mariscal


SOLUTION


Minimum scan engine version needed: 8.000

Pattern file needed: 4.272.02


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

Terminating the Malware Program

This procedure terminates the running malware process.

  1. Open Windows Task Manager.
    • On Windows 98 and ME, press
    CTRL+ALT+DELETE
    • On Windows NT, 2000, XP, and Server 2003, press
    CTRL+SHIFT+ESC, then click the Processes tab.
  2. In the list of running programs*, locate the process:
    alserv32.exe
  3. Select the malware process, then press either the End Task or the End Process button, depending on the version of Windows on your computer.
  4. To check if the malware process has been terminated, close Task Manager, and then open it again.
  5. Close Task Manager.

*NOTE: On computers running Windows 98 and ME, Windows Task Manager may not show certain processes. You can use a third party process viewer such as Process Explorer to terminate the malware process.

On computers running all Windows platforms, if the process you are looking for is not in the list displayed by Task Manager or Process Explorer, continue with the next solution procedure, noting additional instructions. If the malware process is in the list displayed by either Task Manager or Process Explorer, but you are unable to terminate it, restart your computer in safe mode.

Editing the Registry

This malware modifies the computer's registry. Users affected by this malware may need to modify or delete specific registry keys or entries. For detailed information regarding registry editing, please refer to the following articles from Microsoft:

  1. HOW TO: Backup, Edit, and Restore the Registry in Windows 95, Windows 98, and Windows ME
  2. HOW TO: Backup, Edit, and Restore the Registry in Windows NT 4.0
  3. HOW TO: Backup, Edit, and Restore the Registry in Windows 2000
  4. HOW TO: Back Up, Edit, and Restore the Registry in Windows XP and Server 2003

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing at startup.

If the registry entries below are not found, the malware may not have executed as of detection. If so, proceed to the succeeding solution set.

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>
    Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the entry:
    Nod32 Service = "%System%\alserv32.exe"
    (Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP and Server 2003.)
  4. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Runservices
  5. In the right panel, locate and delete the entry:
    Nod32 Service = "%System%\alserv32.exe"
  6. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>OLE
  7. In the right panel, locate and delete the entry:
    Nod32 Service = "%System%\alserv32.exe"

Removing Registry Entries Related to Administrative Shares

This malware creates registry entries related to administrative shares. To know more about administrative shares, please refer to the following Microsoft Knowledge Base article:

  1. Still in Registry Editor, in the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>
    Services>lanmanserver>parameters
  2. In the right panel, locate and delete the following entries:
    • AutoShareWks = "0"
    • AutoShareServer = "0"
    (Note: The entries can either be deleted as described above or their value data can be set according to preference.)

Deleting/Restoring Other Registry Entries

  1. Still in Registry Editor, in the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>
    SharedAccess>Parameters>FirewallPolicy>
    StandardProfile>AuthorizedApplications>List
  2. In the right panel, locate and delete the entry:
    (Default) = ":*:Enabled:Nod32:0"
  3. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>wscsvc
  4. In the right panel, locate the entry:
    Start = "4"
  5. Right-click on the value name and choose Modify. Change the value data of this entry to:
    2
  6. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>wuauserv
  7. In the right panel, locate the entry:
    Start = "4"
  8. Right-click on the value name and choose Modify. Change the value data of this entry to:
    2
  9. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>SharedAccess
  10. In the right panel, locate the entry:
    Start = "4"
  11. Right-click on the value name and choose Modify. Change the value data of this entry to:
    3

Restoring EnableDCOM and RestrictAnonymous Registry Entries

This malware modifies the EnableDCOM and RestrictAnonymous registry entries to a certain value. To know more about restoring these registry entries to their original values, please refer to these articles:

  1. How to disable DCOM support in Windows
  2. How to Use the RestrictAnonymous Registry Value in Windows 2000
  3. The "RestrictAnonymous" Registry Value May Break the Trust to a Windows 2000 Domain

To restore the EnableDCOM entry to its default value, please perform the following instructions:

  1. Still in the Registry Editor, in the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Ole
  2. In the right panel, locate the entry:
    EnableDCOM = "N"
  3. Right-click on the value name and choose Modify. Change the value data of this entry to:
    Y
  4. Close Registry Editor.

Important Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected computers.

Users running other Windows versions can proceed with the succeeding solution set(s).

Running Trend Micro Antivirus

If you are currently running in safe mode, please restart your computer normally before performing the following solution.

Scan your computer with Trend Micro antivirus and delete files detected as WORM_RBOT.DHN. To do this, Trend Micro customers must download the latest virus pattern file and scan their computer. Other Internet users can use HouseCall, the Trend Micro online virus scanner.

Applying Patches

Download and install the following patches supplied by Microsoft:

Refrain from using these products until the appropriate patches have been installed. Trend Micro advises users to download critical patches upon release by vendors.
