WORM_RBOT.DMU

Malware type: Worm

Aliases: Backdoor.Win32.Rbot.gen (Kaspersky), W32/Sdbot.worm.gen.as (McAfee), W32.Spybot.Worm (Symantec), Worm/Rbot.117760.16 (Avira), Mal/Behav-134 (Sophos),

In the wild: Yes

Destructive: No

Language: English

Platform: Windows NT, 2000, XP, Server 2003

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential:

High

Distribution potential:

High

Infection Channel 1 : Propagates via network shares


Infection Channel 2 : Propagates via software vulnerabilities


Description: 

This worm spreads through network shares. It searches for the said shares, where it drops a copy of itself. It also takes advantage of the following Windows vulnerabilities to propagate across networks:

  • Elevation of Privilege in SQL Server vulnerability
  • IIS/WEBDAV vulnerability
  • RPC/DCOM vulnerability
  • Windows LSASS vulnerability

For more information on the said vulnerabilities, refer to the following Microsoft Web pages:

This worm has backdoor capabilities. It opens a random port, and then connects to a remote Internet Relay Chat (IRC) server. It then joins a specific IRC channel, where it receives several commands from a remote malicious user.

It may also utilize the backdoor capabilities of variants of the following malware families to download copies of itself onto affected systems:

In addition, this worm is capable of terminating certain processes on the affected system.

It steals the Windows product ID and CD keys of certain game applications if installed on the affected system. It also uses a carnivore network sniffer that checks for certain strings in certain packets in order to retrieve passwords and other sensitive information.

For additional information about this threat, see:

Description created: Mar. 14, 2006 11:03:19 PM GMT -0800


TECHNICAL DETAILS


File type: PE

Memory resident:  Yes

Size of malware: 118,784 Bytes

Ports used: Random

Initial samples received on: Mar 1, 2006

Vulnerability used:  (MS04-011) Security Update for Microsoft Windows (835732), (MS03-007) Unchecked Buffer In Windows Component Could Cause Server Compromise (815021), (MS03-026) Buffer Overrun In RPC Interface Could Allow Code Execution, (MS02-061) Elevation of Privilege in SQL Server Web Tasks (Q316333)

Payload 1: Compromises system security

Payload 2: Terminates processes

Payload 3: Steals information

Details:

Installation and Autostart Technique

Upon execution, this worm drops and executes a copy of itself as MNSQ.EXE in the Windows system folder. It creates the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\RunServices
Mi7sft sdce = "MNSQ.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Mi7sft sdce = "MNSQ.exe"

It also creates the following registry entry as part of its installation routine:

HKEY_CURRENT_USER\Software\Microsoft\OLE
Mi7sft sdce = "MNSQ.exe"

Other Registry Modifications

This worm disables the DCOM protocol and restricts anonymous access to the affected system by modifying the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
EnableDCOM = "N"

(Note: The default value for this entry is "Y".)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\Lsa
restrictanonymous = "dword:00000001"

(Note: The value for this entry is user-defined.)

Propagation via Network Shares and Software Vulnerabilities

This worm spreads through network shares. It searches for the following shares, where it drops a copy of itself:

  • ADMIN$\system32
  • C$\Windows\system32
  • C$\WINNT\system32
  • IPC$

It takes advantage of the following Windows vulnerabilities to propagate across networks:

  • Elevation of Privilege in SQL Server vulnerability
  • IIS/WEBDAV vulnerability
  • RPC/DCOM vulnerability
  • Windows LSASS vulnerability

For more information on the said vulnerabilities, refer to the following Microsoft Web pages:

Backdoor Capabilities

This worm has backdoor capabilities. It opens a random port, and then connects to a remote Internet Relay Chat (IRC) server. It then joins a specific IRC channel, where it receives several commands from a remote malicious user. Some of the commands are the following:

  • Add or remove default network shares
  • Change IRC server and channel where it connects to
  • Delete files
  • Download and execute files
  • Emulate an FTP server
  • Flushes DNS cache
  • Log out the user
  • Perform the following flood attacks:
    • Ping Flood
    • SYN Flood
    • UDP Flood
  • Redirect connections
  • Retrieve system information, such as the following:
    • CPU speed
    • Free memory and disk space
    • System uptime
  • Scan local area network for listening ports
  • Shut down or restart the system

It may also utilize the backdoor capabilities of variants of the following malware families to download copies of itself onto affected systems:

Process Termination

This worm is capable of terminating the following processes running in memory:

  • _AVP32.EXE
  • _AVPCC.EXE
  • _AVPM.EXE
  • ACKWIN32.EXE
  • ADAWARE.EXE
  • ADVXDWIN.EXE
  • AGENTSVR.EXE
  • AGENTW.EXE
  • ALERTSVC.EXE
  • ALEVIR.EXE
  • ALOGSERV.EXE
  • AMON9X.EXE
  • ANTI-TROJAN.EXE
  • ANTIVIRUS.EXE
  • ANTS.EXE
  • APIMONITOR.EXE
  • APLICA32.EXE
  • APVXDWIN.EXE
  • ARR.EXE
  • ATCON.EXE
  • ATGUARD.EXE
  • ATRO55EN.EXE
  • ATUPDATER.EXE
  • ATWATCH.EXE
  • AU.EXE
  • AUPDATE.EXE
  • AUTO-PROTECT.NAV80TRY.EXE
  • AUTODOWN.EXE
  • AUTOTRACE.EXE
  • AUTOUPDATE.EXE
  • AVCONSOL.EXE
  • AVE32.EXE
  • AVGCC32.EXE
  • AVGCTRL.EXE
  • AVGNT.EXE
  • AVGSERV.EXE
  • AVGSERV9.EXE
  • AVGUARD.EXE
  • AVGW.EXE
  • AVKPOP.EXE
  • AVKSERV.EXE
  • AVKSERVICE.EXE
  • AVKWCTl9.EXE
  • AVLTMAIN.EXE
  • AVNT.EXE
  • AVP.EXE
  • AVP32.EXE
  • AVPCC.EXE
  • AVPDOS32.EXE
  • AVPM.EXE
  • AVPTC32.EXE
  • AVPUPD.EXE
  • AVSCHED32.EXE
  • AVSYNMGR.EXE
  • AVWIN95.EXE
  • AVWINNT.EXE
  • AVWUPD.EXE
  • AVWUPD32.EXE
  • AVWUPSRV.EXE
  • AVXMONITOR9X.EXE
  • AVXMONITORNT.EXE
  • AVXQUAR.EXE
  • BACKWEB.EXE
  • BARGAINS.EXE
  • BD_PROFESSIONAL.EXE
  • BEAGLE.EXE
  • BELT.EXE
  • BIDEF.EXE
  • BIDSERVER.EXE
  • BIPCP.EXE
  • BIPCPEVALSETUP.EXE
  • BISP.EXE
  • BLACKD.EXE
  • BLACKICE.EXE
  • BLSS.EXE
  • BOOTCONF.EXE
  • BOOTWARN.EXE
  • BORG2.EXE
  • BPC.EXE
  • BRASIL.EXE
  • BS120.EXE
  • BUNDLE.EXE
  • BVT.EXE
  • CCAPP.EXE
  • CCEVTMGR.EXE
  • CCPXYSVC.EXE
  • CDP.EXE
  • CFD.EXE
  • CFGWIZ.EXE
  • CFIADMIN.EXE
  • CFIAUDIT.EXE
  • CFINET.EXE
  • CFINET32.EXE
  • Claw95.EXE
  • CLAW95CF.EXE
  • CLEAN.EXE
  • CLEANER.EXE
  • CLEANER3.EXE
  • CLEANPC.EXE
  • CLICK.EXE
  • CMD32.EXE
  • CMESYS.EXE
  • CMGRDIAN.EXE
  • CMON016.EXE
  • CONNECTIONMONITOR.EXE
  • CPD.EXE
  • CPF9X206.EXE
  • CPFNT206.EXE
  • CTRL.EXE
  • CV.EXE
  • CWNB181.EXE
  • CWNTDWMO.EXE
  • DATEMANAGER.EXE
  • DCOMX.EXE
  • DEFALERT.EXE
  • DEFSCANGUI.EXE
  • DEFWATCH.EXE
  • DEPUTY.EXE
  • DIVX.EXE
  • DLLCACHE.EXE
  • DLLREG.EXE
  • DOORS.EXE
  • DPF.EXE
  • DPFSETUP.EXE
  • DPPS2.EXE
  • DRWATSON.EXE
  • DRWEB32.EXE
  • DRWEBUPW.EXE
  • DSSAGENT.EXE
  • DVP95.EXE
  • DVP95_0.EXE
  • ECENGINE.EXE
  • EFPEADM.EXE
  • EMSW.EXE
  • ENT.EXE
  • ESAFE.EXE
  • ESCANH95.EXE
  • ESCANHNT.EXE
  • ESCANV95.EXE
  • ESPWATCH.EXE
  • ETHEREAL.EXE
  • ETRUSTCIPE.EXE
  • EVPN.EXE
  • EXANTIVIRUS-CNET.EXE
  • EXE.AVXW.EXE
  • EXPERT.EXE
  • EXPLORE.EXE
  • F-AGNT95.EXE
  • F-PROT.EXE
  • F-PROT95.EXE
  • F-STOPW.EXE
  • FAMEH32.EXE
  • FAST.EXE
  • FCH32.EXE
  • FIH32.EXE
  • FINDVIRU.EXE
  • FIREWALL.EXE
  • FLOWPROTECTOR.EXE
  • FNRB32.EXE
  • FP-WIN.EXE
  • FP-WIN_TRIAL.EXE
  • FPROT.EXE
  • FRW.EXE
  • FSAA.EXE
  • FSAV.EXE
  • FSAV32.EXE
  • FSAV530STBYB.EXE
  • FSAV530WTBYB.EXE
  • FSAV95.EXE
  • FSGK32.EXE
  • FSM32.EXE
  • FSMA32.EXE
  • FSMB32.EXE
  • GATOR.EXE
  • GBMENU.EXE
  • GBPOLL.EXE
  • GENERICS.EXE
  • GMT.EXE
  • GUARD.EXE
  • GUARDDOG.EXE
  • HACKTRACERSETUP.EXE
  • HBINST.EXE
  • HBSRV.EXE
  • HOTACTIO.EXE
  • HOTPATCH.EXE
  • HTLOG.EXE
  • HTPATCH.EXE
  • HWPE.EXE
  • HXDL.EXE
  • HXIUL.EXE
  • IAMAPP.EXE
  • IAMSERV.EXE
  • IAMSTATS.EXE
  • IBMASN.EXE
  • IBMAVSP.EXE
  • ICLOAD95.EXE
  • ICLOADNT.EXE
  • ICMON.EXE
  • ICSUPP95.EXE
  • ICSUPPNT.EXE
  • IDLE.EXE
  • IEDLL.EXE
  • IEDRIVER.EXE
  • IEXPLORER.EXE
  • IFACE.EXE
  • IFW2000.EXE
  • INETLNFO.EXE
  • INFUS.EXE
  • INFWIN.EXE
  • INIT.EXE
  • INTDEL.EXE
  • INTREN.EXE
  • IOMON98.EXE
  • IPARMOR.EXE
  • IRIS.EXE
  • ISASS.EXE
  • ISRV95.EXE
  • ISTSVC.EXE
  • JAMMER.EXE
  • JDBGMRG.EXE
  • JEDI.EXE
  • KAVLITE40ENG.EXE
  • KAVPERS40ENG.EXE
  • KAVPF.EXE
  • KAZZA.EXE
  • KEENVALUE.EXE
  • KERIO-PF-213-EN-WIN.EXE
  • KERIO-WRL-421-EN-WIN.EXE
  • KERIO-WRP-421-EN-WIN.EXE
  • KERNEL32.EXE
  • KILLPROCESSSETUP161.EXE
  • LAUNCHER.EXE
  • LDNETMON.EXE
  • LDPRO.EXE
  • LDPROMENU.EXE
  • LDSCAN.EXE
  • LNETINFO.EXE
  • LOADER.EXE
  • LOCALNET.EXE
  • LOCKDOWN.EXE
  • LOCKDOWN2000.EXE
  • LOOKOUT.EXE
  • LORDPE.EXE
  • LSETUP.EXE
  • LUALL.EXE
  • LUAU.EXE
  • LUCOMSERVER.EXE
  • LUINIT.EXE
  • LUSPT.EXE
  • MAPISVC32.EXE
  • MCAGENT.EXE
  • MCMNHDLR.EXE
  • MCSHIELD.EXE
  • MCTOOL.EXE
  • MCUPDATE.EXE
  • MCVSRTE.EXE
  • MCVSSHLD.EXE
  • MD.EXE
  • MFIN32.EXE
  • MFW2EN.EXE
  • MFWENG3.02D30.EXE
  • MGAVRTCL.EXE
  • MGAVRTE.EXE
  • MGHTML.EXE
  • MGUI.EXE
  • MINILOG.EXE
  • MMOD.EXE
  • MONITOR.EXE
  • MOOLIVE.EXE
  • MOSTAT.EXE
  • MPFAGENT.EXE
  • MPFSERVICE.EXE
  • MPFTRAY.EXE
  • MRFLUX.EXE
  • MSAPP.EXE
  • MSBB.EXE
  • MSBLAST.EXE
  • MSCACHE.EXE
  • MSCCN32.EXE
  • MSCMAN.EXE
  • MSCONFIG.EXE
  • MSDM.EXE
  • MSDOS.EXE
  • MSIEXEC16.EXE
  • MSINFO32.EXE
  • MSLAUGH.EXE
  • MSMGT.EXE
  • MSMSGRI32.EXE
  • MSSMMC32.EXE
  • MSSYS.EXE
  • MSVXD.EXE
  • MU0311AD.EXE
  • MWATCH.EXE
  • N32SCANW.EXE
  • NAV.EXE
  • NAVAP.NAVAPSVC.EXE
  • NAVAPSVC.EXE
  • NAVAPW32.EXE
  • NAVDX.EXE
  • NAVENGNAVEX15.NAVLU32.EXE
  • NAVLU32.EXE
  • NAVNT.EXE
  • NAVSTUB.EXE
  • NAVW32.EXE
  • NAVWNT.EXE
  • NC2000.EXE
  • NCINST4.EXE
  • NDD32.EXE
  • NEOMONITOR.EXE
  • NEOWATCHLOG.EXE
  • NETARMOR.EXE
  • NETD32.EXE
  • NETINFO.EXE
  • NETMON.EXE
  • NETSCANPRO.EXE
  • NETSPYHUNTER-1.2.EXE
  • NETSTAT.EXE
  • NETUTILS.EXE
  • NISSERV.EXE
  • NISUM.EXE
  • NMAIN.EXE
  • NOD32.EXE
  • NORMIST.EXE
  • NORTON_INTERNET_SECU_3.0_407.EXE
  • NOTSTART.EXE
  • NPF40_TW_98_NT_ME_2K.EXE
  • NPFMESSENGER.EXE
  • NPROTECT.EXE
  • NPSCHECK.EXE
  • NPSSVC.EXE
  • NSCHED32.EXE
  • NSSYS32.EXE
  • NSTASK32.EXE
  • NSUPDATE.EXE
  • NT.EXE
  • NTRTSCAN.EXE
  • NTVDM.EXE
  • NTXconfig.EXE
  • NUI.EXE
  • NUPGRADE.EXE
  • NVARCH16.EXE
  • NVC95.EXE
  • NVSVC32.EXE
  • NWINST4.EXE
  • NWSERVICE.EXE
  • NWTOOL16.EXE
  • OLLYDBG.EXE
  • ONSRVR.EXE
  • OPTIMIZE.EXE
  • OSTRONET.EXE
  • OTFIX.EXE
  • OUTPOST.EXE
  • OUTPOSTINSTALL.EXE
  • OUTPOSTPROINSTALL.EXE
  • PADMIN.EXE
  • PANIXK.EXE
  • PATCH.EXE
  • PAVCL.EXE
  • PAVPROXY.EXE
  • PAVSCHED.EXE
  • PAVW.EXE
  • PCC2002S902.EXE
  • PCC2K_76_1436.EXE
  • PCCIOMON.EXE
  • PCCNTMON.EXE
  • PCCWIN97.EXE
  • PCCWIN98.EXE
  • PCDSETUP.EXE
  • PCFWALLICON.EXE
  • PCIP10117_0.EXE
  • PCSCAN.EXE
  • PDSETUP.EXE
  • PENIS.EXE
  • PERISCOPE.EXE
  • PERSFW.EXE
  • PERSWF.EXE
  • PF2.EXE
  • PFWADMIN.EXE
  • PGMONITR.EXE
  • PINGSCAN.EXE
  • PLATIN.EXE
  • POP3TRAP.EXE
  • POPROXY.EXE
  • POPSCAN.EXE
  • PORTDETECTIVE.EXE
  • PORTMONITOR.EXE
  • POWERSCAN.EXE
  • PPINUPDT.EXE
  • PPTBC.EXE
  • PPVSTOP.EXE
  • PRIZESURFER.EXE
  • PRMT.EXE
  • PRMVR.EXE
  • PROCDUMP.EXE
  • PROCESSMONITOR.EXE
  • PROCEXPLORERV1.0.EXE
  • PROGRAMAUDITOR.EXE
  • PROPORT.EXE
  • PROTECTX.EXE
  • PSPF.EXE
  • PURGE.EXE
  • PUSSY.EXE
  • PVIEW95.EXE
  • QCONSOLE.EXE
  • QSERVER.EXE
  • RAPAPP.EXE
  • RAV7.EXE
  • RAV7WIN.EXE
  • RAV8WIN32ENG.EXE
  • RAY.EXE
  • RB32.EXE
  • RCSYNC.EXE
  • REALMON.EXE
  • REGED.EXE
  • REGEDIT.EXE
  • REGEDT32.EXE
  • RESCUE.EXE
  • RESCUE32.EXE
  • RRGUARD.EXE
  • RSHELL.EXE
  • RTVSCAN.EXE
  • RTVSCN95.EXE
  • RULAUNCH.EXE
  • RUN32DLL.EXE
  • RUNDLL.EXE
  • RUNDLL16.EXE
  • RUXDLL32.EXE
  • SAFEWEB.EXE
  • SAHAGENT.EXE
  • SAVE.EXE
  • SAVENOW.EXE
  • SBSERV.EXE
  • SC.EXE
  • SCAM32.EXE
  • SCAN32.EXE
  • SCAN95.EXE
  • SCANPM.EXE
  • SCRSCAN.EXE
  • SCRSVR.EXE
  • SCVHOST.EXE
  • SD.EXE
  • SERV95.EXE
  • SERVICE.EXE
  • SERVLCE.EXE
  • SERVLCES.EXE
  • SETUP_FLOWPROTECTOR_US.EXE
  • SETUPVAMEEVAL.EXE
  • SFC.EXE
  • SGSSFW32.EXE
  • SH.EXE
  • SHELLSPYINSTALL.EXE
  • SHN.EXE
  • SHOWBEHIND.EXE
  • SMC.EXE
  • SMS.EXE
  • SMSS32.EXE
  • SOAP.EXE
  • SOFI.EXE
  • SPERM.EXE
  • SPF.EXE
  • SPHINX.EXE
  • SPOLER.EXE
  • SPOOLCV.EXE
  • SPOOLSV32.EXE
  • SPYXX.EXE
  • SREXE.EXE
  • SRNG.EXE
  • SS3EDIT.EXE
  • SSG_4104.EXE
  • SSGRATE.EXE
  • ST2.EXE
  • START.EXE
  • STCLOADER.EXE
  • SUPFTRL.EXE
  • SUPPORT.EXE
  • SUPPORTER5.EXE
  • SVC.EXE
  • SVCHOSTC.EXE
  • SVCHOSTS.EXE
  • SVSHOST.EXE
  • SWEEP95.EXE
  • SWEEPNET.SWEEPSRV.SYS.SWNETSUP.EXE
  • SYMPROXYSVC.EXE
  • SYMTRAY.EXE
  • SYSEDIT.EXE
  • SYSTEM.EXE
  • SYSTEM32.EXE
  • SYSUPD.EXE
  • TASKMG.EXE
  • TASKMO.EXE
  • TASKMON.EXE
  • TAUMON.EXE
  • TBSCAN.EXE
  • TC.EXE
  • TCA.EXE
  • TCM.EXE
  • TDS-3.EXE
  • TDS2-98.EXE
  • TDS2-NT.EXE
  • TEEKIDS.EXE
  • TFAK.EXE
  • TFAK5.EXE
  • TGBOB.EXE
  • TITANIN.EXE
  • TITANINXP.EXE
  • TRACERT.EXE
  • TRICKLER.EXE
  • TRJSCAN.EXE
  • TRJSETUP.EXE
  • TROJANTRAP3.EXE
  • TSADBOT.EXE
  • TVMD.EXE
  • TVTMD.EXE
  • UNDOBOOT.EXE
  • UPDAT.EXE
  • UPDATE.EXE
  • UPGRAD.EXE
  • UTPOST.EXE
  • VBCMSERV.EXE
  • VBCONS.EXE
  • VBUST.EXE
  • VBWIN9X.EXE
  • VBWINNTW.EXE
  • VCSETUP.EXE
  • VET32.EXE
  • VET95.EXE
  • VETTRAY.EXE
  • VFSETUP.EXE
  • VIR-HELP.EXE
  • VIRUSMDPERSONALFIREWALL.EXE
  • VNLAN300.EXE
  • VNPC3000.EXE
  • VPC32.EXE
  • VPC42.EXE
  • VPFW30S.EXE
  • VPTRAY.EXE
  • VSCAN40.EXE
  • VSCENU6.02D30.EXE
  • VSCHED.EXE
  • VSECOMR.EXE
  • VSHWIN32.EXE
  • VSISETUP.EXE
  • VSMAIN.EXE
  • VSMON.EXE
  • VSSTAT.EXE
  • VSWIN9XE.EXE
  • VSWINNTSE.EXE
  • VSWINPERSE.EXE
  • W32DSM89.EXE
  • W9X.EXE
  • WATCHDOG.EXE
  • WEBDAV.EXE
  • WEBSCANX.EXE
  • WEBTRAP.EXE
  • WFINDV32.EXE
  • WGFE95.EXE
  • WHOSWATCHINGME.EXE
  • WIMMUN32.EXE
  • WIN-BUGSFIX.EXE
  • WIN32.EXE
  • WIN32US.EXE
  • WINACTIVE.EXE
  • WINDOW.EXE
  • WINDOWS.EXE
  • WININETD.EXE
  • WININIT.EXE
  • WININITX.EXE
  • WINLOGIN.EXE
  • WINMAIN.EXE
  • WINNET.EXE
  • WINPPR32.EXE
  • WINRECON.EXE
  • WINSERVN.EXE
  • WINSSK32.EXE
  • WINSTART.EXE
  • WINSTART001.EXE
  • WINTSK32.EXE
  • WINUPDATE.EXE
  • WKUFIND.EXE
  • WNAD.EXE
  • WNT.EXE
  • WRADMIN.EXE
  • WRCTRL.EXE
  • WSBGATE.EXE
  • WUPDATER.EXE
  • WUPDT.EXE
  • WYVERNWORKSFIREWALL.EXE
  • XPF202EN.EXE
  • ZAPRO.EXE
  • ZAPSETUP3001.EXE
  • ZATUTOR.EXE
  • ZONALM2601.EXE
  • ZONEALARM.EXE

Information Theft

This worm steals the Windows product ID and CD keys of the following game applications if installed on the affected system:

  • Battlefield 1942
  • Battlefield 1942 (Road To Rome)
  • Battlefield 1942 (Secret Weapons of WWII)
  • Battlefield Vietnam
  • Black and White
  • Chrome
  • Command and Conquer: Generals
  • Command and Conquer: Generals (Zero Hour)
  • Command and Conquer: Red Alert
  • Command and Conquer: Red Alert 2
  • Command and Conquer: Tiberian Sun
  • Counter-Strike (Retail)
  • FIFA 2002
  • FIFA 2003
  • Freedom Force
  • Global Operations
  • Gunman Chronicles
  • Half-Life
  • Hidden & Dangerous 2
  • IGI 2: Covert Strike
  • Industry Giant 2
  • James Bond 007: Nightfire
  • Legends of Might and Magic
  • Medal of Honor: Allied Assault
  • Medal of Honor: Allied Assault: Breakthrough
  • Medal of Honor: Allied Assault: Spearhead
  • Nascar Racing 2002
  • Nascar Racing 2003
  • Need for Speed Hot Pursuit 2
  • Need for Speed: Underground
  • Neverwinter Nights
  • Neverwinter Nights (Hordes of the Underdark)
  • Neverwinter Nights (Shadows of Undrentide)
  • NHL 2002
  • NHL 2003
  • Rainbow Six III RavenShield
  • Shogun: Total War: Warlord Edition
  • Soldier of Fortune II - Double Helix
  • Soldiers of Anarchy
  • The Gladiators
  • Unreal Tournament 2003
  • Unreal Tournament 2004

It also uses a carnivore network sniffer that checks for the following strings in certain packets in order to retrieve passwords and other sensitive information:

  • : auth
  • : login
  • :!auth
  • :!hashin
  • :!login
  • :!secure
  • :!syn
  • :$auth
  • :$hashin
  • :$login
  • :$syn
  • :%auth
  • :%hashin
  • :%login
  • :%syn
  • :&auth
  • :&login
  • :'auth
  • :'login
  • :*auth
  • :*login
  • :%20auth
  • :%20login
  • :,auth
  • :,login
  • :-auth
  • :-login
  • :.auth
  • :.hashin
  • :.login
  • :.secure
  • :.syn
  • :/auth
  • :/login
  • :=auth
  • :=login
  • :?auth
  • :?login
  • :@auth
  • :@login
  • :\auth
  • :\login
  • :~auth
  • :~login
  • CDKey
  • JOIN #
  • login
  • NICK
  • now an IRC Operator
  • oper
  • PASS
  • paypal
  • PAYPAL.COM
  • Set-Cookie:
  • USER

Affected Platforms

This worm runs on Windows NT, 2000, XP, and Server 2003.

Analysis By: Robellen Ferreras Navelgas


SOLUTION


Minimum scan engine version needed: 7.000

Pattern file needed: 3.244.02

Pattern release date: Mar 2, 2006


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

Identifying the Malware Program

To remove this malware, first identify the malware program.

  1. Scan your computer with your Trend Micro antivirus product.
  2. NOTE the path and file name of all files detected as WORM_RBOT.DMU.

Trend Micro customers need to download the latest virus pattern file before scanning their computer. Other users can use Housecall, the Trend Micro online virus scanner.

Terminating the Malware Program

This procedure terminates the running malware process. You will need the name(s) of the file(s) detected earlier.

If the process you are looking for is not in the list displayed by Task Manager, proceed to the succeeding solution set.

  1. Open Windows Task Manager. Press CTRL%20SHIFT%20ESC, then click the Processes tab.
  2. In the list of running programs*, locate the malware file(s) detected earlier.
  3. Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your computer.
  4. Do the same for all detected malware files in the list of running processes.
  5. To check if the malware process has been terminated, close Task Manager, and then open it again.
  6. Close Task Manager.

*NOTE: On computers running all Windows platforms, if the process you are looking for is not in the list displayed by Task Manager or Process Explorer, continue with the next solution procedure, noting additional instructions. If the malware process is in the list displayed by either Task Manager or Process Explorer, but you are unable to terminate it, restart your computer in safe mode.

Editing the Registry

This malware modifies the computer's registry. Users affected by this malware may need to modify or delete specific registry keys or entries. For detailed information regarding registry editing, please refer to the following articles from Microsoft:

  1. HOW TO: Backup, Edit, and Restore the Registry in Windows NT 4.0
  2. HOW TO: Backup, Edit, and Restore the Registry in Windows 2000
  3. HOW TO: Back Up, Edit, and Restore the Registry in Windows XP and Server 2003

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing at startup.

If the registry entries below are not found, the malware may not have executed as of detection. If so, proceed to the succeeding solution set.

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>RunServices
  3. In the right panel, locate and delete the entry:
    Mi7sft sdce = "MNSQ.exe"
  4. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>
    Windows>CurrentVersion>Run
  5. In the right panel, locate and delete the entry:
    Mi7sft sdce = "MNSQ.exe"

Removing Other Entry from the Registry

  1. Still in Registry Editor, in the left panel, double-click the following:
    HKEY_CURRENT_USER>SOFTWARE>Microsoft>Ole
  2. In the right panel, locate and delete the entry:
    Mi7sft sdce = "MNSQ.exe"

Restoring EnableDCOM and RestrictAnonymous Registry Entries

This malware modifies EnableDCOM and RestrictAnonymous registry entries to a certain value. To know more about restoring these registries to their original values, please refer to these articles:

  1. COM security frequently asked questions
  2. How to disable DCOM support in Windows
  3. How to Use the RestrictAnonymous Registry Value in Windows 2000
  4. The "RestrictAnonymous" Registry Value May Break the Trust to a Windows 2000 Domain

To restore this entry to its default value, please perform the following instructions:

  1. Still in Registry Editor, in the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Ole
  2. In the right panel, locate the entry:
    EnableDCOM = "N"
  3. Right-click on this registry entry and choose Modify. Change the value of this entry to:
    EnableDCOM = "Y"
  4. Close Registry Editor.

Important Windows XP Cleaning Instructions

Users running Windows XP must disable System Restore to allow full scanning of infected computers.

Users running other Windows versions can proceed with the succeeding solution set(s).

Running Trend Micro Antivirus

If you are currently running in safe mode, please restart your computer normally before performing the following solution.

Scan your computer with Trend Micro antivirus and delete files detected as WORM_RBOT.DMU. To do this, Trend Micro customers must download the latest virus pattern file and scan their computer. Other Internet users can use HouseCall, the Trend Micro online virus scanner.

Applying Patches

This malware exploits known vulnerabilities in Windows. Download and install the following fix patches supplied by Microsoft:

Refrain from using this product until the appropriate patch has been installed. Trend Micro advises users to download critical patches upon release by vendors.

(*Note: The fix patch found in Microsoft Security Bulletin MS03-039 overrides the fix patch in Microsoft Security Bulletin MS03-026 and covers additional vulnerabilities. Thus, affected users, even those who have already applied MS03-026 to their respective machines, are advised to download this updated patch.)




Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network, small and medium business, mobile device or home PC.