WORM_RBOT.RG

Malware type: Worm

Aliases: Backdoor.Win32.PoeBot.a (Kaspersky), W32/Sdbot.worm (McAfee), W32.Linkbot.A (Symantec), Worm/SdBot.140288.6 (Avira), W32/Rbot-RG (Sophos)

In the wild: No

Destructive: No

Language: English

Platform: Windows NT, 2000, XP

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential:

High

Distribution potential:

High

Description: 

This memory-resident worm spreads through network shares and attempts to access machines using a long list of user names and passwords.

It takes advantage of the Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability (Microsoft Security Bulletin MS03-026), which allows a remote attacker to gain full access and execute arbitrary code on an unpatched target machine, leaving it compromised.

For more information about the said Windows vulnerability, please refer to the following Microsoft Web page:

It also has backdoor capabilities. It opens port 5917 and connects to an Internet Relay Chat (IRC) server. It then joins an IRC channel, where it receives commands from a remote user. It also terminates processes and steals the Windows product ID as well as the CD keys of certain game applications.

This worm is written in Visual C++, a high-level programming language.

It runs on Windows NT, 2000, and XP.

For additional information about this threat, see:

Description created: Sep. 5, 2004 11:25:26 AM GMT -0800
Description updated: Sep. 6, 2004 11:25:21 AM GMT -0800


TECHNICAL DETAILS


Size of malware: 78,381 Bytes

Initial samples received on: Aug 27, 2004

Payload 1: Compromises system security

Trigger condition 1: Upon execution

Payload 2: Steals CD game keys

Trigger condition 2: Upon execution

Payload 3: Terminates certain processes

Trigger condition 3: Upon execution

Details:

Installation and Autostart Techniques

Upon execution, this memory-resident worm drops a copy of itself as the file DLLMANGER.EXE in the Windows system folder.

It adds the following registry entries to ensure automatic execution at every Windows startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
Microsoft Connection Manager = "dllmanger.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\RunServices
Microsoft Connection Manager = "dllmanger.exe"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Microsoft Connection Manager = "dllmanger.exe"

Exploits and Network Propagation

This worm takes advantage of the Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability (Microsoft Security Bulletin MS03-026), a buffer overrun in the RPC interface of unpatched Windows NT, 2000 and XP systems that allows a remote attacker to gain full access and execute arbitrary code on the target machine, leaving it compromised.

Read more on this vulnerability from the following link:

When it finds a vulnerable target machine, it copies and executes itself on the system.

It searches for and accesses network shares. If a share allows full access rights, it drops a copy of itself in the shared folder. If a share is restricted, it works through a list of user names and passwords, trying each combination until one logs on to the target system.
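The credential guessing described above leaves a distinctive trail in the Security log of the targeted host: a burst of failed network logons (event ID 529 on Windows NT/2000/XP, logon type 3) from a single workstation across many different user names, sometimes followed by a successful network logon (event ID 540) from the same workstation once a guess works. The Python below is an added example written for this entry, not Trend Micro code and not part of the worm analysis. The five-field record layout (timestamp, event ID, logon type, user name, workstation), the user names, host names and times are all constructed for the demonstration; the worm's actual user-name and password list is not given on this page.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Event IDs from the Windows NT/2000/XP Security log (pre-Vista numbering).
FAILED_LOGON = 529       # "Logon Failure: Unknown user name or bad password"
NETWORK_LOGON_OK = 540   # "Successful Network Logon" (Windows 2000/XP)
NETWORK_LOGON_TYPE = 3   # logon type 3 = network; share access is logged this way


def detect_share_guessing(events, threshold=5, window=timedelta(seconds=60)):
    """events: iterable of (timestamp, event_id, logon_type, user, workstation).

    Keeps a sliding window of failed network logons per source workstation.  One
    alert fires when `threshold` failures fall inside `window`; a successful
    network logon from the same source while the burst is still in the window is
    reported separately, since that is the case where a guessed account worked."""
    recent = defaultdict(deque)   # workstation -> deque of (time, user)
    fired = set()                 # workstations already alerted for the current burst
    alerts = []
    for when, event_id, logon_type, user, ws in sorted(events):
        if logon_type != NETWORK_LOGON_TYPE:
            continue
        q = recent[ws]
        while q and when - q[0][0] > window:   # expire failures older than the window
            q.popleft()
        if not q:
            fired.discard(ws)
        if event_id == FAILED_LOGON:
            q.append((when, user))
            if len(q) >= threshold and ws not in fired:
                fired.add(ws)
                alerts.append({"kind": "password guessing", "workstation": ws,
                               "first": q[0][0], "last": when,
                               "failures": len(q), "users": sorted({u for _, u in q})})
        elif event_id == NETWORK_LOGON_OK and len(q) >= threshold:
            alerts.append({"kind": "guessing followed by success", "workstation": ws,
                           "user": user, "at": when, "failures": len(q)})
    return alerts


def constructed_sample():
    """A burst of failures from one workstation across a user-name list, the account
    that finally worked, and one ordinary typo from a real user that must not alert.
    Names, hosts and times are made up for this example; the worm's real list is not
    given in the entry."""
    base = datetime(2004, 8, 27, 2, 11, 3)
    guessed = ["administrator", "admin", "root", "guest", "user", "test", "owner", "backup"]
    rows = [(base + timedelta(seconds=i), FAILED_LOGON, 3, name, "WKS-ATTACK")
            for i, name in enumerate(guessed)]
    rows.append((base + timedelta(seconds=9), NETWORK_LOGON_OK, 3, "backup", "WKS-ATTACK"))
    rows.append((base + timedelta(minutes=1), FAILED_LOGON, 3, "jsmith", "JSMITH-PC"))
    rows.append((base + timedelta(minutes=1, seconds=5), NETWORK_LOGON_OK, 3, "jsmith", "JSMITH-PC"))
    return rows


if __name__ == "__main__":
    for alert in detect_share_guessing(constructed_sample()):
        print(alert)
```

Two points matter in practice. On Windows 2000 and XP workstations, failure auditing for logon events is off by default, so event 529 is never written unless "Audit logon events" has been enabled in the local or domain security policy; the detection is only as good as the audit policy feeding it. The same logic transfers to Vista and later, where the failed and successful logon events are 4625 and 4624 and carry the same logon-type field.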

Backdoor Capabilities

This worm also has backdoor capabilities.

It opens port 5917 and connects to the Internet Relay Chat (IRC) server with the IP address 216.248.6.38. It then joins an IRC channel, where it listens for commands from a remote user.
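The host-side indicators given in this entry (the dropped file DLLMANGER.EXE, the "Microsoft Connection Manager" value under the three autostart keys, a listener on TCP port 5917 and a connection to 216.248.6.38) can be checked in one pass over the output of `reg query`, `tasklist` and `netstat -ano` collected from a suspect machine. The Python below is an added example for this entry, not Trend Micro code. The three command outputs embedded in it are constructed, the IRC server port 6667 in the netstat sample is an assumption (the entry does not give the server port), and the concrete values change between rBot builds, so the parsing and the PID correlation are the reusable part rather than the literals.

```python
import re
from dataclasses import dataclass, field

# Indicators as listed in this entry.  The command outputs further down are
# constructed for this added example, not captured from an infected host.
DROPPED_FILE = "dllmanger.exe"
AUTOSTART_VALUE = "microsoft connection manager"
AUTOSTART_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}
BACKDOOR_PORT = 5917
IRC_SERVER = "216.248.6.38"

# One value line of `reg query` output: "<indent><name>  <REG_TYPE>  <data>".
_REG_VALUE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s*(?P<data>.*)$")


@dataclass
class Findings:
    autostart: list = field(default_factory=list)  # (key, value name, data)
    processes: list = field(default_factory=list)  # (image name, pid)
    network: list = field(default_factory=list)    # (reason, pid, netstat line)

    def is_clean(self) -> bool:
        return not (self.autostart or self.processes or self.network)

    def correlated_pids(self) -> set:
        """PIDs seen both as the dropped file in tasklist and as owner of a flagged socket."""
        return {pid for _, pid in self.processes} & {pid for _, pid, _ in self.network}


def scan_reg_query(text: str, findings: Findings) -> None:
    """Walk `reg query <key>` output and flag, under the three autostart keys named in
    this entry, the value name the worm uses or any value whose data runs the dropped file."""
    current_key = ""
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current_key = line.strip().lower()
            continue
        m = _REG_VALUE.match(line)
        if not m or current_key not in AUTOSTART_KEYS:
            continue
        name, data = m["name"].strip(), m["data"].strip()
        if name.lower() == AUTOSTART_VALUE or DROPPED_FILE in data.lower():
            findings.autostart.append((current_key, name, data))


def scan_tasklist(text: str, findings: Findings) -> None:
    """Parse `tasklist` output (image name first, PID second) for the dropped file."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].lower() == DROPPED_FILE and parts[1].isdigit():
            findings.processes.append((parts[0], int(parts[1])))


def scan_netstat(text: str, findings: Findings) -> None:
    """Parse `netstat -ano` output: flag a listener on the backdoor port and any TCP
    connection to the IRC server.  The PID column (-o) exists on XP and later only."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0].upper() != "TCP":
            continue
        local, foreign, state = parts[1], parts[2], parts[3]
        local_port = local.rsplit(":", 1)[-1]
        foreign_host = foreign.rsplit(":", 1)[0]
        pid = int(parts[4]) if len(parts) > 4 and parts[4].isdigit() else -1
        if state == "LISTENING" and local_port == str(BACKDOOR_PORT):
            findings.network.append(("listener on backdoor port %d" % BACKDOOR_PORT, pid, line.strip()))
        elif foreign_host == IRC_SERVER:
            findings.network.append(("connection to IRC server %s" % IRC_SERVER, pid, line.strip()))


def triage(reg_text: str, tasklist_text: str, netstat_text: str) -> Findings:
    findings = Findings()
    scan_reg_query(reg_text, findings)
    scan_tasklist(tasklist_text, findings)
    scan_netstat(netstat_text, findings)
    return findings


# Constructed samples: what the three commands might print on an infected XP host.
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Microsoft Connection Manager    REG_SZ    dllmanger.exe
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Microsoft Connection Manager    REG_SZ    dllmanger.exe
"""
SAMPLE_TASKLIST = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         28 K
explorer.exe                  1204 Console                    0     18,412 K
dllmanger.exe                 1312 Console                    0      4,108 K
"""
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       924
  TCP    0.0.0.0:5917           0.0.0.0:0              LISTENING       1312
  TCP    192.168.1.10:1053      216.248.6.38:6667      ESTABLISHED     1312
  UDP    0.0.0.0:445            *:*                                    4
"""

if __name__ == "__main__":
    result = triage(SAMPLE_REG, SAMPLE_TASKLIST, SAMPLE_NETSTAT)
    for section in ("autostart", "processes", "network"):
        for item in getattr(result, section):
            print(section, item)
    print("correlated PIDs:", result.correlated_pids())
```

The PID correlation is the useful check: a process named dllmanger.exe that also owns the 5917 listener and the IRC connection is a much stronger signal than any one of the three indicators alone. Note that on Windows 2000 `netstat` has no `-o` switch, so the PID column is absent there and only the port and address matches apply.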

It acts as a bot that responds to private messages with specific keyword triggers. The following are the corresponding actions it performs:

Information Theft

This worm steals the Windows product ID as well as the CD keys of the following popular game applications:

Process Termination

This worm also terminates the following processes:

Other Details

In its decompressed code, this worm contains the following strings:

"[rxBot v0.6.6a - lsass+Optix Masterpass OWN4G3 by Nubela"

"0hmag0d!"

It works with the following versions of the mIRC application:

  • mIRC v6.15 Khaled Mardam-Bey
  • mIRC v6.14 Khaled Mardam-Bey



Analysis by: Reuel A. Morales


SOLUTION


Minimum scan engine version needed: 6.810

Pattern file needed: 2.163.20

Pattern release date: Aug 27, 2004


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

Terminating the Malware Program

This procedure terminates the running malware process.

  1. Open Windows Task Manager. To do this, press
    CTRL+SHIFT+ESC, then click the Processes tab.
  2. In the list of running programs, locate the process:
    DLLMANGER.EXE
  3. Select the malware process, then press either the End Task or the End Process button, depending on the version of Windows on your system.
  4. To check if the malware process has been terminated, close Task Manager, and then open it again.
  5. Close Task Manager.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing at startup.

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the entry:
    Microsoft Connection Manager = "dllmanger.exe"
  4. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>RunServices
  5. In the right panel, locate and delete the entry:
    Microsoft Connection Manager = "dllmanger.exe"
  6. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>
    Windows>CurrentVersion>Run
  7. In the right panel, locate and delete the entry:
    Microsoft Connection Manager = "dllmanger.exe"
  8. Close Registry Editor.

NOTE: If you were not able to terminate the malware process as described in the previous procedure, restart your system.

Additional Windows XP Cleaning Instructions

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as WORM_RBOT.RG. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

Applying Patches

This malware exploits a known vulnerability in Windows (MS03-026, the RPC DCOM buffer overrun). Download and install the necessary fix patch, and keep the affected system off untrusted networks until the patch has been applied; an unpatched machine can be reinfected over the network as soon as it is cleaned. Trend Micro advises users to download critical patches upon release by vendors from the following link:



