WORM_RBOT.VP

Malware type: Worm

Aliases: Backdoor.Win32.Rbot.gen, W32/Sdbot.worm.gen.bz, W32.Spybot.Worm, Worm/Rbot.89088.45, is a security risk named W32/Ircbot.PS, W32/Rbot-Gen, Trojan:Win32/Ircbrute!A497

In the wild: Yes

Destructive: No

Language: English

Platform: Windows NT, 2000, XP, 2003

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential:

High

Distribution potential:

High

Description: 

This memory-resident worm arrives and propagates through network shares. Upon execution, it drops a copy of itself as the file DEAMON.EXE in the Windows system folder. It may attempt to use its own list of user names and passwords to gain access and further propagate onto other shared folders.

It also takes advantage of the following Windows vulnerabilities to propagate:

  • IIS5/WEBDAV vulnerability
  • RPC/DCOM vulnerability
  • LSASS buffer overrun vulnerability
  • RPC Locator vulnerability

For more information regarding these vulnerabilities, please refer to the following Microsoft Web pages:

It also has backdoor capabilities. It comes with a built-in Internet Relay Chat (IRC) bot which allows it to connect to an IRC server. It then waits for commands from a remote user. Once connected, the remote user gains virtual control of the affected system.

Through this backdoor, the remote user can command the affected system to conduct distributed denial of service (DDoS) attacks, steal the CD keys from certain PC games, and other malicious actions.

It runs on Windows 95, 98, ME, NT, 2000, and XP.

For additional information about this threat, see:

Description created: Oct. 29, 2004 11:23:17 PM GMT -0800


TECHNICAL DETAILS


Size of malware: 94,795 Bytes (compressed)

Initial samples received on: Oct 30, 2004

Payload 1: Steals CD keys

Payload 2: Conducts Distributed denial of service (DDoS) attacks

Payload 3: Logs keystrokes

Payload 4: Compromises Network Security

Details:

Installation and Autostart Techniques

This worm arrives and propagates through network shares. Upon execution, it drops a copy of itself as the file DEAMON.EXE in the Windows system folder.

It creates the following registry entries to ensure it automatically executes during every Windows startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run
Virtual CDROM = "DEAMON.EXE"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\RunServices
Virtual CDROM = "DEAMON.EXE"

It adds itself to the Distributed COM�s default launch by creating the following registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Ole
Virtual CDROM = "DEAMON.EXE"

Propagation via Network Shares

This worm scans the network for other systems with weak passwords. It may attempt to use the following list of user names and passwords to gain access and further propagate onto other shared folders in the network:

  • 12345
  • 123456
  • 1234567
  • 12345678
  • 123456789
  • 1234567890
  • access
  • accounting
  • accounts
  • administrador
  • administrat
  • administrateur
  • administrator
  • admins
  • backup
  • bitch
  • blank
  • brian
  • changeme
  • chris
  • cisco
  • compaq
  • computer
  • control
  • database
  • databasepass
  • databasepassword
  • db1234
  • dbpass
  • dbpassword
  • default
  • domain
  • domainpass
  • domainpassword
  • exchange
  • george
  • guest
  • hello
  • homeuser
  • internet
  • intranet
  • katie
  • linux
  • login
  • loginpass
  • nokia
  • oeminstall
  • oemuser
  • office
  • oracle
  • orainstall
  • outlook
  • owner
  • pass1234
  • passwd
  • password
  • password1
  • peter
  • qwerty
  • server
  • siemens
  • sqlpassoainstall
  • staff
  • student
  • susan
  • system
  • teacher
  • technical
  • win2000
  • win2k
  • win98
  • windows
  • winnt
  • winpass
  • winxp
  • wwwadmin

Once login is successful, it drops and executes a copy of itself in the following shared folders:

  • Admin$\system32\
  • C$\Windows\system32
  • C$\WINNT\system32\

Exploits

This worm takes advantage of the following Windows vulnerabilities to propagate:

  • IIS5/WEBDAV vulnerability
  • RPC/DCOM vulnerability
  • LSASS buffer overrun vulnerability
  • RPC Locator vulnerability

For more information regarding these vulnerabilities, please refer to the following Microsoft Web pages:

Backdoor Routine

This worm also has backdoor capabilities. It comes with a built-in Internet Relay Chat (IRC) bot which allows it to connect to the IRC server will.soul-gate.net and the channel i#mel#. It uses the nick name MeLL-%random digits%. It then waits for commands from a remote user. Once connected, the remote user gains virtual control of the affected system.

(Note: %random digits% stand for random numbers generated by this worm.)

Through this backdoor routine, the remote user can then execute the following distributed denial of service (DDoS)attacks:

  • Ping flood attack
  • SYN flood attack
  • UDP flood attack

The remote user can also execute the following commands:

  • Capture screenshot
  • Clone the malware
  • Delete files
  • Download file via FTP
  • Download files
  • Kill processes
  • Kill threads
  • List processes
  • List shares in system
  • List threads
  • Locate files on target system
  • Perform distributed denial of service (DDoS) attacks
  • Retrieve CD keys of popular PC games
  • Retrieve network information
  • Scan for exploits
  • Send an email
  • Send files via the DCC IRC command
  • Start keylogging routine

This backdoor routine can work with the following version of mIRC:

  • [bx.75p1] linux 2.0.36 [embryonic.22b3]
  • AmIRC/AmigaOS 2.0.4
  • BitchX-1.0c18%20 by panasync - IRIX 6.5.10 Silicon Graphics
  • BitchX-1.0c19%20 by panasync - FreeBSD 4.10-BETA
  • BitchX-70alpha14%20tcl by panasync - Linux 2.0.27
  • BitchX-74p2%20 by panasync - CYGWIN32/95 4.0
  • BitchX-74p2%201.3f/SunOS 5.6
  • C%20%20 based IRC Client
  • Eggdrop 1.3.24i
  • eggdrop v1.6.13
  • eggdrop v1.6.15
  • HydraIRC v0.3.133-Test
  • ircII 2.8.2 SunOS 5.6 :ircii 2.8
  • ircII 2.9_base OSF1 V4.0 :ircii 2.8
  • ircII 2.9-BitchX-60 Linux 1.2.8
  • ircII EPIC4pre2 Linux 2.0.34
  • ircII EPIC4pre2 SunOS 5.6
  • Ircle 3.0b10
  • ircN 6.03 for mIRC
  • ircN 7.0rc.6 %20 7.0rc.5 %20 7.0rc.4 for mIRC
  • ircN 7.27 %20 7.0
  • irssi v0.8.4
  • JPilot IRC Java Client 2.32
  • mIRC v5.71 K.Mardam-Bey
  • mIRC v5.82 K.Mardam-Bey
  • mIRC v6.01 K.Mardam-Bey
  • mIRC v6.03 K.Mardam-Bey
  • mIRC v6.03 Khaled Mardam-Bey
  • mIRC v6.1 K.Mardam-Bey
  • mIRC v6.10 K.Mardam-Bey
  • mIRC v6.12 K.Mardam-Bey
  • mIRC v6.12 Khaled Mardam-Bey
  • mIRC v6.14 K.Mardam-Bey
  • mIRC32 v1.0 K .Mardam-Bey
  • mIRC32 v5.71 K.Mardam-Bey
  • mIRC32 v5.82 K.Mardam-Bey
  • mIRC32 v6.01 K.Mardam-Bey
  • mIRC32 v6.03 K.Mardam-Bey
  • mIRC32 v6.12 K.Mardam-Bey
  • osiris-1c/bitchx-75p1
  • Quarterdeck Global Chat 1.2.9 for Macintosh
  • StormBot.TCL 3.1.beta.2.10
  • WSIRC 2.03-R
  • xchat 1.8.10 Linux 2.4.25p1mp
  • xircon[b4]

Information Theft

This worm steals the CD keys of the following PC games, if they are installed on the system:

  • Battlefield 1942
  • Battlefield 1942 (Road To Rome)
  • Battlefield 1942 (Secret Weapons of WWII)
  • Battlefield Vietnam
  • Black and White
  • Chrome
  • Command and Conquer: Generals
  • Command and Conquer: Generals (Zero Hour)
  • Command and Conquer: Red Alert
  • Command and Conquer: Red Alert 2
  • Command and Conquer: Tiberian Sun
  • Counter-Strike
  • FIFA 2002
  • FIFA 2003
  • Freedom Force
  • Global Operations
  • Gunman Chronicles
  • Half-Life
  • Hidden & Dangerous 2
  • IGI 2: Covert Strike
  • Industry Giant 2
  • James Bond 007: Nightfire
  • Legends of Might and Magic
  • Medal of Honor: Allied Assault
  • Medal of Honor: Allied Assault: Breakthrough
  • Medal of Honor: Allied Assault: Spearhead
  • Microsoft Windows
  • Nascar Racing 2002
  • Nascar Racing 2003
  • Need For Speed Hot Pursuit 2
  • Need For Speed: Underground
  • Neverwinter Nights
  • Neverwinter Nights (Hordes of the Underdark)
  • Neverwinter Nights (Shadows of Undrentide)
  • NHL 2002
  • NHL 2003
  • Rainbow Six III RavenShield
  • Shogun: Total War: Warlord Edition
  • Soldier of Fortune II - Double Helix
  • Soldiers Of Anarchy
  • The Gladiators
  • Unreal Tournament 2003
  • Unreal Tournament 2004

It also uses a carnivore network sniffer to check for the following strings:

  • : auth
  • : login
  • :!auth
  • :!hashin
  • :!login
  • :!secure
  • :!syn
  • :$auth
  • :$hashin
  • :$login
  • :$syn
  • :%auth
  • :%hashin
  • :%login
  • :%syn
  • :&auth
  • :&login
  • :*auth
  • :*login
  • :,auth
  • :,login
  • :.auth
  • :.hashin
  • :.login
  • :.secure
  • :.syn
  • :/auth
  • :/login
  • :?auth
  • :?login
  • :@auth
  • :@login
  • :\auth
  • :\login
  • :~auth
  • :~login
  • :%20auth
  • :%20login
  • :=auth
  • :=login
  • :'auth
  • :-auth
  • :'login
  • :-login
  • CDKey
  • JOIN #
  • login
  • NICK
  • now an IRC Operator
  • OPER
  • oper
  • PASS
  • paypal
  • PAYPAL
  • paypal.com
  • PAYPAL.COM
  • Set-Cookie:
  • USER

Other Details

It is written using Microsoft Visual C%20%20. It is compressed by Morphine, and then again using UPX.






Analysis by: Zarestel Ferrer


SOLUTION


Minimum scan engine version needed: 6.810

Pattern file needed: 2.228.00

Pattern release date: Oct 30, 2004


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

AUTOMATIC REMOVAL INSTRUCTIONS

To automatically remove this malware from your system, please refer to the Trend Micro Damage Cleanup Engine and Template.

MANUAL REMOVAL INSTRUCTIONS

Identifying the Malware Program

To remove this malware, first identify the malware program.

  1. Scan your system with your Trend Micro antivirus product.
  2. NOTE all files detected as WORM_RBOT.VP.

Trend Micro customers need to download the latest pattern file before scanning their system. Other users can use Housecall, Trend Micro�s free online virus scanner.

Terminating the Malware Program

This procedure terminates the running malware process. You will need the name(s) of the file(s) detected earlier.

  1. Open Windows Task Manager.
    � On Windows 95, 98, and ME, press
    CTRL%20ALT%20DELETE
    � On Windows NT, 2000, and XP, press
    CTRL%20SHIFT%20ESC, then click the Processes tab.
  2. In the list of running programs*, locate the malware file(s) detected earlier.
  3. Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
  4. Do the same for all detected malware files in the list of running processes.
  5. To check if the malware process has been terminated, close Task Manager, and then open it again.
  6. Close Task Manager.

*NOTE: On systems running Windows 95, 98, and ME, Windows Task Manager may not show certain processes. You can use a third party process viewer such as Process Explorer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing at startup.

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>
    CurrentVersion>Run
  3. In the right panel, locate and delete the entry:
    Virtual CDROM = "DEAMON.EXE"
  4. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>
    CurrentVersion>RunServices
  5. In the right panel, locate and delete the entry:
    Virtual CDROM = "DEAMON.EXE"
  6. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>Ole
  7. In the right panel, locate and delete the entry:
    Virtual CDROM = "DEAMON.EXE"
  8. Close Registry Editor.

NOTE: If you were not able to terminate the malware process as described in the previous procedure, restart your system.

Additional Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected systems.

Users running other Windows versions can proceed with the succeeding procedure sets.

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as WORM_RBOT.VP. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro�s free online virus scanner.

Applying Patches

This malware exploits known vulnerabilities in Microsoft Windows. Download and install the following fix patches supplied by Microsoft:

Trend Micro advises users to download critical patches upon release by vendors.


Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network, small and medium business, mobile device or home PC.