WORM_RBOT.YN

Malware type: Worm

Aliases: Backdoor.Win32.Rbot.bho (Kaspersky), W32/Sdbot.worm.gen.ca (McAfee), W32.Spybot.Worm (Symantec), Worm/Rbot.1247232 (Avira), W32/Rbot-FLZ (Sophos), Backdoor:Win32/Rbot (Microsoft)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 98, ME, NT, 2000, XP

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential:

High

Distribution potential:

High

Description: 

This worm exploits certain vulnerabilities to propagate across networks. It takes advantage of the following Windows vulnerabilities:

  • Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability
  • IIS5/WEBDAV Buffer Overflow vulnerability
  • RPC Locator vulnerability
  • LSASS vulnerability

For more information about these Windows vulnerabilities, please refer to the following Microsoft Web pages:

It attempts to log on to systems using the administrator account and a list of passwords. This worm then drops a copy of itself in accessed machines.

It steals CD keys and product IDs of certain applications. It then sends gathered data to a remote user via mIRC, a chat application. This worm also has backdoor capabilities and may execute remote commands on the host machine.

It also launches a distributed denial of service (DDoS) attack using several flood methods.

It runs on Windows 98, ME, NT, 2000, and XP.

For additional information about this threat, see:

Description created: Nov. 16, 2004 8:49:31 AM GMT -0800
Description updated: Nov. 16, 2004 8:56:34 AM GMT -0800


TECHNICAL DETAILS


Size of malware: 180,224 Bytes

Initial samples received on: Nov 16, 2004

Payload 1: Compromises network security

Details:

Installation and Autostart

Upon execution, this memory-resident worm drops a copy of itself in the Windows system folder using the following file name:

    MCAFEEUPDATE.EXE

It creates the following registry entries, which enable it to run automatically at every system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
Sygate Personal Firewall = "MCAFEEUPDATE.EXE"

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Runservices
Sygate Personal Firewall = "MCAFEEUPDATE.EXE"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Sygate Personal Firewall = "MCAFEEUPDATE.EXE"

HKEY_USERS\.DEFAULT\Software\Microsoft\
Windows\CurrentVersion\Run
Sygate Personal Firewall = "MCAFEEUPDATE.EXE"

It also modifies the following registry entries:

FROM:

HKEY_LOCAL_MACHINE\Software\Microsoft\Ole EnableDCOM = "Y"

TO:

HKEY_LOCAL_MACHINE\Software\Microsoft\Ole EnableDCOM = "N"

(Note: The original entry of this registry key is EnableDCOM = "Y" instead of EnableDCOM = "n".)

FROM:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Control\Lsa
restrictanonymous = "dword:00000000"

TO:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Control\Lsa
restrictanonymous = "dword:00000001"

(Note: The original entry of this registry key is restrictanonymous = "dword:00000000" instead of restrictanonymous = "dword:00000001".)

The said modifications restrict the accessibility of the system to users.

Network Propagation

This worm searches for the following default shares:

  • ADMIN$
  • C$
  • D$

If it has full access rights, it drops copies of itself in to the said shares. If the shared folders are restricted, however, this worm attempts to gain entry into a system by logging on using the administrator account and a harcoded list of passwords.

Backdoor Capabilities

This worm acts as a server program controlled by an Internet Relay Chat (IRC) bot. It connects to an IRC server and then joins an IRC channel.

Once connected, this server program receives commands from the IRC bot. The bot inputs the commands in the IRC console and waits to receive information from the server. The said commands are used to control the target system and the behavior of the server program. These commands are basically categorized as follows:

  • Bot commands (used to control the server program)
    • Display the information about the bot
    • Terminate the bot
    • Resolve IP/hostname by DNS
    • Make the bot execute a .EXE file
    • Display the bot version or ID
    • Change the nickname of the bot
    • Open any file that is a registered file type
    • Completely remove the bot from the system
    • Remove a bot using a specific bot ID
    • Assign a new random nickname to the bot
    • Cause the bot to display its status
    • Cause the bot to display system information
    • Cause the bot to quit IRC and terminate itself
    • Repeat a command for a specified number of times

  • Command Manager commands (used to control commands)
    • Display the list of commands

  • CVAR commands (used to control the IRC CVAR, which refers to IRC default variables that allows users to change settings)
    • List Cvars
    • Display the value of a Cvar
    • Set the value of a Cvar

  • IRC commands (used to control the behavior of the IRC application)
    • Make the bot send an action message to the channel
    • Make the bot reply the network information if the hostname contains the string .edu
    • Make the bot reply the network information if the hostname contains a specified string
    • Make the bot join an IRC channel
    • Make the bot part an IRC channel
    • Cause the bot to display network information
    • Send a private message to the target
    • Make the bot quit from IRC
    • Make the bot send a raw string to the IRC server
    • Make the bot reconnect to IRC
    • Make the bot change the server Cvars
    • Make the bot change IRC modes

  • Mac commands (used by the bot to connect to its server component using a bot user)
    • Log on a user to the bot
    • Log off a user from the bot

  • Redirect commands (used by the bot to control the traffic that passes to the infected system)
    • Redirect a TCP port to another host
    • Redirect GRE traffic that results to proxy PPTP VPN connections
    • Stop all redirects

  • Downloader commands (used to download and execute files from a specific protocol)
    • Make the bot download a file from an FTP site to a specified local folder
    • Make the bot download and execute a file from an FTP site on a specified local folder
    • Make the bot download a file from FTP to a specified local folder and update it if the files are different
    • Make the bot download a file from HTTP site to a specified local folder
    • Make the bot download and execute a file from HTTP site on a specified local folder
    • Make the bot download a file from HTTP to a specified local folder and update it if the files are different

Windows Exploits

To propagate, this worm takes advantage of the Windows LSASS vulnerability, which is a buffer overrun that allows remote code execution and enables an attacker to gain full control of an affected system. For more information regarding this vulnerability, please refer to the following Microsoft page:

It also takes advantage of the Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability present on Windows systems, which allows an attacker to gain full access and execute any code on a target machine, leaving it compromised.

Read more on this vulnerability from the following link:

This worm looks for vulnerable Windows machines on the network by scanning for random TCP/IP addresses on port 135.

It further uses the RPC Locator vulnerability which affects Windows NT systems and searches for vulnerable Windows NT-based machines on the network by incrementally scanning TCP/IP addresses on port 445.

More information on this vulnerability is available from the following Microsoft page:

This worm also exploits the IIS5/WEBDAV buffer overrun exploit affecting Windows platforms, which enables arbitrary codes to execute on the server. This exploit is a service related to HTTP (HyperText Transfer Protocol) on port 80.

The following link offers more information from Microsoft about this vulnerability:

This worm scans the network for vulnerable systems and notifies the bot with the vulnerable system's IP address. Using Class B subnet and the infected system's IP address, it generates random IP addresses and tests the system for vulnerability.

Denial of Service

This worm is able to perform DDoS (distributed denial of service) attacks using the following flood methods:

  • HTTP flood
  • UPD flood
  • SYN flood
  • Ping flood

Information Theft

This worm is also capable of gathering CD keys, serial numbers, and even application product IDs. It steals this information from the following software products installed in the system:

  • Battlefield 1942
  • Battlefield 1942 (Road To Rome)
  • Battlefield 1942 (Secret Weapons of WWII)
  • Battlefield Vietnam
  • Black and White
  • Chrome
  • Command and Conquer: Generals
  • Command and Conquer: Generals (Zero Hour)
  • Command and Conquer: Red Alert
  • Command and Conquer: Red Alert 2
  • Command and Conquer: Tiberian Sun
  • Counter-Strike (Retail)
  • FIFA 2002
  • FIFA 2003
  • Freedom Force
  • Global Operations
  • Gunman Chronicles
  • Half-Life
  • Hidden & Dangerous 2
  • IGI 2: Covert Strike
  • Industry Giant 2
  • James Bond 007: Nightfire
  • Legends of Might and Magic
  • Medal of Honor: Allied Assault
  • Medal of Honor: Allied Assault: Breakthrough
  • Medal of Honor: Allied Assault: Spearhead
  • Microsoft Windows Product ID
  • Nascar Racing 2002
  • Nascar Racing 2003
  • Need For Speed Hot Pursuit 2
  • Need For Speed: Underground
  • Neverwinter Nights (Hordes of the Underdark)
  • NHL 2002
  • NHL 2003
  • Rainbow Six III RavenShield
  • Shogun: Total War: Warlord Edition
  • Soldier of Fortune II - Double Helix
  • Soldiers Of Anarchy
  • The Gladiators
  • The Gladiators
  • Unreal Tournament 2003
  • Unreal Tournament 2004

Other Details

This worm is written in Visual C%20%20.




Analysis by: Rodelito Mendrez

Revision History:

First pattern file version: 2.250.05
First pattern file release date: Nov 16, 2004

SOLUTION


Minimum scan engine version needed: 7.500

Pattern file needed: 3.700.03

Pattern release date: Aug 29, 2006


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

AUTOMATIC REMOVAL INSTRUCTIONS

To automatically remove this malware from your system, please use Trend Micro Damage Cleanup Services.

MANUAL REMOVAL INSTRUCTIONS

Terminating the Malware Program

This procedure terminates the running malware process.

  1. Open Windows Task Manager.
    On Windows 98, and ME, press
    CTRL%20ALT%20DELETE
    On Windows NT, 2000, and XP, press
    CTRL%20SHIFT%20ESC, then click the Processes tab.
  2. In the list of running programs*, locate the process:
    MCAFEEUPDATE.EXE
  3. Select the malware process, then press either the End Task or the End Process button, depending on the version of Windows on your system.
  4. To check if the malware process has been terminated, close Task Manager, and then open it again.
  5. Close Task Manager.
*NOTE: On systems running Windows 98, and ME, Windows Task Manager may not show certain processes. You can use a third party process viewer such as Process Explorer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing at startup.

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the entry:
    Sygate Personal Firewall = "MCAFEEUPDATE.EXE"
  4. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>RunServices
  5. In the right panel, locate and delete the entry:
    Sygate Personal Firewall = "MCAFEEUPDATE.EXE"
  6. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>
    Windows>CurrentVersion>Run
  7. In the right panel, locate and delete the entry:
    Sygate Personal Firewall = "MCAFEEUPDATE.EXE"
  8. In the left panel, double-click the following:
    HKEY_CURRENT_USER>.DEFAULT>Software>Microsoft>
    Windows>CurrentVersion>Run
  9. In the right panel, locate and delete the entry:
    Sygate Personal Firewall = "MCAFEEUPDATE.EXE"

Removing Other Malware Entries from the Registry

  1. Still in the Registry Editor in the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>Ole
  2. Still in the left panel, change the entry:
    EnableDCOM = "N"
    to
    EnableDCOM = "Y"
  3. Close Registry Editor.

NOTE: If you were not able to terminate the malware process as described in the previous procedure, restart your system.

Restoring EnableDCOM and RestrictAnonymous registry entries

This malware modifies EnableDCOM and RestrictAnonymous registry entries to a certain value. To know more about restoring these registries to their original values, please refer to these articles:

  1. COM security frequently asked questions
  2. How to disable DCOM support in Windows
  3. How to Use the RestrictAnonymous Registry Value in Windows 2000
  4. The "RestrictAnonymous" Registry Value May Break the Trust to a Windows 2000 Domain

Additional Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected systems.

Users running other Windows versions can proceed with the succeeding procedure sets.

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as WORM_RBOT.YN. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro�s online virus scanner.

Applying Patches

This malware exploits known vulnerabilities in Windows. Download and install the fix patch supplied by Microsoft in the following pages:

Refrain from using this product until the appropriate patch has been installed. Trend Micro advises users to download critical patches upon release by vendors.


Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network, small and medium business, mobile device or home PC.