W32/RBot.AHL!tr.bdr

Alias/es: Backdoor.Win32.Rbot.gen, W32.Spybot.Worm, W32/RBot.AHL-bdr, WORM_RBOT.AHL
Release Date: Oct 28, 2005
Detection Availability (Active Database / Extended Database):
  FortiGate: low / high
  FortiClient:
  FortiMail: N/A
Current Antivirus Definition Database Version: 11.587
CVE: CVE-2003-0352
Description

Visible Symptoms

  • The file waauclt.exe exists in the System folder.

Detailed Analysis

  • Creates a mutex named waauclt to make sure that there is only one instance of the worm running.

  • Copies itself to the System folder as waauclt.exe.


    Autostart Mechanism

  • Adds the following value:
    *wuauclt = "waauclt.exe"
    to the following subkeys:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

    Network Propagation

  • Drops a copy of itself in network shared folders. If the share is protected by a password, it attempts to connect to it using the following user names and passwords:

    User Names:

    • administrator
    • administrador
    • administrateur
    • administrat
    • admins"
    • admin
    • staff
    • root
    • computer
    • owner
    • student
    • teacher
    • wwwadmin
    • guest
    • default
    • databas
    • dba
    • oracle
    • db2

    Passwords:

    • administrator
    • administrador
    • administrateur
    • administrat
    • admins
    • admin
    • adm
    • password1
    • password
    • passwd
    • pass1234
    • pass
    • pwd
    • 007
    • 1
    • 12
    • 123
    • 1234
    • 12345
    • 123456
    • 1234567
    • 12345678
    • 123456789
    • 1234567890
    • 2000
    • 2001
    • 2002
    • 2003
    • 2004
    • test
    • guest
    • none
    • demo
    • unix
    • linux
    • changeme
    • default
    • system
    • server
    • root
    • null
    • qwerty
    • mail
    • outlook
    • web
    • www
    • internet
    • accounts
    • accounting
    • home
    • homeuser
    • user
    • oemuser
    • oeminstall
    • windows
    • win98
    • win2k
    • winxp
    • winnt
    • win2000
    • qaz
    • asd
    • zxc
    • qwe
    • bob
    • jen
    • joe
    • fred
    • bill
    • mike
    • john
    • peter
    • luke
    • sam
    • sue
    • susan
    • peter
    • brian
    • lee
    • neil
    • ian
    • chris
    • eric
    • george
    • kate
    • bob
    • katie
    • mary
    • login
    • loginpass
    • technical
    • backup
    • exchange
    • fuck
    • bitch
    • slut
    • sex
    • god
    • hell
    • hello
    • domain
    • domainpass
    • domainpassword
    • database
    • access
    • dbpass
    • dbpassword
    • databasepass
    • data
    • databasepassword
    • db1
    • db2
    • db1234
    • sa
    • sql
    • sqlpassoainstall
    • orainstall
    • oracle
    • ibm
    • cisco
    • dell
    • compaq
    • siemens
    • hp
    • nokia
    • xp
    • control
    • office
    • blank
    • winpass
    • main
    • lan
    • internet
    • intranet
    • student
    • teacher
    • staff

  • Exploits the following Windows vulnerabilities to propagate across networks:



    Backdoor and/or Trojan Behavior

  • Modifies the following value to enable the DCOM service in Windows 2K/XP:
    HKEY_LOCAL_MACHINE\Software\Microsoft\OLE
      EnableDCOM = "Y"
  • Modifies the following value to allow IPC$ connections in Win2K/XP:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
      restrictanonymous = 0
  • Connects to the IRC Server fuck.x1secure.com, possibly allowing remote attacks.

  • Registers itself as the service *wuauclt.
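Host check for the indicators listed above, added here as an example (it is not part of the Fortinet write-up). It assumes an elevated PowerShell session and uses only the file, mutex, registry value and service names given in the analysis.

```powershell
# Added host check, not part of the Fortinet write-up. Assumes an elevated
# PowerShell session; every indicator string below is copied from the text.
$findings = @()

# Dropped copy in the System folder (note the "waauclt" spelling, one letter
# off from the legitimate Windows Update client wuauclt.exe).
$sysFile = Join-Path $env:SystemRoot 'System32\waauclt.exe'
if (Test-Path -LiteralPath $sysFile) { $findings += "File present: $sysFile" }

# Mutex "waauclt": OpenExisting succeeds only while a process holds it.
# Without a "Global\" prefix this looks in the current session's namespace.
try {
    $mtx = [System.Threading.Mutex]::OpenExisting('waauclt'); $mtx.Dispose()
    $findings += 'Mutex "waauclt" is held by a running process'
} catch [System.Threading.WaitHandleCannotBeOpenedException] {
    # mutex not present
} catch [System.UnauthorizedAccessException] {
    $findings += 'Mutex "waauclt" exists (access denied when opening)'
}

# Autostart value "*wuauclt" in the three Run keys. GetValue() takes the
# literal name, so the leading "*" is not treated as a wildcard.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
foreach ($path in $runKeys) {
    $key = Get-Item -Path $path -ErrorAction SilentlyContinue
    if ($key -and $null -ne $key.GetValue('*wuauclt')) {
        $findings += "Autostart: $path\*wuauclt = $($key.GetValue('*wuauclt'))"
    }
}

# Service registered under the same name (exact match, no wildcard).
if (Get-Service | Where-Object { $_.Name -eq '*wuauclt' }) {
    $findings += 'Service "*wuauclt" is registered'
}

# DCOM / anonymous-access settings the worm changes. EnableDCOM = "Y" is the
# Windows default and RestrictAnonymous = 0 is common, so report these only
# as corroborating context, never as an indicator on their own.
$ole = (Get-Item 'HKLM:\SOFTWARE\Microsoft\OLE').GetValue('EnableDCOM')
$lsa = (Get-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa').GetValue('restrictanonymous')

if ($findings.Count -eq 0) { Write-Output 'No RBot.AHL indicators found.' }
else { $findings | ForEach-Object { Write-Output "[!] $_" } }
Write-Output "Context: EnableDCOM=$ole RestrictAnonymous=$lsa"
```

Any hit on the file, mutex, autostart value or service warrants isolating the host and checking outbound connections to the IRC server named above; the two registry settings alone are not a detection.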
Description Last Updated Date: Sep 06, 2006
Reference: ID - 64747