W32/RBot.ADF!tr.bdr
Analysis
- Creates a mutex named [Ruff] to ensure that only one instance is executed on the computer.
- Copies itself to the System folder as WinUpdate.exe.
Autostart Mechanism
- Adds the following registry entry:
IE6 = "WinUpdate.exe"
to the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\OLE
Network Propagation
- Spreads via network shares. If access to these shares is restricted, it attempts to log on using the following hardcoded list of common user names and passwords:
User Names:
- administrator
- administrador
- administrateur
- administrat
- admins
- admin
- staff
- root
- computer
- owner
- student
- teacher
- wwwadmin
- guest
- default
- database
- dba
- oracle
- db2
Passwords:
- password1
- password
- passwd
- pass1234
- pass
- pwd
- 007
- 1
- 12
- 123
- 1234
- 12345
- 123456
- 1234567
- 12345678
- 123456789
- 1234567890
- 2000
- 2001
- 2002
- 2003
- 2004
- test
- guest
- none
- demo
- unix
- linux
- changeme
- default
- system
- server
- root
- null
- qwerty
- outlook
- web
- www
- internet
- accounts
- accounting
- home
- homeuser
- user
- oem
- oemuser
- oeminstall
- windows
- win98
- win2k
- winxp
- winnt
- win2000
:
:
- Propagates by exploiting the following vulnerabilities:
- Microsoft Windows Local Security Authority Subsystem Service (LSASS) Vulnerability
- Microsoft Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) Vulnerability
- Microsoft ASN.1 Library Vulnerability
Backdoor and/or Trojan Behavior
- Modifies the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
EnableDCOM = "N" (The default value is "Y")
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous = dword:1
- Attempts to terminate processes whose names contain one of the following strings:
- ACKWIN32.EXE
- ADAWARE.EXE
- ADVXDWIN.EXE
- AGENTSVR.EXE
- AGENTW.EXE
- ALERTSVC.EXE
- ALEVIR.EXE
- ALOGSERV.EXE
- AMON9X.EXE
- ANTI-TROJAN.EXE
- ANTIVIRUS.EXE
- ANTS.EXE
- APIMONITOR.EXE
- APLICA32.EXE
- APVXDWIN.EXE
- ARR.EXE
- ATCON.EXE
- ATGUARD.EXE
- ATRO55EN.EXE
- ATUPDATER.EXE
- ATWATCH.EXE
- AU.EXE
- AUPDATE.EXE
- AUTODOWN.EXE
- AUTO-PROTECT.NAV80TRY.EXE
- AUTOTRACE.EXE
- AUTOUPDATE.EXE
- AVCONSOL.EXE
- AVE32.EXE
- AVGCC32.EXE
- AVGCTRL.EXE
- AVGNT.EXE
- AVGSERV.EXE
- AVGSERV9.EXE
- AVGUARD.EXE
- AVGW.EXE
- AVKPOP.EXE
- AVKSERV.EXE
- AVKSERVICE.EXE
- AVKWCTl9.EXE
- AVLTMAIN.EXE
- AVNT.EXE
- AVP.EXE
- AVP32.EXE
- AVPCC.EXE
- AVPDOS32.EXE
- AVPM.EXE
- AVPTC32.EXE
- AVPUPD.EXE
- AVSCHED32.EXE
- AVSYNMGR.EXE
- AVWINNT.EXE
- AVWUPD.EXE
- AVWUPD32.EXE
- AVWUPSRV.EXE
- AVXMONITOR9X.EXE
- AVXMONITORNT.EXE
- AVXQUAR.EXE
- BACKWEB.EXE
- BARGAINS.EXE
- BD_PROFESSIONAL.EXE
- BEAGLE.EXE
- BELT.EXE
- BIDEF.EXE
- BIDSERVER.EXE
- BIPCP.EXE
- BIPCPEVALSETUP.EXE
- BISP.EXE
- BLACKD.EXE
- BLACKICE.EXE
- BLSS.EXE
- BOOTCONF.EXE
- BOOTWARN.EXE
- BORG2.EXE
- BPC.EXE
- BRASIL.EXE
- BS120.EXE
- BUNDLE.EXE
- BVT.EXE
- CCAPP.EXE
- CCEVTMGR.EXE
- CCPXYSVC.EXE
- CDP.EXE
- CFD.EXE
- CFGWIZ.EXE
- CFIADMIN.EXE
- CFIAUDIT.EXE
- CFINET.EXE
- CFINET32.EXE
- CLAW95CF.EXE
- CLEAN.EXE
- CLEANER.EXE
- CLEANER3.EXE
- CLEANPC.EXE
- CLICK.EXE
- CMD.EXE
:
:
- Connects to an IRC server to await instructions and commands from a malicious user. These commands can cause the infected machine to perform any of the following actions:
- Perform basic IRC commands
- Download and execute files
- Flush DNS Cache
- Scan for vulnerable computers
- Send confidential information, such as the user name, passwords, etc., to the remote intruder
- Start proxy server for HTTP, SOCKS4
- List and terminate services and processes
- Initiate distributed denial of service (DDoS) attacks
- Log keystrokes
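Host-side triage for the artifacts listed in this write-up (an added example, not Fortinet's code): it reports the dropped file, the IE6 autostart values, the two modified registry values, the [Ruff] mutex and a running WinUpdate process. It assumes the "System folder" is %SystemRoot%\System32 and that the bot's process name matches its file name; the mutex name is taken literally from the text.

```powershell
# Read-only triage for the host artifacts described in this write-up.
# Added example, not Fortinet's tooling. Assumes the "System folder" is
# %SystemRoot%\System32 and that the bot's process name matches its file name.
$findings = New-Object 'System.Collections.Generic.List[string]'

# 1. Dropped copy in the System folder
$dropped = Join-Path $env:SystemRoot 'System32\WinUpdate.exe'
if (Test-Path -LiteralPath $dropped) { $findings.Add("File present: $dropped") }

# 2. Autostart value IE6 = "WinUpdate.exe" under the three subkeys listed above
$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\OLE'
)
foreach ($key in $autostartKeys) {
    $ie6 = (Get-ItemProperty -Path $key -Name 'IE6' -ErrorAction SilentlyContinue).IE6
    if ($ie6 -and $ie6 -match 'WinUpdate\.exe') { $findings.Add("Autostart: $key\IE6 = `"$ie6`"") }
}

# 3. Registry values the bot changes. Both can also be set by legitimate
#    hardening, so treat them as supporting evidence only.
$ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue
if ($ole.EnableDCOM -eq 'N') { $findings.Add('HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N" (default "Y")') }
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
if ($lsa.restrictanonymous -eq 1) { $findings.Add('HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = 1') }

# 4. Mutex named [Ruff] (name copied literally from the write-up). A non-Global
#    mutex is only visible from the session that created it.
foreach ($name in '[Ruff]', 'Global\[Ruff]') {
    try {
        $m = [System.Threading.Mutex]::OpenExisting($name); $m.Dispose()
        $findings.Add("Mutex present: $name")
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
    } catch [System.UnauthorizedAccessException] {
        $findings.Add("Mutex present but not openable: $name")
    }
}

# 5. Running instance (process name assumed to match the dropped file name)
Get-Process -Name 'WinUpdate' -ErrorAction SilentlyContinue | ForEach-Object {
    $findings.Add("Running process: $($_.ProcessName) PID $($_.Id) $($_.Path)")
}

if ($findings.Count -eq 0) {
    'No W32/RBot.ADF host indicators from the write-up were found.'
} else {
    "Indicators found ($($findings.Count)):"
    $findings | ForEach-Object { " - $_" }
}
```

Run from an elevated prompt so the HKLM values and other users' processes are readable; a hit on item 3 alone is not conclusive, since those settings are also legitimate hardening choices.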
Recommended Action
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
Patch
- Download and install the following patches:
- Microsoft Windows Local Security Authority Subsystem Service (LSASS) Vulnerability: http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
- Microsoft Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) Vulnerability: http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
- Microsoft ASN.1 Library Vulnerability: http://www.microsoft.com/technet/security/bulletin/MS04-007.mspx
Detection Availability
- FortiGate
- Extended
- FortiClient
- FortiMail
- FortiSandbox
- FortiWeb
- Web Application Firewall
- FortiIsolator
- FortiDeceptor
- FortiEDR
Version Updates
Date | Version | Detail |
---|---|---|
2024-04-10 | 92.03247 | |
2021-11-23 | 89.07133 | |
2021-05-12 | 86.00112 | |
2020-01-23 | 74.74100 | Sig Updated |
2019-05-21 | 68.68100 | Sig Updated |
2019-05-14 | 68.51300 | Sig Updated |
2019-04-23 | 68.00300 | Sig Updated |
2019-04-23 | 68.00200 | Sig Updated |
2019-04-13 | 67.77100 | Sig Updated |
2018-12-11 | 64.82100 | Sig Updated |