W32/RBot!tr.bdr!06
Analysis
- Creates a mutex named rx10B to ensure that only one instance of the worm is executed on the computer.
- Copies itself to the System folder as [Random].exe, where [Random] refers to eight lowercase characters.
Autostart Mechanism
- Creates the following value:
AdobeReaderPro = "[Random].exe"
under the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\OLE
Note: [Random] refers to a random combination of eight lowercase characters.
Network Propagation
- Spreads via weakly protected network shares, weakly protected Microsoft SQL servers and the following vulnerabilities:
- Microsoft Windows Local Security Authority Subsystem Service (LSASS) Vulnerability
- Microsoft Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) Vulnerability
- Microsoft Windows Workstation Service Remote Buffer Overflow
Backdoor/Trojan Behavior
- Modifies the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
EnableDCOM = "N" (The default value is "Y")
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous = dword:1
- Attempts to terminate processes whose names contain one of the following strings:
- ACKWIN32.EXE
- ADAWARE.EXE
- ADVXDWIN.EXE
- AGENTSVR.EXE
- AGENTW.EXE
- ALERTSVC.EXE
- ALEVIR.EXE
- ALOGSERV.EXE
- AMON9X.EXE
- ANTI-TROJAN.EXE
- ANTIVIRUS.EXE
- ANTS.EXE
- APIMONITOR.EXE
- APLICA32.EXE
- APVXDWIN.EXE
- ARR.EXE
- ATCON.EXE
- ATGUARD.EXE
- ATRO55EN.EXE
- ATUPDATER.EXE
- ATWATCH.EXE
- AU.EXE
- AUPDATE.EXE
- AUTODOWN.EXE
- AUTO-PROTECT.NAV80TRY.EXE
- AUTOTRACE.EXE
- AUTOUPDATE.EXE
- AVCONSOL.EXE
- AVE32.EXE
- AVGCC32.EXE
- AVGCTRL.EXE
- AVGNT.EXE
- AVGSERV.EXE
- AVGSERV9.EXE
- AVGUARD.EXE
- AVGW.EXE
- AVKPOP.EXE
- AVKSERV.EXE
- AVKSERVICE.EXE
- AVKWCTl9.EXE
- AVLTMAIN.EXE
- AVNT.EXE
- AVP.EXE
- AVP32.EXE
- AVPCC.EXE
- AVPDOS32.EXE
- AVPM.EXE
- AVPTC32.EXE
- AVPUPD.EXE
- AVSCHED32.EXE
- AVSYNMGR.EXE
- AVWINNT.EXE
- AVWUPD.EXE
- AVWUPD32.EXE
- AVWUPSRV.EXE
- AVXMONITOR9X.EXE
- AVXMONITORNT.EXE
- AVXQUAR.EXE
- BACKWEB.EXE
- BARGAINS.EXE
- BD_PROFESSIONAL.EXE
- BEAGLE.EXE
- BELT.EXE
- BIDEF.EXE
- BIDSERVER.EXE
- BIPCP.EXE
- BIPCPEVALSETUP.EXE
- BISP.EXE
- BLACKD.EXE
- BLACKICE.EXE
- BLSS.EXE
- BOOTCONF.EXE
- BOOTWARN.EXE
- BORG2.EXE
- BPC.EXE
- BRASIL.EXE
- BS120.EXE
- BUNDLE.EXE
- BVT.EXE
- CCAPP.EXE
- CCEVTMGR.EXE
- CCPXYSVC.EXE
- CDP.EXE
- CFD.EXE
- CFGWIZ.EXE
- CFIADMIN.EXE
- CFIAUDIT.EXE
- CFINET.EXE
- CFINET32.EXE
- CLAW95CF.EXE
- CLEAN.EXE
- CLEANER.EXE
- CLEANER3.EXE
- CLEANPC.EXE
- CLICK.EXE
- CMD.EXE
:
:
- Connects to an IRC server to await instructions and commands from a malicious user. These commands can cause the infected machine to perform any of the following actions:
- Download and execute files
- Scan for vulnerable computers
- Send confidential information, such as the user name, passwords, etc., to the remote intruder
- Start proxy server for HTTP, SOCKS4
- List and terminate services and processes
- Initiate distributed denial of service (DDoS) attacks
- Log keystrokes
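The registry values, mutex name and file-naming pattern listed under "Autostart Mechanism" and "Backdoor/Trojan Behavior" are host-level indicators an administrator can check directly. The PowerShell script below is an added example, not part of the Fortinet advisory and not FortiGate tooling: it reads the Run/RunServices keys and the HKCU OLE key for the AdobeReaderPro value, checks the EnableDCOM and restrictanonymous settings the worm changes, tries to open the rx10B mutex, and looks for running executables in the System folder whose names match the eight-lowercase-letter [Random].exe pattern. It assumes it is run in an elevated PowerShell session on the host being examined; only the registry paths, value names, value data and mutex name come from the advisory, everything else is this example's own construction.

```powershell
# Added example (not from the Fortinet advisory): host check for the
# W32/RBot!tr.bdr!06 indicators listed above. Assumes an elevated session.
$findings = @()

# 1. Autostart value AdobeReaderPro under the subkeys named in the advisory.
#    The value data is [Random].exe, where [Random] is eight lowercase letters.
$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\OLE'
)
foreach ($key in $autostartKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    if ($null -ne $props.PSObject.Properties['AdobeReaderPro']) {
        $data = [string]$props.AdobeReaderPro
        $findings += "Autostart value AdobeReaderPro = '$data' under $key"
        if ($data -cmatch '^[a-z]{8}\.exe$') {
            $findings += "  value data matches the [Random].exe naming pattern"
        }
    }
}

# 2. DCOM disabled and anonymous enumeration restricted, as the worm sets them.
#    restrictanonymous = 1 is also a legitimate hardening setting, so on its own
#    it is only corroborating evidence.
$ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue
if ($ole -and $ole.EnableDCOM -eq 'N') {
    $findings += "HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM is 'N' (default is 'Y')"
}
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
if ($lsa -and $lsa.restrictanonymous -eq 1) {
    $findings += "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous is 1"
}

# 3. Mutex rx10B: OpenExisting succeeds only while some process holds it open.
try {
    $m = [System.Threading.Mutex]::OpenExisting('rx10B')
    $m.Dispose()
    $findings += "Mutex 'rx10B' exists: a worm instance is probably running"
} catch [System.Threading.WaitHandleCannotBeOpenedException] {
    # Mutex not present; nothing to report.
} catch {
    # Access denied or similar: the mutex exists but could not be opened.
    $findings += "Mutex 'rx10B' could not be opened ($($_.Exception.GetType().Name)); it may exist"
}

# 4. Running executables in the System folder named with eight lowercase letters.
#    Process objects without a readable Path (protected processes) are skipped.
$systemDir = [Environment]::GetFolderPath('System')
foreach ($p in (Get-Process | Where-Object { $_.Path })) {
    $name = [IO.Path]::GetFileName($p.Path)
    if ($name -cmatch '^[a-z]{8}\.exe$' -and $p.Path -like "$systemDir\*") {
        $findings += "Process $($p.Id) running from $($p.Path) matches [Random].exe in the System folder"
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No W32/RBot!tr.bdr!06 indicators found."
} else {
    Write-Output "Indicators found:"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Run it from an elevated prompt on the suspect host. The process-name check is deliberately loose and will flag any eight-lowercase-letter executable under System32, so treat that finding as a lead to verify against the autostart value and the mutex rather than as a confirmation on its own.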
Recommended Action
FortiGate systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
Patch
- Download and install the following patches:
- Microsoft Windows Local Security Authority Subsystem Service (LSASS) Vulnerability: http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
- Microsoft Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) Vulnerability: http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
- Microsoft Windows Workstation Service Remote Buffer Overflow: http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx