W32/RBot!tr.bdr!08
Analysis
- Creates a mutex named msdss to ensure that only one instance is executed on the computer.
- Copies itself to the System folder as ms-dos.pif.
Autostart Mechanism
- Adds the following value:
MS-DOS Security Service = "ms-dos.pif"
to the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ole
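As an added detection example (not Fortinet's code, and not part of the original entry), the following Python script parses a Windows registry export in `.reg` text format and reports the autostart indicators listed above: the value name "MS-DOS Security Service" anywhere, and any value under the eight listed subkeys whose data names the dropped file `ms-dos.pif`. The `.reg` sample embedded in the script is constructed for the example; the mutex and the System-folder copy are not checked here.

```python
"""Scan a .reg export for the W32/RBot autostart indicators.

Added example, not the encyclopedia's code. Real input would come from
`reg export <key> out.reg` on the suspect host (a UTF-16 file; decode it
before passing the text in). The sample below is constructed.
"""
import re

# The eight subkeys named in the analysis, compared case-insensitively.
RBOT_AUTOSTART_KEYS = {k.lower() for k in (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ole",
)}
RBOT_VALUE_NAME = "ms-dos security service"   # value name written by the worm
RBOT_FILE_NAME = "ms-dos.pif"                 # file it copies into the System folder

_KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"=rhs, allowing escaped quotes and backslashes inside the name
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    """Undo .reg string escaping: \\\\ -> \\ and \\" -> "."""
    return re.sub(r'\\(["\\])', r'\1', s)


def _basename(path):
    """Last path component, lower-cased, accepting either slash style."""
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]


def parse_reg_export(text):
    """Yield (key, value_name, data) for every value in a .reg export.

    REG_SZ data is returned unescaped; non-string data (hex:, dword:) is
    returned as None. The default value ("@=") is reported with name ''.
    """
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith(("Windows Registry Editor", "REGEDIT4")):
            continue
        m = _KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        if current_key is None:
            continue
        if line.startswith("@="):
            name, rhs = "", line[2:]
        else:
            m = _VALUE_RE.match(line)
            if not m:
                continue
            name, rhs = _unescape(m.group(1)), m.group(2)
        data = _unescape(rhs[1:-1]) if len(rhs) >= 2 and rhs[0] == rhs[-1] == '"' else None
        yield current_key, name, data


def find_rbot_autostart(text):
    """Return a list of (key, value_name, data, reason) findings."""
    findings = []
    for key, name, data in parse_reg_export(text):
        if name.lower() == RBOT_VALUE_NAME:
            # The value name alone is distinctive, so flag it under any key.
            findings.append((key, name, data, "value name matches"))
        elif key.lower() in RBOT_AUTOSTART_KEYS and data is not None and _basename(data) == RBOT_FILE_NAME:
            # Same dropped file under a listed key, but with a renamed value.
            findings.append((key, name, data, "data points to ms-dos.pif"))
    return findings


# Constructed sample export: two textbook entries, one renamed entry with a
# full path, one benign entry and one unrelated RunOnce entry.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Example\\update.exe"
"MS-DOS Security Service"="ms-dos.pif"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Bounds"=hex:00,30,00,00,00,20,00,00
"MS-DOS Security Service"="ms-dos.pif"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Legacy"="C:\\WINDOWS\\system32\\ms-dos.pif"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="cleanup.exe"
"""

if __name__ == "__main__":
    for key, name, data, reason in find_rbot_autostart(SAMPLE_REG_EXPORT):
        print(f"{reason}: [{key}] \"{name}\"=\"{data}\"")
```

On the sample the script reports three findings: the two textbook entries and the renamed `Legacy` value whose data still ends in `ms-dos.pif`; the `Updater`, `Bounds` and `Cleanup` values are ignored.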
Network Propagation
- Spreads via weakly protected network shares, weakly protected Microsoft SQL servers and the following vulnerabilities:
- Microsoft Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) Vulnerability
- Microsoft Windows Workstation Service Remote Buffer Overflow
- Microsoft ASN.1 Library Vulnerability
- Microsoft Windows Plug and Play Buffer Overflow Vulnerability
Backdoor/Trojan Behavior
- Connects to an IRC server to await instructions and commands from a malicious user. These commands can cause the infected machine to perform any of the following actions:
- Download and execute files
- Scan for vulnerable computers
- Send confidential information, such as the user name, passwords, etc., to the remote intruder
- Start a proxy server for HTTP and SOCKS4
- List and terminate services and processes
- Initiate distributed denial of service (DDoS) attacks
- Log keystrokes
Recommended Action
FortiGate systems:
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.
Patch
- Download and install the following patches:
- Microsoft Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) Vulnerability: http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
- Microsoft Windows Workstation Service Remote Buffer Overflow: http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx
- Microsoft ASN.1 Library Vulnerability: http://www.microsoft.com/technet/security/bulletin/MS04-007.mspx
- Microsoft Windows Plug and Play Buffer Overflow Vulnerability: http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx