[virusinfo] W32/Rbot-AAC

From: "Mike" <mikebike@xxxxxxxxx>
To: virusinfo@xxxxxxxxxxxxx
Date: Wed, 06 Apr 2005 09:10:01 -0700
From; Sophos Alert System:

Name: W32/Rbot-AAC
Type: Win32 worm
Date: 6 April 2005

A virus identity (IDE) file which provides protection is
available now from the Sophos website, and will be incorporated
into the May 2005 (3.93) release of Sophos Anti-Virus.

Customers using EM Library, PureMessage or any of our Sophos
small business solutions will be automatically protected at
their next scheduled update.

At the time of writing, Sophos has received a small number of
reports of this worm from the wild.


Information about W32/Rbot-AAC can be found at:
http://www.sophos.com/virusinfo/analyses/w32rbotaac.html

W32/Rbot-AAC is a network worm which attempts to spread via network shares. The 
worm contains backdoor functions that allows unauthorised remote access to the 
infected computer via IRC channels while running in the background. 
The worm spreads to network shares with weak passwords and also by using the 
RPC-DCOM security exploit (MS03-039). 
When run W32/Rbot-AAC moves itself to the Windows System folder as a hidden, 
read-only, system file named msnmsgs.exe. The worm then copies itself to the 
following filenames: 
C:\eminem vs 2pac.scr
C:\funny pic.scr
C:\photo album.scr 
The above 3 files have their read-only, hidden, system and archive file 
attributes set. 
W32/Rbot-AAC then creates the following registry entries so as to run itself on 
computer logon: 
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
MSN MESSENGER
msnmsgs.exe 
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MSN MESSENGER
msnmsgs.exe 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
MSN MESSENGER
msnmsgs.exe 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MSN MESSENGER
msnmsgs.exe 
The worm also creates the following registry entries: 
HKCU\SYSTEM\CurrentControlSet\Control\Lsa
MSN MESSENGER
msnmsgs.exe 
HKCU\Software\Microsoft\Ole
MSN MESSENGER
msnmsgs.exe 
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
MSN MESSENGER
msnmsgs.exe 
HKLM\SOFTWARE\Microsoft\Ole
MSN MESSENGER
msnmsgs.exe 
The worm changes the following registry entry as follows: 
from:
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
Y 
to:
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N 
from:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
dword:00000000 
to:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
dword:00000001 
Once installed, W32/Rbot-AAC will attempt to perform the following actions when 
instructed to do so by a remote attacker: 
scan ports
create an HTTPD server
create a SOCKS4 server
participate in distributed denial of service (DDoS) attacks
download and run files from the Internet
log keystrokes to the file %SYSTEM%\keys.txt
capture clipboard information
terminates anti-virus, security and Windows applications and processes 
The worm also prevents accesses to anti-virus and security related websites by 
appending the HOSTS file in the %SYSTEM%\drivers\etc folder with the following 
mappings: 
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.trendmicro.com 

This IDE file also includes detection for:

Troj/Banker-MA
http://www.sophos.com/virusinfo/analyses/trojbankerma.html
Troj/Bancos-BZ
http://www.sophos.com/virusinfo/analyses/trojbancosbz.html
Troj/StartPa-FO
http://www.sophos.com/virusinfo/analyses/trojstartpafo.html
Troj/Bancos-CA
http://www.sophos.com/virusinfo/analyses/trojbancosca.html
W32/Rbot-AAB
http://www.sophos.com/virusinfo/analyses/w32rbotaab.html
Troj/Dloader-LB
http://www.sophos.com/virusinfo/analyses/trojdloaderlb.html
Troj/Mirchack-F
http://www.sophos.com/virusinfo/analyses/trojmirchackf.html
Troj/Haxdor-Gen
http://www.sophos.com/virusinfo/analyses/trojhaxdorgen.html

Download the IDE file from:
http://www.sophos.com/downloads/ide/rbot-aac.ide

Download all the IDE files available for the current version of 
Sophos Anti-Virus in a single compressed file. The file is
available in two formats:

Zip file:
http://www.sophos.com/downloads/ide/ides.zip

Self-extracting file:
http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html

*********** MIKE"S REPLY SEPARATOR  ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member
[virusinfo] W32/Rbot-AAC

Other related posts:
