Malware type: Worm
Aliases: Backdoor.Win32.Rbot.azq (Kaspersky), W32/Sdbot.worm.gen.n (McAfee), W32.Spybot.Worm (Symantec), Worm/Rbot.203264.3 (Avira), Mal/Generic-A (Sophos), Backdoor:Win32/Rbot (Microsoft)
In the wild: Yes
Destructive: No
Language: English
Platform: Windows 95, 98, ME, NT, 2000, XP
Encrypted: No
Description:
This worm arrives as the file RSVC32.EXE. It saves itself in the Windows system folder of affected machines.
It spreads by dropping a copy of itself on accessible network shares. If these shares or folders are not accessible, it uses a list of user names and passwords, which are found in its code, to gain access and perform its propagation routine.
This worm may also spread by taking advantage of the following vulnerabilities found on target machines:
- A buffer overflow in SQL Server 2000 that allows a low-privileged user to run, delete, insert or update Web tasks. An attacker who can authenticate to the SQL server may perform the same actions and run previously created Web tasks in the security context of the task's creator. More information on this vulnerability is found in Microsoft Security Bulletin MS02-061.
- The RPC/DCOM vulnerability, which allows an attacker to gain full access and execute arbitrary code on a target machine by sending a malformed packet to the DCOM service, which listens on RPC TCP port 135. More information on this vulnerability is found in Microsoft Security Bulletin MS03-026.
- The IIS/WebDAV vulnerability, which enables arbitrary code execution on the WebDAV server, again by sending a malformed request packet. The exploited service is reached over HTTP on port 80. More information about this vulnerability is found in Microsoft Security Bulletin MS03-007.
- The Windows LSASS vulnerability, a buffer overrun that allows remote code execution and lets a malicious user gain full control of the affected system. This vulnerability is discussed in detail in Microsoft Security Bulletin MS04-011 and Trend Micro's Vulnerability Description for MS04-011.
Furthermore, it may take advantage of the Dameware application as well as the backdoor capabilities of the following malware:
This worm connects to an IRC server on the standard IRC port, 6667, where it listens for commands from a remote malicious user. These commands are executed locally on affected machines. It also steals the Microsoft product ID as well as the CD keys of popular games.
It runs on Windows 95, 98, ME, NT, 2000, and XP.
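The propagation and command-and-control behaviour described above (share-based spreading, exploitation of network-facing services, and an outbound IRC connection on port 6667) leaves a recognisable footprint in connection logs and on disk. The following Python script is an added example of how a defender might flag that footprint; it is not Trend Micro's tooling or part of this description. The flow-log format, the sample log lines and file paths are constructed for the example, and the SMB (139/445) and SQL Server (1433) port numbers are assumptions, since the page names only ports 135, 80 and 6667 explicitly.

```python
"""Flag hosts showing the Rbot-style propagation plus IRC C2 pattern.

Added example for illustration; not Trend Micro's tooling. The flow-log
format and all sample data below are constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

IRC_PORT = 6667  # port named in the description for the IRC C2 channel
# Ports touched during propagation. 135 (RPC/DCOM) and 80 (IIS/WebDAV) come
# from the description; 139/445 (SMB shares, LSASS) and 1433 (SQL Server)
# are assumptions added for this example.
PROPAGATION_PORTS = {135, 80, 139, 445, 1433}
FANOUT_THRESHOLD = 5  # distinct targets before a host is considered to be scanning

DROPPED_FILE = "rsvc32.exe"  # file name from the description
SYSTEM_DIRS = ("\\windows\\system32\\", "\\winnt\\system32\\", "\\windows\\system\\")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


# Constructed log format: "<timestamp> <src_ip> -> <dst_ip>:<dst_port> tcp"
LINE_RE = re.compile(
    r"^\S+\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+tcp$"
)


def parse_flow(line):
    """Return a Flow for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Flow(m["src"], m["dst"], int(m["dport"]))


def analyze_flows(lines, fanout_threshold=FANOUT_THRESHOLD):
    """Map source IP -> list of reasons it looks like an infected host."""
    targets = defaultdict(set)  # src -> distinct hosts contacted on propagation ports
    irc_hosts = set()
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue  # malformed lines are skipped, not fatal
        if flow.dport == IRC_PORT:
            irc_hosts.add(flow.src)
        elif flow.dport in PROPAGATION_PORTS:
            targets[flow.src].add(flow.dst)

    findings = {}
    for src in irc_hosts | set(targets):
        reasons = []
        if src in irc_hosts:
            reasons.append("outbound IRC (tcp/6667) connection")
        if len(targets[src]) >= fanout_threshold:
            reasons.append(
                f"fan-out to {len(targets[src])} hosts on share/exploit ports"
            )
        if reasons:
            findings[src] = reasons
    return findings


def flag_dropped_file(paths):
    """Return paths matching the dropped file name inside a Windows system folder."""
    hits = []
    for p in paths:
        low = p.lower()
        if low.endswith("\\" + DROPPED_FILE) and any(d in low for d in SYSTEM_DIRS):
            hits.append(p)
    return hits


# Constructed sample data: 10.0.0.5 behaves like an infected host,
# 10.0.0.9 is an ordinary client talking to one file server.
SAMPLE_FLOWS = """
2004-11-21T09:12:01 10.0.0.5 -> 192.0.2.10:6667 tcp
2004-11-21T09:12:02 10.0.0.5 -> 10.0.0.21:445 tcp
2004-11-21T09:12:02 10.0.0.5 -> 10.0.0.22:445 tcp
2004-11-21T09:12:03 10.0.0.5 -> 10.0.0.23:135 tcp
2004-11-21T09:12:03 10.0.0.5 -> 10.0.0.24:135 tcp
2004-11-21T09:12:04 10.0.0.5 -> 10.0.0.25:1433 tcp
2004-11-21T09:12:04 10.0.0.5 -> 10.0.0.26:80 tcp
2004-11-21T09:12:05 10.0.0.9 -> 10.0.0.50:445 tcp
2004-11-21T09:12:06 10.0.0.9 -> 10.0.0.50:445 tcp
malformed line that the parser should skip
""".strip().splitlines()

SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\RSVC32.EXE",
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\Users\bob\Downloads\rsvc32.exe",
]

if __name__ == "__main__":
    for host, reasons in analyze_flows(SAMPLE_FLOWS).items():
        print(host, "->", "; ".join(reasons))
    print("dropped file hits:", flag_dropped_file(SAMPLE_PATHS))
```

The two signals are scored together because either one alone is noisy: backup agents and vulnerability scanners also fan out across SMB and RPC ports, and legitimate IRC clients existed in 2004. A host doing both, with a copy of the named file in its system folder, is a much stronger lead for incident response than any single indicator.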
Description created: Nov. 21, 2004 9:12:32 AM GMT -0800
Description updated: Nov. 27, 2004 9:54:05 AM GMT -0800