WORM_RBOT.ABK
Overview

Malware type: Worm

Aliases: Packed.Win32.NSAnti.r (Kaspersky), W32/Sdbot.worm.gen.h (McAfee), W32.Spybot.Worm (Symantec), TR/Downloader.Gen (Avira), Mal/Packer (Sophos), Backdoor:Win32/Rbot (Microsoft)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 95, 98, ME, NT, 2000, XP

Encrypted: No

Overall risk rating:


Reported infections:

Damage potential:

High

Distribution potential:

High

Description: 

This worm arrives on affected machines as the file CDACCESS.EXE. It spreads by dropping a copy of itself onto accessible network shares. If a share cannot be accessed directly, it attempts to log on using a hardcoded list of user names and passwords.

It may also propagate by taking advantage of the following Windows vulnerabilities:

  • Buffer Overflow in SQL Server 2000, a vulnerability that allows a low-privileged user to run, delete, insert or update Web tasks. An attacker who can authenticate to the SQL server may perform the same actions and run existing Web tasks in the security context of the task's creator. More information on this vulnerability is found in Microsoft Security Bulletin MS02-061.

  • The RPC/DCOM vulnerability, which allows an attacker to gain full access and execute arbitrary code on a target machine by sending a malformed packet to the DCOM service over RPC on TCP port 135. More information on this vulnerability is found in Microsoft Security Bulletin MS03-026.

  • The Windows LSASS vulnerability, a buffer overrun that allows remote code execution and lets a malicious user gain full control of the affected system. This vulnerability is discussed in detail in Microsoft Security Bulletin MS04-011 and in Trend Micro's Vulnerability Description for MS04-011.

It connects to an IRC server on port 6667 and waits there for commands from a remote malicious user; those commands are executed locally on the affected machine. It also steals the Microsoft product ID and the CD keys of popular games.
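The two network behaviours described above (an IRC control connection on port 6667, and spreading to other hosts over the share and RPC ports) can be correlated per source host in connection logs. The following triage script is an added example, not part of this Trend Micro description; the log format and the sample records are constructed, and the ports and threshold are assumptions a defender would tune to their own environment.

```python
# Added example (not from the Trend Micro entry): flag hosts that both opened an
# IRC connection on TCP 6667 and then contacted many internal hosts on the
# share/RPC ports this worm uses when spreading (135 RPC/DCOM, 139 NetBIOS, 445 SMB).
from collections import defaultdict

# Constructed sample connection records: "timestamp src dst dport proto".
SAMPLE_LOG = """\
2004-11-23T10:01:02 10.0.0.17 192.0.2.10 6667 tcp
2004-11-23T10:01:05 10.0.0.17 10.0.0.21 445 tcp
2004-11-23T10:01:05 10.0.0.17 10.0.0.22 445 tcp
2004-11-23T10:01:06 10.0.0.17 10.0.0.23 135 tcp
2004-11-23T10:01:06 10.0.0.17 10.0.0.24 139 tcp
2004-11-23T10:01:07 10.0.0.17 10.0.0.25 445 tcp
2004-11-23T10:02:00 10.0.0.30 10.0.0.5 445 tcp
2004-11-23T10:02:01 10.0.0.30 10.0.0.5 445 tcp
2004-11-23T10:03:00 10.0.0.41 192.0.2.10 6667 tcp
"""

IRC_PORT = 6667                   # port named in the description
LATERAL_PORTS = {135, 139, 445}   # RPC/DCOM, NetBIOS session, SMB (assumed set)

def parse(log_text):
    """Yield (ts, src, dst, dport) tuples, skipping malformed or non-TCP lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[4] != "tcp":
            continue
        try:
            yield parts[0], parts[1], parts[2], int(parts[3])
        except ValueError:
            continue

def suspicious_hosts(log_text, min_targets=3):
    """Return sources that reached IRC/6667 and also touched at least
    min_targets distinct hosts on the share/RPC ports. A single repeated
    target (normal file-server use) does not count as spreading."""
    irc_sources = set()
    lateral = defaultdict(set)
    for _ts, src, dst, dport in parse(log_text):
        if dport == IRC_PORT:
            irc_sources.add(src)
        elif dport in LATERAL_PORTS:
            lateral[src].add(dst)
    return sorted(s for s in irc_sources if len(lateral[s]) >= min_targets)

if __name__ == "__main__":
    print(suspicious_hosts(SAMPLE_LOG))   # ['10.0.0.17']
```

A flagged host is only a lead: confirm by checking it for CDACCESS.EXE and for dropped copies on the shares it contacted.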

It runs on Windows 95, 98, ME, NT, 2000, and XP.

For additional information about this threat, see:

  • Solution

  • Technical Details

Description created: Nov. 23, 2004 10:49:16 AM GMT -0800
