

VIRUS ALERTS

Randex/Sdbot/Rbot

Original issue date: September 04, 2006

It has been observed that a worm with backdoor capabilities is circulating in the wild, exploiting several well-known buffer overflow vulnerabilities in Microsoft Windows described in CIAD-2004-05 (ASN.1 Vulnerability Could Allow Code Execution), CIVN-2005-38 (Vulnerability in Message Queuing Could Allow Code Execution), CIVN-2005-73 (Microsoft Plug and Play service Buffer Overflow Vulnerability) and, most recently, CIVN-2006-75 (Microsoft Windows Server Service Buffer Overrun Vulnerability). The worm propagates through network shares by dropping copies of itself in shared folders. It opens a backdoor and listens for commands from a remote attacker.

Aliases: WORM_RANDEX.AM [Trend], W32/Sdbot.worm!MS06-040 [McAfee], W32/Kassbot-V [Sophos], W32/Vanebot-A [Sophos], W32/Rbot-FKR [Sophos]

  • Upon execution the worm copies itself into the Windows system folder under one of the following names:
    • javanet.exe
    • msjava.exe
    • xpjavams.exe
    • wunosjava.exe
    • creative.exe
    • netapi.exe
    • msguard.exe
    • javaapplets.exe
    • jconsole.exe
    • winservnt32.exe
  • It may show the following fake error message:
    • Can't run on Window
    • S Error code: (-2394)
    • Error description: LLIBKCUF / File has remove his self.
  • Adds one of the following values:
    • "MS Java for Windows XP & NT" = "javanet.exe"
    • "MS Java for Windows NT" = "msjava.exe"
    • "MS Java Applets for Windows NT, ME & XP" = "japaapplets.exe"
    • "Sun Java Console for Windows NT & XP" = "jconsole.exe"
    to the registry subkeys:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
  • Adds the value:
    • "JavaNet" = "rBot v2 a.k.a. the next generation (working on winXP SP2)"
    to the registry subkey:
    HKEY_CURRENT_USER\Software\Microsoft\Windows

  • Adds the values:
    • "Shell" = "Explorer.exe javanet.exe"
    • "Userinit" = "%System%\userinit.exe,javanet.exe"
      or
    • "Shell" = "Explorer.exe msjava.exe"
    • "Userinit" = "%System%\userinit.exe,msjava.exe"
      or
    • "Shell" = "Explorer.exe javapllets.exe"
    • "Userinit" = "%System%\userinit.exe,javaapplets.exe"
      or
    • "Shell" = "Explorer.exe jconsole.exe"
    • "Userinit" = "%System%\Userinit.exe,jconsole.exe"
      or
    • "Shell" = "Explorer.exe winservnt.exe"
    • "Userinit" = "%System%\Userinit.exe,winservnt32.exe"

    to the registry subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  • Adds the values:
    • "DoNotAllowXPSP2" = "1"
    • "DoNotAllowXPSP3" = "1"
    to the registry subkey:
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
  • Adds the value:
    • "MS Update WinServices NT/XP" = "winservnt32.exe"
    to the registry subkeys:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • Modifies the value:
    • "EnableDCOM" = "N" in the registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
    to disable DCOM on the compromised computer.
  • Modifies the value:
    • "Start" = "4"
    in the registry subkeys:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
    to prevent these services from starting automatically when Windows boots.
  • The worm opens a backdoor and listens for commands, which may allow a remote attacker to perform some of the following actions on the compromised computer:
    • Download and execute files
    • List, stop, and start processes and threads
    • Launch SYN, UDP and HTTP denial of service attacks
    • Open a command shell on the compromised computer
    • Start a SOCKS4 proxy server
    • Log keystrokes
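A read-only host audit for the indicators listed above, added here as an example and not part of the CERT-In alert. It assumes %System% is %SystemRoot%\System32 and that the service pack block lives under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate; run it elevated on a suspect host and it reports only, changing nothing.

```powershell
# Added example (not from the advisory): report the file, autorun and
# hardening-rollback indicators this alert lists. Read-only; run elevated.
$Names = @('javanet.exe','msjava.exe','xpjavams.exe','wunosjava.exe','creative.exe',
           'netapi.exe','msguard.exe','javaapplets.exe','jconsole.exe','winservnt32.exe')
$Findings = New-Object System.Collections.Generic.List[string]

# Read one registry value, returning $null when the key or value is absent
function Get-RegValue([string]$Key, [string]$Name) {
    if (-not (Test-Path $Key)) { return $null }
    return (Get-Item $Key).GetValue($Name)
}

# 1. Copies dropped into the system folder (assumed to be %SystemRoot%\System32)
foreach ($n in $Names) {
    $p = Join-Path $env:SystemRoot "System32\$n"
    if (Test-Path $p) { $Findings.Add("Dropped file present: $p") }
}

# 2. Winlogon: Shell must be explorer.exe alone; Userinit must end at userinit.exe
$wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = [string](Get-RegValue $wl 'Shell')
if ($shell -ne 'explorer.exe') { $Findings.Add("Winlogon Shell tampered: '$shell'") }
$userinit = [string](Get-RegValue $wl 'Userinit')
if ($userinit -notmatch '^[^,]*\\userinit\.exe,?$') { $Findings.Add("Winlogon Userinit tampered: '$userinit'") }

# 3. Run / RunServices entries launching a dropped name, plus the "JavaNet" marker value
$autorunKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
               'HKCU:\SOFTWARE\Microsoft\Windows'
foreach ($k in $autorunKeys) {
    if (-not (Test-Path $k)) { continue }
    $item = Get-Item $k
    foreach ($vn in $item.GetValueNames()) {
        $v = [string]$item.GetValue($vn)
        $hit = $Names | Where-Object { $v -match [regex]::Escape($_) }
        if ($hit -or $vn -eq 'JavaNet') { $Findings.Add("Autorun ${k} '$vn' = '$v'") }
    }
}

# 4. Hardening rolled back: SP block (key path assumed), DCOM off, firewall/ICS and Automatic Updates disabled
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
foreach ($vn in 'DoNotAllowXPSP2','DoNotAllowXPSP3') {
    if ((Get-RegValue $wu $vn) -eq 1) { $Findings.Add("Service pack blocked by policy: $vn") }
}
if ((Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Ole' 'EnableDCOM') -eq 'N') { $Findings.Add('DCOM disabled (EnableDCOM = N)') }
foreach ($svc in 'SharedAccess','wuauserv') {
    if ((Get-RegValue "HKLM:\SYSTEM\CurrentControlSet\Services\$svc" 'Start') -eq 4) { $Findings.Add("Service $svc disabled (Start = 4)") }
}

if ($Findings.Count -eq 0) { 'No indicators from this alert found.' } else { $Findings }
```

Any finding in sections 2 to 4 warrants a full antivirus scan with current signatures and application of the patches referenced in CIVN-2006-75 before the host is returned to the network.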

References:

http://www.isc.sans.org/diary.php?storyid=1660&isc=64e7bb16590c8efaa48544e0b4c73c7a
http://www.symantec.com/security_response/writeup.jsp?docid=2006-081910-4849-99&tabid=2
http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-083015-4912-99
http://www.sophos.com/security/analyses/w32rbotfkr.html?_log_from=rss
http://www.sophos.com/virusinfo/analyses/w32vanebota.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RANDEX.AM
http://vil.nai.com/vil/content/v_140440.htm
http://news.zdnet.com/2100-1009_22-6108409.html

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91 11-24368572

Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003