Virus

W32/RBot.GR!worm

Analysis

Specifics
This 32-bit Internet worm contains code to perform several functions, and to compromise systems using several methods.
This is a list of the programmed capabilities of this threat -

  • HTTPD server
  • TFTP server
  • Socks4 proxy
  • "Counterstrike Retail" registry CD key extraction
  • Steal "Winlogon" credentials
  • Add network connections using import "WNetAddConnection"
  • Add, list or delete network shares
  • Connect with websites
  • Steal Clipboard data
  • Receive and initiate remote shell request from a malicious user
  • Connect with an IRC server to await instructions from a malicious user
  • Flush ARP & DNS cache data
  • Capture webcam video
  • Perform DDoS attacks using SYN, TCP, PING, UDP & ICMP
  • Activate key logging
  • Initiate a "Carnivore" packet sniffer thread - it is similar only by name to the actual "Carnivore" tool created for the Federal Bureau of Investigation
  • Spread to other systems using various vulnerabilities

Vulnerabilities Used to Compromise a Target
This threat uses several known vulnerabilities to compromise and infect a target system -
  • WebDAV exploit
  • RPC exploit
  • C$, IPC$ shares, weak password configurations
  • SQL servers using a default installation
  • Dameware remote control server overflow exploit

IRC Connection
If this threat is run, it will copy itself to the System32 folder. It will then run a DNS query for an IRC server named 'leechurs.ath.cx' to obtain the IP address. Next, the threat will connect to that IP address (currently 10.0.1.128) using TCP port 6667 and await instructions from a malicious user.
Miscellaneous
This threat contains these strings, which don't appear to ever be displayed -
  • ver1.5
  • rxBot v0.6.5 pk-LSDigital spreader

Recommended Action

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
  • Using the FortiGate manager, block external to internal access using TCP ports 6667, 137, 139, 1433, 1434 and 445
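A defender-side illustration of the network indicators described under IRC Connection and the ports listed in the Recommended Action, added here as an example and not part of this analysis: it scans constructed log lines for the C2 hostname lookup, connections on the IRC port, and hosts fanning out to many peers on the share and SQL ports the worm spreads over. The log format, host addresses and the fan-out threshold are assumptions made for the example.

```python
import re
from collections import defaultdict

# Indicators from the analysis above: the IRC C2 hostname, the IRC port, and
# the service ports the worm spreads over (NetBIOS/SMB shares, MS SQL).
C2_HOST = "leechurs.ath.cx"
IRC_PORT = 6667
SPREAD_PORTS = {137, 139, 445, 1433, 1434}

# Constructed sample log lines (not real traffic). Format assumed here:
# "DNS src=<ip> query=<name>" and "CONN <src>:<sport> -> <dst>:<dport>/tcp".
SAMPLE_LOGS = """\
DNS src=192.168.1.20 query=www.example.com
DNS src=192.168.1.20 query=leechurs.ath.cx
CONN 192.168.1.20:1042 -> 10.0.1.128:6667/tcp
CONN 192.168.1.20:1043 -> 192.168.1.51:445/tcp
CONN 192.168.1.20:1044 -> 192.168.1.52:445/tcp
CONN 192.168.1.20:1045 -> 192.168.1.53:445/tcp
CONN 192.168.1.30:2201 -> 192.168.1.10:445/tcp
CONN 192.168.1.30:2202 -> 192.168.1.10:445/tcp
"""

DNS_RE = re.compile(r"DNS src=(\S+) query=(\S+)")
CONN_RE = re.compile(r"CONN (\S+):\d+ -> (\S+):(\d+)/tcp")


def scan(log_text: str, spread_threshold: int = 3) -> list[tuple[str, str]]:
    """Return (source, reason) alerts for C2 lookups, IRC connections, and
    hosts fanning out to many targets on the share/SQL ports the worm uses."""
    alerts: list[tuple[str, str]] = []
    fanout: dict[tuple[str, int], set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        m = DNS_RE.search(line)
        if m and m.group(2).lower().rstrip(".") == C2_HOST:
            alerts.append((m.group(1), f"DNS lookup of C2 host {C2_HOST}"))
            continue
        m = CONN_RE.search(line)
        if not m:
            continue
        src, dst, port = m.group(1), m.group(2), int(m.group(3))
        if port == IRC_PORT:
            alerts.append((src, f"IRC connection to {dst}:{port}"))
        elif port in SPREAD_PORTS:
            fanout[(src, port)].add(dst)  # distinct targets per source/port
    # One host reaching many distinct peers on a share or SQL port looks like
    # worm spreading; repeated use of a single file server does not.
    for (src, port), dsts in sorted(fanout.items()):
        if len(dsts) >= spread_threshold:
            alerts.append((src, f"{len(dsts)} hosts contacted on port {port}"))
    return alerts
```

Running `scan(SAMPLE_LOGS)` flags the infected host 192.168.1.20 three times (C2 lookup, IRC connection, fan-out on port 445) and leaves 192.168.1.30, which only talks to one file server, unflagged.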