W32/Rbot-IA

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: Small Number of Reports


W32/Rbot-IA is a network worm with backdoor capabilities.

W32/Rbot-IA connects to an IRC server and awaits commands from a remote attacker.

W32/Rbot-IA spreads by exploiting the Universal PNP (MS01-059), WebDav (MS03-007), RPC/DCOM (MS03-026, MS04-012), LSASS (MS04-011) and DameWare (CAN-2003-1030) vulnerabilities.

W32/Rbot-IA is a network worm with IRC backdoor functionality.

In order to run automatically when Windows starts up the worm copies itself to the file winxp43.exe in the Windows system folder.

Once installed, W32/Rbot-IA connects to a preconfigured IRC server, joins a channel and awaits further instructions. These instructions can cause the bot to perform any of the following actions:

flood a specified host with UDP, TCP, SYN, ICMP or ping packets
start a webserver offering the contents of the local drive
start a socks4 proxy server
redirect TCP connections
start a TFTP server
start a command shell server
search for product keys
download and install an updated version of itself
show statistics about the infected system
kill antivirus and security processes
list/terminate running processes
scan randomly- or sequentially-chosen IPs for infectable machines
start a keylogger
close down vulnerable services in order to secure the machine

The worm spreads to machines affected by known vulnerabilities, running network services protected by weak passwords, or already infected by common backdoor Trojans.

Vulnerabilities:

Universal PNP (MS01-059)
WebDav (MS03-007)
RPC DCOM (MS03-026, MS04-012)
LSASS (MS04-011)
DameWare (CAN-2003-1030)

Services:

NetBios
NTPass
MS SQL

Backdoors:

Troj/Kuang
Troj/Optix
Troj/NetDevil
W32/Bagle
Troj/Sub7

W32/Rbot-IA creates or modifies the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Machine = "winxp43.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Machine = "winxp43.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Machine = "winxp43.exe"

HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N"
HKLM\SYSTEM\ControlSet001\Control\Lsa\restrictanonymous = 00000001
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = 00000001
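
As an added triage example, not part of the Sophos analysis: a small Python script that checks for exactly the registry entries listed above. It assumes a registry snapshot shaped {key path: {value name: data}}, which snapshot_live() builds with the standard winreg module on Windows; the EnableDCOM and restrictanonymous values are reported separately because they are also legitimate hardening settings an administrator may have set.

```python
"""Registry triage for the W32/Rbot-IA indicators listed above (added example)."""
import sys

# Indicator locations and values are taken from the description above.
RUN_KEYS = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
)
RUN_VALUE, PAYLOAD = "Microsoft Machine", "winxp43.exe"
HARDENING = (  # (key, value name, data the worm writes)
    (r"HKLM\SOFTWARE\Microsoft\Ole", "EnableDCOM", "N"),
    (r"HKLM\SYSTEM\ControlSet001\Control\Lsa", "restrictanonymous", 1),
    (r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa", "restrictanonymous", 1),
)

def assess(snapshot):
    """snapshot: {key_path: {value_name: data}} as returned by snapshot_live().
    A Run-key value naming winxp43.exe is the strong indicator; the hardening
    values alone only show that something (this worm or an admin) set them."""
    # Registry paths and value names are case-insensitive, so normalise both.
    reg = {k.lower(): {n.lower(): d for n, d in v.items()} for k, v in snapshot.items()}
    get = lambda key, name: reg.get(key.lower(), {}).get(name.lower())
    persistence = [k for k in RUN_KEYS
                   if PAYLOAD in str(get(k, RUN_VALUE) or "").lower()]
    # DWORDs arrive as int from winreg but as zero-padded text from a reg export;
    # stripping leading zeros makes 1 and "00000001" compare equal.
    hardening = [k + "\\" + n for k, n, want in HARDENING
                 if str(get(k, n)).lstrip("0") == str(want).lstrip("0")]
    verdict = "infected" if persistence else "suspicious" if hardening else "clean"
    return {"verdict": verdict, "persistence": persistence, "hardening": hardening}

def snapshot_live():
    """Read only the indicator keys from the live registry (Windows only)."""
    import winreg  # standard library, but only importable on Windows
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    out = {}
    for key in RUN_KEYS + tuple(k for k, _, _ in HARDENING):
        hive, _, sub = key.partition("\\")
        try:
            with winreg.OpenKey(hives[hive], sub) as h:
                out[key] = dict(winreg.EnumValue(h, i)[:2]
                                for i in range(winreg.QueryInfoKey(h)[1]))
        except OSError:  # key absent or access denied: treat as no finding
            pass
    return out

if __name__ == "__main__" and sys.platform == "win32":
    print(assess(snapshot_live()))
```

On a non-Windows analysis host, feed assess() a snapshot parsed from a reg export taken on the suspect machine instead of calling snapshot_live().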

The worm terminates the following processes:

regedit.exe
msconfig.exe
netstat.exe
msblast.exe
zapro.exe
navw32.exe
navapw32.exe
zonealarm.exe
wincfg32.exetaskmon.exe (sic)
PandaAVEngine.exe
sysinfo.exe
mscvb32.exe
MSBLAST.exe
teekids.exe
Penis32.exe
bbeagle.exe
SysMonXP.exe
winupd.exe
winsys.exe
ssate.exe
rate.exe
d3dupdate.exe
irun4.exe
i11r54n4.exe

W32/Rbot-IA searches for product keys for the following software:

Counter-Strike (Retail)
The Gladiators
Gunman Chronicles
Half-Life
Industry Giant 2
Legends of Might and Magic
Soldiers of Anarchy
Microsoft Windows
Unreal Tournament 2003
Unreal Tournament 2004
IGI 2: Covert Strike
Freedom Force
Battlefield 1942
Battlefield 1942 (Road to Rome)
Battlefield 1942 (Secret Weapons of WWII)
Battlefield Vietnam
Black and White
Command and Conquer: Generals (Zero Hour)
James Bond 007: Nightfire
Command and Conquer: Generals
Medal of Honor: Allied Assault
Medal of Honor: Allied Assault: Breakthrough
Medal of Honor: Allied Assault: Spearhead
Need for Speed Hot Pursuit 2
Need for Speed: Underground
Shogun: Total War: Warlord Edition
FIFA 2002
FIFA 2003
NHL 2002
NHL 2003
Nascar Racing 2002
Nascar Racing 2003
Rainbow Six III RavenShield
Command and Conquer: Tiberian Sun
Command and Conquer: Red Alert
Command and Conquer: Red Alert 2
NOX
Chrome
Hidden & Dangerous
Soldier of Fortune II - Double Helix
Neverwinter Nights
Neverwinter Nights (Shadows of Undrentide)
Neverwinter Nights (Hordes of the Underdark)
