BleepingComputer.com > MS04-007: RBOT variant

Full Version: MS04-007: RBOT variant - 1st Internet version

BleepingComputer.com > Security > Breaking Virus & Security News

harrywaldron

Jun 6 2005, 03:49 PM

Kaspersky's weblog entry of June 5th entitled "Robots,vile robots everywhere!" is a great read. While this vulnerability is one year old, there might be some folks who have only applied MS04-011 and MS03-026 for XP or 2000 to stop true Sasser and Blaster type worms.

MS04-007: RBOT variant - 1st worm to exploit ASN.1 via Internet
(see June 5th weblog entry)

Investigation of the packets revealed a Microsoft ASN.1 exploit, which tries to download and run an executable from the attacking machine via TFTP. We've secured a binary and took a look under the cover. The responsible worm was a Rbot variant, ...

Besides the ASN.1 exploit - and this is the first worm to use it successfully on the Internet - the Rbot variant uses a multitude of other exploits, DCOM, RPC,Veritas Backup Exec, LSASS, MSSQL, password guessing and so on. It also steals registration keys from a good list of popular games, PayPal accounts logins, has an embedded backdoor and of course, DDoS capabilities.

Basically, it's a worm which tries very hard to spread while at the same time, it tries to steal as many valuable data from the victim machine as it is available. It is a highly infectious worm, written for profit. And yes, most of the other worms we're seeing nowadays are no different.

Spybot.PKC - May be a close example of the new RBOT variant

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.