Jun 22 2004, 02:12 PM - Post #1
Security Reporter (Group: News Reporters; Posts: 491; Joined: 10-April 04; From: Roanoke, Virginia; Member No.: 107)
Internet Storm Center: RBOT.CC worm
http://www.incidents.org/diary.php?date=2004-06-21

This worm vociferously scans for TCP port 445, and then tries to break in via RPC DCOM flaws (a la Blaster), IIS5/WebDAV flaws (a la Nachi/Welchia), and LSASS vulnerabilities (a la Sasser). When it infects a system, Rbot.cc runs a process called systemse.exe that starts at boot time. Be on the lookout for it in your environment.

MS04-011: RBOT.CC worm (attacks in multiple ways)
http://www.trendmicro.com/vinfo/virusencyc...RBOT.CC&VSect=T

A summary of key attack methods includes:

Unpatched Microsoft systems lacking the following updates:
http://www.microsoft.com/technet/security/...n/MS03-026.mspx
http://www.microsoft.com/technet/security/...n/MS03-007.mspx
http://www.microsoft.com/technet/security/...n/MS04-011.mspx

Network Propagation and Exploits
This worm spreads through network shares. It uses NetBEUI functions to gather cached passwords of the currently logged-in user. It then uses the gathered passwords to log on to accessible network shares, where it drops and executes a copy of itself. If this fails, the worm may also use a hardcoded list of passwords.

Backdoor capabilities on Infected Systems
This worm has a built-in IRC (Internet Relay Chat) client engine, which enables it to connect to an IRC channel. It connects via port 6667 and awaits commands from a remote user. At this point, the worm becomes an IRC bot, functioning as an automated software program that can execute certain commands when it receives a specific input.

These commands include:
* Download an updated version of itself
* Disable network shares
* Download and execute a file
* Launch a SYN and ICMP flood attack
* List and terminate services and processes
* Open and execute a file
* Perform several IRC-related functions
* Redirect connections
* Visit a particular Web site
* Denial of Service
* This worm steals CD keys for several games
* Steal system information, such as: CPU speed, currently logged-in user, free/total RAM, malware uptime, Windows version and build

DDoS capabilities against targeted websites
This worm also has the capability to perform a Distributed Denial of Service (DDoS) attack against a target site by using the following methods:
* Ping flood
* SYN flood
* UDP flood
* Information Theft
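As an added example (not code from the post, nor from ISC or Trend Micro), here is a small Python triage script that flags the two network behaviours the write-up describes: a host fanning out to TCP/445 across many peers, and a host opening an outbound connection on the IRC port 6667. The firewall line format, the sample log lines and the fan-out threshold are constructed assumptions; adapt the regex to your own firewall's export.

```python
import re
from collections import defaultdict

# Assumed (hypothetical) firewall line format:
#   "<time> <src_ip> -> <dst_ip>:<dst_port> <proto> <ACTION>"
LINE_RE = re.compile(r"^(\S+) ([\d.]+) -> ([\d.]+):(\d+) (\w+) (\w+)$")

SMB_FANOUT_THRESHOLD = 4   # distinct peers on TCP/445 before we call it a sweep (tunable)
IRC_PORT = 6667            # the command-and-control port named in the write-up

def parse(lines):
    """Yield (src, dst, dport, proto) for lines matching LINE_RE; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            _, src, dst, dport, proto, _ = m.groups()
            yield src, dst, int(dport), proto

def find_suspects(lines, fanout_threshold=SMB_FANOUT_THRESHOLD):
    """Return {src_ip: [reasons]} for hosts showing the worm's network behaviour."""
    smb_peers = defaultdict(set)   # src -> distinct hosts it touched on 445
    irc_peers = defaultdict(set)   # src -> hosts it contacted on 6667
    for src, dst, dport, proto in parse(lines):
        if proto != "TCP":
            continue               # the 445 scanning and the IRC C&C are both TCP
        if dport == 445:
            smb_peers[src].add(dst)
        elif dport == IRC_PORT:
            irc_peers[src].add(dst)
    suspects = defaultdict(list)
    for src, peers in smb_peers.items():
        if len(peers) >= fanout_threshold:   # distinct peers, so retries don't inflate it
            suspects[src].append(f"TCP/445 fan-out to {len(peers)} peers")
    for src, peers in irc_peers.items():
        suspects[src].append(f"outbound IRC TCP/{IRC_PORT} to {', '.join(sorted(peers))}")
    return dict(suspects)

# Constructed sample: 10.0.0.5 sweeps the subnet on 445 then phones home on 6667;
# 10.0.0.9 is an ordinary client talking to one file server and a DNS resolver.
SAMPLE_LOG = [
    "12:00:01 10.0.0.5 -> 10.0.0.10:445 TCP DROP",
    "12:00:01 10.0.0.5 -> 10.0.0.11:445 TCP DROP",
    "12:00:01 10.0.0.5 -> 10.0.0.12:445 TCP ACCEPT",
    "12:00:02 10.0.0.5 -> 10.0.0.12:445 TCP ACCEPT",   # retry to the same host, counted once
    "12:00:02 10.0.0.5 -> 10.0.0.13:445 TCP DROP",
    "12:00:05 10.0.0.5 -> 198.51.100.7:6667 TCP ACCEPT",
    "12:00:03 10.0.0.9 -> 10.0.0.20:445 TCP ACCEPT",
    "12:00:03 10.0.0.9 -> 10.0.0.53:53 UDP ACCEPT",
    "malformed line that the parser skips",
]
```

Running `find_suspects(SAMPLE_LOG)` reports only 10.0.0.5, with both reasons; pair this with a host check for the systemse.exe process the write-up names.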