Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


MS04-011: RBOT.CC worm (attacks in multiple ways)

  • Please log in to reply
No replies to this topic

#1 harrywaldron


    Security Reporter

  • Members
  • 509 posts
  • Gender:Male
  • Location:Roanoke, Virginia
  • Local time:08:54 AM

Posted 22 June 2004 - 02:12 PM

The Interent Storm Center highlights this new MS04-011 blended threat that attacks vulnerable systems in a number of ways. So far, this is low risk as it is not found in the wild, but is highlighted for it's potential capabilities.

Internet Storm Center: RBOT.CC worm

This worm vociferously scans for TCP port 445, and then tries to break in via RPC DCOM flaws (a la Blaster), IIS5/WebDAV flaws (a la Nachi/Welchia), and LSASS vulnerabilties (a la Sasser). When it infects a system, Rbot.cc runs a process called systemse.exe that starts at boot time. Be on the lookout for it in your environment.

MS04-011: RBOT.CC worm (attacks in multiple ways)

A summary of key attack methods include:

Unpatched Microsoft Systems lacking the following updates:


Network Propagation and Exploits

This worm spreads through network shares. It uses NetBEUI functions to gather cached passwords of the currently logged user. It then uses the gathered passwords to log on to accessible network shares, where it will drop and execute a copy of itself. If this fails, the worm may also use a hardcoded list of passwords.

Backdoor capabilities on Infected Systems

This worm has a built-in IRC (Internet Chat Relay) client engine, which enables it to connect to an IRC channel. It connects via port 6667 and awaits commands from a remote user. At this point, the worm becomes an IRC bot, functioning as an automated software program that can execute certain commands when it receives a specific input. These commands include:

* Download an update version of itself
* Disable network shares
* Download and Execute a file
* Launch a SYN and ICMP flood attack
* List and terminate services and processes
* Open and execute a file
* Perform several IRC-related functions
* Redirect connections
* Visit a particular Web site
* Denial of Service
* This worm steals CD keys for several games
* Steal system information, such as: CPU speed, Currently logged-in user, Free/Total RAM, Malware uptime, Windows version and build

DDOS capabilities against targeted websites

This worm also has the capability to perform a Distributed Denial of Service (DDoS) attack against a target site by using the following methods:

* Ping flood
* SYN flood
* UPD flood
* Information Theft

BC AdBot (Login to Remove)


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users