W32.Worm.Rinbot.BC

Notification Date: April 17, 2007
Notification Version: 1.1

Name: W32.Worm.Rinbot.BC
Public disclosure/In the wild date: April 16, 2007
Aliases: W32/Nirbot.worm!83E1220A (McAfee), Exploit:Win32/Siveras.B (Microsoft), W32/Delbot-AI (Sophos), W32.Rinbot.BC (Symantec), WORM_VANBOT.GC (Trend Micro), Backdoor.Win32.VanBot.bx (F-Secure), Backdoor.Win32.VanBot.bx (Kaspersky)

Risk: Medium
CVE: CVE-2007-1748, CVE-2006-3439, and CVE-2006-2630
Description: IBM X-Force has been monitoring the activity of a new variant in the Rinbot family of malware. This new variant has been using worm-like propagation techniques exploiting the recently announced Microsoft DNS vulnerability (CVE-2007-1748) and two older vulnerabilities affecting the Microsoft Server Service (CVE-2006-3439) and Symantec software (CVE-2006-2630).

ISS Coverage

Product                                              Content Version
Network Sensor 7.0                                   24.59
Proventia A                                          24.59
Proventia IPS (G/GX) prior to Firmware Version 1.2   24.59
Server Sensor 7.0                                    24.59
Proventia IPS (G/GX) Firmware Version 1.2 or later   1.98
Proventia Multifunction Appliance                    1.98
Proventia Server (Linux)                             1.98
Proventia Server (Windows)                           1.0.x.1990
Proventia Desktop                                    x.x.x.1990
RealSecure Desktop 7.0                               EQE
BlackICE PC Protection 3.6                           CQE
Enterprise Scanner                                   1.21
Internet Scanner                                     7.2.41

Propagation Techniques    ISS Protection                         Available
remote network exploit    MSRPC_MSDNS_Request_Bo                 April 14, 2007
                          MSRPC_Srvsvc_Bo                        Aug 8, 2006
                          SymantecAntivirusClientBo              Jun 3, 2006
                          Symantec_Management_Overflow           Jun 3, 2006
downloaders (files)       SpawnDropper0 (VPS)                    May 10, 2005
                          Delbot-AI (PMA sig AV)                 April 17, 2007
                          Backdoor.Vanbot.AN (desktop sig AV)    April 16, 2007

Detection Techniques      ISS Protection                         Available
signature AV              Delbot-AI (PMA)                        April 17, 2007
                          Backdoor.Vanbot.AN (desktop)           April 16, 2007

Detailed Description

Affected Platforms:
  • Microsoft Windows 2000
  • Microsoft Windows XP
  • Microsoft Windows Server 2003

Technical Description:

Malcode Installation

Upon execution, the malware will drop a copy of itself to the %System% directory as mdnex.exe.

(Where %System% refers to the Windows system folder. On Windows XP and 2003, the Windows system folder is usually C:\Windows\System32, on Windows 2000 it is usually C:\WINNT\System32)

The malcode will then create the following registry entry so that its dropped copy will be executed upon system startup:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Microsoft DNSx = "%System%\mdnex.exe"

It will then attempt to download the file radi.exe from www.tgiweb.com (not available as of this time) to the C:\ directory and run it.

To ensure that only one instance of the malcode is running at any given time, it will try to create a mutex named "MSDNSx0" and terminate if the mutex already exists.

Propagation

This worm propagates by exploiting the recent Microsoft DNS Server Service vulnerability (CVE-2007-1748), an older Microsoft vulnerability affecting the Microsoft Windows Server Service (CVE-2006-3439/MS06-040), and an older Symantec vulnerability (CVE-2006-2630).

Upon successful exploitation, a copy of the worm will be downloaded to the target system as C:\U.exe.

Bot Capability

This worm will attempt to connect to any of these IRC servers on TCP port 8080 and join channel ##DNS:

x.rofflewaffles.us
symantec.has.sand.in.its.vagina
is.wayne.brady.gonna.have.to.chokeabitch.us
x.anti-viral.us

Once the connection is established, the affected system can receive commands from a remote attacker.
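The dropper download described under Malcode Installation and the IRC rendezvous above are both visible on the network. The following Python is an added example (not ISS code and not part of the original alert): it matches constructed proxy/firewall log lines against the indicators quoted in this alert. The space-separated log format and the sample lines are assumptions made for the example.

```python
import re

# Indicators quoted from this advisory (IRC C2 hosts/port/channel, dropper download).
IRC_C2_HOSTS = {
    "x.rofflewaffles.us",
    "symantec.has.sand.in.its.vagina",
    "is.wayne.brady.gonna.have.to.chokeabitch.us",
    "x.anti-viral.us",
}
IRC_C2_PORT = 8080
IRC_C2_CHANNEL = "##DNS"
DOWNLOAD_HOST = "www.tgiweb.com"
DOWNLOAD_FILE = "radi.exe"

# Assumed (constructed) log format, one event per line:
# <timestamp> <src_ip> <dst_host> <dst_port> <proto> <payload or URL>
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+) (.*)$")
JOIN_RE = re.compile(r"\bJOIN\s+" + re.escape(IRC_C2_CHANNEL) + r"(?!\S)")

def classify(line: str) -> list[str]:
    """Return the indicator names matched by one log line ([] if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return []  # malformed line: ignore rather than guess
    _ts, _src, host, port, proto, payload = m.groups()
    host = host.lower()
    hits = []
    if host in IRC_C2_HOSTS:
        hits.append("c2-host")
    # Port 8080 alone is noisy (HTTP proxies); only count it for IRC traffic.
    if int(port) == IRC_C2_PORT and proto.lower() == "irc":
        hits.append("irc-8080")
    if JOIN_RE.search(payload):
        hits.append("join-##DNS")
    if host == DOWNLOAD_HOST and payload.lower().endswith(DOWNLOAD_FILE):
        hits.append("radi.exe-download")
    return hits

def scan(lines: list[str]) -> dict[str, list[str]]:
    """Map each suspicious line to its matched indicators, dropping clean lines."""
    return {line: classify(line) for line in lines if classify(line)}

# Constructed sample traffic: one infected host (10.0.0.5) and one clean host (10.0.0.7).
SAMPLE_LOG = [
    "2007-04-16T10:00:50 10.0.0.5 www.tgiweb.com 80 http GET http://www.tgiweb.com/radi.exe",
    "2007-04-16T10:01:02 10.0.0.5 x.rofflewaffles.us 8080 irc NICK bot12345",
    "2007-04-16T10:01:03 10.0.0.5 x.rofflewaffles.us 8080 irc JOIN ##DNS",
    "2007-04-16T10:02:00 10.0.0.7 www.example.com 443 https GET https://www.example.com/",
]
```

Calling scan(SAMPLE_LOG) flags the three lines from 10.0.0.5 and nothing from the clean host; in practice a single "irc-8080" hit without a host or channel match should be treated as low confidence.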

Symptoms:
  • Affected system being controlled by a remote attacker via IRC
  • High bandwidth utilization due to network worm behavior

Removal instructions:
  1. Terminate the following malcode process:

    mdnex.exe

    Note: Since the malcode also attempts to terminate the task manager, the task manager program (%System%\taskmgr.exe) can be copied to a different filename and then executed. Several process management tools are also available on the Internet; one example is Process Explorer from Sysinternals: http://www.sysinternals.com/Utilities/ProcessExplorer.html
  2. Delete the following malcode file:

    %System%\mdnex.exe

    (Where %System% refers to the Windows system folder. On Windows XP and 2003, the Windows system folder is usually C:\Windows\System32, on Windows 2000 it is usually C:\WINNT\System32)


Revision History

1.0 Initial alert.
1.1 Added Symantec info. Fixed a few typos.


About IBM Internet Security Systems
IBM Internet Security Systems is the trusted security advisor to thousands of the world's leading businesses and governments, providing pre-emptive protection for networks, desktops and servers. An established leader in security since 1994, the IBM Proventia® integrated security platform is designed to automatically protect against both known and unknown threats, helping to keep networks up and running and shielding customers from online attacks before they impact business assets. IBM Internet Security Systems products and services are based on the proactive security intelligence of its X-Force® research and development team – the unequivocal world authority in vulnerability and threat research. The Internet Security Systems product line is also complemented by comprehensive Managed Security Services and Professional Security Services. For more information, visit the Internet Security Systems Web site at www.iss.net or call 800-776-2362.