W32/Raleka.worm

Type: Virus
SubType: Internet Worm
Discovery Date: 08/26/2003
Length: 14880 bytes
Minimum DAT: 4289 (08/27/2003)
Updated DAT: 4326 (02/18/2004)
Minimum Engine: 5.1.00
Description Added: 08/26/2003
Description Modified: 08/29/2003 1:22 AM (PT)
Risk Assessment:
  Corporate User: Low
  Home User: Low

Characteristics

-- Update August 28, 2003 --

A new variant of W32/Raleka.worm was discovered on August 28, 2003. This variant is detected by the 4288 DATs or higher as Exploit-DcomRpc; the 4290 DATs identify it as W32/Raleka.worm.b.

This threat was proactively detected as a variant of Exploit-DcomRpc with the 4288 DAT files and the 4.2.40 or higher scan engine. This detection requires scanning of compressed executables to be enabled (VirusScan 7 allows this option to be disabled, though it is enabled by default).

This is a detection for a new worm exploiting the 'Windows RPC Service' vulnerability (addressed by the MS03-026 patch). When the worm is executed, it tries to download additional files from the IP address 212.59.199.45, installs a backdoor and starts scanning random IP ranges for unprotected machines.

When the worm finds an unpatched system, it creates a 7-bit encoded file called DOWN.COM (8954 bytes) on the victim machine and executes it, passing the IP address and a port number of the attacking host. That file uses Internet Explorer to download the additional files from the attacking host rather than from the IP address mentioned above.

The files are downloaded to the SYSTEM folder:

  • NTROOTKIT.EXE (128000 bytes): Backdoor Trojan
  • NTROOTKIT.REG (245 bytes): Backdoor Trojan registry file
  • SERVICE.EXE (27136 bytes): Application to install services
  • SVCHOST32.EXE (14880 bytes): The worm itself
  • SVCHOST.CMD (132 bytes): Batch file

The NTROOTKIT files are downloaded to the Windows System directory and are detected as "NTRootKit-E" with 4289 DATs or later.

After the download, the worm tries to overwrite SVCHOST.EXE in the SYSTEM folder with a copy of itself and executes it.

The worm uses its own IRC engine to connect to the following IRC Servers:

  • irc.servercentral.net
  • irc.secsup.org
  • irc.nac.net
  • irc.mpls.ca
  • irc.mindspring.com
  • irc.limelight.com
  • irc.limelight.us
  • irc.isprime.com
  • irc.isdnet.fr
  • irc.hanetele.no
  • irc.red-latina.org
  • irc.ultra-irc.net
  • irc.ircsoulz.net

After the worm has infected a vulnerable host, the IP address of the victim machine is written to a file called "RPCSS.INI" in the Windows System directory on the attacking machine.

Symptoms

  • Network traffic to 212.59.199.45 and IRC.IRCSOULZ.NET
  • Existence of the files mentioned above.

Method of Infection

This worm spreads by exploiting a vulnerability in Microsoft Windows. It scans randomly generated IP addresses (port 135 TCP) for target machines.

Irrespective of anti-virus detection, a system that has not had the MS03-026 patch applied is susceptible to the buffer overflow attack from an infected host. When these packets are received by an unpatched system, they cause a buffer overflow and crash the RPC service on that system. All of this can occur without the worm actually being on the machine.

Applying the MS03-026 patch prevents the buffer overflow and therefore stops the RPC service from failing. It is very important that the machine be rebooted after the patch has been installed.
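A host triage check for the file and RPCSS.INI indicators described above, written here as an added example (it is not McAfee's tooling nor code from the worm). The file names and byte lengths come from the description; the assumption that RPCSS.INI holds one victim address per line is mine, since the page only says the address is written there.

```python
"""Host triage for the W32/Raleka.worm indicators listed above.
Added example, not McAfee's tooling. File names and sizes are taken from
the description; the one-IP-per-line layout of RPCSS.INI is an assumption
(the page only says the victim address is written to that file)."""
import ipaddress
import os
from typing import Dict, List

# Dropped file name -> byte length, as given in the description above.
DROPPED_FILES: Dict[str, int] = {
    "NTROOTKIT.EXE": 128000, "NTROOTKIT.REG": 245, "SERVICE.EXE": 27136,
    "SVCHOST32.EXE": 14880, "SVCHOST.CMD": 132, "DOWN.COM": 8954,
}
WORM_LENGTH = 14880  # SVCHOST.EXE gets overwritten with the worm itself

def classify_listing(listing: Dict[str, int]) -> List[str]:
    """Classify a {file name: size} listing of the SYSTEM folder.
    Dropped-file names are reported even when the size differs, so a
    repacked copy still surfaces; the legitimate SVCHOST.EXE is flagged
    only when its size equals the worm's length."""
    upper = {name.upper(): size for name, size in listing.items()}
    findings: List[str] = []
    for name, expected in DROPPED_FILES.items():
        if name in upper:
            state = "size-match" if upper[name] == expected else "size-mismatch"
            findings.append(f"{name}: present, {upper[name]} bytes ({state})")
    if upper.get("SVCHOST.EXE") == WORM_LENGTH:
        findings.append("SVCHOST.EXE: size equals worm length, likely overwritten")
    return findings

def check_system_dir(system_dir: str) -> List[str]:
    """Build the {name: size} listing from a real directory and classify it."""
    listing: Dict[str, int] = {}
    for name in os.listdir(system_dir):
        path = os.path.join(system_dir, name)
        if os.path.isfile(path):
            listing[name] = os.path.getsize(path)
    return classify_listing(listing)

def victims_from_rpcss_ini(text: str) -> List[str]:
    """Extract victim IPs recorded in RPCSS.INI on an infected host, to
    scope which other machines need the MS03-026 patch verified."""
    victims: List[str] = []
    for line in text.splitlines():
        try:
            victims.append(str(ipaddress.ip_address(line.strip())))
        except ValueError:
            continue  # blank or non-address line (assumed format)
    return victims
```

Run `check_system_dir` against the Windows System directory of a suspect host; a size mismatch still deserves a look, because a variant may be packed differently.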

Removal

All Users:
Use the specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

  N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it is quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • W32.HLLW.Raleka
  • Worm.Win32.Raleka