W32/Sdbot.worm.96716

Type
Virus
SubType
Worm
Discovery Date
06/15/2004
Length
96,716 bytes (packed with exe32pack)
Minimum DAT
4354 (04/28/2004)
Updated DAT
4354 (04/28/2004)
Minimum Engine
5.1.00
Description Added
08/24/2004
Description Modified
08/24/2004 2:43 AM (PT)
Risk Assessment
Corporate User
Low-Profiled
Home User
Low-Profiled

Characteristics

This threat has been deemed low-profiled due to media attention at:

Proactive Detection
McAfee products running the 4354 DATs (release date April 28th 2004) or greater proactively detect this threat as W32/Sdbot.worm.gen.g (with scanning of compressed files enabled, which is the default setting).

There are numerous worms in this family. For a general description, please see the W32/Sdbot.worm description. Details specific to this threat are given below.

This threat bears the following characteristics:

  • serves as a trojan backdoor on the victim machine, receiving remote commands via its connection to a remote IRC server. Backdoor functionality includes:
    • participating in distributed denial of service (DDoS) attacks
    • downloading, uploading and executing files
    • manipulating processes (list, kill)
    • relaying SMTP traffic
    • providing an HTTP server
    • providing a TFTP file server
    • logging keystrokes on the victim machine
    • shutting down the machine
  • propagates to machines over the network through several mechanisms:
    • copying itself to poorly secured shares (weak usernames/passwords)
    • copying itself to poorly secured MSSQL servers (again, weak username/password combinations)
    • exploiting several Microsoft vulnerabilities
    • exploiting the backdoors left by other malware:
      • W32/Bagle
      • W32/Mydoom
      • BackDoor-RS
      • W32/Kuang
  • attempts to steal data (e.g. registration keys) associated with various computer games.

Symptoms

General symptoms will vary, as with any other malware that provides remote access to the victim machine. The following factors typically indicate infection with an IRC bot:

  • unexpected outgoing IRC traffic (TCP, typically to destination port 6667, 6767, or 8080)
  • unexpected presence of an FTP or HTTP server on the machine (not necessarily on 'standard' ports)
  • unusually high network traffic (this may indicate that the machine is participating in a DDoS attack)
  • unexpected services installed and running on the victim machine

When executed, this variant installs itself as SYSTEMC32.EXE on the victim machine, within the Windows system folder, for example:

  • C:\WINDOWS\SYSTEM32\SYSTEMC32.EXE

The following Registry keys are added to hook system startup:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
    Run "Microsoft Updates"  = SYSTEMC32.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    Run "Microsoft Updates"  = SYSTEMC32.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    RunServices "Microsoft Updates"  = SYSTEMC32.EXE
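The two indicator sets above (the startup Run/RunServices values and the IRC destination ports) can be checked mechanically. The following is an added example written for this description, not McAfee's own tooling: it scans the text of a registry export (`regedit /e`) for the startup values named here, and flags outbound TCP flows to the listed IRC ports in a constructed, space-separated flow log. The flow-log format and the `10.` internal prefix are assumptions.

```python
import re
# Indicators quoted from this description: dropped file, Run value name, startup keys, IRC ports.
DROPPED_FILE = "SYSTEMC32.EXE"
RUN_VALUE_NAME = "Microsoft Updates"
STARTUP_KEYS = {k.lower() for k in (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
)}
IRC_PORTS = {6667, 6767, 8080}

def find_startup_hooks(reg_export):
    """Return (key, value_name, data) for values under the startup keys of a
    .reg export (regedit /e) that carry this variant's value name or file name."""
    hits, current_key = [], None
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):   # key header line
            current_key = line[1:-1]
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)        # "name"="data" value line
        if not m or current_key is None:
            continue
        name, data = m.group(1), m.group(2)
        if current_key.lower() in STARTUP_KEYS and (
                name == RUN_VALUE_NAME or DROPPED_FILE in data.upper()):
            hits.append((current_key, name, data))
    return hits

def find_irc_egress(flow_lines, internal_prefix="10."):
    """Flag TCP flows from internal hosts to the IRC ports listed under Symptoms.
    Each line is an assumed 'src sport dst dport proto' record (constructed format)."""
    hits = []
    for line in flow_lines:
        parts = line.split()
        if len(parts) != 5 or not parts[3].isdigit():
            continue
        src, _sport, dst, dport, proto = parts
        if (proto.upper() == "TCP" and src.startswith(internal_prefix)
                and int(dport) in IRC_PORTS):
            hits.append((src, dst, int(dport)))
    return hits

# Constructed sample inputs, not real captures.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Updates"="SYSTEMC32.EXE"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"'''
SAMPLE_FLOWS = [
    "10.0.0.12 49152 203.0.113.5 6667 TCP",   # bot connecting to its IRC server
    "10.0.0.12 49153 203.0.113.9 443 TCP",    # ordinary HTTPS, not flagged
]
```

Run on a real export, only the values under the three startup keys are considered, so a benign value such as ctfmon.exe is not reported.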

Method of Infection

This worm spreads by exploiting various vulnerabilities in Microsoft Windows and backdoors opened by other worms. There are many members of this family; for a general description, please see the W32/Sdbot.worm description.

Removal

All Users:
Use the specified engine and DAT files for detection. The 4.2.40 engine can complete repair without a reboot, but older engines require a reboot for repair to complete.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the current engine and DAT combination (or higher); older engines may not be able to remove all registry keys created by this threat.

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • W32/Rbot-GR (Sophos)
