
W32/RAHack!7efec6d0

Type
Virus
SubType
Internet Worm
Discovery Date
11/04/2006
Length
50,176 bytes
Minimum DAT
4889 (11/06/2006)
Updated DAT
N/A
Minimum Engine
5.1.00
Description Added
11/29/2006
Description Modified
11/29/2006 12:35 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

This worm attempts to compromise RemoteAdmin (Radmin) remote-control installations and to exploit Windows vulnerabilities, copying itself as irdvxc.exe to each machine it compromises. Against RemoteAdmin servers it makes a succession of connection attempts using the username/password combinations listed under Symptoms. It also scans systems for the DCOM RPC vulnerability.

Symptoms

When run, this worm registers itself as a COM local server under a randomly generated CLSID, so that activating that class launches the trojan executable:

  • HKEY_CLASSES_ROOT\CLSID\{%Random CLSID%}\
    LocalServer32 = %TrojanEXEPath%
  • HKEY_CLASSES_ROOT\CLSID\{%Random CLSID%} "(Default)" = %Random Data%
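Because the CLSID is random, the entry cannot be found by name; what can be checked is where every LocalServer32 value points. As an added example (not part of the McAfee description and not the worm's code), the following Python scans a text export of the CLSID hive, such as one written by `reg export HKCR\CLSID clsid.reg`, for LocalServer32 entries that launch irdvxc.exe or an executable outside the standard system directories. The .reg sample, its GUIDs, the trusted-directory list and the file names in it are constructed for this example.

```python
"""
Scan a text export of the CLSID hive for LocalServer32 entries that launch
irdvxc.exe or an executable outside the standard system directories, the
kind of entry W32/RAHack creates under a random CLSID.

Added illustrative code; not from McAfee and not the worm's own code. The
.reg sample, its GUIDs and the trusted-directory list are constructed.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample in the layout `reg export HKCR\CLSID clsid.reg` writes
# (a real export is UTF-16; decode it before passing the text in).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{2A7C3B11-5E4D-4F80-9C21-0A1B2C3D4E5F}]
@="Sample In-Process Component"

[HKEY_CLASSES_ROOT\CLSID\{2A7C3B11-5E4D-4F80-9C21-0A1B2C3D4E5F}\InProcServer32]
@="C:\\Windows\\System32\\sample.dll"

[HKEY_CLASSES_ROOT\CLSID\{3E5FC7F9-9A51-4367-9063-A120244FBEC7}\LocalServer32]
@="C:\\Windows\\System32\\sample.exe /automation"

[HKEY_CLASSES_ROOT\CLSID\{1C9E3F1A-7B2D-4E6F-8A90-B1C2D3E4F5A6}\LocalServer32]
@="\"C:\\Documents and Settings\\user\\Local Settings\\Temp\\updater.exe\" /s"

[HKEY_CLASSES_ROOT\CLSID\{8B1F6C2A-4D3E-4F77-9A0B-2C5D1E6F7A88}]
@="xk39dl"

[HKEY_CLASSES_ROOT\CLSID\{8B1F6C2A-4D3E-4F77-9A0B-2C5D1E6F7A88}\LocalServer32]
@="C:\\WINDOWS\\irdvxc.exe"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
DEFAULT_VALUE_RE = re.compile(r'^@="(.*)"$')
# CLSID\{guid}\LocalServer32 under HKCR or under the HKLM/HKCU Classes mirrors.
LOCAL_SERVER_KEY_RE = re.compile(
    r"^(?:HKEY_CLASSES_ROOT|HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes|"
    r"HKEY_CURRENT_USER\\Software\\Classes)\\CLSID\\(\{[0-9A-F-]{36}\})\\LocalServer32$",
    re.IGNORECASE,
)
TRUSTED_DIRS = (r"C:\Windows\System32", r"C:\Program Files", r"C:\Program Files (x86)")
KNOWN_BAD_NAMES = {"irdvxc.exe"}  # file name given in the description


def _unescape_reg_string(value):
    # In a .reg string a backslash escapes the next character (\\ and \").
    return re.sub(r"\\(.)", r"\1", value)


def _command_to_exe(command):
    """Return the executable path from a LocalServer32 command line,
    with or without surrounding quotes and trailing arguments."""
    quoted = re.match(r'^\s*"([^"]+)"', command)
    if quoted:
        return quoted.group(1)
    bare = re.match(r"^\s*(\S+?\.exe)\b", command, re.IGNORECASE)
    return bare.group(1) if bare else command.strip()


def parse_local_servers(reg_text):
    """Map each CLSID that has a LocalServer32 default value to the executable it launches."""
    servers = {}
    current_key = None
    for raw_line in reg_text.splitlines():
        line = raw_line.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        value_match = DEFAULT_VALUE_RE.match(line)
        if value_match and current_key:
            server_match = LOCAL_SERVER_KEY_RE.match(current_key)
            if server_match:
                command = _unescape_reg_string(value_match.group(1))
                servers[server_match.group(1).upper()] = _command_to_exe(command)
    return servers


def _under_trusted_dir(exe_path):
    lowered = exe_path.lower()
    return any(lowered.startswith(d.lower() + "\\") for d in TRUSTED_DIRS)


def suspicious_local_servers(reg_text):
    """List (clsid, exe, reason) for LocalServer32 entries worth a closer look.
    Limit of the directory test: a copy dropped into System32 is caught only
    by file name, so pair this with hash or signature checks of each target."""
    findings = []
    for clsid, exe in sorted(parse_local_servers(reg_text).items()):
        if PureWindowsPath(exe).name.lower() in KNOWN_BAD_NAMES:
            findings.append((clsid, exe, "launches a file name used by W32/RAHack"))
        elif not _under_trusted_dir(exe):
            findings.append((clsid, exe, "launches an executable outside trusted directories"))
    return findings


if __name__ == "__main__":
    for clsid, exe, reason in suspicious_local_servers(SAMPLE_REG):
        print(f"{clsid}  {exe}  ({reason})")
```

On the constructed sample this reports two entries: the CLSID whose server lives under a user's Temp directory and the one launching irdvxc.exe; the System32 entry with a command-line argument is parsed correctly and left alone. Treat every hit as a lead, not a verdict, and confirm the file on disk before removing the key.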

It also connects to TCP ports 9988, 445 and 135 on the systems it targets. TCP 445 is the SMB port through which shares are reached, and TCP 135 is the DCOM RPC endpoint mapper that the DCOM RPC exploit targets.

It cycles through the following list of usernames and passwords when trying to connect to poorly administered shares or RemoteAdmin servers:

  • Administrator
  • Admin
  • www
  • windows
  • visitor
  • test2
  • password
  • test1
  • test
  • temp
  • telnet
  • ruler
  • remote
  • real
  • random
  • qwerty
  • public
  • private
  • poiuytre
  • passwd
  • pass
  • oracle
  • nopass
  • nobody
  • nick
  • newpass
  • new
  • network
  • monitor
  • money
  • manager
  • mail
  • login
  • internet
  • install
  • hello
  • guest
  • goX
  • demo
  • default
  • debug
  • database
  • crew
  • computer
  • coffee
  • bin
  • beta
  • backup
  • backdoor
  • anonymous
  • anon
  • alpha
  • adm
  • access
  • abc123
  • system
  • sys
  • super
  • sql
  • sh** (* replaces actual content)
  • shadow
  • setup
  • security
  • secure
  • secret
  • 123456789
  • 12345678
  • 1234567
  • 123456
  • 12345
  • 1234
  • 123
  • 121
  • 00000000
  • 0000000
  • 000000
  • 00000
  • 0000
  • 000
  • 00
  • server
  • asdfgh
  • root
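On the victim side, this credential cycling leaves a distinctive trail: a burst of failed network logons from one source, walking through the account names above (Windows Security event 4625 on Vista and later, 529 on Windows XP/2003, logon type 3 in both cases). As an added example, not McAfee's code, the following Python applies a sliding-window check to such events and reports sources whose failures cover several distinct names from the worm's dictionary within a minute. The event lines and their pipe-delimited layout are constructed for this example; adapt parse_events to whatever your log export looks like.

```python
"""
Sliding-window detector for the credential-guessing burst W32/RAHack
produces against SMB shares: many failed network logons from one source,
cycling through the account names in the worm's dictionary.

Added illustrative code, not McAfee's. Failed-logon event IDs: 4625 on
Vista and later, 529 on Windows XP/2003. The event lines and their
pipe-delimited layout (time|event_id|account|source_ip|logon_type) are
constructed for this example; adapt parse_events to your own export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON_IDS = {4625, 529}
NETWORK_LOGON = 3

# The username/password list from the description, minus the redacted entry.
RAHACK_DICTIONARY = frozenset("""
Administrator Admin www windows visitor test2 password test1 test temp telnet
ruler remote real random qwerty public private poiuytre passwd pass oracle
nopass nobody nick newpass new network monitor money manager mail login
internet install hello guest goX demo default debug database crew computer
coffee bin beta backup backdoor anonymous anon alpha adm access abc123 system
sys super sql shadow setup security secure secret 123456789 12345678 1234567
123456 12345 1234 123 121 00000000 0000000 000000 00000 0000 000 00 server
asdfgh root
""".split())
_DICTIONARY_LOWER = frozenset(word.lower() for word in RAHACK_DICTIONARY)

# Constructed events: 10.0.0.7 walks the worm's list; 10.0.0.22 is one real
# user mistyping a password (the 528 line is a successful logon, ignored).
SAMPLE_EVENTS = """\
2006-11-04T10:15:01|529|Administrator|10.0.0.7|3
2006-11-04T10:15:02|529|Admin|10.0.0.7|3
2006-11-04T10:15:02|529|www|10.0.0.7|3
2006-11-04T10:15:03|529|windows|10.0.0.7|3
2006-11-04T10:15:03|529|visitor|10.0.0.7|3
2006-11-04T10:15:04|529|test2|10.0.0.7|3
2006-11-04T10:15:04|528|jsmith|10.0.0.22|3
2006-11-04T10:15:05|529|guest|10.0.0.7|3
2006-11-04T10:15:09|529|jsmith|10.0.0.22|3
2006-11-04T10:16:40|529|jsmith|10.0.0.22|3
2006-11-04T10:20:00|529|root|10.0.0.7|3
"""


def parse_events(text):
    """Parse the constructed export into (time, event_id, account, source, logon_type) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, source, logon_type = line.split("|")
        events.append((datetime.fromisoformat(ts), int(event_id), account, source, int(logon_type)))
    return events


def find_guessing_bursts(events, window=timedelta(seconds=60), min_accounts=5):
    """Return {source_ip: sorted dictionary accounts} for every source whose
    failed network logons within `window` cover at least `min_accounts`
    distinct names from the worm's dictionary. Wrong-password retries by one
    real user never reach the threshold because they involve a single account."""
    failures = defaultdict(list)
    for ts, event_id, account, source, logon_type in events:
        if event_id in FAILED_LOGON_IDS and logon_type == NETWORK_LOGON:
            failures[source].append((ts, account))

    bursts = {}
    for source, attempts in failures.items():
        attempts.sort()
        hits = set()
        start = 0
        for end, (end_ts, _) in enumerate(attempts):
            while end_ts - attempts[start][0] > window:  # slide the window forward
                start += 1
            in_window = {a for _, a in attempts[start:end + 1] if a.lower() in _DICTIONARY_LOWER}
            if len(in_window) >= min_accounts:
                hits |= in_window
        if hits:
            bursts[source] = sorted(hits)
    return bursts


if __name__ == "__main__":
    for source, accounts in find_guessing_bursts(parse_events(SAMPLE_EVENTS)).items():
        print(f"{source}: {len(accounts)} dictionary accounts tried: {', '.join(accounts)}")
```

On the sample, 10.0.0.7 is reported with the seven names it tried inside the minute; its later lone attempt on root falls outside every qualifying window, and 10.0.0.22 is never flagged. Tune `window` and `min_accounts` to the noise level of the environment; the distinct-account requirement is what keeps ordinary lockout-style retries out of the result.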

Method of Infection

This worm spreads by guessing credentials on poorly administered RemoteAdmin servers and by exploiting the DCOM RPC vulnerability.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).


Variants

N/A

Overview

W32/RAHack!7efec6d0 is a worm that attempts to spread by guessing username and password combinations on poorly administered RemoteAdmin installations, as well as through the DCOM RPC vulnerability.

Aliases

  • Backdoor.Win32.Rbot.bni (Kaspersky)
  • IRC/BackDoor.SdBot2.KWD (Grisoft)
  • Trj/Agent.DBF (Panda)
  • W32.Rahack.H (Symantec)
  • W32/Rbot-FVL (Sophos)
  • W32/RBot.BNI!tr.bdr (Fortinet)
  • W32/Spybot.BAYA (Norman)
  • W32/Trojan.MEX (F-Prot)
  • Win32/Rahack.6fi!Trojan (CA)
  • WORM_RBOT.ERX (Trend)
