W32/RBot.CY!worm
Analysis
Specifics
This virus is a 32-bit executable with a packed file size of
105,984 bytes. It contains code to propagate itself to other
systems and to connect to an IRC server over TCP port 6667.
The virus will auto-run at each Windows startup via
three registry entries -
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
"Microsoft Update" = wuamgrd.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
"Microsoft Update" = wuamgrd.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\
"Microsoft Update" = wuamgrd.exe
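The three autorun values above are a straightforward host-based indicator. The following Python, added here as an example and not part of Fortinet's analysis or tooling, parses a registry export in .reg format and reports any of those three keys that carry the "Microsoft Update" value or point at wuamgrd.exe. The export text is constructed for this example; the parser is a minimal one that only handles REG_SZ values, which is all these entries need.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a fragment of a .reg export from a host suspected of
# infection.  Hypothetical content built for this example, not from a real system.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"Microsoft Update"="wuamgrd.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Microsoft Update"="wuamgrd.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft Update"="wuamgrd.exe"
"""

# The three autorun locations named in the analysis and the value written there.
AUTORUN_KEYS = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
}
IOC_VALUE_NAME = "Microsoft Update"
IOC_BINARY = "wuamgrd.exe"

# Matches a REG_SZ line of the form "name"="data", allowing escaped quotes/backslashes.
_VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse .reg text into {key_path: {value_name: data}} (string values only)."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = _VALUE_RE.match(line)
            if m:
                name = m.group(1).replace('\\"', '"')
                data = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
                keys[current][name] = data
    return keys


def find_rbot_autoruns(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, data) for autorun entries matching the RBot indicators.

    Either the value name or the executable name is enough to flag: an attacker-
    chosen value name that merely looks like "Microsoft Update" is itself suspicious.
    """
    wanted = {k.lower() for k in AUTORUN_KEYS}
    hits: List[Tuple[str, str, str]] = []
    for key, values in keys.items():
        if key.lower() not in wanted:
            continue
        for name, data in values.items():
            if name.lower() == IOC_VALUE_NAME.lower() or data.lower().endswith(IOC_BINARY):
                hits.append((key, name, data))
    return hits


if __name__ == "__main__":
    for key, name, data in find_rbot_autoruns(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"[!] {key}\\{name} = {data}")
```

On a live system the same check can be run against the output of `reg export` for each of the three keys; the parser above is deliberately lenient about case because Windows registry paths are case-insensitive.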
Target Seek
This virus begins sending SYN packets to random
IP addresses in the hope of receiving an ACK reply. Systems
that respond become targets: the virus attempts to log on
to the responding system using a dictionary attack against
logon IDs and passwords. If a system is breached, the virus
copies itself to that system and remotely executes the copy
as "wuamgrd.exe".
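The scanning behaviour described above shows up on a perimeter firewall as one internal source opening SYNs to many distinct addresses on the ports the worm probes. The Python below, an added example rather than anything from Fortinet's analysis, scores each source by the number of distinct destinations it contacts on TCP 135 or 445 within a sliding one-minute window and alerts when that fan-out exceeds a threshold. The log line format and the addresses are constructed for this example; a real deployment would adapt the regular expression to the firewall's own traffic log format.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Hypothetical connection-attempt log format built for this example.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=tcp flags=(?P<flags>\S+)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one log line, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "flags": m["flags"],
    }


def detect_syn_fanout(lines: List[str], ports=(135, 445),
                      window: timedelta = timedelta(seconds=60),
                      threshold: int = 20) -> Dict[str, int]:
    """Map each source to its peak number of distinct destinations contacted
    (SYN only, on the watched ports) inside any `window`, keeping only sources
    whose peak reaches `threshold`."""
    per_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["dport"] in ports and ev["flags"] == "S":
            per_src[ev["src"]].append((ev["ts"], ev["dst"]))

    alerts: Dict[str, int] = {}
    for src, events in per_src.items():
        events.sort()
        seen: Counter = Counter()   # distinct destinations inside the current window
        start = 0
        peak = 0
        for ts, dst in events:
            seen[dst] += 1
            # Slide the window forward, dropping events older than `window`.
            while ts - events[start][0] > window:
                old = events[start][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                start += 1
            peak = max(peak, len(seen))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


def build_sample_log() -> List[str]:
    """Constructed sample: one scanning host and one ordinary SMB/web client."""
    base = datetime(2005, 3, 1, 10, 0, 0)
    lines = []
    # Infected host: a SYN per second to a fresh address, alternating 135 and 445.
    for i in range(30):
        ts = (base + timedelta(seconds=i)).strftime("%Y-%m-%d %H:%M:%S")
        port = 135 if i % 2 == 0 else 445
        lines.append(f"{ts} src=10.0.0.5 dst=203.0.113.{i + 1} dport={port} proto=tcp flags=S")
    # Benign host: repeated sessions to the same file server plus one web request.
    for i in range(5):
        ts = (base + timedelta(seconds=i * 10)).strftime("%Y-%m-%d %H:%M:%S")
        lines.append(f"{ts} src=10.0.0.7 dst=10.0.0.20 dport=445 proto=tcp flags=S")
    lines.append("2005-03-01 10:00:45 src=10.0.0.7 dst=198.51.100.9 dport=80 proto=tcp flags=S")
    return lines


if __name__ == "__main__":
    for src, fanout in detect_syn_fanout(build_sample_log()).items():
        print(f"[!] {src} contacted {fanout} distinct hosts on 135/445 within 60s")
```

Counting distinct destinations rather than raw SYN volume is what separates the worm's random-address sweep from a busy but legitimate client that keeps reconnecting to one file server.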
IRC Communique
The virus connects to the IRC server "irc.sky.net"
(IP address 82.103.128.128), joins the channel
"#rxbotz sirux" and awaits instructions from
a malicious user. One instruction that initiates scanning of
IP addresses is the following -
.advscan dcom135 100 4 6000 -b -r -s
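The C2 indicators on this page (server name and address, port 6667, the channel, and the ".advscan" command) can be matched against a reconstructed IRC session, for instance one carved from a capture by an IDS or proxy. The following Python is an added example, not Fortinet's own tooling: it walks a session transcript in a hypothetical "CONNECT" / "C>" / "S>" format constructed for this example and emits a finding for every line that touches one of the indicators, parsing the IRC prefix, command, and trailing parameter so that JOIN and PRIVMSG are checked on their actual arguments rather than by substring.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Indicators taken from the analysis text.
C2_HOSTS = {"irc.sky.net", "82.103.128.128"}
C2_PORT = 6667
C2_CHANNEL = "#rxbotz"
BOT_COMMANDS = {".advscan"}   # the bot command the analysis shows


@dataclass
class Finding:
    line_no: int
    kind: str
    detail: str


# Constructed transcript (hypothetical format): a connection header, then
# client-to-server ("C>") and server-to-client ("S>") IRC lines.
SAMPLE_SESSION = """\
CONNECT 10.0.0.5:1044 -> 82.103.128.128:6667
C> NICK bot1234
C> USER bot1234 0 0 :bot1234
S> :irc.sky.net 001 bot1234 :Welcome
C> JOIN #rxbotz sirux
S> :bot1234!bot1234@10.0.0.5 JOIN :#rxbotz
S> :oper!x@example.invalid PRIVMSG #rxbotz :.advscan dcom135 100 4 6000 -b -r -s
S> :oper!x@example.invalid PRIVMSG #rxbotz :hello
"""

_CONNECT_RE = re.compile(r"^CONNECT \S+ -> (\S+):(\d+)$")


def split_irc(msg: str) -> Tuple[Optional[str], str, str, str]:
    """Split an IRC line into (prefix, COMMAND, middle params, trailing param)."""
    prefix = None
    if msg.startswith(":"):
        prefix, _, msg = msg[1:].partition(" ")
    middle, _, trailing = msg.partition(" :")
    parts = middle.split(" ", 1)
    command = parts[0].upper()
    params = parts[1] if len(parts) > 1 else ""
    return prefix, command, params, trailing


def scan_irc_session(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for no, line in enumerate(text.splitlines(), 1):
        m = _CONNECT_RE.match(line)
        if m:
            host, port = m.group(1), int(m.group(2))
            if host in C2_HOSTS:
                findings.append(Finding(no, "c2-host", host))
            elif port == C2_PORT:
                findings.append(Finding(no, "irc-port", f"{host}:{port}"))
            continue
        if not line.startswith(("C> ", "S> ")):
            continue
        prefix, command, params, trailing = split_irc(line[3:])
        # A server prefix naming the known C2 server.
        if prefix and prefix.split("!")[0] in C2_HOSTS:
            findings.append(Finding(no, "c2-host", prefix))
        if command == "JOIN":
            # JOIN may carry the channel as a middle param ("#chan key") or trailing (":#chan").
            channel = (params.split(" ", 1)[0] if params else trailing.split(" ", 1)[0])
            if channel.lower() == C2_CHANNEL:
                findings.append(Finding(no, "c2-channel", channel))
        elif command == "PRIVMSG" and trailing:
            if trailing.split(" ", 1)[0].lower() in BOT_COMMANDS:
                findings.append(Finding(no, "bot-command", trailing))
    return findings


if __name__ == "__main__":
    for f in scan_irc_session(SAMPLE_SESSION):
        print(f"line {f.line_no}: {f.kind}: {f.detail}")
```

Note that a JOIN on its own is reported only for the known channel, whereas the bot-command check fires on the command token regardless of channel, so a renamed channel on a later variant would still surface through the PRIVMSG path.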
Recommended Action
- Check the main screen using the web interface for
your FortiGate unit to ensure that the latest AV/NIDS
database has been downloaded and installed on your
system - if required, enable the "Allow Push
Update" option
- Block external to internal traffic using TCP ports
135, 445 and 6667
- Block internal to external traffic to IP address 216.234.253.28
Telemetry
Detection Availability
Product | Detection
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |