Virus

W32/RBot.D!worm

Analysis

Specifics
W32/Rbot.D-net is a 32-bit PE executable worm with a size of 33,824 bytes. This worm has an icon similar to Windows Update file "wupdmgr.exe" in Windows XP. If the filename of the worm is "svshost.exe", no file is dropped upon execution. If the filename of the worm is not "svshost.exe", it drops a copy of itself in the undefinedSystemundefined directory as "svshost.exe" upon execution. This worm is capable of connecting to a remote IRC server for malicious purposes from an infected system. It may attempt to spread by taking advantage of a known RPC DCOM vulnerability in unpatched Windows systems.
Loading At Windows Startup
The worm modifies the registry to run at each Windows startup. If the filename of the worm is "svshost.exe", the registry is modified as follows:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
DLL Service Manager = "[path where worm is executed]\svshost.exe"
If the filename of the worm is not "svshost.exe", then the registry is modified as follows:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
DLL Service Manager = "undefinedSystemundefined\svshost.exe"
This worm creates a mutex "mutexxz" to indicate its presence in the system.

Recommended Action

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
  • Ensure systems are updated with the latest Microsoft security patches, specifically the update that addresses the RPC DCOM vulnerability. The patch and security bulletin on this vulnerability can be found at: http://www.microsoft.com/technet/security/bulletin/MS03-039.asp