ThreatExpert Report: Backdoor.Win32.Rbot.gen, W32.Spybot.Worm, BKDR

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 31 August 2008, 15:02:14
Processing time: 5 min 22 sec
Submitted sample:

File MD5: 0xCA80AF10A4EE1A5209C739784A6F4948
File SHA-1: 0x44CD360107B00BF68C8308D97FA524760BB81DEE
Filesize: 134,144 bytes
Alias:

W32.Spybot.Worm [Symantec]
Backdoor.Win32.Rbot.gen [Kaspersky Lab]
BKDR_RBOT.DZT [Trend Micro]

Summary of the findings:

What's been found	Severity Level
A network-aware worm that uses known exploit(s) in order to replicate across vulnerable networks.
MS04-012: DCOM RPC Overflow exploit - replication across TCP 135/139/445/593 (common for Blaster, Welchia, Spybot, Randex, other IRC Bots).
MS04-011: LSASS Overflow exploit - replication across TCP 445 (common for Sasser, Bobax, Kibuv, Korgo, Gaobot, Spybot, Randex, other IRC Bots).
Communication with a remote IRC server.
Produces outbound traffic.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! The following threat categories were identified:

Threat Category	Description
	A network-aware worm that attempts to replicate across the existing network(s)
	A malicious backdoor trojan that runs in the background and allows remote access to the compromised system

File System Modifications

The following file was created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	[file and pathname of the sample #1] %System%\ywgma.exe %System%\yywbl.exe	134,144 bytes	MD5: 0xCA80AF10A4EE1A5209C739784A6F4948 SHA-1: 0x44CD360107B00BF68C8308D97FA524760BB81DEE	W32.Spybot.Worm [Symantec] Backdoor.Win32.Rbot.gen [Kaspersky Lab] BKDR_RBOT.DZT [Trend Micro]

Note:

%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
yywbl.exe	%System%\yywbl.exe	754,563 bytes
ywgma.exe	%System%\ywgma.exe	754,563 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	754,563 bytes

Registry Modifications

The following Registry Key was created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

Windows Service Agents = "ywgma.exe"

so that ywgma.exe runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

Windows Service Agents = "ywgma.exe"

so that ywgma.exe runs every time Windows starts

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

Windows Service Agents = "ywgma.exe"

so that ywgma.exe runs every time Windows starts

Other details

To mark the presence in the system, the following Mutex object was created:

910860

The following Host Name was requested from a host database:

bader.q8cv.org

There was registered attempt to establish connection with the remote host. The connection details are:

Remote Host	Port Number
bader.q8cv.org	32321

Outbound traffic (potentially malicious)

There was an outbound traffic produced on port 32321:

00000000 | 4E49 434B 2055 5341 7C58 507C 5350 327C | NICK USA|XP|SP2|
00000010 | 3030 7C34 3038 380D 0A55 5345 5220 6175 | 00|4088..USER au
00000020 | 6171 6520 3020 3020 3A02 0334 436F 6465 | aqe 0 0 :..4Code
00000030 | 4420 0338 4279 2002 1F03 317A 6572 581F | D .8By ...1zerX.
00000040 | 2D02 1F02 5669 7275 730F 0D0A 5553 4552 | -...Virus...USER
00000050 | 484F 5354 2055 5341 7C58 507C 5350 327C | HOST USA|XP|SP2|
00000060 | 3030 7C34 3038 380D 0A4D 4F44 4520 5553 | 00|4088..MODE US
00000070 | 417C 5850 7C53 5032 7C30 307C 3430 3838 | A|XP|SP2|00|4088
00000080 | 202D 782B 690D 0A4A 4F49 4E20 236C 2320 |  -x+i..JOIN #l#
00000090 | 6C34 6D6F 0D0A                          | l4mo..
00000000 | 4E49 434B 2055 5341 7C58 507C 5350 327C | NICK USA|XP|SP2|
00000010 | 3030 7C34 3038 380D 0A55 5345 5220 6175 | 00|4088..USER au
00000020 | 6171 6520 3020 3020 3A02 0334 436F 6465 | aqe 0 0 :..4Code
00000030 | 4420 0338 4279 2002 1F03 317A 6572 581F | D .8By ...1zerX.
00000040 | 2D02 1F02 5669 7275 730F 0D0A 5553 4552 | -...Virus...USER
00000050 | 484F 5354 2055 5341 7C58 507C 5350 327C | HOST USA|XP|SP2|
00000060 | 3030 7C34 3038 380D 0A4D 4F44 4520 5553 | 00|4088..MODE US
00000070 | 417C 5850 7C53 5032 7C30 307C 3430 3838 | A|XP|SP2|00|4088
00000080 | 202D 782B 690D 0A4A 4F49 4E20 236C 2320 |  -x+i..JOIN #l#
00000090 | 6C34 6D6F 0D0A                          | l4mo..
00000000 | 4E49 434B 2055 5341 7C58 507C 5350 327C | NICK USA|XP|SP2|
00000010 | 3030 7C30 3937 380D 0A55 5345 5220 6A6A | 00|0978..USER jj
00000020 | 6D78 6720 3020 3020 3A02 0334 436F 6465 | mxg 0 0 :..4Code
00000030 | 4420 0338 4279 2002 1F03 317A 6572 581F | D .8By ...1zerX.
00000040 | 2D02 1F02 5669 7275 730F 0D0A 5553 4552 | -...Virus...USER
00000050 | 484F 5354 2055 5341 7C58 507C 5350 327C | HOST USA|XP|SP2|
00000060 | 3030 7C30 3937 380D 0A4D 4F44 4520 5553 | 00|0978..MODE US
00000070 | 417C 5850 7C53 5032 7C30 307C 3039 3738 | A|XP|SP2|00|0978
00000080 | 202D 782B 690D 0A4A 4F49 4E20 236C 2320 |  -x+i..JOIN #l#
00000090 | 6C34 6D6F 0D0A                          | l4mo..
00000000 | 4E49 434B 2055 5341 7C58 507C 5350 327C | NICK USA|XP|SP2|
00000010 | 3030 7C33 3735 350D 0A55 5345 5220 6261 | 00|3755..USER ba
00000020 | 6D77 6161 2030 2030 203A 0203 3443 6F64 | mwaa 0 0 :..4Cod
00000030 | 6544 2003 3842 7920 021F 0331 7A65 7258 | eD .8By ...1zerX
00000040 | 1F2D 021F 0256 6972 7573 0F0D 0A55 5345 | .-...Virus...USE
00000050 | 5248 4F53 5420 5553 417C 5850 7C53 5032 | RHOST USA|XP|SP2
00000060 | 7C30 307C 3337 3535 0D0A 4D4F 4445 2055 | |00|3755..MODE U
00000070 | 5341 7C58 507C 5350 327C 3030 7C33 3735 | SA|XP|SP2|00|375
00000080 | 3520 2D78 2B69 0D0A 4A4F 494E 2023 6C23 | 5 -x+i..JOIN #l#
00000090 | 206C 346D 6F0D 0A                       |  l4mo..
00000000 | 4E49 434B 2055 5341 7C58 507C 5350 327C | NICK USA|XP|SP2|
00000010 | 3030 7C39 3531 360D 0A55 5345 5220 697A | 00|9516..USER iz
00000020 | 6861 6573 2030 2030 203A 0203 3443 6F64 | haes 0 0 :..4Cod
00000030 | 6544 2003 3842 7920 021F 0331 7A65 7258 | eD .8By ...1zerX
00000040 | 1F2D 021F 0256 6972 7573 0F0D 0A55 5345 | .-...Virus...USE
00000050 | 5248 4F53 5420 5553 417C 5850 7C53 5032 | RHOST USA|XP|SP2
00000060 | 7C30 307C 3935 3136 0D0A 4D4F 4445 2055 | |00|9516..MODE U
00000070 | 5341 7C58 507C 5350 327C 3030 7C39 3531 | SA|XP|SP2|00|951
00000080 | 3620 2D78 2B69 0D0A 4A4F 494E 2023 6C23 | 6 -x+i..JOIN #l#
00000090 | 206C 346D 6F0D 0A                       |  l4mo..
00000000 | 4E49 434B 2055 5341 7C58 507C 5350 327C | NICK USA|XP|SP2|
00000010 | 3030 7C35 3037 310D 0A55 5345 5220 6578 | 00|5071..USER ex
00000020 | 7A66 6779 2030 2030 203A 0203 3443 6F64 | zfgy 0 0 :..4Cod
00000030 | 6544 2003 3842 7920 021F 0331 7A65 7258 | eD .8By ...1zerX
00000040 | 1F2D 021F 0256 6972 7573 0F0D 0A55 5345 | .-...Virus...USE
00000050 | 5248 4F53 5420 5553 417C 5850 7C53 5032 | RHOST USA|XP|SP2
00000060 | 7C30 307C 3530 3731 0D0A 4D4F 4445 2055 | |00|5071..MODE U
00000070 | 5341 7C58 507C 5350 327C 3030 7C35 3037 | SA|XP|SP2|00|507
00000080 | 3120 2D78 2B69 0D0A 4A4F 494E 2023 6C23 | 1 -x+i..JOIN #l#
00000090 | 206C 346D 6F0D 0A                       |  l4mo..
00000000 | 4E49 434B 2055 5341 7C58 507C 5350 327C | NICK USA|XP|SP2|
00000010 | 3030 7C32 3634 310D 0A55 5345 5220 696E | 00|2641..USER in
00000020 | 6B71 2030 2030 203A 0203 3443 6F64 6544 | kq 0 0 :..4CodeD
00000030 | 2003 3842 7920 021F 0331 7A65 7258 1F2D |  .8By ...1zerX.-
00000040 | 021F 0256 6972 7573 0F0D 0A55 5345 5248 | ...Virus...USERH
00000050 | 4F53 5420 5553 417C 5850 7C53 5032 7C30 | OST USA|XP|SP2|0
00000060 | 307C 3236 3431 0D0A 4D4F 4445 2055 5341 | 0|2641..MODE USA
00000070 | 7C58 507C 5350 327C 3030 7C32 3634 3120 | |XP|SP2|00|2641
00000080 | 2D78 2B69 0D0A 4A4F 494E 2023 6C23 206C | -x+i..JOIN #l# l
00000090 | 346D 6F0D 0A                            | 4mo..
00000000 | 4E49 434B 2055 5341 7C58 507C 5350 327C | NICK USA|XP|SP2|
00000010 | 3030 7C34 3038 380D 0A55 5345 5220 6175 | 00|4088..USER au
00000020 | 6171 6520 3020 3020 3A02 0334 436F 6465 | aqe 0 0 :..4Code
00000030 | 4420 0338 4279 2002 1F03 317A 6572 581F | D .8By ...1zerX.
00000040 | 2D02 1F02 5669 7275 730F 0D0A 5553 4552 | -...Virus...USER
00000050 | 484F 5354 2055 5341 7C58 507C 5350 327C | HOST USA|XP|SP2|
00000060 | 3030 7C34 3038 380D 0A4D 4F44 4520 5553 | 00|4088..MODE US
00000070 | 417C 5850 7C53 5032 7C30 307C 3430 3838 | A|XP|SP2|00|4088
00000080 | 202D 782B 690D 0A4A 4F49 4E20 236C 2320 |  -x+i..JOIN #l#
00000090 | 6C34 6D6F 0D0A                          | l4mo..
00000000 | 4E49 434B 2055 5341 7C58 507C 5350 327C | NICK USA|XP|SP2|
00000010 | 3030 7C35 3037 310D 0A55 5345 5220 6578 | 00|5071..USER ex
00000020 | 7A66 6779 2030 2030 203A 0203 3443 6F64 | zfgy 0 0 :..4Cod
00000030 | 6544 2003 3842 7920 021F 0331 7A65 7258 | eD .8By ...1zerX
00000040 | 1F2D 021F 0256 6972 7573 0F0D 0A55 5345 | .-...Virus...USE
00000050 | 5248 4F53 5420 5553 417C 5850 7C53 5032 | RHOST USA|XP|SP2
00000060 | 7C30 307C 3530 3731 0D0A 4D4F 4445 2055 | |00|5071..MODE U
00000070 | 5341 7C58 507C 5350 327C 3030 7C35 3037 | SA|XP|SP2|00|507
00000080 | 3120 2D78 2B69 0D0A 4A4F 494E 2023 6C23 | 1 -x+i..JOIN #l#
00000090 | 206C 346D 6F0D 0A                       |  l4mo..
00000000 | 4E49 434B 2055 5341 7C58 507C 5350 327C | NICK USA|XP|SP2|
00000010 | 3030 7C33 3735 350D 0A55 5345 5220 6261 | 00|3755..USER ba
00000020 | 6D77 6161 2030 2030 203A 0203 3443 6F64 | mwaa 0 0 :..4Cod
00000030 | 6544 2003 3842 7920 021F 0331 7A65 7258 | eD .8By ...1zerX
00000040 | 1F2D 021F 0256 6972 7573 0F0D 0A55 5345 | .-...Virus...USE
00000050 | 5248 4F53 5420 5553 417C 5850 7C53 5032 | RHOST USA|XP|SP2
00000060 | 7C30 307C 3337 3535 0D0A 4D4F 4445 2055 | |00|3755..MODE U
00000070 | 5341 7C58 507C 5350 327C 3030 7C33 3735 | SA|XP|SP2|00|375
00000080 | 3520 2D78 2B69 0D0A 4A4F 494E 2023 6C23 | 5 -x+i..JOIN #l#
00000090 | 206C 346D 6F0D 0A                       |  l4mo..
00000000 | 4E49 434B 2055 5341 7C58 507C 5350 327C | NICK USA|XP|SP2|
00000010 | 3030 7C39 3531 360D 0A55 5345 5220 697A | 00|9516..USER iz
00000020 | 6861 6573 2030 2030 203A 0203 3443 6F64 | haes 0 0 :..4Cod
00000030 | 6544 2003 3842 7920 021F 0331 7A65 7258 | eD .8By ...1zerX
00000040 | 1F2D 021F 0256 6972 7573 0F0D 0A55 5345 | .-...Virus...USE
00000050 | 5248 4F53 5420 5553 417C 5850 7C53 5032 | RHOST USA|XP|SP2
00000060 | 7C30 307C 3935 3136 0D0A 4D4F 4445 2055 | |00|9516..MODE U
00000070 | 5341 7C58 507C 5350 327C 3030 7C39 3531 | SA|XP|SP2|00|951
00000080 | 3620 2D78 2B69 0D0A 4A4F 494E 2023 6C23 | 6 -x+i..JOIN #l#
00000090 | 206C 346D 6F0D 0A                       |  l4mo..

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.