On Thu, 2 Sep 2004 10:16:30 -0400, S.A. Birl wrote: >Does anyone know how it infects?
Primarily via the LSASS exploit over port 445, but variants have been seen with the following additional exploits/password brute-force spreading modules: WebDav Lsass135 Lsass1025 NetBios NTPass Dcom135 Dcom445 Dcom1025 MSSQL Beagle1 Beagle2 MyDoom Optix UPNP NetDevil DameWare Kuang2 Sub7 After the exploit, the bot is copied to the victim using the Windows tftp client. > http://virusscan.jotti.dhs.org/ lists msrtwd.exe as backdoor.sdbot.gen Yes, some AV companies identify Rbot as SDbot, even though the two look almost nothing alike. It could be that Rbot was derived from SDbot, but it has grown substantially, and is almost on par with Agobot in terms of functionality. Because there are so many variants, each with a different exe name, it's sometimes hard to keep track of them. Just so it can be indexed for future reference, here is a list of Rbot exe names we've seen during exploit captures, and dates we've seen them spreading over the last 3 months: Dates Seen Exe Name --------------------------------- 2004/06/06 - 2004/06/27 lsrv.exe 2004/06/06 - 2004/08/28 wuapdate16.exe 2004/06/07 - 2004/06/15 sndcfg16.exe 2004/06/07 - 2004/08/30 wuamgrd.exe 2004/06/08 - 2004/06/27 lsac.exe 2004/06/10 - 2004/06/10 winupdos.exe 2004/06/10 - 2004/06/26 dosprmwin.exe 2004/06/11 - 2004/06/11 systemse.exe 2004/06/11 - 2004/08/18 scrgrd.exe 2004/06/13 - 2004/06/13 dude.exe 2004/06/14 - 2004/06/14 esplorer.exe 2004/06/14 - 2004/06/14 landriver32.exe 2004/06/14 - 2004/06/14 mpd.exe 2004/06/14 - 2004/06/14 updatez.exe 2004/06/14 - 2004/06/25 svssshost.exe 2004/06/14 - 2004/08/26 jacfg2.exe 2004/06/17 - 2004/06/26 wuammgr32.exe 2004/06/18 - 2004/06/18 svhost.exe 2004/06/18 - 2004/06/18 wuamgrd32.exe 2004/06/18 - 2004/06/23 wuamagrd.exe 2004/06/20 - 2004/06/20 wloader.exe 2004/06/21 - 2004/08/29 pidserv.exe 2004/06/22 - 2004/09/01 navscan32.exe 2004/06/23 - 2004/06/23 hpsysmon.exe 2004/06/24 - 2004/06/24 winipcfgs.exe 2004/06/24 - 2004/06/24 wwwstream.exe 2004/06/25 - 2004/06/25 lcsrv64.exe 2004/06/25 - 2004/06/25 srvhost.exe 2004/06/25 - 2004/06/25 systemnt.exe 2004/06/25 - 2004/06/25 win64.exe 2004/06/27 - 2004/06/27 win32apisrvr.exe 2004/08/16 - 2004/08/24 soundblaster.exe 2004/08/16 - 2004/08/25 msnmsg.exe 2004/08/16 - 2004/08/27 windowsup.exe 2004/08/16 - 2004/08/29 muamgrd.exe 2004/08/16 - 2004/08/30 winupdater.exe 2004/08/16 - 2004/08/31 win16update.exe 2004/08/16 - 2004/09/01 dllmngr32.exe 2004/08/17 - 2004/08/17 msdev.exe 2004/08/17 - 2004/08/17 svchostc.exe 2004/08/17 - 2004/08/31 javatm.exe 2004/08/17 - 2004/08/31 usbsvc.exe 2004/08/17 - 2004/09/01 msnmsgr.exe 2004/08/18 - 2004/08/18 mnzks.exe 2004/08/18 - 2004/08/18 notepad.exe 2004/08/18 - 2004/08/18 tcpip.exe 2004/08/19 - 2004/08/19 mss3rvices200x.exe 2004/08/19 - 2004/08/19 msservices200x.exe 2004/08/19 - 2004/09/01 iexplore.exe 2004/08/23 - 2004/08/23 msrtwd.exe 2004/08/24 - 2004/08/24 csass.exe 2004/08/24 - 2004/08/24 winxp32.exe 2004/08/24 - 2004/08/26 nmon.exe 2004/08/24 - 2004/08/27 winupdate.exe 2004/08/24 - 2004/09/01 msnplus.exe 2004/08/25 - 2004/08/25 lsas.exe 2004/08/25 - 2004/08/27 dwervdl32.exe 2004/08/26 - 2004/08/26 jutsu.exe 2004/08/26 - 2004/08/26 usb.exe 2004/08/26 - 2004/08/26 win43.exe 2004/08/27 - 2004/08/27 java.exe 2004/08/27 - 2004/08/27 svchost32.exe 2004/08/27 - 2004/08/29 iexplorer.exe 2004/08/27 - 2004/08/30 ati2vid.exe 2004/08/27 - 2004/08/30 svchosts.exe 2004/08/29 - 2004/08/29 server.exe 2004/08/29 - 2004/08/30 nortoanavap.exe 2004/08/29 - 2004/09/02 syswin32.exe 2004/08/30 - 2004/09/02 rsvc32.exe 2004/08/30 - 2004/09/02 vsmons.exe 2004/08/31 - 2004/08/31 winsrv.exe 2004/09/02 - 2004/09/02 sslwina.exe 2004/09/02 - 2004/09/02 winxpini.exe -Joe -- Joe Stewart, GCIH Senior Security Researcher LURHQ http://www.lurhq.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
