6/9: Rbot.AF Uses NetBEUI Functions

6/9: Rbot.AF Uses NetBEUI Functions
June 9, 2004

Worm_Rbot.AF is a worm that spreads through network shares. It uses NetBEUI functions to gather available lists of user names and passwords. It uses these user names and passwords to drop a copy of itself in available network shares.

It drops a copy of itself in the Windows system folder using the file name WSERV32.EXE. This worm also uses a certain list of user names and passwords aside from those that it is able to gather. It also generates random IP addresses and attempts to drop a copy of itself in default folders of target addresses.

This worm is known to exploit the Windows LSASS vulnerability, which is a buffer overrun that allows remote code execution and enables an attacker to gain full control of the affected system. This vulnerability is discussed in detail in the following pages:

MS04-011_MICROSOFT_WINDOWS

Microsoft Security Bulletin MS04-011

It opens a varied port and connects to an Internet Relay Chat (IRC) server and joins an IRC channel to receive malicious commands. It also has the capability to automatically notify the IRC bot if any of the systems have the following Windows vulnerabilities:

RPC/DCOM vulnerability

RPC/Locator vulnerability

WebDAV vulnerability

Information on these vulnerabilities are available in the following sites:

Microsoft Security Bulletin MS03-026
Microsoft Security Bulletin MS03-001
Microsoft Security Bulletin MS03-007

This worm runs on Windows 95, 98, ME, NT, 2000, and XP.

Technical details are at Trend Micro page.