
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


Autorooter

 
  • Threat Level: Moderate threat
  • Damage: High
  • Distribution: Not widespread

Effects 

Autorooter has the following effects:

  • It allows a hacker to gain remote access to the affected computer, in order to perform the following actions, among others: reformat the hard disk drive, add new users, etc.
  • It downloads backdoor type files.
  • It opens the ports 135, 139 and 445.

Infection strategy 

Autorooter creates the following files in the C: root directory:

  • TFTPD.EXE: this file is an FTP server that the Trojan uses to download a file containing a backdoor Trojan to the affected computer.
  • RPC.EXE: this file runs the FTP server and generates IP addresses.
  • RPCTEST.EXE: it sends a string to all of the IP addresses generated by RPC.EXE.
  • LOLX.EXE or DCOM.EXE: this file contains a backdoor Trojan. It can accompany the Trojan or be downloaded via FTP. This file is detected by Panda Antivirus as Bck/IRCbot.gen.

Autorooter follows the infection routine below:

  • It activates when it is run, and it installs the programs TFTPD.EXE, RPC.EXE and RPCTEST.EXE on the affected computer.
  • It generates IP addresses whose first byte can be one of the following: 4, 12, 24, 64, 65, 68, 128, 165, 208, 211, 213, 217, 218 or 220; the second byte is a random number, and the other two bytes increase sequentially.
  • Whenever Autorooter finds a valid IP address, it connects to the machine and checks if it can take advantage of the DCOM-RPC exploit by sending a string.
  • If successful, Autorooter uses the FTP server TFTPD.EXE to download a file containing a backdoor Trojan called LOLX.EXE or DCOM.EXE.
  • This file allows the affected computer to be controlled remotely.
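
The address pattern in this routine (listed first byte, one fixed second byte, last two bytes counting upward) can be looked for in connection logs. The following detection sketch is an added example, not part of Panda's entry; the `src dst dport` log format, the `min_run` threshold, and the assumption that probes go to ports 135, 139 or 445 are illustrative.

```python
import ipaddress
from collections import defaultdict

# First octets the entry lists for generated target addresses.
FIRST_OCTETS = {4, 12, 24, 64, 65, 68, 128, 165, 208, 211, 213, 217, 218, 220}
# Assumption: probes target the Windows RPC/SMB ports the entry names.
PROBE_PORTS = {135, 139, 445}

def longest_run(values):
    """Length of the longest run of consecutive integers in values."""
    best = run = 0
    prev = None
    for v in sorted(set(values)):
        run = run + 1 if prev is not None and v == prev + 1 else 1
        best = max(best, run)
        prev = v
    return best

def find_sweeps(log_lines, min_run=5):
    """Return {(src, 'a.b.0.0/16'): run_length} for sources sweeping a /16."""
    buckets = defaultdict(list)
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed record
        src, dst, port = parts
        try:
            dst_int = int(ipaddress.IPv4Address(dst))
            port = int(port)
        except ValueError:
            continue
        if port not in PROBE_PORTS or (dst_int >> 24) not in FIRST_OCTETS:
            continue
        # Group by source and first two bytes; keep the last two as one counter.
        buckets[(src, dst_int >> 16)].append(dst_int & 0xFFFF)
    hits = {}
    for (src, prefix), hosts in buckets.items():
        n = longest_run(hosts)
        if n >= min_run:
            hits[(src, f"{prefix >> 8}.{prefix & 0xFF}.0.0/16")] = n
    return hits

# Constructed sample records, one "src dst dport" per line.
SAMPLE = (
    [f"10.0.0.7 211.93.0.{i} 135" for i in range(250, 256)]
    + [f"10.0.0.7 211.93.1.{i} 135" for i in range(0, 4)]  # run crosses third byte
    + ["10.0.0.9 211.93.0.5 445", "10.0.0.9 64.12.7.200 445", "garbage line"]
    + [f"10.0.0.8 10.1.0.{i} 135" for i in range(1, 20)]  # first byte not listed
)
print(find_sweeps(SAMPLE))
```

Only `10.0.0.7` is reported: its ten targets are consecutive inside one /16 whose first byte is on the list, while scattered traffic and sequential traffic to unlisted ranges are ignored.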

Means of transmission 

Autorooter does not use any specific means to spread. It can reach computers through the normal means used by viruses: e-mail messages with infected attachments, computer networks, CD-ROMs, Internet downloads, FTP, floppy disks, etc.

Further Details  

Autorooter is written in the programming language Visual Basic. The file carrying the worm is 113,507 bytes in size when it is compressed with UPX.

The file RPC.EXE is written in Visual Basic, and it is 40,960 bytes in size. The files RPCTEST.EXE and TFTPD.EXE are 92 and 140 kilobytes in size, respectively.