
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


Rinbot.B

Threat Level: Low threat
Damage: High
Distribution: Not widespread

Effects 

Rinbot.B carries out the following actions:

  • It connects to an IRC server in order to receive remote control commands, which allow its author to gain total control over the affected computer.
  • It downloads the Trojan detected as Spammer.ZV onto the affected computer from the website:
    http://217.6<blocked>12/phpbb/uploads

Infection strategy 

Rinbot.B creates the following files:

  • ECLIPSE.EXE, in the Windows system directory. This file is a copy of the worm.
  • LSAASVR.EXE, in the Windows directory. This file belongs to Trj/Spammer.ZV and it is registered as a system service called LSA Server.


Rinbot.B creates the following entries in the Windows Registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Eclipse Environment = %sysdir%\eclipse.exe

    where %sysdir% is the Windows system directory.
    By creating this entry, Rinbot.B ensures that it is run whenever Windows is started.
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\USBSTOR\Disk&Ven_LG&Prod_X-TICK_2.0&Rev_1.00\7&329ea97c&0
    Mfg = (standard drive units)

    By creating this entry, Rinbot.B searches for drives connected via USB.
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\E
    By creating this entry, Rinbot.B obtains permission to copy itself to the mapped drives.
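The following script is an added example, not part of Panda's entry: a read-only sweep of a single Windows host for the files, Run-key value and service named above, plus any live network session owned by a process called eclipse. It assumes an elevated PowerShell session on the host being checked.

```powershell
# Added example (not Panda's code): look for the Rinbot.B artefacts described in this entry.
# Assumes an elevated PowerShell session on the suspect Windows host.
$sysDir = [Environment]::GetFolderPath('System')    # Windows system directory (%sysdir%)
$winDir = [Environment]::GetFolderPath('Windows')   # Windows directory
$findings = New-Object System.Collections.Generic.List[string]

# Dropped files: eclipse.exe (worm copy, 212,992 bytes per the entry) and lsaasvr.exe (Spammer.ZV)
$dropped = @(
    @{ Path = Join-Path $sysDir 'eclipse.exe'; ExpectedSize = 212992 },
    @{ Path = Join-Path $winDir 'lsaasvr.exe'; ExpectedSize = $null }
)
foreach ($d in $dropped) {
    if (Test-Path -LiteralPath $d.Path) {
        $size = (Get-Item -LiteralPath $d.Path).Length
        $note = if ($d.ExpectedSize -and $size -ne $d.ExpectedSize) { ' (size differs from entry)' } else { '' }
        $findings.Add("File present: $($d.Path), $size bytes$note")
    }
}

# Persistence: the "Eclipse Environment" value under the HKLM Run key
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and ($run.PSObject.Properties.Name -contains 'Eclipse Environment')) {
    $findings.Add("Run value 'Eclipse Environment' = $($run.'Eclipse Environment')")
}

# Service registered by the dropped lsaasvr.exe, display name "LSA Server"
Get-CimInstance Win32_Service -Filter "DisplayName='LSA Server'" | ForEach-Object {
    $findings.Add("Service $($_.Name) ('LSA Server'), state $($_.State), path $($_.PathName)")
}

# Live remote-control indicator: established TCP sessions owned by a running eclipse process
$procIds = (Get-Process -Name eclipse -ErrorAction SilentlyContinue).Id
if ($procIds) {
    Get-NetTCPConnection -State Established -OwningProcess $procIds -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("eclipse (PID $($_.OwningProcess)) connected to $($_.RemoteAddress):$($_.RemotePort)") }
}

if ($findings.Count -eq 0) { 'No Rinbot.B indicators found.' } else { $findings }
```

The script only reads; any hit should be preserved (file hashes, the Run value, the service binary path) before the artefacts are removed.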

Means of transmission 

Rinbot.B spreads across the Internet, computer networks, via mapped drives and through storage devices.

1.- Transmission across the Internet.

  • It generates random IP addresses.
  • It attempts to exploit the LSASS and RPC DCOM vulnerabilities on the remote computers.
  • If successful, it uses a script in order to transfer a copy of itself to the compromised computer.


2.- Transmission across networks.

  • If the affected computer belongs to a network, Rinbot.B attempts to access the network shared resources.
  • In order to do so, it uses passwords or user names that are typical or easy to guess.
  • If successful, Rinbot.B makes copies of itself to the shared resources.


3.- Transmission via mapped drives.

  • Rinbot.B checks if the infected computer is connected to a network.
  • If so, it makes an inventory of all mapped drives and creates a copy of itself in each of them.


4.- Transmission through storage devices.

  • Rinbot.B creates a copy of itself in the storage devices connected via USB.

Further Details  

Rinbot.B is written in Visual C++ v6. The worm is 212,992 bytes in size and is compressed.

Additionally, in the code of the worm there is a fake CNN interview with the author of Rinbot.B:

- Who are you?

- Hacker(s).

- Are you actually disgruntled?

- No.

- Then why are you actively going after Symantec?

- The worm is designed for getting the highest yield of computers infected, not to aggravate Symantec; there is no hate.

- So why attack the Symantec anti-virus program?

- A lot of businesses and universities run the application, making it a prime target for exploitation.

- Are you aware that your worm is crippling computer networks?

- Yes, that can happen on slow networks or networks with many computers; the worm also searches for and removes other worms from the system, acting as a small anti-virus program if you will. If you wish not to have those problems, keep your software updated.

- Why did you taunt Symantec and other security companies?

- They were the first to list the worm on their site and try and get servers shut down.

- What do you intend to use the infected computers for?

- Nothing very malicious; no fraud or anything like that.

- What is the real name of the worm and how did you come up with it?

- The real name is IrnBot, it is named after a popular soft drink called IrnBru.

- Thank you for your time, author of Rinbot.

- You are very welcome CNN, thank you for the opportunity to explain.