Rinbot.B

Threat Level: Low threat
Damage: High
Distribution: Not widespread

Effects

Rinbot.B carries out the following actions:

  • It connects to an IRC server in order to receive remote control commands, which allow its author to gain total control over the affected computer.
  • It downloads the Trojan detected as Spammer.ZV to the affected computer from the website:
    http://217.6<blocked>12/phpbb/uploads

Infection strategy

Rinbot.B creates the following files:

  • ECLIPSE.EXE, in the Windows system directory. This file is a copy of the worm.
  • LSAASVR.EXE, in the Windows directory. This file belongs to Trj/Spammer.ZV and it is registered as a system service called LSA Server.

Rinbot.B creates the following entries in the Windows Registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Eclipse Environment = %sysdir%\eclipse.exe

    where %sysdir% is the Windows system directory.
    By creating this entry, Rinbot.B ensures that it is run whenever Windows is started.
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\USBSTOR\Disk&Ven_LG&Prod_X-TICK_2.0&Rev_1.00\7&329ea97c&0
    Mfg = (standard drive units)

    By creating this entry, Rinbot.B searches for drives connected via USB.
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\E
    By creating this entry, Rinbot.B obtains permission to copy itself to the mapped drives.
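As an added example (not part of the Panda entry), the following Python triage helper parses a regedit `.reg` export of the Run key and flags the persistence value described above, matching either the value name "Eclipse Environment" or any value whose data points at eclipse.exe; the sample export text is constructed.

```python
import re

# Constructed sample of a regedit (.reg) export containing the Run key
# with the Rinbot.B persistence value alongside a benign entry.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Eclipse Environment"="C:\\WINDOWS\\system32\\eclipse.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters]
"Dummy"=dword:00000001
'''

RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
# Indicators taken from the entry above: the value name and the image it points at.
SUSPECT_VALUE_NAME = "eclipse environment"
SUSPECT_IMAGE = "eclipse.exe"


def parse_reg_export(text):
    """Return {key_path (lowercased): {value_name: data}} for a .reg export.

    Real exports from regedit are UTF-16LE with a BOM; read the file with
    encoding='utf-16' before passing the text here. String data has its
    backslashes and quotes doubled/escaped in the file, so it is unescaped.
    """
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                name, data = m.group(1), m.group(2)
                if data.startswith('"') and data.endswith('"'):
                    data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
                keys[current][name] = data
    return keys


def find_rinbot_persistence(text):
    """Return [(value_name, data)] Run entries matching the Rinbot.B indicators."""
    run_values = parse_reg_export(text).get(RUN_KEY, {})
    return [(name, data) for name, data in run_values.items()
            if name.lower() == SUSPECT_VALUE_NAME
            or data.lower().endswith(SUSPECT_IMAGE)]
```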

Means of transmission

Rinbot.B spreads across the Internet, computer networks, via mapped drives and through storage devices.

1.- Transmission across the Internet.

  • It generates random IP addresses.
  • It attempts to exploit the LSASS and RPC DCOM vulnerabilities on the remote computers.
  • If successful, it uses a script in order to transfer a copy of itself to the compromised computer.

2.- Transmission across networks.

  • If the affected computer belongs to a network, Rinbot.B attempts to access the network shared resources.
  • In order to do so, it tries user names and passwords that are common or easy to guess.
  • If successful, Rinbot.B makes copies of itself to the shared resources.

3.- Transmission via mapped drives.

  • Rinbot.B checks if the infected computer is connected to a network.
  • If so, it makes an inventory of all mapped drives and creates a copy of itself in each of them.

4.- Transmission through storage devices.

  • Rinbot.B creates a copy of itself in the storage devices connected via USB.

Further Details

Rinbot.B is written in the programming language Visual C++ v6. The worm is 212,992 bytes in size and is compressed.

Additionally, the worm's code contains a fake CNN interview with the author of Rinbot.B:

- Who are you?

- Hacker(s).

- Are you actually disgruntled?

- No.

- Then why are you actively going after Symantec?

- The worm is designed for getting the highest yield of computers infected, not to aggravate Symantec; there is no hate.

- So why attack the Symantec anti-virus program?

- A lot of businesses and universities run the application, making it a prime target for exploitation.

- Are you aware that your worm is crippling computer networks?

- Yes, that can happen on slow networks or networks with many computers; the worm also searches and removes other worms from the system, acting as a small anti-virus program if you will. If you wish not to have those problems, keep your software updated.

- Why did you taunt Symantec and other security companies?

- They were the first to list the worm on their site and try and get servers shut down.

- What do you intend to use the infected computers for?

- Nothing very malicious; no fraud or anything like that.

- What is the real name of the worm and how did you come up with it?

- The real name is IrnBot; it is named after a popular soft drink called IrnBru.

- Thank you for your time, author of Rinbot.

- You are very welcome CNN, thank you for the opportunity to explain.

Last updated: 05/03/2007
