W32/Raleka.worm

Discussion in 'malware problems & news' started by rerun2, Aug 27, 2003.

Thread Status:
Not open for further replies.
    rerun2 Registered Member

    Another worm that spreads using the RPC vuln.

    "This threat was proactively detected as a variant of Exploit-DcomRpc with the 4288 DAT files and the 4.2.40 or higher scan engine. This detection requires the scanning of compressed executables to be enabled (VirusScan 7 provides the ability to disable this option, however it is enabled by default).

    This is a detection for a new worm exploiting the 'Windows RPC Service' vulnerability (MS03-026 patch). When the worm is executed, it tries to download two files from the IP address 212.59.199.45:

    * NTROOTKIT.EXE (128000 bytes)
    * NTROOTKIT.REG (245 bytes)

    These files are downloaded to the Windows System directory and are detected as "NTRootkit-E" with 4289 DATs or later.

    The worm uses its own engine to connect to an IRC Server (IRC.IRCSOULZ.NET:6667) and join a channel.

    After the worm successfully infects a machine, it tries to overwrite the SVCHOST.EXE in the SYSTEM folder and gives the order for the victim machine to download both NTROOTKIT files from the attacking host rather than downloading them from the IP address mentioned above.

    Finally the IP address of the victim machine is written to a file called "RPCSS.INI" within the Windows System directory on the attacking machine."

    http://vil.nai.com/vil/content/v_100574.htm

    I have tried going to Sophos and KAV for more info but I do not believe they have provided a virus analysis as of yet. Because it tries to download a rootkit, I am not sure if it would have been better if I posted under trojan alerts.
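As a defender-side check, added here and not part of the original post or of the McAfee description it quotes, the Python example below looks for the artefacts that description lists (the two NTROOTKIT files with their stated sizes, the RPCSS.INI victim list, a modified SVCHOST.EXE) and for connections to the named IRC server or download host in netstat-style output. The baseline hash of a clean svchost.exe, the sample netstat lines and the constructed "infected" directory are assumptions for the demonstration.

```python
import hashlib
import os
import tempfile
# Indicators quoted in the McAfee/NAI description above.
DROPPED_FILES = {"ntrootkit.exe": 128000, "ntrootkit.reg": 245}
VICTIM_LIST = "rpcss.ini"  # written by the worm on the attacking host
DOWNLOAD_HOST, IRC_SERVER, IRC_PORT = "212.59.199.45", "irc.ircsoulz.net", "6667"
SAMPLE_NETSTAT = [  # constructed sample of `netstat` output, not a real capture
    "TCP    192.168.1.10:1056   irc.ircsoulz.net:6667   ESTABLISHED",
    "TCP    192.168.1.10:1057   212.59.199.45:80        SYN_SENT",
    "TCP    192.168.1.10:1058   www.example.org:80      ESTABLISHED",
]
def check_system_dir(system_dir, svchost_baseline_sha256):
    """Flag the worm's artefacts in a Windows System directory (baseline hash of a clean SVCHOST.EXE assumed known)."""
    findings = []
    for name in sorted(n for n in os.listdir(system_dir)
                       if os.path.isfile(os.path.join(system_dir, n))):
        path = os.path.join(system_dir, name)
        lower, size = name.lower(), os.path.getsize(path)
        if lower in DROPPED_FILES:
            findings.append(f"{name}: worm payload present ({size} bytes; advisory lists {DROPPED_FILES[lower]})")
        elif lower == VICTIM_LIST:
            findings.append(f"{name}: victim list present, this host may be spreading the worm")
        elif lower == "svchost.exe":
            with open(path, "rb") as f:
                if hashlib.sha256(f.read()).hexdigest() != svchost_baseline_sha256:
                    findings.append(f"{name}: differs from baseline (the worm overwrites it)")
    return findings

def check_connections(netstat_lines):
    """Flag TCP connections to the IRC server or the download host."""
    hits = []
    for line in netstat_lines:
        parts = line.split()
        if len(parts) < 3 or parts[0].upper() != "TCP":
            continue
        host, _, port = parts[2].rpartition(":")
        if host.lower() in (DOWNLOAD_HOST, IRC_SERVER) or port == IRC_PORT:
            hits.append(line.strip())
    return hits

def build_sample_system_dir():
    """Construct a fake infected System directory; returns (path, clean svchost hash)."""
    d = tempfile.mkdtemp()
    sample = {"NTROOTKIT.EXE": b"\0" * 128000, "NTROOTKIT.REG": b"\0" * 245,
              "RPCSS.INI": b"192.168.1.20\r\n", "SVCHOST.EXE": b"not the real svchost"}
    for fname, data in sample.items():
        with open(os.path.join(d, fname), "wb") as f:
            f.write(data)
    return d, hashlib.sha256(b"constructed clean svchost").hexdigest()
```

On a real machine you would point check_system_dir at the Windows System directory with a hash recorded before infection, and feed check_connections the lines of `netstat` (hostnames resolved, since the IRC indicator is a name rather than an address).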