Educause Security Discussion mailing list archives
Raleka.B DCOM RPC Worm Spreading in the Wild
From: Kathie Brinkman <brinkmkb () MUOHIO EDU>
Date: Wed, 3 Sep 2003 17:42:02 -0400
FYI, per our intrusion detection vendor (Symantec has information on this as well):

HIGH - "Raleka.B is a new variant of the DCOM RPC-exploiting Raleka worm family. This worm attempts to compromise vulnerable computers, uploading copies of itself on the remote computer. Raleka.B attempts to install four files on the remote computer: svchost.exe, ntrootkit.exe, ntrootkit.reg and service.exe. Svchost.exe (14,880 bytes) is the worm, ntrootkit.exe is a Trojan detected as Troj/RtKit-11 and/or BKDR_NTRTKT.A, ntrootkit.reg is a file used to execute the Trojan on Microsoft Corp.'s Windows XP and service.exe is a legitimate program that is not inherently malicious. Once installed, the worm attempts to patch against the DCOM RPC vulnerability and works as a backdoor Trojan. A file is created in the current directory, svchost.ini, containing a list of all the IP addresses scanned by the worm. It attempts to connect to remote IRC servers to receive instructions from a remote attacker. The worm can also reportedly update itself through a remote website at http://update.hopOMMITTED TEXTto.org/. The body of the worm contains the text BenderBOT.

Alias: W32/Raleka-B, W32.HLLW.Raleka, Win32/Raleka.A, Worm.Win32.Raleka.b, Raleka, Raleka.B, BKDR_NTRTKT.A, BenderBOT" - iDEFENSE

_______________________________
Kathleen B. Brinkman
Senior Manager, IT Services Support Desk
312-A Hoyt Hall, Miami University
mailto: brinkmkb () muohio edu
voice: 513.529.5947
fax: 513.529.1496

********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
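As an added host-triage example (written for this archive page, not code from the original post or from iDEFENSE/Symantec), the script below walks a directory tree for the dropped files the advisory names, flagging a 14,880-byte svchost.exe anywhere (the legitimate one in System32 is far larger) and pulling the scanned IP addresses out of svchost.ini so they can be checked for follow-on infections. The svchost.ini layout is not given in the advisory, so extracting every dotted quad from it is an assumption; the sample tree is constructed inside the script.

```python
import os
import re
import tempfile

# Indicators as stated in the advisory (names and the worm's file size).
WORM_SIZE = 14880                       # size of the dropped svchost.exe
DROPPED = {"svchost.exe", "ntrootkit.exe", "ntrootkit.reg", "service.exe"}
SCAN_LOG = "svchost.ini"                # list of IPs scanned by the worm
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")   # assumption: one IP per token


def scan_tree(root):
    """Report files matching the advisory's indicators under `root`.
    A directory is considered suspicious when it holds a svchost.exe of
    exactly WORM_SIZE bytes or a svchost.ini; only then are the other
    dropped names reported, so the legitimate svchost.exe/service.exe
    found on every Windows host do not produce noise."""
    hits = []
    for dirpath, _, files in os.walk(root):
        by_lower = {f.lower(): f for f in files}
        worm = ("svchost.exe" in by_lower and os.path.getsize(
            os.path.join(dirpath, by_lower["svchost.exe"])) == WORM_SIZE)
        if not (worm or SCAN_LOG in by_lower):
            continue
        for name in sorted(DROPPED | {SCAN_LOG}):
            if name in by_lower:
                hits.append(os.path.join(dirpath, by_lower[name]))
    return hits


def scanned_targets(ini_path):
    """Extract de-duplicated IPv4 addresses (assumed layout) from svchost.ini."""
    with open(ini_path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return list(dict.fromkeys(IPV4.findall(text)))


def demo():
    """Build a constructed sample tree in a temp dir and triage it."""
    base = tempfile.mkdtemp(prefix="raleka_demo_")
    infected, clean = os.path.join(base, "infected"), os.path.join(base, "clean")
    os.makedirs(infected); os.makedirs(clean)
    with open(os.path.join(infected, "svchost.exe"), "wb") as fh:
        fh.write(b"\x00" * WORM_SIZE)            # constructed worm-sized file
    for name in ("ntrootkit.exe", "ntrootkit.reg"):
        open(os.path.join(infected, name), "wb").close()
    with open(os.path.join(infected, SCAN_LOG), "w") as fh:
        fh.write("10.0.0.5\n10.0.0.6\n10.0.0.5\nnot-an-ip\n")   # constructed
    with open(os.path.join(clean, "svchost.exe"), "wb") as fh:
        fh.write(b"\x00" * 20000)                # legit-sized: must not be flagged
    hits = [os.path.basename(os.path.dirname(h)) + "/" + os.path.basename(h)
            for h in scan_tree(base)]
    return hits, scanned_targets(os.path.join(infected, SCAN_LOG))
```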