Educause Security Discussion mailing list archives

Raleka.B DCOM RPC Worm Spreading in the Wild


From: Kathie Brinkman <brinkmkb () MUOHIO EDU>
Date: Wed, 3 Sep 2003 17:42:02 -0400

FYI, per our intrusion detection vendor - Symantec has information on this
as well.


HIGH - "Raleka.B is a new variant of the DCOM RPC-exploiting Raleka worm
family. This worm attempts to compromise vulnerable computers, uploading
copies of itself on the remote computer.

Raleka.B attempts to install four files on the remote computer:
svchost.exe, ntrootkit.exe, ntrootkit.reg and service.exe. Svchost.exe
(14,880 bytes) is the worm, ntrootkit.exe is a Trojan detected as
Troj/RtKit-11 and/or BKDR_NTRTKT.A, ntrootkit.reg is a file used to execute
the Trojan on Microsoft Corp.'s Windows XP and service.exe is a legitimate
program that is not inherently malicious.

Once installed, the worm attempts to patch against the DCOM RPC
vulnerability and works as a backdoor Trojan. A file is created in the
current directory, svchost.ini, containing a list of all the IP addresses
scanned by the worm. It attempts to connect to remote IRC servers to
receive instructions from a remote attacker. The worm can also reportedly
update itself through a remote website at http://update.hopOMMITTED
TEXTto.org/. The body of the worm contains the text BenderBOT.

Alias: W32/Raleka-B, W32.HLLW.Raleka, Win32/Raleka.A, Worm.Win32.Raleka.b,
Raleka, Raleka.B, BKDR_NTRTKT.A, BenderBOT" - iDEFENSE



_______________________________
Kathleen B. Brinkman
Senior Manager, IT Services Support Desk
312-A Hoyt Hall, Miami University
mailto: brinkmkb () muohio edu
voice: 513.529.5947
fax: 513.529.1496
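As an added example (not part of this post or of the iDEFENSE advisory it quotes): a defender-side triage script that checks a directory for the indicators the advisory names, namely the dropped ntrootkit.exe/ntrootkit.reg files, a 14,880-byte svchost.exe carrying the BenderBOT marker, and the svchost.ini scan log, whose addresses are the hosts an incident responder would check next. The sample tree built in demo() and the finding strings are constructed here and are not real samples.

```python
import os
import re
import tempfile

# Indicators from the advisory: dropped names, worm size, marker, scan log.
ROOTKIT_FILES = {"ntrootkit.exe", "ntrootkit.reg"}
WORM_SIZE = 14880
WORM_MARKER = b"BenderBOT"
IPV4 = re.compile(rb"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

def classify(name, data):
    """Return indicator findings for one file (name + raw bytes); [] if clean."""
    name = name.lower()
    if name == "svchost.exe":
        # Genuine svchost.exe lives in System32; a 14,880-byte copy with the marker is the worm.
        if len(data) == WORM_SIZE and WORM_MARKER in data:
            return ["svchost.exe: Raleka.B size and BenderBOT marker"]
    elif name in ROOTKIT_FILES:
        return [f"{name}: rootkit component dropped by Raleka.B"]
    elif name == "svchost.ini":
        # Every address in the scan log is a host the worm probed: the scope list.
        return [f"svchost.ini: {len(set(IPV4.findall(data)))} scanned hosts"]
    return []  # service.exe is legitimate per the advisory, so not flagged alone

def scanned_hosts(data):
    """Unique IPv4 addresses from a svchost.ini scan log, sorted."""
    return sorted({m.decode() for m in IPV4.findall(data)})

def scan_tree(root):
    """Walk a directory; map relative path -> findings for files that hit."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                hits = classify(fname, fh.read())
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report

def demo():
    """Constructed sample tree (not real samples) run through scan_tree."""
    with tempfile.TemporaryDirectory() as root:
        samples = {"svchost.exe": b"\x00" * (WORM_SIZE - len(WORM_MARKER)) + WORM_MARKER,
                   "ntrootkit.reg": b"REGEDIT4\r\n", "service.exe": b"MZ legit",
                   "svchost.ini": b"10.0.0.5\r\n10.0.0.9\r\n10.0.0.5\r\n"}
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return scan_tree(root)
```

Run scan_tree() against the directory a suspect host's worm copy was found in; the address list from scanned_hosts() on svchost.ini is the set of machines to examine for the same dropped files.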

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
