Re: Microsoft Update Loader msrtwd.exe

[Joe Stewart <jstewart () lurhq com>]

On Thu, 2 Sep 2004 10:16:30 -0400, S.A. Birl wrote:
> Does anyone know how it infects?

Primarily via the LSASS exploit over port 445, but variants have been 
seen with the following additional exploits/password brute-force 
spreading modules:

WebDav
Lsass135
Lsass1025
NetBios
NTPass
Dcom135
Dcom445
Dcom1025
MSSQL
Beagle1
Beagle2
MyDoom
Optix
UPNP
NetDevil
DameWare
Kuang2
Sub7

After the exploit, the bot is copied to the victim using the Windows 
tftp client.

> http://virusscan.jotti.dhs.org/ lists msrtwd.exe as backdoor.sdbot.gen

Yes, some AV companies identify Rbot as SDbot, even though the two look 
almost nothing alike. It could be that Rbot was derived from SDbot, but 
it has grown substantially, and is almost on par with Agobot in terms 
of functionality.

Because there are so many variants, each with a different exe name, it's 
sometimes hard to keep track of them. Just so it can be indexed for 
future reference, here is a list of Rbot exe names we've seen during 
exploit captures, and dates we've seen them spreading over the last 3 
months:

Dates Seen               Exe Name
---------------------------------
2004/06/06 - 2004/06/27  lsrv.exe
2004/06/06 - 2004/08/28  wuapdate16.exe
2004/06/07 - 2004/06/15  sndcfg16.exe
2004/06/07 - 2004/08/30  wuamgrd.exe
2004/06/08 - 2004/06/27  lsac.exe
2004/06/10 - 2004/06/10  winupdos.exe
2004/06/10 - 2004/06/26  dosprmwin.exe
2004/06/11 - 2004/06/11  systemse.exe
2004/06/11 - 2004/08/18  scrgrd.exe
2004/06/13 - 2004/06/13  dude.exe
2004/06/14 - 2004/06/14  esplorer.exe
2004/06/14 - 2004/06/14  landriver32.exe
2004/06/14 - 2004/06/14  mpd.exe
2004/06/14 - 2004/06/14  updatez.exe
2004/06/14 - 2004/06/25  svssshost.exe
2004/06/14 - 2004/08/26  jacfg2.exe
2004/06/17 - 2004/06/26  wuammgr32.exe
2004/06/18 - 2004/06/18  svhost.exe
2004/06/18 - 2004/06/18  wuamgrd32.exe
2004/06/18 - 2004/06/23  wuamagrd.exe
2004/06/20 - 2004/06/20  wloader.exe
2004/06/21 - 2004/08/29  pidserv.exe
2004/06/22 - 2004/09/01  navscan32.exe
2004/06/23 - 2004/06/23  hpsysmon.exe
2004/06/24 - 2004/06/24  winipcfgs.exe
2004/06/24 - 2004/06/24  wwwstream.exe
2004/06/25 - 2004/06/25  lcsrv64.exe
2004/06/25 - 2004/06/25  srvhost.exe
2004/06/25 - 2004/06/25  systemnt.exe
2004/06/25 - 2004/06/25  win64.exe
2004/06/27 - 2004/06/27  win32apisrvr.exe
2004/08/16 - 2004/08/24  soundblaster.exe
2004/08/16 - 2004/08/25  msnmsg.exe
2004/08/16 - 2004/08/27  windowsup.exe
2004/08/16 - 2004/08/29  muamgrd.exe
2004/08/16 - 2004/08/30  winupdater.exe
2004/08/16 - 2004/08/31  win16update.exe
2004/08/16 - 2004/09/01  dllmngr32.exe
2004/08/17 - 2004/08/17  msdev.exe
2004/08/17 - 2004/08/17  svchostc.exe
2004/08/17 - 2004/08/31  javatm.exe
2004/08/17 - 2004/08/31  usbsvc.exe
2004/08/17 - 2004/09/01  msnmsgr.exe
2004/08/18 - 2004/08/18  mnzks.exe
2004/08/18 - 2004/08/18  notepad.exe
2004/08/18 - 2004/08/18  tcpip.exe
2004/08/19 - 2004/08/19  mss3rvices200x.exe
2004/08/19 - 2004/08/19  msservices200x.exe
2004/08/19 - 2004/09/01  iexplore.exe
2004/08/23 - 2004/08/23  msrtwd.exe
2004/08/24 - 2004/08/24  csass.exe
2004/08/24 - 2004/08/24  winxp32.exe
2004/08/24 - 2004/08/26  nmon.exe
2004/08/24 - 2004/08/27  winupdate.exe
2004/08/24 - 2004/09/01  msnplus.exe
2004/08/25 - 2004/08/25  lsas.exe
2004/08/25 - 2004/08/27  dwervdl32.exe
2004/08/26 - 2004/08/26  jutsu.exe
2004/08/26 - 2004/08/26  usb.exe
2004/08/26 - 2004/08/26  win43.exe
2004/08/27 - 2004/08/27  java.exe
2004/08/27 - 2004/08/27  svchost32.exe
2004/08/27 - 2004/08/29  iexplorer.exe
2004/08/27 - 2004/08/30  ati2vid.exe
2004/08/27 - 2004/08/30  svchosts.exe
2004/08/29 - 2004/08/29  server.exe
2004/08/29 - 2004/08/30  nortoanavap.exe
2004/08/29 - 2004/09/02  syswin32.exe
2004/08/30 - 2004/09/02  rsvc32.exe
2004/08/30 - 2004/09/02  vsmons.exe
2004/08/31 - 2004/08/31  winsrv.exe
2004/09/02 - 2004/09/02  sslwina.exe
2004/09/02 - 2004/09/02  winxpini.exe

-Joe

-- 
Joe Stewart, GCIH 
Senior Security Researcher
LURHQ http://www.lurhq.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html