Worm.Win32.Autorooter
Autorooter is a multi-component Win32 worm designed to spread through local and global networks; however, the spreading routines are not complete in the current version.
The worm got its name from the text strings found in its main component:
rpc autorooter by ERIC
RPC autorooter
To spread, the worm exploits the MS Windows DCOM RPC vulnerability described in Microsoft Security Bulletin MS03-026.

The File Archive (package)
The Autorooter worm is a Win32 SFX ZIP file (self-extracting archive) about 114KB in size. It contains three files:
rpc.exe - 41KB, main component (starter), detected as Worm.Win32.Autorooter
tftpd.exe - 144KB, legitimate TFTP server
rpctest.exe - 95KB, exploit, detected as Exploit.Win32.DCom
When the SFX package is executed, it extracts these three files to the root directory of the C: drive and runs the rpc.exe main component.
Main Component rpc.exe
The main component runs the tftpd.exe file and tries to download the file lolx.exe from a remote site. The known lolx.exe file is a backdoor trojan, detected as Backdoor.SdBot.gen.
The worm then searches for remote machines and tries to establish a connection on port 445. The IP addresses (a.b.c.d) for scanning are generated randomly according to the following algorithm:
The ‘a’ value is selected from the following list (all values are used):
24, 12, 211, 217, 218, 220, 4, 68, 165, 65, 213, 64, 208, 128
The ‘b’ value is a random number from 0 to 255. The ‘c’ and ‘d’ values take any value from 1 to 255.
For example, if ‘a’ is 68 and ‘b’ is 120, the worm will search for machines at all addresses in the range 68.120.0.1 - 68.120.255.255.
The worm searches for remote machines in these ranges, connects to any machine it finds and sends the exploit code to it. To send the exploit, the worm runs the rpctest.exe component. This component sends a buffer-overrun request that starts a command shell on port 57005 on vulnerable (victim) machines.
rpctest.exe component
This is the exploit tool. It contains the following text string:
USE THE FORZ LUKE!
tftpd.exe component
This is a legitimate HaneWin TFTP server. It is installed on port 69 by the Autorooter main component and is used to download the backdoor component.
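The network behaviour described in the sections above (SMB probing of addresses whose first octet comes from the worm's fixed list, the command shell on port 57005, and the TFTP transfer of the backdoor) is enough to write a simple detection pass over connection logs. The following is an added example written for this page, not code from the original analysis or from Kaspersky; the log line format, the sample lines and the scan threshold are constructed assumptions, and the heuristics only use the ports and the first-octet list given in the text above.

```python
"""Detection heuristics for Autorooter-style activity in connection logs.

Added example (not from the original write-up). It scans constructed
firewall/netflow-style log lines for three behaviours the description
above attributes to the worm:

  1. TCP/445 connection attempts from one source fanned out across many
     hosts whose first octet is one of the worm's hard-coded values
     (a scanning signature),
  2. any TCP connection to port 57005, on which the DCOM exploit starts a
     command shell on a victim,
  3. UDP/69 (TFTP) traffic, which the worm uses to transfer lolx.exe.

The log format '<ts> <proto> <src>:<sport> -> <dst>:<dport>' and the
sample lines are constructed for this example; SCAN_THRESHOLD is an
assumed tuning value, not something the description states.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# First-octet values the worm uses when generating addresses to scan
# (copied from the description above).
AUTOROOTER_FIRST_OCTETS: Set[int] = {
    24, 12, 211, 217, 218, 220, 4, 68, 165, 65, 213, 64, 208, 128,
}

SMB_PORT = 445       # port the worm probes on candidate victims
SHELL_PORT = 57005   # port on which the exploit payload opens a shell
TFTP_PORT = 69       # HaneWin TFTP server used to fetch the backdoor

# Assumed: a single source touching this many distinct hosts on 445
# within the worm's address space is treated as a scanner.
SCAN_THRESHOLD = 20


def in_autorooter_scan_space(ip: str) -> bool:
    """True if the address's first octet is one the worm would generate."""
    first_octet = int(ip.split(".")[0])
    return first_octet in AUTOROOTER_FIRST_OCTETS


def parse_line(line: str) -> Dict[str, object]:
    """Parse one constructed log line into its fields."""
    ts, proto, src, _arrow, dst = line.split()
    src_ip, _sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return {"ts": ts, "proto": proto.lower(),
            "src": src_ip, "dst": dst_ip, "dport": int(dport)}


def analyse(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (alert_type, source, detail) tuples for suspicious activity."""
    alerts: List[Tuple[str, str, str]] = []
    smb_targets: Dict[str, Set[str]] = defaultdict(set)

    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        rec = parse_line(raw)
        proto, dport = rec["proto"], rec["dport"]
        if proto == "tcp" and dport == SHELL_PORT:
            # A shell on 57005 only exists after a successful exploit.
            alerts.append(("shell_port", rec["src"], rec["dst"]))
        elif proto == "udp" and dport == TFTP_PORT:
            alerts.append(("tftp", rec["src"], rec["dst"]))
        elif proto == "tcp" and dport == SMB_PORT \
                and in_autorooter_scan_space(rec["dst"]):
            # Count distinct targets per source; report scanners at the end.
            smb_targets[rec["src"]].add(rec["dst"])

    for src, targets in smb_targets.items():
        if len(targets) >= SCAN_THRESHOLD:
            alerts.append(("smb_scan", src, f"{len(targets)} hosts"))
    return alerts


# Constructed sample log: one benign internal SMB session, a host sweeping
# a 68.120.x.y range on 445, the post-exploit shell connection, and the
# victim pulling the backdoor from the infected host's TFTP server.
SAMPLE_LOG: List[str] = (
    ["2003-08-13T10:00:00 tcp 10.0.0.7:3301 -> 10.0.0.20:445"]
    + [f"2003-08-13T10:01:{i:02d} tcp 10.0.0.5:{1025 + i} -> 68.120.{i}.1:445"
       for i in range(25)]
    + ["2003-08-13T10:02:00 tcp 10.0.0.5:1100 -> 68.120.3.1:57005",
       "2003-08-13T10:02:05 udp 68.120.3.1:2001 -> 10.0.0.5:69"]
)

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(*alert)
```

The internal 10.0.0.7 session is ignored because 10 is not in the worm's first-octet list, which keeps ordinary SMB traffic from inflating the scanner count; the shell-port and TFTP rules fire on a single connection because neither port has a legitimate role on a typical workstation.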

Summary
Even though this file package does not contain any auto-replication functions, we still consider it more of a worm-type program than merely a backdoor or a hacktool.
We believe that this version is only a test version of a new worm, one that already contains enough functions to provide for self-replication. It is possible that the author aimed to set up a widely dispersed network of hacked computers for later use in hacker or virus attacks.

Our Recommendations
Apply the patch from Microsoft.
Block TCP ports 135, 139 and 445 in your local firewall.
