Worm.Win32.Raleka

Details
Worm.Win32.Raleka.a
Raleka is a worm that spreads over the Internet by exploiting a buffer overflow vulnerability in the DCOM RPC service of Microsoft Windows. The vulnerability is described in Microsoft Security Bulletin MS03-026.
The infected file is approximately 14 KB in size when packed with UPX.
Installing
When run, the worm downloads and launches the Trojan Backdoor.RtKit (which consists of the files ntrootkit.exe and ntrootkit.reg). Raleka then starts its spreading routine.
Replication
The worm scans IP addresses sequentially, starting from A.B.C.0, where 'A' and 'B' are taken from the address of the currently infected computer and 'C' is chosen at random.
The worm connects to each address over TCP on port 135 and sends a specially crafted packet. This packet carries code that lets the worm run arbitrary commands remotely on the target machine. If the attacked computer is vulnerable to the DCOM RPC exploit, the code runs automatically.
If the attack succeeds, a program file called 'down.com' is created and run on the victim machine. This program downloads the files 'svchost32.exe' (the worm itself), 'service.exe' (an auxiliary program that loads services) and 'ntrootkit.exe' (Backdoor.RtKit).
Svchost32.exe is copied to a Windows subdirectory under the name 'svchost.exe'. In addition, a command file that executes svchost.exe is created in the Windows directory; with the help of 'service.exe', this command file is registered to run automatically on the next operating system restart. Note that the legitimate svchost.exe lives in %SystemRoot%\System32, so a copy of that name in any other Windows subdirectory is a useful indicator of infection.
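The scan pattern above (targets share the infected host's first two octets, the third octet is random, the fourth counts up from 0, always TCP/135) is distinctive enough to detect from perimeter or host firewall logs. The following is an added detection example written for this page, not code from the original entry or from any vendor product; the syslog-style log format, the sample lines and the threshold of five consecutive targets are constructed assumptions.

```python
"""Flag Raleka-style DCOM RPC (TCP/135) scanning in firewall logs.

Added example for this page; the log format below is a constructed
syslog-like format, not one the original entry describes.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log (assumption: a "src=... dst=... dpt=..." firewall format).
# 10.20.77.5 walks 10.20.133.0 upwards on port 135 inside its own /16, the
# Raleka pattern; the other sources are single lookups or other ports.
SAMPLE_LOG = """\
Aug 12 03:14:01 fw1 kernel: SYN src=10.20.77.5 dst=10.20.133.0 dpt=135
Aug 12 03:14:01 fw1 kernel: SYN src=10.20.77.5 dst=10.20.133.1 dpt=135
Aug 12 03:14:01 fw1 kernel: SYN src=10.20.77.5 dst=10.20.133.2 dpt=135
Aug 12 03:14:02 fw1 kernel: SYN src=10.20.77.5 dst=10.20.133.3 dpt=135
Aug 12 03:14:02 fw1 kernel: SYN src=10.20.77.5 dst=10.20.133.4 dpt=135
Aug 12 03:14:02 fw1 kernel: SYN src=10.20.77.5 dst=10.20.133.5 dpt=135
Aug 12 03:14:03 fw1 kernel: SYN src=10.20.77.5 dst=10.20.133.6 dpt=135
Aug 12 03:14:03 fw1 kernel: SYN src=10.20.77.5 dst=10.20.133.7 dpt=135
Aug 12 03:14:05 fw1 kernel: SYN src=10.20.44.9 dst=10.20.44.10 dpt=135
Aug 12 03:14:06 fw1 kernel: SYN src=10.20.44.9 dst=10.20.44.12 dpt=445
Aug 12 03:14:07 fw1 kernel: SYN src=192.168.1.8 dst=10.20.9.3 dpt=135
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dpt=(?P<dpt>\d+)")


def parse(log):
    """Yield (src, dst, dst_port) for every line that matches the format."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["dpt"])


def same_slash16(a, b):
    """True when both addresses share their first two octets (A.B)."""
    return (ipaddress.ip_network(f"{a}/16", strict=False)
            == ipaddress.ip_network(f"{b}/16", strict=False))


def longest_consecutive_run(addrs):
    """Length of the longest run of numerically adjacent addresses."""
    addrs = sorted(set(addrs))
    longest = run = 1 if addrs else 0
    for a, b in zip(addrs, addrs[1:]):
        run = run + 1 if int(b) - int(a) == 1 else 1
        longest = max(longest, run)
    return longest


def find_scanners(log, min_targets=5):
    """Return {src: [dst, ...]} for sources whose TCP/135 targets inside
    the source's own /16 form at least `min_targets` consecutive addresses.

    The /16 restriction follows the worm's choice of A.B from its own
    address; min_targets is a constructed threshold, tune it to your
    network's normal RPC traffic.
    """
    targets = defaultdict(list)
    for src, dst, dpt in parse(log):
        if dpt != 135 or not same_slash16(src, dst):
            continue
        targets[src].append(ipaddress.ip_address(dst))

    hits = {}
    for src, dsts in targets.items():
        if longest_consecutive_run(dsts) >= min_targets:
            hits[src] = [str(d) for d in sorted(set(dsts))]
    return hits


if __name__ == "__main__":
    for src, dsts in find_scanners(SAMPLE_LOG).items():
        print(f"possible DCOM RPC scanner {src}: {dsts[0]} .. {dsts[-1]} ({len(dsts)} hosts)")
```

Sequential hosts on TCP/135 from one source are the signal; a single RPC connection to a domain controller or file server is normal and is ignored by the run-length check. The same logic works on host firewall logs of the suspected infected machine itself, where the outbound side of the scan is visible even if the perimeter never sees it.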
Other
The Raleka worm starts an HTTP server on infected computers, which it uses to serve the worm files 'service.exe' and 'ntrootkit.exe' to newly attacked machines (see "Replication" above). The worm then connects to the IRC server 'ircircsoulz.net', from which it receives commands such as:
Connect to an IRC channel named in the command
Terminate (unload) running processes from memory
Download files from the Internet
Launch files
Install the patch that fixes the DCOM vulnerability (it downloads the patch version intended for the Spanish edition of Windows XP)
Download new worm versions from specified sites
Send out the list of IP addresses that its scans found to be vulnerable to the DCOM RPC exploit (see "Replication" above)
