More on the Rinbot family of computer worms

The Trojans ShotOne and Yabarasu, the Rinbot family of worms and the Expiro.A virus are the subjects of this week’s PandaLabs report. ShotOne causes a series of problems on infected computers. By modifying the Windows registry it can block Windows Update and remove the File menu from Internet Explorer and Windows Explorer. It also hides the Properties entries for “My Documents” and “My Computer”.

Other malicious effects include disabling the taskbar right-click menu and the Start button, hiding Notification Area icons and removing the “Run” and “Search” options from the Start menu.

This Trojan runs whenever the system starts up. When it does so, it displays a series of screens that make it impossible to use the computer, and it restarts the infected computer every three hours. The second Trojan in this week’s report is Yabarasu, which also runs every time the system starts up and displays a screen of its own.

Yabarasu copies itself onto infected systems. To trick users, it hides all file extensions and the tooltip (the information box Windows shows when the cursor rests on a file). Yabarasu also hides folders on the C: drive and drops a copy of itself beside each one, with the same name and the folder icon. A user who double-clicks one of these apparent folders actually runs the Trojan.

Both ShotOne and Yabarasu reach computers by the usual routes: email attachments, file downloads, infected removable storage devices and so on.
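The registry and file-system effects described for ShotOne and Yabarasu can be checked on a suspect machine. The script below is an added example, not code from PandaLabs or from the malware: it audits the standard Windows policy values that produce each symptom, lists the Run-key autostart entries both Trojans would need, and looks for the Yabarasu-style hidden folder that has an .exe of the same name beside it. Which specific registry values the Trojans set is an assumption on my part; the report names only the symptoms.

```powershell
# Added example (not PandaLabs' or the malware's code). ASSUMPTION: the value
# names below are the standard Windows policy values that cause each symptom
# in the report; the report does not say which values ShotOne/Yabarasu touch.
$Explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$Advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$PolicyChecks = @(
    @{ Path = $Explorer; Name = 'NoFileMenu';              Bad = 1; Symptom = 'File menu removed from Explorer / IE' },
    @{ Path = $Explorer; Name = 'NoRun';                   Bad = 1; Symptom = 'Run removed from Start menu' },
    @{ Path = $Explorer; Name = 'NoFind';                  Bad = 1; Symptom = 'Search removed from Start menu' },
    @{ Path = $Explorer; Name = 'NoTrayContextMenu';       Bad = 1; Symptom = 'Taskbar right-click menu disabled' },
    @{ Path = $Explorer; Name = 'NoTrayItemsDisplay';      Bad = 1; Symptom = 'Notification Area icons hidden' },
    @{ Path = $Explorer; Name = 'NoPropertiesMyDocuments'; Bad = 1; Symptom = 'My Documents properties hidden' },
    @{ Path = $Explorer; Name = 'NoPropertiesMyComputer';  Bad = 1; Symptom = 'My Computer properties hidden' },
    @{ Path = $Explorer; Name = 'NoWindowsUpdate';         Bad = 1; Symptom = 'Windows Update links blocked' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'; Name = 'NoAutoUpdate'; Bad = 1; Symptom = 'Automatic Updates disabled' },
    @{ Path = $Advanced; Name = 'HideFileExt';             Bad = 1; Symptom = 'File extensions hidden (Yabarasu)' },
    @{ Path = $Advanced; Name = 'ShowInfoTip';             Bad = 0; Symptom = 'File tooltips disabled (Yabarasu)' }
)

function Test-ExplorerPolicyTampering {
    # Emit one object per policy value that is present and in its "bad" state.
    foreach ($c in $PolicyChecks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -ne $item -and $item.($c.Name) -eq $c.Bad) {
            [PSCustomObject]@{ Path = $c.Path; Name = $c.Name; Value = $item.($c.Name); Symptom = $c.Symptom }
        }
    }
}

function Get-AutostartEntries {
    # Both Trojans run at every start-up; list the usual Run keys so an
    # unfamiliar entry stands out. PS* properties are provider metadata, not values.
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -notlike 'PS*') {
                [PSCustomObject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}

function Find-FolderImpersonation {
    param([string]$Root = 'C:\')
    # Yabarasu hides a folder and drops <FolderName>.exe beside it carrying the
    # folder icon; with extensions hidden only the fake "folder" is visible.
    $entries = Get-ChildItem -Path $Root -Force -ErrorAction SilentlyContinue
    $hiddenDirs = $entries | Where-Object {
        $_.PSIsContainer -and (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
    }
    foreach ($dir in $hiddenDirs) {
        $fake = Join-Path -Path $Root -ChildPath ($dir.Name + '.exe')
        if (Test-Path -Path $fake -PathType Leaf) {
            [PSCustomObject]@{ HiddenFolder = $dir.FullName; SuspectExe = $fake }
        }
    }
}

# Run the three checks; review output before deleting anything.
Test-ExplorerPolicyTampering | Format-Table -AutoSize
Get-AutostartEntries        | Format-Table -AutoSize
Find-FolderImpersonation -Root 'C:\' | Format-Table -AutoSize
```

On a domain-joined machine a hit from the first check may be legitimate Group Policy rather than malware, so compare against the applied GPOs before removing a value. The folder check only flags a hidden directory that has a same-named .exe next to it, so system folders such as “System Volume Information” do not produce noise on their own.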

This week PandaLabs has detected several variants of the Rinbot family of worms: Rinbot.B, Rinbot.F, Rinbot.G and Rinbot.H. These worms spread by copying themselves to mapped drives and shared network resources. They also copy themselves to USB devices (MP3 players, memory sticks and so on) that are connected to the computer.

Some variants also exploit known vulnerabilities to spread. Rinbot.B, for example, uses the LSASS and RPC DCOM vulnerabilities (fixed by Microsoft bulletins MS04-011 and MS03-026 respectively). The patches for these flaws have been available for some time.

Rinbot.G exploits a weakness in SQL Server to authenticate to the server. Once it has a foothold on the machine, the worm downloads a copy of itself via TFTP and runs it.

Rinbot.H also exploits a vulnerability in order to spread: it looks for servers affected by the flaw described in Microsoft security bulletin MS01-032, which the patch from that bulletin fixes.

The Rinbot worms open a port on the computer and connect to an IRC server, which lets an attacker control the computer remotely.
The worm also downloads the Spammer.ZV Trojan from the Internet, which sends spam to addresses it harvests from infected computers. Finally, it alters Internet Explorer’s security settings and system permissions, lowering the overall security level of the computer.
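The spreading and command-and-control behaviour above suggests a few quick triage checks on a host suspected of Rinbot infection. The script below is an added example, not code from PandaLabs or from the worm: it checks whether the patches for the two Rinbot.B vulnerabilities are listed, looks for recently written executables in the root of removable and network drives, reports whether anything is listening on the SQL Server port Rinbot.G would target, and parses netstat for established connections to IRC ports. The KB numbers, the IRC port list, the SQL port and the seven-day window are my assumptions, not figures from the report.

```powershell
# Added example (not PandaLabs' or the worm's code). ASSUMPTIONS: KB numbers
# for the named bulletins, the IRC port list, SQL port 1433 and the 7-day
# window are mine. MS01-032 is omitted because its hotfix predates the
# KB-numbered scheme that Get-HotFix reports.
$KnownBulletins = @(
    @{ Bulletin = 'MS03-026'; HotFixId = 'KB823980'; Flaw = 'RPC DCOM (Rinbot.B)' },
    @{ Bulletin = 'MS04-011'; HotFixId = 'KB835732'; Flaw = 'LSASS (Rinbot.B)' }
)
$IrcPorts = @(6660..6669) + 7000   # common IRC ports, assumed

function Test-MissingPatches {
    # Only meaningful on the XP/2000/2003-era hosts these worms target; newer
    # Windows builds ship the fixes built in and Get-HotFix will not list them.
    $installed = Get-HotFix -ErrorAction SilentlyContinue | ForEach-Object { $_.HotFixID }
    foreach ($b in $KnownBulletins) {
        if ($installed -notcontains $b.HotFixId) {
            [PSCustomObject]@{ Bulletin = $b.Bulletin; HotFixId = $b.HotFixId; Flaw = $b.Flaw; Status = 'NOT LISTED' }
        }
    }
}

function Find-RecentExeOnSharedDrives {
    param([int]$Days = 7)
    # The worms copy themselves to removable (DriveType 2) and network
    # (DriveType 4) drives; report root-level .exe files written recently.
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-WmiObject -Class Win32_LogicalDisk |
        Where-Object { @(2, 4) -contains $_.DriveType } |
        ForEach-Object {
            $root = $_.DeviceID + '\'
            Get-ChildItem -Path $root -Force -ErrorAction SilentlyContinue |
                Where-Object { -not $_.PSIsContainer -and $_.Extension -eq '.exe' -and $_.LastWriteTime -gt $cutoff } |
                ForEach-Object { [PSCustomObject]@{ Drive = $root; File = $_.FullName; Written = $_.LastWriteTime } }
        }
}

function Test-SqlServerListening {
    # Rinbot.G targets SQL Server; report whether anything listens on 1433 (assumed default port).
    netstat -ano | Where-Object { $_ -match '^\s*TCP\s+\S+:1433\s+\S+\s+LISTENING' }
}

function Find-IrcConnections {
    # The worms open an IRC control channel: parse "netstat -ano" for ESTABLISHED
    # TCP connections whose remote port is an IRC port, and map PID to process.
    netstat -ano | ForEach-Object {
        $f = ($_ -replace '^\s+', '') -split '\s+'
        if ($f.Count -ge 5 -and $f[0] -eq 'TCP' -and $f[3] -eq 'ESTABLISHED') {
            $remotePort = [int](($f[2] -split ':')[-1])
            if ($IrcPorts -contains $remotePort) {
                $proc = Get-Process -Id ([int]$f[4]) -ErrorAction SilentlyContinue
                [PSCustomObject]@{ Remote = $f[2]; ProcessId = $f[4]; Process = $proc.ProcessName }
            }
        }
    }
}

Test-MissingPatches           | Format-Table -AutoSize
Find-RecentExeOnSharedDrives  | Format-Table -AutoSize
Test-SqlServerListening
Find-IrcConnections           | Format-Table -AutoSize
```

None of these checks identifies Rinbot by itself; a hit on the IRC or shared-drive check is a lead to pull the file or process for analysis, and an empty result does not rule the worm out, since a variant can use a non-standard IRC port or drop files below the drive root.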

One interesting aspect of the code of Rinbot.B is that it includes the transcript of what it claims is a CNN interview with the creators of this family of worms, in which they explain their reasons for creating it.
“This is one of the most notable features of the new malware dynamic. The creators of malware increase the chances of infecting computers by launching numerous, almost simultaneous, variants. This also reduces public concern about threats and therefore users are not on their guard,” explains Luis Corrons.
Expiro.A is the last virus in this week’s report. It infects executable files (.exe) in the Program Files folder and its subfolders, as well as those in the directory holding the copy of the virus itself.

When a user opens an infected file, the virus runs alongside the genuine program. Because the original program still works, the user sees no visible sign of infection.

Expiro.A terminates its own processes if it suspects it is being scanned by a security solution. Several sections of its code are encrypted to make detection more difficult.
