'Anatomy' and 'treatment' of the XRobots worm spreading through YM

After a steady stream of reports about a worm spreading through Yahoo! Messenger among Vietnamese computer users, with the aim of recruiting infected machines into a botnet for malicious purposes, a security research unit has analyzed the worm in more detail.

XRobots worm removal program

To remove XRobots from an infected computer, download the XRobots Remover tool (written as soon as the worm appeared) and run it; it automatically locates and deletes the worm and restores the registry entries the worm modified.

Since 1 am on April 11 the domain http://xrobots.net has been blocked to limit the spread of this YM worm. Infected computers can still be used by XRobots to plant further viruses, spyware and Trojans, however, so the worm should be removed from the computer as quickly as possible.

Because no specific evidence about the worm was available, the security research unit performed its own "surgery" on it, naming it XRobots after the domain the worm uses to spread. The following is the analysis of expert Nguyen Pho Son, who "dissected" the XRobots worm himself.

1. This is not a virus. It does not infect files; it is merely a worm that spreads through Yahoo! Messenger. Provisionally named XRobot WORM.

2. XRobot WORM is original code written in AutoIt 3, a 'freeware BASIC-like scripting language designed for automating the Windows GUI', which generates code from scripted user actions such as keystrokes and mouse movements. The worm's author used this tool to simplify programming; the worm is not, as a centre named 911 stated in a preliminary description, copied source code that was then modified. Reference: http://www.autoitscript.com/autoit3/docs/

I. Analysis of infection behavior

1. Change the key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache] to C:\Documents and Settings\[name_Windows_user]\Local Settings\Temporary Internet Files (with Windows installed on drive C)

Purpose: change the default directory that will hold the Robots.exe update file after infection

2. Change the following registry values to the new values shown:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Directory]
"C:\Documents and Settings\[name_Windows_user]\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path1\CachePath]
"C:\Documents and Settings\[name_Windows_user]\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path2\CachePath]
"C:\Documents and Settings\[name_Windows_user]\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path3\CachePath]
"C:\Documents and Settings\[name_Windows_user]\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path4\CachePath]
"C:\Documents and Settings\[name_Windows_user]\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

Purpose: set a new cache location for IE

3. Raise the Internet cache limit to 0x137FE:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Pathx\CacheLimit]

where x is 1, 2, 3, 4

Purpose: enlarge the cache so that the Robots.exe file and other payloads can be kept there later

4. Move the Cookies, History, Common AppData and AppData folders by changing the following registry keys:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\History]
[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common AppData]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData]

5. Turn off offline browsing, forcing the user to browse online, by setting the registry value:

[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline] to 0x0.

6. Force the use of the connection configuration created by the worm instead of the default one by changing the registry value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings]

7. Make the Messenger.exe file run automatically when Windows starts by creating the registry value:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Yahoo !!!]

Value:

"C:\WINDOWS\Messenger.exe"

8. Change the Internet Explorer start page:

[HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page] to "http://67.15.40.2/~tranphu/forumtp/"

Information obtained from dissecting the XRobots worm.

9. Change Yahoo! Messenger's registry settings so that, once the user is infected, YM automatically browses to a site the worm's author has set up:

[HKCU\Software\Yahoo\pager\View\YMSGR_Launchcast\content url] to 'http://xRobots.net/Gift/New/'

[HKCU\Software\Yahoo\pager\View\YMSGR_buzz\content url]

10. Disable the registry editing tools by adding the registry value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools] with value 0x1

11. Update itself continually by downloading the update from http://xrobots.net/Gift/Robots.exe and storing it in the cache: C:\Documents and Settings\[name_Windows_user]\Local Settings\Temporary Internet Files\Content.IE5\1DELGLE8\Robots[1].exe.

Once downloaded, Robots.exe is used by the worm to update itself: it is written to the file Windows\Messenger.exe. As noted above, Messenger.exe runs automatically when Windows starts.

13. Delete the file %windir%\pchealth\helpctr\binaries\msconfig.exe and replace it with a modified version placed at %windir%\msconfig.exe. As a result, when the user runs msconfig, the worm's messenger.exe entry no longer appears on the Startup tab.
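As an added example (not code from the original analysis, nor from the removal tool mentioned above), the following Python script turns the registry indicators of items 1 to 11 into a check that runs offline against a `reg export` of a suspect machine. The key paths, value names and values are the ones the analysis reports; the embedded export is constructed for demonstration, and the hive short names, the cache-path regular expression and the treatment of the per-machine Content.IE5 subfolder are the script's own assumptions.

```python
"""Scan a Windows .reg export for the XRobots registry indicators above.

Added example, not part of the original analysis. Parses the text format
written by `reg export <key> <file.reg>` and flags the modifications listed
in section I. The export below is constructed, not a real capture.
"""
import re

def _eq(expected):
    return lambda v: v.lower() == expected.lower()

def _contains(needle):
    return lambda v: needle.lower() in v.lower()

# (key, value name, predicate on the raw value, description), from section I.
INDICATORS = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Yahoo !!!",
     _contains(r"\Messenger.exe"), "autorun entry for the worm's Messenger.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System",
     "DisableRegistryTools", _eq("dword:00000001"), "registry editing tools disabled"),
    (r"HKCU\Software\Microsoft\Internet Explorer\Main", "Start Page",
     _contains("67.15.40.2/~tranphu"), "IE start page hijacked"),
    (r"HKCU\Software\Yahoo\pager\View\YMSGR_Launchcast", "content url",
     _contains("xrobots.net"), "YM Launchcast tab points at xrobots.net"),
    (r"HKCU\Software\Yahoo\pager\View\YMSGR_buzz", "content url",
     _contains("xrobots.net"), "YM buzz tab points at xrobots.net"),
    (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings",
     "GlobalUserOffline", _eq("dword:00000000"), "offline browsing forced off"),
]
# Item 3: CacheLimit raised to 0x137FE under Cache\Paths\Path1..Path4
# (assumption: matched by key suffix, since the rest of the path is fixed).
CACHE_PATH_RE = re.compile(r"\\Internet Settings\\Cache\\Paths\\Path[1-4]$", re.I)
CACHE_LIMIT = "dword:000137fe"

_HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}

def _norm_key(key):
    """Shorten hive names so keys compare with the notation used in the article."""
    for long, short in _HIVES.items():
        if key.upper().startswith(long):
            return short + key[len(long):]
    return key

def parse_reg(text):
    """Parse .reg text into {key: {value_name: raw_value}}.

    Quoted strings lose their quotes and un-double backslashes; dword/hex
    values stay verbatim ('dword:00000001'). hex(...) continuation lines
    are skipped, which is fine for the indicators checked here.
    """
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "Windows Registry Editor", "REGEDIT4")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = _norm_key(line[1:-1])
            result.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        result[current][name] = value
    return result

def scan(reg):
    """Return [(key, value_name, description)] for every indicator present."""
    by_key = {k.lower(): v for k, v in reg.items()}  # key names are case-insensitive
    findings = []
    for key, name, pred, desc in INDICATORS:
        value = by_key.get(key.lower(), {}).get(name)
        if value is not None and pred(value):
            findings.append((key, name, desc))
    for key, values in reg.items():
        if CACHE_PATH_RE.search(key) and values.get("CacheLimit", "").lower() == CACHE_LIMIT:
            findings.append((key, "CacheLimit", "IE cache limit raised to 0x137FE"))
    return findings

# Constructed export of an infected profile (not a real capture).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo !!!"="C:\\WINDOWS\\Messenger.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://67.15.40.2/~tranphu/forumtp/"

[HKEY_CURRENT_USER\Software\Yahoo\pager\View\YMSGR_Launchcast]
"content url"="http://xRobots.net/Gift/New/"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path1]
"CachePath"="C:\\Documents and Settings\\user\\Local Settings\\Temporary Internet Files\\Content.IE5\\Cache1"
"CacheLimit"=dword:000137fe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path2]
"CacheLimit"=dword:00001000
'''

if __name__ == "__main__":
    for key, name, desc in scan(parse_reg(SAMPLE_EXPORT)):
        print(f"{desc}: [{key}] {name}")
```

On a suspect machine, export both hives (`reg export HKCU hkcu.reg` and `reg export HKLM hklm.reg`) and feed the concatenated text to `parse_reg`. The YM buzz value and `GlobalUserOffline` are checked as well but are absent from the constructed sample, and Path2 keeps a normal cache limit, so the sample yields five findings.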

II. How to remove it

* Manual removal:

1 - Re-enable registry editing: download the file http://securityresponse.symantec.com/avcenter/UnHookExec.inf, right-click it and select Install.

2 - Go to Start > Run and run regedit.

3 - Remove the worm's autorun entry [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Yahoo !!!]

4 - Delete the main file %windir%\Messenger.exe

5 - Delete the update file in the cache folder:

C:\Documents and Settings\[name_Windows_user]\Local Settings\Temporary Internet Files\Content.IE5\1DELGLE8\Robots[1].exe

6 - Copy msconfig.exe from an uninfected machine into the folder:

%windir%\pchealth\helpctr\binaries

* Using the XRobots Remover tool:

1 - Download the XRobots Remover program to your computer; it automatically finds and removes the worm and restores the registry entries the worm modified.

2 - Run the program and follow its instructions.

III. Comments and recommendations

- Technically this is a very poor worm; it can infect only the large number of users who have no awareness or understanding of the Internet. Judging by its intended behavior, however, it is a genuine cause for concern: for the first time, a "rudimentary" worm written by Vietnamese has infected Vietnamese computer networks with a very dangerous intent.

- Coordination at the national level is needed to track down the perpetrator and to contain similar threats in the future (this is technically feasible).

- Another issue to consider is the responsibility of Vietnam's anti-virus community, which responded too slowly to a "rudimentary" Vietnamese-made worm like xRobots.

- XRobots' main task is to build a botnet: it stands ready to update its own payload from the file http://xrobots.net/Gift/Robots.exe at the author's discretion, and through this update the worm can install spyware, DDoS clients and other viruses on the victim's computer.

- ISPs need to respond to the incident immediately by blocking the website xrobots.net that distributes the worm, which prevents the worm from updating itself.

NGUYEN PHO SON ( aka Thug4Lif3 )