After numerous reports surfaced about a worm spreading through Yahoo! Messenger within the Vietnamese computer user community, aimed at infecting computers to form a botnet for malicious purposes, a security research unit has further analyzed the nature of this worm.
Xrobots Worm Removal Program: To eliminate the Xrobots worm from infected computers, you can download the Xrobots Remover (created shortly after this worm appeared) and run it to allow the program to automatically find and remove the Xrobots worm, as well as restore any registry changes made by this worm.
As of 1 AM on April 11, the domain http://xrobots.net has been blocked to limit the spread of this YM worm. However, computers infected with XRobots may be exploited by the authors to implant additional viruses, spyware, or trojans, so it is crucial to remove XRobots from affected computers as quickly as possible.
Nevertheless, for lack of concrete evidence, the security research unit that conducted the “dissection” of this worm has named it XRobots, after the domain hosting the worm and used for its distribution. Below is the assessment from expert Nguyễn Phố Sơn, who directly analyzed the XRobots worm.
1. This is not a virus. It does not have the capability to infect files, but is merely a type of worm that spreads through Yahoo! Messenger. It is temporarily named Worm XRobot.
2. Worm XRobot is written from scratch in AutoIt 3, a program designed for automating the Windows GUI with a “freeware BASIC-like scripting language”. It generates executables from scripts of user actions such as keystrokes and mouse movements. The worm's author used this tool to simplify programming, rather than copying and modifying someone else's source code, as the center named 911 initially assumed. For reference, visit: http://www.autoitscript.com/autoit3/docs/
I. Infection Behavior Analysis
1. Registry Key Changes:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache] is set to the value C:\Documents and Settings\[Windows_user_name]\Local Settings\Temporary Internet Files (with Windows installed on drive C).
Purpose: to change the default directory containing the updated Robots.exe file after infection.
2. Changes to the following registry values:
| Registry value | New value |
|---|---|
| [HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Directory] | “C:\Documents and Settings\[Windows_user_name]\Local Settings\Temporary Internet Files\Content.IE5” |
| [HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path1\CachePath] | “C:\Documents and Settings\[Windows_user_name]\Local Settings\Temporary Internet Files\Content.IE5\Cache1” |
| [HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path2\CachePath] | “C:\Documents and Settings\[Windows_user_name]\Local Settings\Temporary Internet Files\Content.IE5\Cache2” |
| [HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path3\CachePath] | “C:\Documents and Settings\[Windows_user_name]\Local Settings\Temporary Internet Files\Content.IE5\Cache3” |
| [HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path4\CachePath] | “C:\Documents and Settings\[Windows_user_name]\Local Settings\Temporary Internet Files\Content.IE5\Cache4” |
Purpose: to set a new cache for Internet Explorer.
3. Increase the Internet cache limit to 0x137FE:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Pathx\CacheLimit]
where x is 1, 2, 3, 4.
Purpose: to increase cache size to store the Robots.exe file and other subsequent files.
4. Change the Cookies, History, and Common AppData folders by modifying the following Registry keys:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\History]
[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common AppData]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData]
5. Disable offline browsing, forcing users to browse online by changing the registry key:
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline] to 0x0.
6. Replace the default connection configuration with one created by the worm, and force its use, by modifying the registry key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings]
7. Create the Messenger.exe file to run automatically when Windows starts by creating the registry key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Yahoo!!!]
with the value:
“C:\WINDOWS\Messenger.exe”
8. Change the Startpage of Internet Explorer:
[HKCU\SOFTWARE\microsoft\Internet Explorer\Main\Start Page] to “http://67.15.40.2/~tranphu/forumtp/”
Information obtained from the dissection of the XRobot worm.
9. Modify Yahoo! Messenger registry entries, so that on an infected machine YM automatically browses to a pre-set webpage:
[HKCU\Software\Yahoo\pager\View\YMSGR_Launchcast\content url] to “http://xRobots.net/Gift/New/”
[HKCU\Software\Yahoo\pager\View\YMSGR_buzz\content url]
10. Disable registry editing tools by adding the following registry key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools] with the value 0x1.
11. Continuously update itself by downloading new versions from http://xrobots.net/Gift/Robots.exe and storing them in the cache: C:\Documents and Settings\[Windows_user_name]\Local Settings\Temporary Internet Files\Content.IE5\1DELGLE8\Robots[1].exe.
Once downloaded, Robots.exe is used by the worm to update itself, overwriting the file C:\Windows\Messenger.exe. As mentioned earlier, Messenger.exe runs automatically when Windows starts.
13. Delete the file %windir%\pchealth\helpctr\binaries\msconfig.exe and place a modified copy at %windir%\msconfig.exe. As a result, when users run msconfig, they no longer see the worm's Messenger.exe in the Startup options.
II. Removal Methods
* Manual Removal:
1 – Re-enable the registry editor: download the file http://securityresponse.symantec.com/avcenter/UnHookExec.inf, right-click on it and select Install.
2 – Go to Start > Run and run regedit.
3 – Delete the autorun entry [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Yahoo!!!].
4 – Delete the main file %windir%\Messenger.exe.
5 – Delete the update file C:\Documents and Settings\[Windows_user_name]\Local Settings\Temporary Internet Files\Content.IE5\1DELGLE8\Robots[1].exe together with the folder containing it.
6 – Copy the msconfig.exe file from an uninfected machine to the folder:
%windir%\pchealth\helpctr\binaries
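The following PowerShell host check is an added example, not part of the original analysis or of the Xrobots Remover: it tests the registry entries and files listed in sections I and II and, with the assumed -Remove switch, deletes the autorun entry, the dropped Messenger.exe and the DisableRegistryTools policy. The msconfig path is the Windows XP one given in the analysis and is only meaningful on that platform.

```powershell
# Added example (not from the original analysis): check a Windows host for the
# XRobots indicators listed in sections I and II. Run from an elevated prompt.
# The -Remove switch is an assumption of this script, not a feature of the worm tool.
param([switch]$Remove)

$findings = @()

# 1. Autorun entry the worm creates (section I, item 7)
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['Yahoo!!!']) {
    $findings += "Run entry 'Yahoo!!!' = $($run.'Yahoo!!!')"
    if ($Remove) { Remove-ItemProperty -Path $runKey -Name 'Yahoo!!!' }
}

# 2. Dropped executable (section I, items 7 and 11)
$msg = Join-Path $env:windir 'Messenger.exe'
if (Test-Path $msg) {
    $findings += "File present: $msg"
    if ($Remove) { Remove-Item $msg -Force }
}

# 3. Registry editor disabled (section I, item 10)
$polKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$pol = Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue
if ($pol -and $pol.DisableRegistryTools -eq 1) {
    $findings += 'DisableRegistryTools = 1'
    if ($Remove) { Remove-ItemProperty -Path $polKey -Name DisableRegistryTools }
}

# 4. IE start page and YM content URLs pointing at the worm's infrastructure (items 8 and 9)
$urlChecks = @{
    'HKCU:\SOFTWARE\Microsoft\Internet Explorer\Main|Start Page'     = '67.15.40.2/~tranphu'
    'HKCU:\Software\Yahoo\pager\View\YMSGR_Launchcast|content url' = 'xrobots.net'
    'HKCU:\Software\Yahoo\pager\View\YMSGR_buzz|content url'       = 'xrobots.net'
}
foreach ($entry in $urlChecks.GetEnumerator()) {
    $key, $name = $entry.Key -split '\|'
    $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).$name
    if ($val -and $val -match [regex]::Escape($entry.Value)) {
        $findings += "$name under $key = $val"
    }
}

# 5. Real msconfig.exe removed from the Help Center folder (item 13; Windows XP path only)
$msconfig = Join-Path $env:windir 'pchealth\helpctr\binaries\msconfig.exe'
if (-not (Test-Path $msconfig)) { $findings += "Missing: $msconfig (restore from a clean host)" }

if ($findings) { $findings | ForEach-Object { Write-Output "[XRobots] $_" } }
else { Write-Output 'No XRobots indicators found.' }
```

Without -Remove the script only reports, which is the safer first run; the IE start page and YM URLs are reported but left for the administrator to reset.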
* Using the tool Xrobots Remover:
1 – Download the Xrobots Remover program to your computer.
2 – Run the program and follow the instructions; it automatically finds and eliminates the Xrobots worm and fixes the registry entries modified by this malware.
III. Observations and Recommendations
– This worm is technically very weak; it spreads mainly because a large number of users lack awareness and understanding of the internet and are easily infected. In terms of the intent behind it, however, it truly deserves attention. For the first time, a “primitive” worm created by a Vietnamese individual has spread significantly within the computer networks of Vietnam, posing a very dangerous threat!
– There is an urgent need for coordinated efforts at the national level to trace the origins and control similar threats in the future (which is entirely feasible from a technical standpoint).
– Another issue that needs to be addressed is the responsibility of the organizations in Vietnam handling virus prevention, as their response to a “primitive” worm like Xrobots has been exceedingly slow.
– The main task of the Xrobots worm is to establish a botnet, preparing the infected machines to receive whatever content the author chooses to push through updates of the file http://xrobots.net/Gift/Robots.exe. This worm can install spyware, DDoS clients, and other viruses on the victim's machine.
– ISPs need to implement immediate incident response measures, block the website spreading the Xrobots worm (xrobots.net), and prevent updates from this type of worm.
NGUYỄN PHỐ SƠN (aka Thug4Lif3)