Proactive IT Security
 

W32/Raleka.A, B and C

Threat risk

Threat risk low
Detection files published:
29 Aug 2003
Description created:
2003-08-29
Description updated:
2003-09-01
Malware type:
Bot / Botnet, Worm
Alias:
Spreading mechanism
Network
Payload:
Compromises system security

Summary

The Raleka family of worms spreads through the DCOM RPC exploit, the same method used as the W32/Blaster worms.

For the time being we know three variants of this worm.

They attempt to download and install a hacker tool called NtRootkit. NtRootkit is a utility that hides itself and can hide other malicious processes. Thus, it may be difficult to find the malicous processes on infected machines. This utility can be attempted downloaded from a predefined web page (which is now down) or from the infected machine.

The worm also attempts to connect to IRC servers and join a channel on these; where it announces its presence and can receive commands.

Spreading description

When the worm is executed, it first attempts to download components from predefined web pages. This download fails because these pages are down.

It will then attempt to connect to other computers using semi-random IP numbers, and tries to infect these using the DCOM-RPC vulnerability.

The worm creates a file called DOWN.COM, which attempts to connect back to the infected system and download additional components:

SVCHOST32.EXE
SERVICE.EXE
NTROOTKIT.EXE
NTROOTKIT.REG

This is done through a simple web server that the worm sets up at a random port above port 32768.

Threat description

The worm installs backdoor functionality on an infected machine so that outsiders may gain access to it. The additional installation of the NtRootkit program may make some of these programs hard to find.

Removal


 

General information about removal of malicious software

Norman's antivirus products are in general able to remove all malicious software that is detected.
Some malware, however, uses techniques that the general product does not remove sufficiantly. We have therefore developed the free product Norman Malware Cleaner. Please use the latest version of this program from the link below - if your Norman antivirus is unable to clean-up the infection.

Usage Title Comment
  Stopping network share infectors  
  Cleaning of back-up folders on Windows Me and XP  
Print page