Raleka is a network worm that exploits the same RPC vulnerability as the
MSBlast/Lovsan family. The worm contains an IRC-controlled backdoor
with a command that downloads the patch from Microsoft and fixes the
RPC vulnerability on the infected computer.
Please refer to the Lovsan description for links and instructions on
patching vulnerable hosts:
The Raleka worm was written in C language and spreads in UPX-packed
form. The worm's body weights 41504 bytes when it's unpacked.
When the worm is started it attempts to download three files from
predefined web locations from the web:
- svchost32.exe: possibly and updated version of the worm
- ntrootkit.exe: update for the NT backdoor
- ntrootkit.reg: update for the NT backdoor's installation registry file
The registry file contains compatibility settings for the backdoor
when running under Windows XP. Since the tool (reg.exe) the worm
uses to install the registry file is part of Windows XP only these
settings will be applied only on that version.
The downloaded backdoor components are detected as Backdoor.RtKit.11.a
by FSAV.
Network Propagation
Raleka scans random ranges of IP addresses attempting to exploit
the RPC/DCOM vulnerability. It uses 100 parallel threads for
scanning which makes it quite aggressive.
When a vulnerable hosts is found the worm creates a file called
'down.com' through the shell the RPC exploit provides. There is
a bug in the worm which results in broken 'down.com' if the host
is attacked by two Raleka worms at the same time. Even though
this does not sound probable, it has been reported from several
different places.
The file 'down.com' is a small downloader application wrapped
into and ASCII armor using and old DOS utility called NETSEND.
When the DOS COM file is executed it drops the decoded Windows
executable and runs it.
The worm has a built-in HTTP server. This server is used by
the downloader to transfer the worm and the backdoor components.
The HTTP server is listening on a random port above 32768.
When the downloader is invoked on the remote host it gets the
attacker computer's IP address and the random HTPP port number
as parameters. Using this information the
downloader fetches the necessary files and installs the worm.
The following files are copied using the HTTP server:
- svchost.exe: the worm from Windows System directory
- ntrootkit.exe: NT backdoor
- ntrootkit.reg: Registry file for the backdoor
As soon as the files are installed the worm runs and starts
to scan for vulnerable hosts.
In the end the infection manifests on the computer in
the following places:
Files:
%windir%\system\svchost.exe: the worm itself
%windir%\system\svchost32.exe: the updated version of the worm
%windir%\system32\ntrootkit.exe: NT backdoor
%windir%\system32\ntrootkit.reg: Registry file for NT backdoor
%windir%\system32\svchost.cmd: Batch file to start the worm
A service named 'svchost' is created with the description 'Remote_Procedure_Call'.
Built-in backdoor
Raleka has an IRC backdoor component, which will connect to one
server from a predefined list. It joins to a channel where it
waits for further instructions. By issuing these commands the
attacker has full control over the infected computers.
One of the instructions which can be given to the worm is to
download and execute the Microsoft patch (only the Spanish version)
for the RPC vulnerability.
![](/images/pixel.gif"){kind=tracking}
