Raleka is a network worm that exploits the same RPC vulnerability as the MSBlast/Lovsan family. The worm contains an IRC-controlled backdoor with a command that downloads the patch from Microsoft and fixes the RPC vulnerability on the infected computer.
Please refer to the Lovsan description for links and instructions on patching vulnerable hosts:
Based on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the detected program or file, or ask you for a desired action.
Find the latest advice in our Community Knowledge Base.
See the manual for your F-Secure product on the Help Center.
Submit a file or URL for further analysis.
The Raleka worm was written in C language and spreads in UPX-packed form. The worm's body weights 41504 bytes when it's unpacked.
When the worm is started it attempts to download three files from predefined web locations from the web:
The registry file contains compatibility settings for the backdoor when running under Windows XP. Since the tool (reg.exe) the worm uses to install the registry file is part of Windows XP only these settings will be applied only on that version.
The downloaded backdoor components are detected as Backdoor.RtKit.11.a by FSAV.
Raleka scans random ranges of IP addresses attempting to exploit the RPC/DCOM vulnerability. It uses 100 parallel threads for scanning which makes it quite aggressive.
When a vulnerable hosts is found the worm creates a file called 'down.com' through the shell the RPC exploit provides. There is a bug in the worm which results in broken 'down.com' if the host is attacked by two Raleka worms at the same time. Even though this does not sound probable, it has been reported from several different places.
The file 'down.com' is a small downloader application wrapped into and ASCII armor using and old DOS utility called NETSEND. When the DOS COM file is executed it drops the decoded Windows executable and runs it.
The worm has a built-in HTTP server. This server is used by the downloader to transfer the worm and the backdoor components. The HTTP server is listening on a random port above 32768. When the downloader is invoked on the remote host it gets the attacker computer's IP address and the random HTPP port number as parameters. Using this information the downloader fetches the necessary files and installs the worm.
The following files are copied using the HTTP server:
As soon as the files are installed the worm runs and starts to scan for vulnerable hosts.
In the end the infection manifests on the computer in the following places:
A service named 'svchost' is created with the description 'Remote_Procedure_Call'.
Raleka has an IRC backdoor component, which will connect to one server from a predefined list. It joins to a channel where it waits for further instructions. By issuing these commands the attacker has full control over the infected computers.
One of the instructions which can be given to the worm is to download and execute the Microsoft patch (only the Spanish version) for the RPC vulnerability.