W32.Remabl.Worm

Discovered: October 16, 2003
Updated: October 17, 2003 6:15:43 PM
Systems Affected: Windows

W32.Remabl.Worm is a worm that propagates by copying itself to network shares. It may also contain back door functionality; however, this has not yet been confirmed.

W32.Remabl.Worm is a network worm that propagates by copying itself to certain folders on network shares. When the worm is executed, it creates the following files:
%Windir%\Shambl3r.exe
%Windir%\Sys.exe
%Windir%\Python23.dll
%Windows%\Cnf.bat

Cnf.bat contains instructions to execute Sys.exe, which may allow a remote user to invoke a command shell on the compromised system.

On Windows 95/98/ME systems, the worm adds the following lines to the Win.ini file so that it is launched every time Windows starts:
run=%Windows%\cnf.bat
load=%Windows%\shambl3r.exe

On Windows NT/2000/XP systems, the worm will create the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"shambl3r"="C:\%Windows%\cnf.bat"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"shambl3r2"="C:\%Windows%\shambl3r.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"shambl3r3"="C:\%Windows%\shambl3r.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"shambl3r4"="C:\%Windows%\shambl3r.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"shambl3r5"="C:\%Windows%\shambl3r.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"shambl3r6"="C:\%Windows%\shambl3r.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"shambl3r7"="C:\%Windows%\shambl3r.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"shambl3r8"="C:\%Windows%\shambl3r.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"shambl3r9"="C:\%Windows%\shambl3r.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"shambl3r10"="C:\%Windows%\shambl3r.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"shambl3r11"="C:\%Windows%\shambl3r.exe"
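The following Python script is an added example and is not part of this write-up. It checks a collected Win.ini file (Windows 95/98/ME) and a text export of the HKEY_LOCAL_MACHINE Run key (Windows NT/2000/XP) for the persistence entries listed above, so the check can be run offline against files gathered from a host. The launcher names, value names and paths are taken only from the list above; the sample inputs are constructed.

```python
"""Added example, not part of the Symantec write-up: offline checks for the
W32.Remabl.Worm persistence entries listed above, run against a copy of
Win.ini (Windows 9x/ME) and a text export of the HKLM ...\\Run key
(Windows NT/2000/XP). The sample inputs below are constructed."""
import re

# Launchers the worm registers for autostart, per the write-up.
WORM_LAUNCHERS = ("cnf.bat", "shambl3r.exe")
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# Value names the worm writes: shambl3r, shambl3r2 ... shambl3r11
WORM_VALUE_NAME = re.compile(r"^shambl3r\d*$", re.IGNORECASE)
# One "name"="data" line from a .reg export (REG_SZ values only)
REG_SZ_LINE = re.compile(r'^"([^"]+)"="(.*)"$')


def check_win_ini(win_ini_text):
    """Return (section, key, value) for run=/load= entries pointing at a worm launcher."""
    findings = []
    section = None
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key in ("run", "load") and value.lower().endswith(WORM_LAUNCHERS):
            findings.append((section, key, value))
    return findings


def check_run_key_export(reg_text):
    """Return (value_name, data) for suspicious entries under the HKLM Run key only."""
    findings = []
    in_run_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            # exact match, so RunOnce and other siblings are not scanned
            in_run_key = line[1:-1].lower() == RUN_KEY.lower()
            continue
        if not in_run_key:
            continue
        m = REG_SZ_LINE.match(line)
        if not m:
            continue
        # .reg exports double every backslash inside string data
        name, data = m.group(1), m.group(2).replace("\\\\", "\\")
        if WORM_VALUE_NAME.match(name) or data.lower().endswith(WORM_LAUNCHERS):
            findings.append((name, data))
    return findings


# Constructed sample inputs: one infected Win.ini and one infected Run key export.
SAMPLE_WIN_INI = """[windows]
load=%Windows%\\shambl3r.exe
run=%Windows%\\cnf.bat
NullPort=None
[fonts]
"""

SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"shambl3r"="C:\\WINDOWS\\cnf.bat"
"shambl3r2"="C:\\WINDOWS\\shambl3r.exe"
"Updater"="C:\\Program Files\\Vendor\\updater.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="C:\\WINDOWS\\cleanup.bat"
"""

if __name__ == "__main__":
    for hit in check_win_ini(SAMPLE_WIN_INI):
        print("Win.ini persistence:", hit)
    for hit in check_run_key_export(SAMPLE_REG_EXPORT):
        print("Run key persistence:", hit)
```

Both checks match on the value name pattern or on the launcher file name, so an entry that keeps the shambl3r name but points elsewhere, or one renamed but still launching cnf.bat, is reported either way.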

The worm then scans for other systems in the same network range as the compromised system. It will ping each IP address generated and attempt to connect to one of the following folders:
X:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio
X:\Documents and Settings\All Users\Start Menu\Programs\Startup
X:\Dokumente und Einstellungen\All Users\Start Menu\Programs\Startup
X:\Documenti e Impostazioni\All Users\Start Menu\Programs\Startup
X:\WINNT\Profiles\All Users\Start Menu\Programs\Startup
X:\WINNT\Profiles\All Users\Menú Inicio\Programas\Inicio
X:\WINDOWS\Start Menu\Programs\Startup
X:\WINDOWS\Menú Inicio\Programas\inicio
X:\WINDOWS\All Users\Start Menu\Programs\Startup
X:\WINDOWS\All Users\Menú Inicio\Programas\Inicio
X:\Documents and Settings\All Users\Menu Inicio\Programas\Inicio
X:\Documents and Settings\All Users\Menu Inicio\Programas\startup
X:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar
X:\Dokumente und einstellungen\all users\Startmenü\programme\autostart
X:\Documents and settings\All users\Menu avvio\Programmi\Esecuzione automatica
X:\Documents and Settings\All Users\Menu Iniciar\Programas\startup
X:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicio
X:\WINDOWS\All Users\Startmenue\Programme\Autostart
X:\WINDOWS\Startmenue\Programme\Autostart
X:\Windows\Menu Iniciar\programas\Iniciar
X:\Windows\Menu Démarrer\Programmes\Démarrage
X:\Windows\Startmenü\Programme\Autostart
X:\Windows\menu avvio\programmi\esecuzione automatica
X:\Documents and settings\All users\Start-meny\Program\Autostart
%s\Start Menu\Programs\Startup
%s\Menú Inicio\Programas\inicio
%s\All Users\Start Menu\Programs\Startup
%s\All Users\Menú Inicio\Programas\Inicio
%s\Profiles\All Users\Start Menu\Programs\Startup
%s\Profiles\All Users\Menú Inicio\Programas\Inicio

For each of the above folders it locates, the worm will copy the Shambl3r.exe, Sys.exe and Python23.dll files there.
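The following Python script is an added example and is not part of this write-up. It walks a drive or mounted share root and reports any of the three dropped file names found inside a folder whose last two path components match one of the localized startup folders listed above, which covers all of the profile roots in the list (Documents and Settings, Dokumente und Einstellungen, WINNT\Profiles, and so on) without hard-coding each one. The file names and folder names are taken only from this write-up; the directory tree it scans in the demo is constructed in a temporary directory.

```python
"""Added example, not part of the Symantec write-up: walk a drive or mounted
share root and report copies of the worm's dropped files inside any of the
localized All Users startup folders listed above. The demo tree is constructed
in a temporary directory so the check runs without a real infection."""
import os
import re
import tempfile

# File names the worm copies into startup folders, per the write-up.
WORM_FILES = {"shambl3r.exe", "sys.exe", "python23.dll"}

# Last two components of every startup folder in the write-up's list, lower-cased.
# Matching on the tail keeps the check independent of the localized profile roots
# ("Documents and Settings", "Dokumente und Einstellungen", WINNT\Profiles, ...).
STARTUP_TAILS = {
    ("programs", "startup"),
    ("programas", "inicio"),
    ("programas", "startup"),
    ("programas", "inicializar"),
    ("programas", "iniciar"),
    ("programme", "autostart"),
    ("programmi", "esecuzione automatica"),
    ("programmes", "démarrage"),
    ("program", "autostart"),
}


def is_startup_folder(path):
    """True if path ends in one of the known startup-folder tails (case-insensitive,
    accepting both backslash and slash separators)."""
    parts = [p.lower() for p in re.split(r"[\\/]+", path) if p]
    return len(parts) >= 2 and tuple(parts[-2:]) in STARTUP_TAILS


def find_worm_files(root):
    """Return sorted paths of worm file names found in startup folders under root."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        if not is_startup_folder(dirpath):
            continue
        hits.extend(os.path.join(dirpath, f) for f in filenames if f.lower() in WORM_FILES)
    return sorted(hits)


def build_sample_tree():
    """Constructed sample: one infected startup folder, one clean one, one decoy."""
    root = tempfile.mkdtemp(prefix="remabl_demo_")
    infected = os.path.join(root, "Documents and Settings", "All Users",
                            "Start Menu", "Programs", "Startup")
    clean = os.path.join(root, "WINNT", "Profiles", "All Users",
                         "Start Menu", "Programs", "Startup")
    decoy = os.path.join(root, "Program Files", "Tools")  # not a startup folder
    for d in (infected, clean, decoy):
        os.makedirs(d)
    for name in ("Shambl3r.exe", "Sys.exe", "Python23.dll"):
        open(os.path.join(infected, name), "wb").close()
    open(os.path.join(clean, "Reminder.lnk"), "wb").close()
    open(os.path.join(decoy, "sys.exe"), "wb").close()  # same name, wrong place
    return root


if __name__ == "__main__":
    for hit in find_worm_files(build_sample_tree()):
        print("worm file in startup folder:", hit)
```

Point find_worm_files at a real drive letter or a mounted share (for example a path under \\host\C$) to sweep the startup folders of other systems in the same network range the worm targets. Name matches are only an indicator: confirm a hit by hashing the file or checking it with a current scanner before acting on it.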