Overview: Zone Labs is monitoring WORM_RBOT based on a small number of infection reports. Despite the fact this worm has not reached high levels of infection rates, it does utilize the name of a Zone Labs executable (vsmon.exe) in order to confuse the computer user.
The Zone Labs vsmon.exe process will never request network access. Any program using this name and requesting network access should be treated with caution and denied network access.
ZoneAlarm Antivirus and ZoneAlarm Internet Security Suite identify and remove this worm. Within these products, the worm is identified as Win32.Rbot.GE.
Zone Labs has released this document to provide information regarding this worm and its functions, and to help users distinguish the malicious executable from the legitimate executable.
Based on the low infection rates, WORM_RBOT has been classified "Medium Risk."
Date Published: July 28, 2004
Date Last Revised: July 28, 2004
Impact: WORM_RBOT attempts to compromise system integrity in several ways:
- Shutting down antivirus and firewall software
- Acting as a backdoor on an infected system
- Spreading via network shares
- Spreading via a buffer overflow in Microsoft RPC
- Enabling denial of service attacks
Description: Upon execution, the worm creates a new file with the following name:
NOTE: The legitimate location for this executable is:
- %windows%\system32\Zone Labs\vsmon.exe
It then creates one of the following registry keys on the infected host:
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Zone Alarm = "vsmon.exe"
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Zone Alarm = "vsmon.exe"
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Zone Alarm = "vsmon.exe"
NOTE: The legitimate key for Zone Labs products is:
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Zone Labs Client = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
The worm also attempts to connect to an IRC server on a TCP port:
Zone Labs Products
ZoneAlarm® security products
Program Control will alert the computer user if malicious code attempts to access the network. The Automatic Program Configuration feature included with ZoneAlarm Pro and ZoneAlarm Internet Security Suite will automatically configure programs with the proper network permissions. Users should consider upgrading to ZoneAlarm Pro or ZoneAlarm Internet Security Suite to obtain this enhanced protection.
Computer users will receive a "New Program alert" if this virus infects their system and attempts to open a TCP port. When prompted, Zone Labs users can select "No" to deny this application Internet access.
Zone Labs products do not require the user to allow vsmon.exe access to the Internet. Therefore, users will not see a New Program alert for the legitimate vsmon.exe process. Any Program alert for this program should be considered malicious:
- Ensure systems are patched with Microsoft patch MS03-026:http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
- Monitor Program Control alerts for processes named: vsmon.exe
- Do not allow any vsmon.exe process Internet access outbound on port: 6667/TCP
- Update antivirus products to provide the most up-to-date protection
Contact: Zone Labs customers who are concerned about information contained in this advisory or have additional technical questions may reach our Technical Support team at: http://www.zonelabs.com/support/. To report security issues with Zone Labs products contact firstname.lastname@example.org.
Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. Zone Labs and Zone Labs products, are registered trademarks of Zone Labs Incorporated. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.
Copyright: ©2004 Zone Labs LLC
All rights reserved. Zone Labs, TrueVector, ZoneAlarm, and Cooperative
Enforcement are registered trademarks of Zone Labs LLC The Zone
Labs logo, Check Point Integrity and IMsecure are trademarks of Zone
Labs, Inc. Check Point Integrity protected under U.S. Patent No. 5,987,611.
Reg. U.S. Pat. & TM Off. Cooperative Enforcement is a service
mark of Zone Labs LLC All other trademarks are the property of
their respective owners.
Permission to redistribute this alert electronically is granted
as long as it is not edited in any way unless authorized by Zone
Labs. Reprinting the whole or part of this alert in any medium other
than electronically requires permission from Zone Labs.