Rinbot prevention and cure
This variation of Rinbot exploits the latest DNS server flaw in Windows.
By Robert Vamosi (April 17, 2007)

QUICK FACTS
Name: Rinbot, also known as Nirbot (McAfee), Delbot (Sophos), and Vanbot (Trend Micro).

Date first reported: 04/17/07

CME Number: NA

Software vulnerable: Microsoft Windows

What it does: Uses infected computers to locate and exploit vulnerabilities in Domain Name System (DNS) Server Service in Microsoft Windows 2000 Server Service Pack 4, Windows Server 2003 Service Pack 1, and Windows Server 2003 Service Pack 2.

Recommendations: None

Exploit code available: Yes

Vendor patch available: No
Internet threat rating: 7 out of 10
This variant of the Rinbot worm scans for Internet-connected machines that are vulnerable to the RPC DNS server attack, CVE-2007-1748. Microsoft says machines running the Domain Name System (DNS) Server Service on Microsoft Windows 2000 Server Service Pack 4, Windows Server 2003 Service Pack 1, and Windows Server 2003 Service Pack 2 are vulnerable to the RPC DNS attacks associated with CVE-2007-1748. Users running Windows 2000 Professional Service Pack 4, Windows XP Service Pack 2, and Windows Vista are not vulnerable to these RPC attacks.

Antivirus vendor McAfee says this version of Rinbot, when executed, adds the following files to an infected system:

mozila.exe (W32/Nirbot.worm!RpcDns)
mdnex.exe (W32/Nirbot.worm!83E1220A)

These files, in turn, open and contact a botnet command and control channel at the following IRC server(s) on TCP port 8080:

(blocked).rofflewaffles.us
(blocked).anti-viral.us
(blocked).wayne.brady.gonna.have.to.chokeabitch.us

Rinbot also contacts the following URL(s) for further downloads:

hxxp://209.97.218.21/(blocked)/mdnex.exe
hxxp://209.97.218.21/(blocked)/mozila.exe
hxxp://www.tgi(blocked).com/radi.exe

McAfee says Rinbot uses the following bot commands to scan for RPC-enabled hosts:

.scan.stop -s;
.scan.start DNS 25 -s;
.scan.start DNS 25 -a -s;
.scan.start DNS x.x.x.x 25 -s;
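The IRC command-and-control domains, the download host and the dropped file names listed above are the indicators a network defender can watch for. The following Python script is an added example, not code from the article or from McAfee; it assumes a simple constructed log format ("timestamp src= dst= dport= [url=]") and matches each line against those indicators so that infected hosts can be identified for isolation.

```python
import re
from typing import Dict, List

# Indicators taken from the write-up above. The IRC hostnames are given there
# with the host label blocked, so we match on the parent domain instead.
C2_DOMAINS = ("rofflewaffles.us", "anti-viral.us", "chokeabitch.us")
C2_PORT = 8080                     # port named in the write-up for the IRC C2
DOWNLOAD_HOST = "209.97.218.21"    # host serving the second-stage downloads
DROPPED_FILES = ("mdnex.exe", "mozila.exe", "radi.exe")

# Assumed (constructed) log format, one connection per line:
#   <timestamp> src=<ip> dst=<host-or-ip> dport=<port> [url=<url>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
    r"(?: url=(?P<url>\S+))?$"
)

# Constructed sample log lines for demonstration; not real traffic.
SAMPLE_LOG = """
2007-04-17T10:02:11 src=10.0.0.5 dst=irc.rofflewaffles.us dport=8080
2007-04-17T10:02:15 src=10.0.0.5 dst=209.97.218.21 dport=80 url=http://209.97.218.21/x/mdnex.exe
2007-04-17T10:03:40 src=10.0.0.9 dst=www.example.com dport=80 url=http://www.example.com/index.html
2007-04-17T10:04:02 src=10.0.0.7 dst=irc.anti-viral.us dport=6667
"""


def classify(line: str) -> List[str]:
    """Return the Rinbot indicator tags one log line matches (empty list = clean)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    dst = m.group("dst").lower()
    url = (m.group("url") or "").lower()
    hits = []
    # A known C2 domain is worth a look on any port; the write-up names TCP 8080.
    if any(dst == d or dst.endswith("." + d) for d in C2_DOMAINS):
        hits.append("irc-c2" if int(m.group("dport")) == C2_PORT else "irc-c2-other-port")
    if dst == DOWNLOAD_HOST:
        hits.append("download-host")
    if any(url.endswith("/" + f) for f in DROPPED_FILES):
        hits.append("dropper-fetch")
    return hits


def scan(lines) -> Dict[str, List[str]]:
    """Map each source IP to the distinct indicator tags seen for it."""
    report: Dict[str, List[str]] = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        tags = classify(line)
        if m and tags:
            seen = report.setdefault(m.group("src"), [])
            seen.extend([t for t in tags if t not in seen])
    return report
```

Running `scan(SAMPLE_LOG.splitlines())` reports 10.0.0.5 for both the IRC channel and the dropper download, and 10.0.0.7 for the C2 domain reached on a port other than 8080.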
Additional Resources:

Microsoft: Advisory 934864 on the RPC DNS server flaw

NIST: CVE-2007-1748

CNET News.com: Cybercrooks exploiting new Windows DNS flaw

McAfee: W32/Nirbot.worm!83E1220A

Sophos: Delbot

Symantec: W32.Rinbot.BC

Trend Micro: WORM_VANBOT.GC