9.exe running as rtvcscan.exe

A computer user in Eastern Europe scans Server on port 5900 and proceeds to do its dirty little virus infection trick. This one uses TFTP to haul in a file called “9.exe”, which is then set to execute as “rtvcscan.exe” from the System32 directory. Oddly enough, they stuck the icon from MSN Messenger onto it. There is a legitimate process called “rtvscan.exe” which is part of the Norton Anti Virus suite; I believe that stands for Real Time Virus Scan, so perhaps this one stands for Real Time Viral Connection Scan? It looks pretty out of place on a computer system that hasn’t got any anti-virus running on it. Would it not look just as out of place on a computer where the real rtvscan.exe was already present anyway?

As per usual, as soon as rtvcscan is good and ready, it phones home for instructions on what to do next.

“Home” is a place called dirt.laundrycapital.com translating to 216.196.32.143 at the time of attack. Oddly enough, when pinged:

[bored@thor ~]# ping dirt.laundrycapital.com
PING dirt.laundrycapital.com (192.168.0.189) 56(84) bytes of data.

the address resolves to a local network address. The domain itself doesn’t.

[bored@thor ~]# ping laundrycapital.com
PING laundrycapital.com (64.226.20.141) 56(84) bytes of data.
64 bytes from 64.226.20.141: icmp_seq=1 ttl=115 time=118 ms

Records reveal that there are two nameservers registered (ns.laundrycapital.com [192.168.0.189] and ns2.laundrycapital.com [216.194.32.142]) and a mail server (mail.laundrycapital.com, 216.194.32.146).
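A name that resolves to RFC 1918 space, as dirt.laundrycapital.com and ns.laundrycapital.com do here, is worth flagging automatically when triaging a bot’s phone-home addresses. The following is an added example, not code from the original post: it parses the ping output above, adds the nameserver and mail server records listed, and labels each address as loopback, private, reserved, inside the organisation’s whois netblock (216.194.32.128/26, from the record quoted below) or other public space. The sample input is constructed from the lines quoted in this post; nothing is looked up on the network.

```python
import ipaddress
import re

# Constructed sample: the two ping invocations quoted in the write-up.
PING_OUTPUT = """\
[bored@thor ~]# ping dirt.laundrycapital.com
PING dirt.laundrycapital.com (192.168.0.189) 56(84) bytes of data.
[bored@thor ~]# ping laundrycapital.com
PING laundrycapital.com (64.226.20.141) 56(84) bytes of data.
64 bytes from 64.226.20.141: icmp_seq=1 ttl=115 time=118 ms
"""

# Constructed sample: the name servers and mail server the write-up lists.
DNS_RECORDS = {
    "ns.laundrycapital.com": "192.168.0.189",
    "ns2.laundrycapital.com": "216.194.32.142",
    "mail.laundrycapital.com": "216.194.32.146",
}

# The netblock the whois record attributes to the organisation.
ORG_NETBLOCK = ipaddress.ip_network("216.194.32.128/26")

# Matches the header line ping prints: "PING host (ip) 56(84) bytes of data."
PING_HEADER = re.compile(r"^PING (?P<host>\S+) \((?P<ip>[0-9.]+)\)")


def parse_ping_resolutions(text):
    """Return {hostname: ip} from every 'PING host (ip) ...' header line."""
    found = {}
    for line in text.splitlines():
        m = PING_HEADER.match(line.strip())
        if m:
            found[m.group("host")] = m.group("ip")
    return found


def classify_address(ip_str, org_netblock=ORG_NETBLOCK):
    """Label an address: loopback, private, reserved, org-netblock or public."""
    ip = ipaddress.ip_address(ip_str)
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "private"
    if ip.is_link_local or ip.is_multicast or ip.is_reserved:
        return "reserved"
    if ip in org_netblock:
        return "org-netblock"
    return "public"


def audit_hostnames(host_to_ip, org_netblock=ORG_NETBLOCK):
    """Classify every hostname; anything resolving to non-routable space is flagged."""
    report = {}
    for host, ip in host_to_ip.items():
        label = classify_address(ip, org_netblock)
        report[host] = {
            "ip": ip,
            "class": label,
            "suspicious": label in ("loopback", "private", "reserved"),
        }
    return report


def suspicious_hosts(host_to_ip, org_netblock=ORG_NETBLOCK):
    """Just the hostnames an analyst should look at first, sorted by name."""
    report = audit_hostnames(host_to_ip, org_netblock)
    return sorted(h for h, r in report.items() if r["suspicious"])


if __name__ == "__main__":
    records = {**DNS_RECORDS, **parse_ping_resolutions(PING_OUTPUT)}
    for host, r in audit_hostnames(records).items():
        mark = "  <-- check" if r["suspicious"] else ""
        print(f"{host:28} {r['ip']:16} {r['class']}{mark}")
```

Run as a script it prints one line per host; the two names pointing at 192.168.0.189 come out flagged, the ns2 and mail records land inside the launderette’s netblock, and the bare domain resolves to unrelated public space.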

The laundrycapital itself appears to be situated in New York:

network:Class-Name:network
network:ID:NETBLK-METCONNECT.216.194.32.0/20
network:Auth-Area:216.194.32.0/20
network:Network-Name:METCONNECT-216.194.32.0
network:IP-Network:216.194.32.128/26
network:IP-Network-Block:216.194.32.128 - 216.194.32.191
network:Organization:Clean_Rite_Center
network:Street-Address:411 Theodore Frewd Ave
network:City:Rye
network:State:NY
network:Postal-Code:10580
network:Tech-Contact:[email protected]
network:Admin-Contact:ZM116-ARIN
network:Created:20040423
network:Updated:20040423
network:Updated-By:[email protected]

That’s a lot of IP addresses for a launderette which doesn’t even appear to have a website. Googling around a little reveals there was a job opportunity not too long ago, and that they operate “Wash and Learn” or whatever. Perhaps the computer initiative is part of that?

“Feb 13 Area / District Manager Clean Rite Centers, New York’s largest (and growing) chain of super sized Laundromats, is now hiring area managers to operate multiple stores in the 5 boroughs on NY. Clean Rite and its …[more] Relevant Work Experience: 2+ to 5 Years Career Level: Manager (Manager/Supervisor of Staff) Job Type: Employee Job Status: Full Time Salary: From 45,000.00 to 60,000.00 USD per year”

“It will all come out in the wash…”

Querying whois for laundry info is not very informative. It shows the domain name has been going for a while now, was updated not too long ago, and won’t expire any time soon. Hmm. Good old Network Solutions.

Well, whatever it was meant to be at the beginning, it is now host to a bot server, and Server wants to find out what to do next.

 NICK [00|USA|23|SP0]-2361
 USER cknihj 0 0 :[00|USA|23|SP0]-2361
 :irc.Fr3sh.net NOTICE AUTH :*** Looking up your hostname...
 :irc.Fr3sh.net NOTICE AUTH :*** Checking ident...
 :irc.Fr3sh.net NOTICE AUTH :*** Found your hostname
 :irc.Fr3sh.net NOTICE [00|USA|23|SP0]-2361 :*** If you are having problems connecting due to ping timeouts, please type /quote pong E49E7882 or /raw pong E49E7882 now.
 PING :E49E7882
 PONG :E49E7882
 :irc.Fr3sh.net 001 [00|USA|23|SP0]-2361 :Welcome to the Fr3sh IRC Network [00|USA|23|SP0]-2361![email protected]
 :irc.Fr3sh.net 002 [00|USA|23|SP0]-2361 :Your host is irc.Fr3sh.net, running version Unreal3.2.3
 :irc.Fr3sh.net 003 [00|USA|23|SP0]-2361 :This server was created Fri Oct 21 13:29:18 2005
 :irc.Fr3sh.net 004 [00|USA|23|SP0]-2361 irc.Fr3sh.net Unreal3.2.3 iowghraAsORTVSxNCWqBzvdHtGp lvhopsmntikrRcaqOALQbSeIKVfMCuzNTGj
 :irc.Fr3sh.net 005 [00|USA|23|SP0]-2361 SAFELIST HCN MAXCHANNELS=5 CHANLIMIT=#:5 MAXLIST=b:60,e:60,I:60 NICKLEN=30 CHANNELLEN=32 TOPICLEN=307 KICKLEN=307 AWAYLEN=307 MAXTARGETS=20 WALLCHOPS WATCH=128 :are supported by this server
 :irc.Fr3sh.net 005 [00|USA|23|SP0]-2361 SILENCE=15 MODES=12 CHANTYPES=# PREFIX=(qaohv)~&@%+ CHANMODES=beI,kfL,lj,psmntirRcOAQKVGCuzNSMTG NETWORK=Fr3sh CASEMAPPING=ascii EXTBAN=~,cqnr ELIST=MNUCT STATUSMSG=~&@%+ EXCEPTS INVEX CMDS=KNOCK,MAP,DCCALLOW,USERIP :are supported by this server
 :irc.Fr3sh.net 422 [00|USA|23|SP0]-2361 :MOTD File is missing
 :[00|USA|23|SP0]-2361 MODE [00|USA|23|SP0]-2361 :+ixB
 JOIN #mix# 
 :[00|USA|23|SP0]-2361![email protected] JOIN :#mix#
 :irc.Fr3sh.net 332 [00|USA|23|SP0]-2361 #mix# :#all 74 1 0 -a -r
 :irc.Fr3sh.net 333 [00|USA|23|SP0]-2361 #mix# _Mickey_ 1175194720
 :irc.Fr3sh.net 353 [00|USA|23|SP0]-2361 @ #mix# :[00|USA|23|SP0]-2361 
 :irc.Fr3sh.net 366 [00|USA|23|SP0]-2361 #mix# :End of /NAMES list.
 USERHOST [00|USA|23|SP0]-2361
 MODE [00|USA|23|SP0]-2361 +x
 JOIN #mix# 
 USERHOST [00|USA|23|SP0]-2361
 MODE [00|USA|23|SP0]-2361 +x
 JOIN #mix# 
 USERHOST [00|USA|23|SP0]-2361
 MODE [00|USA|23|SP0]-2361 +x
 JOIN #mix# 
 :irc.Fr3sh.net 302 [00|USA|23|SP0]-2361 :[00|USA|23|SP0]-2361=[email protected] 
 :irc.Fr3sh.net NOTICE [00|USA|23|SP0]-2361 :Setting/removing of usermode(s) 'Bixs' has been disabled.
 :irc.Fr3sh.net 302 [00|USA|23|SP0]-2361 :[00|USA|23|SP0]-2361=[email protected] 
 :irc.Fr3sh.net NOTICE [00|USA|23|SP0]-2361 :Setting/removing of usermode(s) 'Bixs' has been disabled.
 :irc.Fr3sh.net 302 [00|USA|23|SP0]-2361 :[00|USA|23|SP0]-2361=[email protected] 
 PRIVMSG #mix# :.8::[...4sym...8]:: Random Scan started at [...15 172.x.x.x ...8]:2967 for 0 minutes with a 1 second delay using 74 threads.
 PRIVMSG #mix# :.8::[...4sym2...8]:: Random Scan started at [...15 172.x.x.x ...8]:2968 for 0 minutes with a 1 second delay using 74 threads.
 PRIVMSG #mix# :.8::[...4vnc...8]:: Random Scan started at [...15 172.x.x.x ...8]:5900 for 0 minutes with a 1 second delay using 74 threads.
 :irc.Fr3sh.net NOTICE [00|USA|23|SP0]-2361 :Setting/removing of usermode(s) 'Bixs' has been disabled.
 :irc.Fr3sh.net 404 [00|USA|23|SP0]-2361 #mix# :You need voice (+v) (#mix#)
 :irc.Fr3sh.net 404 [00|USA|23|SP0]-2361 #mix# :You need voice (+v) (#mix#)
 :irc.Fr3sh.net 404 [00|USA|23|SP0]-2361 #mix# :You need voice (+v) (#mix#)
 PING :irc.Fr3sh.net
 PONG :irc.Fr3sh.net

The order is to scan on ports 2967, 2968 and 5900. The first two belong to the Symantec anti-virus client, which listens on them for connections from the anti-virus server and came delightfully equipped with the opportunity to run malicious code through it; the third is the ubiquitous VNC port, of course.
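When you have a capture like the one above, the useful facts (who the bot is, which channel it sits in, what the standing order in the topic says, who set it and when, and which ports it then went scanning) can be pulled out mechanically. The following is an added example and not the post’s own tooling: a small parser over a trimmed copy of the session above, constructed here as inline sample input. The bot-nick pattern is assumed from this one sample, the `.8::[...4sym...8]::` decoration around each report is assumed to be colour-code residue and is treated only as a delimiter, and the port-to-service names are the ones this post gives.

```python
import re
from datetime import datetime, timezone

# Constructed sample: a trimmed copy of the captured IRC session from the write-up.
IRC_LOG = """\
NICK [00|USA|23|SP0]-2361
USER cknihj 0 0 :[00|USA|23|SP0]-2361
:irc.Fr3sh.net 001 [00|USA|23|SP0]-2361 :Welcome to the Fr3sh IRC Network
:irc.Fr3sh.net 422 [00|USA|23|SP0]-2361 :MOTD File is missing
JOIN #mix#
:irc.Fr3sh.net 332 [00|USA|23|SP0]-2361 #mix# :#all 74 1 0 -a -r
:irc.Fr3sh.net 333 [00|USA|23|SP0]-2361 #mix# _Mickey_ 1175194720
PRIVMSG #mix# :.8::[...4sym...8]:: Random Scan started at [...15 172.x.x.x ...8]:2967 for 0 minutes with a 1 second delay using 74 threads.
PRIVMSG #mix# :.8::[...4sym2...8]:: Random Scan started at [...15 172.x.x.x ...8]:2968 for 0 minutes with a 1 second delay using 74 threads.
PRIVMSG #mix# :.8::[...4vnc...8]:: Random Scan started at [...15 172.x.x.x ...8]:5900 for 0 minutes with a 1 second delay using 74 threads.
:irc.Fr3sh.net 404 [00|USA|23|SP0]-2361 #mix# :You need voice (+v) (#mix#)
"""

# Port-to-service mapping as given in the write-up.
SCAN_TARGET_SERVICES = {2967: "Symantec AV client", 2968: "Symantec AV client", 5900: "VNC"}

# Bot nick shape seen in this capture: [nn|CCC|nn|SPn]-nnnn (assumed from one sample).
BOT_NICK = re.compile(r"^\[\d{2}\|[A-Z]{2,3}\|\d+\|SP\d\]-\d+$")
# 332 = channel topic (the standing order), 333 = who set it and the unix time.
TOPIC = re.compile(r"^:\S+ 332 \S+ (?P<chan>\S+) :(?P<cmd>.*)$")
TOPIC_WHO = re.compile(r"^:\S+ 333 \S+ (?P<chan>\S+) (?P<who>\S+) (?P<ts>\d+)$")
# Scan report: the module name sits between the dotted markers (assumed colour residue).
SCAN_REPORT = re.compile(
    r"^PRIVMSG (?P<chan>\S+) :\S*\[\.\.\.\d*(?P<module>[a-z][a-z0-9]*)\.\.\.\d*\]::\s*"
    r"Random Scan started at \S+ (?P<range>[0-9x.]+) \S*?:(?P<port>\d+) "
    r"for (?P<minutes>\d+) minutes with a (?P<delay>\d+) second delay "
    r"using (?P<threads>\d+) threads"
)


def summarize_session(log):
    """Pull the operational facts out of a captured bot-to-server session."""
    summary = {"nick": None, "bot_nick_pattern": False, "channel": None,
               "topic_command": None, "topic_set_by": None, "topic_set_at": None,
               "scans": []}
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("NICK "):
            nick = line[5:].strip()
            summary["nick"] = nick
            summary["bot_nick_pattern"] = bool(BOT_NICK.match(nick))
            continue
        if line.startswith("JOIN "):
            summary["channel"] = line[5:].strip()
            continue
        m = TOPIC.match(line)
        if m:
            summary["topic_command"] = m.group("cmd")
            continue
        m = TOPIC_WHO.match(line)
        if m:
            summary["topic_set_by"] = m.group("who")
            summary["topic_set_at"] = datetime.fromtimestamp(int(m.group("ts")), tz=timezone.utc)
            continue
        m = SCAN_REPORT.match(line)
        if m:
            port = int(m.group("port"))
            summary["scans"].append({
                "module": m.group("module"), "range": m.group("range"), "port": port,
                "service": SCAN_TARGET_SERVICES.get(port, "unknown"),
                "threads": int(m.group("threads")), "delay_s": int(m.group("delay")),
                "minutes": int(m.group("minutes")),
            })
    return summary


def scan_ports(log):
    """The distinct ports the bot reported scanning, in ascending order."""
    return sorted({s["port"] for s in summarize_session(log)["scans"]})


if __name__ == "__main__":
    s = summarize_session(IRC_LOG)
    print(f"bot {s['nick']} (bot-style nick: {s['bot_nick_pattern']}) in {s['channel']}")
    print(f"order: {s['topic_command']!r} set by {s['topic_set_by']} at {s['topic_set_at']}")
    for scan in s["scans"]:
        print(f"  {scan['module']:5} -> {scan['range']}:{scan['port']} ({scan['service']}), "
              f"{scan['threads']} threads, {scan['delay_s']}s delay")
```

Note that the 74 in the topic reappears as the thread count in every report and the 0 as the duration, which is how one starts decoding a bot’s topic syntax from captures alone; the parser deliberately keeps the topic as an opaque string rather than guessing at the rest of its fields.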

Mickey is so greedy for results that the Virtual Team falls over whilst blocking the outgoing packets. I do wonder why these virus authors cannot be a little more continent with the scan threads. Surely a scan once every other second would do, in which case the owner of the infected host is a lot less likely to complain about “the internet being so slow” — the major reason for people to get their systems cleaned up, apparently, in my humble experience anyway. Not a moment’s thought for all the other computers being probed and infected by them. But that’s the way it is.

Rtvcscan.exe doesn’t just scan; it also listens for connections, firstly on UDP port 69, the TFTP port. This is so that as soon as an infectable computer is found, the malware can be uploaded to it through that protocol. The second listener is on TCP 19162. Telnetting to this port gives as output “StnyFtpd 0wns j0”. The user and password seem to be blank. Stny’s ftp daemon has surely been going for quite a bit now; I’ve seen lots of instances of it. Presumably the entire file system of the infected computer can be browsed and downloaded through this, should the bot herders so wish.
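Two things in this post translate directly into host checks: a process whose name is one edit away from a legitimate binary (rtvcscan.exe beside rtvscan.exe), and listeners on UDP 69 and TCP 19162 owned by something that has no business serving TFTP or FTP. The following is an added example rather than anything from the original post: a triage routine over a constructed process list and listening-socket table (PIDs and the extra processes are made up; the names and ports are the ones this post gives). It generalises the name trick to any list of known-good binaries, so the Windows names in the list are assumed illustrations of the same idea, and the known-process list, port labels and the `scvhost.exe` entry are assumptions for the sample.

```python
# Constructed sample: a process list and listening-socket table as they might be
# collected from the infected host. PIDs and the non-bot processes are made up.
PROCESSES = [
    (4, "System"), (620, "lsass.exe"), (804, "svchost.exe"),
    (1320, "explorer.exe"), (1840, "rtvcscan.exe"), (1912, "scvhost.exe"),
]
LISTENERS = [  # (protocol, port, owning pid)
    ("tcp", 135, 804), ("tcp", 445, 4), ("udp", 69, 1840), ("tcp", 19162, 1840),
]

# Legitimate names that malware tends to imitate: rtvscan.exe per the write-up,
# the Windows binaries as assumed further examples of the same trick.
KNOWN_NAMES = ["rtvscan.exe", "svchost.exe", "lsass.exe", "explorer.exe", "csrss.exe"]

# Ports the write-up says the bot listens on: TFTP for staging, 19162 for "StnyFtpd".
INDICATOR_PORTS = {("udp", 69): "TFTP staging server", ("tcp", 19162): "StnyFtpd backdoor"}


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookalike_processes(processes, known=KNOWN_NAMES, max_distance=2):
    """Process names that are near, but not equal to, a known legitimate name.

    Returns (pid, name, imitated_name, distance) tuples. Exact matches are
    skipped; a real svchost.exe should not trip on the svchost.exe entry.
    """
    hits = []
    for pid, name in processes:
        lname = name.lower()
        if lname in known:
            continue
        for legit in known:
            d = levenshtein(lname, legit)
            if 0 < d <= max_distance:
                hits.append((pid, name, legit, d))
    return hits


def suspicious_listeners(listeners, processes, indicators=INDICATOR_PORTS):
    """Listening sockets on the ports this bot opens, with the owning process name."""
    by_pid = dict(processes)
    return [
        (proto, port, by_pid.get(pid, "?"), indicators[(proto, port)])
        for proto, port, pid in listeners
        if (proto, port) in indicators
    ]


def triage(processes=PROCESSES, listeners=LISTENERS):
    """Combine both checks; a host with hits in either deserves a closer look."""
    return {
        "lookalikes": lookalike_processes(processes),
        "listeners": suspicious_listeners(listeners, processes),
    }


if __name__ == "__main__":
    result = triage()
    for pid, name, legit, d in result["lookalikes"]:
        print(f"pid {pid}: {name} is {d} edit(s) from {legit}")
    for proto, port, owner, why in result["listeners"]:
        print(f"{proto}/{port} open by {owner}: {why}")
```

The edit-distance check is deliberately loose (distance 2 also catches transpositions such as `scvhost.exe`); in practice you would pair a hit with the path it runs from, since the real rtvscan.exe would not be sitting in System32 alongside the bot.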

Removal consists of stopping the process, deleting it from System32 and getting rid of the three registry entries that get it to run on startup.