
Rbot - ciscv.exe and icp.exe

Thursday, March 31, 2005
Author: Richard S. Westmoreland
Permalink: rbot-ciscv-icp
Virus Alerts


Another unidentified virus! Here we go again.

ciscv.exe is located in the system32 directory and is loaded by the registry Run and RunServices keys under the value name "AutoVirusProtection". Ciscv is actually the name of a valid Windows file, but don't be tricked: the infector exe is 157KB in size.

It then drops the file ICP.exe, which runs a cmd prompt - and amusingly displays a dancing cursor.

The ciscv.exe frantically scans the subnet looking for other machines to infect, and seems to disable (or change permissions on) the ADMIN$ share. It also tries to communicate back to the DNS name http.pr3d.us over port 5001, using multiple IPs - so far I have seen 220.134.252.176, 221.87.136.42, 219.121.46.42, and 211.143.10.84.

Both these files have been submitted to Symantec for analysis, so hopefully tomorrow's signatures will detect them.  
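The two network behaviours described above (a host sweeping its own subnet, and call-backs to the listed addresses on port 5001) can be picked out of a Windows firewall log. The following is an added triage script, not part of the original article; the log format is the W3C-style layout the Windows XP firewall writes, the sample lines are constructed, the sweep port 445 is taken from the comment thread below, and the threshold of 8 distinct targets is an assumed tuning value.

```python
"""Flag subnet sweeps and contact with the reported C2 addresses in firewall-log lines."""
from collections import defaultdict

# Indicators quoted in the article. Logs carry IPs, not DNS names, so the
# http.pr3d.us resolutions the author observed are matched by address.
C2_PORT = 5001
C2_ADDRS = {"220.134.252.176", "221.87.136.42", "219.121.46.42", "211.143.10.84"}
SWEEP_PORT = 445        # port the thread's comments report for the subnet scan
SWEEP_THRESHOLD = 8     # assumed: distinct targets on SWEEP_PORT before we call it a sweep


def parse_line(line):
    """Parse one record: date time action protocol src-ip dst-ip src-port dst-port ...
    Returns (src, dst, dport), or None for comment/blank/non-TCP/short records."""
    if not line.strip() or line.startswith("#"):
        return None
    f = line.split()
    if len(f) < 8 or f[3] != "TCP":
        return None
    try:
        return f[4], f[5], int(f[7])
    except ValueError:
        return None


def triage(lines):
    """Return {'sweepers': {src: distinct_targets}, 'c2_contacts': [(src, dst), ...]}."""
    targets = defaultdict(set)
    c2 = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, dport = rec
        if dport == SWEEP_PORT:
            targets[src].add(dst)          # count distinct hosts probed, not packets
        if dport == C2_PORT and dst in C2_ADDRS:
            c2.append((src, dst))
    sweepers = {s: len(t) for s, t in targets.items() if len(t) >= SWEEP_THRESHOLD}
    return {"sweepers": sweepers, "c2_contacts": c2}


# Constructed sample log (not a real capture): .20 sweeps .1-.12 on 445, then calls home;
# .7 makes one file-share connection and one web request, which should stay quiet.
SAMPLE_LOG = ["#Fields: date time action protocol src-ip dst-ip src-port dst-port"]
SAMPLE_LOG += [f"2005-03-31 09:00:{i:02d} OPEN TCP 192.168.1.20 192.168.1.{i} 10{i:02d} 445"
               for i in range(1, 13)]
SAMPLE_LOG += ["2005-03-31 09:01:00 OPEN TCP 192.168.1.20 220.134.252.176 1050 5001",
               "2005-03-31 09:01:05 OPEN TCP 192.168.1.7 192.168.1.9 1051 445",
               "2005-03-31 09:01:09 OPEN TCP 192.168.1.7 10.1.1.1 1052 80"]

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Point it at the real log by replacing SAMPLE_LOG with the lines of pfirewall.log; a host that appears in "sweepers" is the one to pull off the network first.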




Rbot - ciscv.exe and icp.exe
Authored by: mechBgon on Thursday, March 31, 2005


ePO powers... ACTIVATE!!! :O

Thanks for the heads-up, countermeasures taken. :)

Rbot - ciscv.exe and icp.exe
Authored by: Webmaster on Thursday, March 31, 2005

I used Trend Micro's online scanner, and it detected it as SDBot.BBR. The BBR description doesn't fit what I've seen 100%, but so far the closest information I can get on it.

Rbot - ciscv.exe and icp.exe
Authored by: mechBgon on Thursday, March 31, 2005

Any idea what vector it got in on? Someone open an infected attachment from their personal Web email, maybe? We had something like that the other day, a person opened an infected attachment from her Gmail account (killed on the spot by the antivirus software, thankfully).

I don't know if you can do this in your situation or not, but one tip I saw in a McAfee virus writeup was to add these lines to your log-in scripts:

net share C$ /delete
net share D$ /delete
net share E$ /delete
net share ADMIN$ /delete
net share IPC$ /delete
net share PRINT$ /delete

to completely delete the administrative shares at log-on. Of course, that would be a double-edged sword if there ever was one, and wouldn't protect the system until someone actually logged on (unless the computer runs it at boot-up instead of at logon). Just a thought, I haven't tried it.


Rbot - ciscv.exe and icp.exe
Authored by: Webmaster on Thursday, March 31, 2005

I don't know what it is using to spread. It is attempting to connect to all IPs within the subnet using port 445. And it only successfully infects Windows XP machines (it's either being selective or there is an XP-only exploit).