April 18, 2012
First entries related to Win32.Rmnet.12 were added to the Dr.Web virus database in September 2011. From this point on Doctor Web's analysts followed closely the development of this threat. The virus penetrates computers in different ways: via infected flash drives, with infected executable files, as well as using special scripts embedded into html-documents— they save the virus to the computer when one opens a malicious web page in the browser window. A signature for the VBScript code was added into the Dr.Web virus database as VBS.Rmnet.
Win32.Rmnet.12 is a complex multicomponent virus, consisting of several modules and capable of self-replication. When launched, Win32.Rmnet.12 checks which browser is set as a system default browser (if not detected, the virus targets Microsoft Internet Explorer), and injects its code into the browser process. Then it uses the hard drive serial number to generate its own file name, saves itself into the autorun folder of the current user and assigns the attribute "hidden" to its file. The virus's configuration file is saved into the same folder. Then, the virus uses an embedded routine to determine the name of a control server and tries to connect to it.
One of the virus components is a backdoor. Once launched, it tries to determine the Internet connection speed: it sends requests at google.com, bing.com and yahoo.com at 70 second intervals and analyses responses. Then Win32.Rmnet.12 launches an FTP server on the infected machine, connects to a remote server and transmits information about the infected system to intruders. The backdoor can execute commands received from the remote server, in particular, to download and run arbitrary files, update itself, to take screenshots and send them to criminals, and even render the operating system non-operational.
Another virus component steals passwords stored by most popular FTP-clients, such as Ghisler, WS FTP, CuteFTP, FlashFXP, FileZilla, Bullet Proof FTP and others. This information can later be exploited to carry out network attacks or to place various malicious objects on remote servers. Also, Win32.Rmnet.12 takes care to search through user's cookies, so attackers can gain access to the user's accounts at different sites that require authentication. In addition, the module can block access to specified sites, and redirect the user to a site controlled by virus writers. One of the Win32.Rmnet.12 modifications is also able to make web injections to steal bank account information.
The virus spreads in various ways: by exploiting browser vulnerabilities that enable intruders to save and launch executables upon loading a web-page. The virus searches for all html files stored on disks and embeds VBScript code into them. In addition, Win32.Rmnet.12 infects all executable files with the .exe extension found on the disks and is able to copy itself to removable flash drives. It saves an autorun file and a shortcut to a malignant application into the root folder on a flash drive. This application launches the virus.
The botnet comprised of hosts infected with Win32.Rmnet.12 was discovered by Doctor Web as long ago as in September 2011 when the first virus sample fell into the hands of virus analysts. They soon decrypted names of control servers found in Win32.Rmnet.12 resources. After a while analysts decrypted the protocol used for communication between bots and control servers which enabled them to determine the number of bots and to control them. On February 14, 2012 Doctor Web's virus analysts created a sinkhole, (it was subsequently used to study the BackDoor.Flashback.39 botnet), namely, registered domain names for several servers controlling one of Win32.Rmnet.12 networks and gained full control over the botnet. In late February, another Win32.Rmnet.12 subnet was hijacked this way.
At first, the number of bots was relatively small and reached several hundred thousand, however, the number grew by and by. As of April 15, 2012, the Win32.Rmnet.12 botnet is comprised of 1,400,520 infected hosts and is growing steadily.
The network growth progress is presented on the graph below.
The greatest number of infected PCs is located in Indonesia - 320,014 infected machines, or 27.12%. Bangladesh rates second with 166,172 infected hosts which constitue 14.08% of the botnet size. The third rank is taken by Vietnam (154,415 bots, or 13.08%), followed by India (83,254 bots, or 7.05%), Pakistan (46,802 bots, or 3.9%), Russia (43 153 infected machines, or 3.6%), Egypt (33,261 hosts, or 2.8%), Nigeria (27,877 bots, or 2.3%), Nepal (27,705 bots, or 2.3%) and Iran ( 23,742 bots, or 2.0%). A sufficiently large number of compromised hosts is found in the Republic of Kazakhstan (19 773 cases of infection, or 1.67%) and the Republic of Belarus (14,196 bots, or 1.2%). 12 481 compromised hosts or 1.05 of the total number of bots are located in the Ukraine. A relatively small number of infected computers reside in the U.S. – 4327 machines, which corresponds to 0.36%. The smallest numbers are found in Canada (250 computers, or 0.02% of the network's bulk) and Australia (only 46 computers). One infected computer has been found in Albania, Denmark, and Tajikistan each.
Win32.Rmnet.12 botnet geography is shown below.
It should be noted that Doctor Web has full control over the Win32.Rmnet.12 viral network, so attackers can no longer access it and harm infected computers. To prevent Win32.Rmnet.12 from infecting the system, Doctor Web recommends you to use state-of-the-art anti-virus software and keep its virus definitions up to date. If your system has already been compromised by the virus Win32.Rmnet.12, you can use the utility Dr.Web CureIt! or Dr.Web LiveCD to remove it.
Tell us what you think
You will be awarded one Dr.Webling per comment. To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.