OREANDA-NEWS. April 18, 2012. Doctor Web—a Russian anti-virus company—reports an outbreak of the Win32.Rmnet.12 virus that has enabled attackers to build a botnet of over a million infected computers. Win32.Rmnet.12 infects Windows PCs, performs backdoor tasks and steals passwords stored by popular FTP clients. The passwords may later be used to mount network attacks and infect websites. Win32.Rmnet.12 processes commands from a remote server, which may include bringing down the OS.

The first entries related to Win32.Rmnet.12 were added to the Dr.Web virus database in September 2011. From that point on, Doctor Web's analysts closely followed the development of this threat. The virus penetrates computers in different ways: via infected flash drives, via infected executable files, and via special scripts embedded in HTML documents, which save the virus to the computer when the user opens a malicious web page in the browser. A signature for this VBScript code was added to the Dr.Web virus database as VBS.Rmnet.

Win32.Rmnet.12 is a complex multicomponent virus, consisting of several modules and capable of self-replication. When launched, Win32.Rmnet.12 checks which browser is set as the system default (if none is detected, the virus targets Microsoft Internet Explorer) and injects its code into the browser process. It then uses the hard drive serial number to generate its own file name, saves itself into the autorun folder of the current user and assigns the "hidden" attribute to its file. The virus's configuration file is saved into the same folder. Finally, the virus uses an embedded routine to determine the name of a control server and tries to connect to it.

One of the virus components is a backdoor. Once launched, it tries to determine the Internet connection speed: it sends requests to google.com, bing.com and yahoo.com at 70-second intervals and analyses the responses. Then Win32.Rmnet.12 launches an FTP server on the infected machine, connects to a remote server and transmits information about the infected system to the intruders. The backdoor can execute commands received from the remote server, in particular to download and run arbitrary files, update itself, take screenshots and send them to the criminals, and even render the operating system non-operational.
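The fixed 70-second cadence of requests to three well-known search engines, described above, is the kind of pattern a proxy or DNS log can reveal even when the malware itself is not yet detected. The following is an added detection example, not code from Doctor Web or from the malware: it parses constructed proxy log lines of the form "timestamp client host" (a made-up format, not a specific product's log), groups requests to the three probe domains by client, and flags clients whose inter-request gaps cluster tightly around a period of 70 seconds. The period, tolerance and minimum sample count are assumptions to be tuned from observed traffic.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed proxy log lines ("<ISO timestamp> <client> <host>"); not real telemetry.
# Client 10.0.0.5 mimics the 70-second probing described in the article,
# client 10.0.0.7 mimics ordinary, irregular browsing.
SAMPLE_LOG = """\
2012-04-15T10:00:00 10.0.0.5 www.google.com
2012-04-15T10:01:10 10.0.0.5 www.bing.com
2012-04-15T10:02:20 10.0.0.5 www.yahoo.com
2012-04-15T10:03:30 10.0.0.5 www.google.com
2012-04-15T10:04:40 10.0.0.5 www.bing.com
2012-04-15T10:05:50 10.0.0.5 www.yahoo.com
2012-04-15T10:00:03 10.0.0.7 www.google.com
2012-04-15T10:00:41 10.0.0.7 www.google.com
2012-04-15T10:07:15 10.0.0.7 www.bing.com
2012-04-15T10:30:02 10.0.0.7 www.yahoo.com
"""

# The three domains the article says the backdoor probes for connectivity.
PROBE_DOMAINS = ("google.com", "bing.com", "yahoo.com")


def parse_log(text):
    """Parse the constructed log format into (timestamp, client, host) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host = line.split()
        events.append((datetime.fromisoformat(ts), client, host.lower()))
    return events


def _is_probe(host):
    """True if host is one of the probe domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in PROBE_DOMAINS)


def find_beaconing_clients(events, period=70.0, tolerance=5.0, min_requests=5):
    """Return {client: median_gap_seconds} for clients whose consecutive requests
    to the probe domains are spaced about `period` seconds apart with low jitter.

    Assumed thresholds: a median gap within `tolerance` of `period`, a population
    standard deviation of the gaps no larger than `tolerance`, and at least
    `min_requests` probe requests so that a handful of visits is not flagged.
    """
    by_client = defaultdict(list)
    for ts, client, host in events:
        if _is_probe(host):
            by_client[client].append(ts)

    flagged = {}
    for client, stamps in by_client.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(later - earlier).total_seconds()
                for earlier, later in zip(stamps, stamps[1:])]
        med = median(gaps)
        if abs(med - period) <= tolerance and pstdev(gaps) <= tolerance:
            flagged[client] = med
    return flagged


if __name__ == "__main__":
    for client, gap in find_beaconing_clients(parse_log(SAMPLE_LOG)).items():
        print(f"{client}: periodic probe traffic, median gap {gap:.0f}s")
```

A regular cadence to popular search engines is a lead, not proof: update agents and monitoring tools also poll on timers, so a hit should be correlated with the other indicators in this report (a hidden file in the user's autorun folder, an unexpected FTP listener, VBScript injected into local HTML files) before the host is treated as infected.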

Another virus component steals passwords stored by the most popular FTP clients, such as Ghisler, WS FTP, CuteFTP, FlashFXP, FileZilla, Bullet Proof FTP and others. This information can later be exploited to carry out network attacks or to place various malicious objects on remote servers. Win32.Rmnet.12 also searches through the user's cookies, so attackers can gain access to the user's accounts at sites that require authentication. In addition, the module can block access to specified sites and redirect the user to a site controlled by the virus writers. One of the Win32.Rmnet.12 modifications is also able to perform web injections to steal bank account information.

The virus spreads in various ways. One is exploiting browser vulnerabilities that enable intruders to save and launch executables when a web page is loaded: the virus searches for all HTML files stored on the disks and embeds VBScript code into them. In addition, Win32.Rmnet.12 infects all executable files with the .exe extension found on the disks and is able to copy itself to removable flash drives, saving an autorun file and a shortcut to a malicious application into the root folder of the drive; this application launches the virus.
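Two of the artefacts this paragraph describes, VBScript blocks injected into local HTML files and an autorun.inf in a flash drive's root folder that points at a shortcut or executable, can be checked for without any malware sample. The following is an added example written for this report, not code from Doctor Web: it inspects the script blocks declared in an HTML document and the launch keys of an autorun.inf. Both inputs are constructed stand-ins (no real VBS.Rmnet content is reproduced), and the list of flagged file extensions is an assumption.

```python
import configparser
from html.parser import HTMLParser

# Constructed HTML page: a benign JavaScript block followed by a VBScript block,
# standing in for an infected .html file. The VBScript body is a placeholder.
SAMPLE_HTML = """<html><head>
<script type="text/javascript">var x = 1;</script>
</head><body>
<p>hello</p>
<script language="VBScript">
' placeholder body; no real injected code is reproduced here
</script>
</body></html>"""

# Constructed autorun.inf resembling what the article describes: launch keys
# pointing at a shortcut and an executable dropped in the drive root.
SAMPLE_AUTORUN = """[autorun]
open=setup.exe
shellexecute=readme.lnk
icon=setup.exe,0
label=USB DISK
"""

# Keys in autorun.inf that cause something to run (assumed list for this example).
LAUNCH_KEYS = {"open", "shellexecute"}


class _ScriptCollector(HTMLParser):
    """Record the declared language/type of every <script> element."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        attr = {name.lower(): (value or "") for name, value in attrs}
        kind = attr.get("language") or attr.get("type") or "unspecified"
        self.scripts.append(kind.lower())


def find_script_blocks(html):
    """Return the declared language/type of each <script> block, in page order."""
    collector = _ScriptCollector()
    collector.feed(html)
    return collector.scripts


def has_vbscript(html):
    """True if any <script> block declares VBScript. This is a hunting lead:
    a legitimate intranet page may use VBScript too, so review the block."""
    return any("vbscript" in kind for kind in find_script_blocks(html))


def suspicious_autorun_targets(inf_text, exts=(".exe", ".lnk", ".scr", ".bat", ".cmd")):
    """Return (key, target) pairs from an autorun.inf whose launch keys point at an
    executable or shortcut. Keys that only set the icon or label are ignored."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(inf_text)
    if not parser.has_section("autorun"):
        return []
    hits = []
    for key, value in parser.items("autorun"):
        # shell\<verb>\command=... entries also launch a program
        launches = key in LAUNCH_KEYS or (key.startswith("shell") and key.endswith("command"))
        if not launches or not value.strip():
            continue
        target = value.strip().split()[0].strip('"').lower()
        if target.endswith(exts):
            hits.append((key, target))
    return hits


if __name__ == "__main__":
    print("script blocks:", find_script_blocks(SAMPLE_HTML))
    print("VBScript present:", has_vbscript(SAMPLE_HTML))
    print("autorun launch targets:", suspicious_autorun_targets(SAMPLE_AUTORUN))
```

On a real system the HTML check would be run over every .html file on local and removable disks and the autorun check over the root of each removable drive; any hit on a page that never contained VBScript, or any autorun.inf on a drive the user did not create one on, is worth pulling the referenced file for analysis.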

The botnet comprised of hosts infected with Win32.Rmnet.12 was discovered by Doctor Web as early as September 2011, when the first virus sample fell into the hands of its virus analysts. They soon decrypted the names of the control servers found in Win32.Rmnet.12 resources. After a while, the analysts also decrypted the protocol used for communication between bots and control servers, which enabled them to determine the number of bots and to control them. On February 14, 2012, Doctor Web's virus analysts created a sinkhole (the same technique was subsequently used to study the BackDoor.Flashback.39 botnet): they registered the domain names of several servers controlling one of the Win32.Rmnet.12 networks and thereby gained full control over that part of the botnet. In late February, another Win32.Rmnet.12 subnet was hijacked the same way.

At first, the number of bots was relatively small, reaching several hundred thousand; however, the number grew over time. As of April 15, 2012, the Win32.Rmnet.12 botnet comprises 1,400,520 infected hosts and is growing steadily.