W32/RBot!tr.bdr - Released Aug 16, 2005 - Last Updated Aug 31, 2006
|
Alias/esBackdoor.Win32.Rbot.aju, W32.Spybot.Worm, W32/RBot-bdr, WORM_RBOT.CCE |
Detection Availability
|
| 2003-0533 |
Visible Symptoms
- The file win14.exe exists in the System folder.
|
Detailed Analysis
- Creates a mutex named [Artcell] to ensure that only one instance is executed on the computer.
- Copies itself to the System folder as win14.exe.
Autostart Mechanism
- Adds the following value:
Win Microsoft 98 = "win14.exe"
to the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ole
Network Propagation
- Spreads via weakly protected network shares, weakly protected Microsoft SQL servers and the following vulnerabilities:
Backdoor/Trojan Behavior
- Modifies the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
EnableDCOM = "N" (The default value is "Y")
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous = dword:1
- Attempts to terminate processes whose names contain one of the following strings:
- ACKWIN32.EXE
- ADAWARE.EXE
- ADVXDWIN.EXE
- AGENTSVR.EXE
- AGENTW.EXE
- ALERTSVC.EXE
- ALEVIR.EXE
- ALOGSERV.EXE
- AMON9X.EXE
- ANTI-TROJAN.EXE
- ANTIVIRUS.EXE
- ANTS.EXE
- APIMONITOR.EXE
- APLICA32.EXE
- APVXDWIN.EXE
- ARR.EXE
- ATCON.EXE
- ATGUARD.EXE
- ATRO55EN.EXE
- ATUPDATER.EXE
- ATWATCH.EXE
- AU.EXE
- AUPDATE.EXE
- AUTODOWN.EXE
- AUTO-PROTECT.NAV80TRY.EXE
- AUTOTRACE.EXE
- AUTOUPDATE.EXE
- AVCONSOL.EXE
- AVE32.EXE
- AVGCC32.EXE
- AVGCTRL.EXE
- AVGNT.EXE
- AVGSERV.EXE
- AVGSERV9.EXE
- AVGUARD.EXE
- AVGW.EXE
- AVKPOP.EXE
- AVKSERV.EXE
- AVKSERVICE.EXE
- AVKWCTl9.EXE
- AVLTMAIN.EXE
- AVNT.EXE
- AVP.EXE
- AVP32.EXE
- AVPCC.EXE
- AVPDOS32.EXE
- AVPM.EXE
- AVPTC32.EXE
- AVPUPD.EXE
- AVSCHED32.EXE
- AVSYNMGR.EXE
- AVWINNT.EXE
- AVWUPD.EXE
- AVWUPD32.EXE
- AVWUPSRV.EXE
- AVXMONITOR9X.EXE
- AVXMONITORNT.EXE
- AVXQUAR.EXE
- BACKWEB.EXE
- BARGAINS.EXE
- BD_PROFESSIONAL.EXE
- BEAGLE.EXE
- BELT.EXE
- BIDEF.EXE
- BIDSERVER.EXE
- BIPCP.EXE
- BIPCPEVALSETUP.EXE
- BISP.EXE
- BLACKD.EXE
- BLACKICE.EXE
- BLSS.EXE
- BOOTCONF.EXE
- BOOTWARN.EXE
- BORG2.EXE
- BPC.EXE
- BRASIL.EXE
- BS120.EXE
- BUNDLE.EXE
- BVT.EXE
- CCAPP.EXE
- CCEVTMGR.EXE
- CCPXYSVC.EXE
- CDP.EXE
- CFD.EXE
- CFGWIZ.EXE
- CFIADMIN.EXE
- CFIAUDIT.EXE
- CFINET.EXE
- CFINET32.EXE
- CLAW95CF.EXE
- CLEAN.EXE
- CLEANER.EXE
- CLEANER3.EXE
- CLEANPC.EXE
- CLICK.EXE
- CMD.EXE
:
:
- Connects to an IRC server to await instructions and commands from a malicious user. These commands can cause the infected machine to perform any of the following actions:
- Download and execute files
- Scan for vulnerable computers
- Send confidential information, such as the user name, passwords, etc., to the remote intruder
- Start proxy server for HTTP, SOCKS4
- List and terminate services and processes
- Initiate distributed denial of service (DDoS) attacks
- Logs keystrokes
|
Recommended Action
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
Patch
- Download and install the following patches:
|
