W32/RBot.ADF!worm - Released Feb 22, 2007 - Last Updated Feb 23, 2007
Aliases: W32/RBot.ADF!wm, W32/RBot.ADF-net, W32/RBot.ADF-wm

Detection Availability

Visible Symptoms
Presence of the following registry value:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
Threeder infos = "[RandomFilename].exe"
Detailed Analysis
The malware drops a randomly named copy of itself in %SystemDir%.
To start automatically, the malware makes the following registry modifications:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
Threeder infos = "[RandomFilename].exe"
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Threeder infos = "[RandomFilename].exe"
- HKEY_CURRENT_USER\Software\Microsoft\OLE
Threeder infos = "[RandomFilename].exe"
The malware's approximate file size is 100,352 bytes.
The malware has been observed to be capable of the following behaviour:
- Attacks known antivirus and related security programs.
- Connects to a remote site to update itself or download additional components.
- Opens a port on the local host and waits for a connection from a remote host.
- Creates a mutex named "ScansKT" to signal its presence in the infected host's memory.
- Scans for writeable network shares and drops a copy of itself on them.
- Attempts brute-force logins to network shares.
- Installs a bot component that gives a remote operator access to the infected host.
- Queries the infected host's registry for serial numbers of gaming applications and steals them.
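The registry values, mutex name and file size above are enough to build a simple host check. The script below is an added example, not Fortinet's own tooling; it takes the three persistence keys, the value name "Threeder infos", the mutex string "ScansKT" and the approximate size 100,352 bytes from this entry, and assumes only that the value data names a file under %SystemDir% (taken here as System32). It reads and reports; it does not remove anything.

```powershell
# Added example: host check for the W32/RBot.ADF!worm artifacts named in this entry.
# Indicators from the page: three persistence keys, value name "Threeder infos",
# mutex "ScansKT", approximate file size 100,352 bytes.
# Assumption: the value data is a filename that resolves under %SystemDir% (System32).

$ValueName    = 'Threeder infos'
$MutexName    = 'ScansKT'
$ExpectedSize = 100352
$Keys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\OLE'
)

function Get-RBotADFIndicators {
    $findings = @()

    foreach ($key in $Keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        if ($props.PSObject.Properties.Name -notcontains $ValueName) { continue }

        $data = [string]$props.$ValueName
        $findings += [pscustomobject]@{
            Artifact = 'RegistryValue'
            Location = "$key\$ValueName"
            Detail   = $data
        }

        # The filename is random, so the value data is the pivot: resolve it
        # against System32 and compare the size with the one the entry reports.
        if ($data) {
            $candidate = Join-Path (Join-Path $env:SystemRoot 'System32') (Split-Path -Leaf $data)
            if (Test-Path -LiteralPath $candidate -PathType Leaf) {
                $len = (Get-Item -LiteralPath $candidate).Length
                $findings += [pscustomobject]@{
                    Artifact = 'DroppedFile'
                    Location = $candidate
                    Detail   = "size=$len bytes (entry reports approx. $ExpectedSize)"
                }
            }
        }
    }

    # Mutex check: OpenExisting succeeds only while some process holds the name.
    try {
        $m = [System.Threading.Mutex]::OpenExisting($MutexName)
        $m.Dispose()
        $findings += [pscustomobject]@{ Artifact = 'Mutex'; Location = $MutexName; Detail = 'open succeeded' }
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        # No such mutex: the expected result on a clean host.
    } catch [System.UnauthorizedAccessException] {
        # The mutex exists but its ACL refuses the open; still evidence it is held.
        $findings += [pscustomobject]@{ Artifact = 'Mutex'; Location = $MutexName; Detail = 'exists (access denied)' }
    }

    return $findings
}

$result = Get-RBotADFIndicators
if (@($result).Count -eq 0) {
    Write-Output "No W32/RBot.ADF!worm indicators found."
} else {
    $result | Format-Table -AutoSize
}
```

Run it in an elevated session so the HKLM keys and the mutex namespace are readable. A hit on the value name alone is the strongest signal here, since the dropped filename is random and only the value name and mutex string are fixed; the size comparison is a secondary check because the entry gives the size only as approximate.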

Recommended Action
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.