Win32/Rbot

Note: August 15, 2005 - A new variant of Backdoor:Win32/Rbot has been discovered that adds the capability of spreading by exploiting Plug-and-Play vulnerability that is fixed in Microsoft Security Bulletin MS05-039.

 

Note: June 7, 2005 - A new variant of Backdoor:Win32/Rbot has been discovered that adds the capability of spreading by exploiting the Windows ASN.1 vulnerability that is fixed in Microsoft Security Bulletin MS04-007.

 

When Win32/Rbot runs, it copies itself to %windir% or <system folder>. In many cases, it adds a value to registry keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

These changes cause the Trojan to run whenever Windows starts. Some variants can also add a Windows system service to attain similar results.

 

Win32/Rbot can spread to remote computers by trying weak passwords that it draws from a list. The Trojan may also scan for open ports and connect to a specific IRC server and join a specific channel to receive commands, such as IRC commands to exploit various Windows vulnerabilities. For example, it may exploit the MS03-026 vulnerability to create a remote shell on the target computer. The Trojan uses the remote shell to copy itself to the remote computer, and then creates a task to run the copy. The Trojan can also be instructed through IRC commands to spread through backdoor ports opened by Mydoom, Bagle, Optix, Netdevil, and other families of malicious software.

 

Other remote commands may include actions such as:

 

Some variants of Win32/Rbot terminate security-related product processes. Later variants can overwrite the Windows system host file, <system folder>\drivers\etc\hosts, to block access to security-related Web sites. Other variants can install kernel-mode rootkit Virtool/WinNT.FURootkit.A, which hides the Trojan process from Task Manager and other process-viewer applications.