Backdoor:Win32/Rbot.gen


Backdoor:Win32/Rbot.gen is a generic detection for a family of backdoor trojans that allows attackers to control infected computers. After a computer is infected, the trojan connects to a specific IRC server and joins a specific channel to receive commands from attackers. Commands can instruct the trojan to spread to other computers by scanning for network shares with weak passwords, exploiting Windows vulnerabilities, and spreading through backdoor ports opened by other families of malicious software. The trojan can also allow attackers to perform other backdoor functions, such as launching denial of service (DoS) attacks and retrieving system information from infected computers.


What to do now

Manual removal is not recommended for this threat. Use Microsoft Security Essentials or another up-to-date scanning and removal tool to detect and remove this threat and other unwanted software from your computer. For more information on Microsoft security products, see http://www.microsoft.com/protect/products/computer/default.mspx.

Threat behavior

Installation
When Backdoor:Win32/Rbot.gen runs, it copies itself to %windir% or <system folder>. In many cases, it adds a value to one or more of the following registry keys:
 
 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
 
This change causes the trojan to run whenever Windows starts. Some variants also add a Windows system service to attain similar results.
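An offline triage script for the persistence mechanism described above, added here as an example and not part of this entry or of any Microsoft tool. It assumes an analyst has exported the four autostart keys from a suspect machine with `reg export` and wants to inventory the values before cleanup; the `.reg` text, the file and value names, and the drive letters are constructed placeholders, and the three flags (value under RunServices, image in the Windows or system folder, same value name planted in several keys) are analyst heuristics chosen to match the behaviour this entry describes, not detection signatures.

```python
"""Offline triage of a .reg export of the Run/RunServices autostart keys.

Added example for this entry; not a Microsoft tool. Flags are heuristics
(assumptions) for an analyst to review, not a verdict.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# The four keys the entry names. reg export writes key names as stored
# (often upper-case SOFTWARE), so comparisons are case-insensitive.
AUTOSTART_KEYS = {
    k.lower() for k in (
        r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
        r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
        r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
        r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices",
    )
}

# %windir% and the system folder on a default install (assumption: C: drive).
WINDOWS_DIRS = {
    r"c:\windows", r"c:\windows\system32", r"c:\winnt", r"c:\winnt\system32",
}

# Constructed sample export; file and value names are placeholders, not IoCs.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"Windows Update Helper"="C:\\WINDOWS\\system32\\placeholder_bot.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Windows Update Helper"="C:\\WINDOWS\\system32\\placeholder_bot.exe"
'''

_VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _unescape(s):
    # .reg files escape backslash and double quote with a backslash.
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Return (key, value_name, data) triples for REG_SZ values in a .reg export."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_LINE.match(line)
        if key is None or not m:
            continue
        name = "(Default)" if m.group(2) else _unescape(m.group(1))
        data = m.group(3)
        if not (data.startswith('"') and data.endswith('"')):
            continue  # hex:/dword: values are not command lines; skip them
        entries.append((key, name, _unescape(data[1:-1])))
    return entries


def image_path(command):
    """Pull the executable path out of a Run-value command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r'(.+?\.(?:exe|com|scr|pif|bat|cmd))(?:\s|$)', command, re.I)
    if m:
        return m.group(1)
    return command.split()[0] if command else ""


def triage(entries):
    """Flag autostart values worth a closer look (heuristics, not signatures)."""
    keys_per_name = defaultdict(set)
    for key, name, _ in entries:
        if key.lower() in AUTOSTART_KEYS:
            keys_per_name[name.lower()].add(key.lower())
    findings = []
    for key, name, command in entries:
        if key.lower() not in AUTOSTART_KEYS:
            continue
        exe = image_path(command)
        parent = str(PureWindowsPath(exe).parent).lower()
        flags = []
        if key.lower().endswith("\\runservices"):
            # RunServices is a Windows 9x-era key that NT-based Windows does
            # not process, so a value here is rarely legitimate (assumption).
            flags.append("runservices")
        if parent in WINDOWS_DIRS:
            # The entry says the trojan copies itself to %windir% or the
            # system folder; compare against a known-good inventory.
            flags.append("windows-dir")
        if len(keys_per_name[name.lower()]) > 1:
            # The same value name planted in more than one autostart key.
            flags.append("multi-key")
        findings.append({"key": key, "name": name, "exe": exe, "flags": flags})
    return findings


if __name__ == "__main__":
    for f in triage(parse_reg(SAMPLE_REG)):
        print(f["key"].split("\\")[-1], repr(f["name"]), f["exe"], f["flags"])
```

`reg export` writes UTF-16 with a byte-order mark, so a real file should be opened with `encoding="utf-16"` before being passed to `parse_reg`. Entries that carry no flag still deserve a glance; the flags only order the review.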
 
Command & Control
Backdoor:Win32/Rbot.gen connects to an IRC server and joins a specific channel to receive commands. Commands can include actions such as:
  • Scanning for unpatched computers on the network.
  • Scanning ports on the network.
  • Downloading and executing remote files.
  • Monitoring network traffic.
  • Launching HTTP/HTTPD, SOCKS4, and TFTP/FTP servers.
  • Enabling or disabling DCOM protocol.
  • Retrieving computer configuration information, including Windows logon information, user account information, open shares, file system information, and network connection information.
  • Logging keystrokes.
  • Retrieving CD keys of games.
  • Capturing screens and Webcam shots.
  • Redirecting TCP traffic.
  • Uploading files through FTP.
  • Sending e-mail.
  • Manipulating processes and services.
  • Conducting denial of service (DoS) attacks.
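A small session tracker for the command-and-control pattern described above (connect to an IRC server, register a nick, join a channel, take messages from that channel), added as an example that is not part of this entry or of any Microsoft tool. It assumes a network sensor has exported each IRC line with its direction and endpoints; that record layout, the addresses, nicks, channel name and message text are all constructed placeholders. The pattern also matches any legitimate IRC user, so the function returns an inventory of internal hosts behaving as IRC clients for an analyst to review, not a verdict.

```python
"""Inventory IRC client sessions from captured application-layer lines.

Added example for this entry; not Microsoft's tooling. Record format:
(direction, client_ip, server_endpoint, raw_irc_line), all constructed.
"""


def parse_irc(line):
    """Split one RFC 1459 message into (prefix, command, params)."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    if not parts:
        return prefix, "", []
    command, params = parts[0].upper(), parts[1:]
    if sep:
        params.append(trailing)  # trailing parameter may contain spaces
    return prefix, command, params


# Constructed sample: one host completing the client loop, one that only
# sent a NICK. 203.0.113.0/24 is documentation address space.
SAMPLE_RECORDS = [
    ("out", "10.0.0.15", "203.0.113.7:6667", "NICK placeholder-nick"),
    ("out", "10.0.0.15", "203.0.113.7:6667", "USER x 0 0 :x"),
    ("in", "10.0.0.15", "203.0.113.7:6667",
     ":irc.example.invalid 001 placeholder-nick :Welcome"),
    ("out", "10.0.0.15", "203.0.113.7:6667", "JOIN #placeholder-chan"),
    ("in", "10.0.0.15", "203.0.113.7:6667",
     ":placeholder-nick!x@10.0.0.15 JOIN :#placeholder-chan"),
    ("in", "10.0.0.15", "203.0.113.7:6667",
     ":operator!o@example.invalid PRIVMSG #placeholder-chan "
     ":<operator instruction placeholder>"),
    ("out", "10.0.0.22", "203.0.113.7:6667", "NICK other-nick"),
]


def track_sessions(records):
    """Build per-client state: nick, registration, channels, channel messages."""
    sessions = {}
    for direction, client, server, raw in records:
        s = sessions.setdefault(client, {
            "server": server, "nick": None, "registered": False,
            "channels": set(), "channel_msgs": [],
        })
        prefix, cmd, params = parse_irc(raw)
        if direction == "out":
            if cmd == "NICK" and params:
                s["nick"] = params[0]
            elif cmd == "JOIN" and params:
                s["channels"].update(params[0].split(","))
        else:
            if cmd == "001":  # RPL_WELCOME: the server accepted registration
                s["registered"] = True
            elif cmd == "PRIVMSG" and len(params) >= 2 and params[0] in s["channels"]:
                sender = prefix.split("!")[0] if prefix else "?"
                s["channel_msgs"].append((sender, params[1]))
    return sessions


def control_channel_clients(sessions):
    """Clients that registered, joined a channel and received channel messages."""
    return sorted(
        client for client, s in sessions.items()
        if s["registered"] and s["channels"] and s["channel_msgs"]
    )


if __name__ == "__main__":
    sessions = track_sessions(SAMPLE_RECORDS)
    for client in control_channel_clients(sessions):
        s = sessions[client]
        print(client, "->", s["server"], s["nick"], sorted(s["channels"]),
              len(s["channel_msgs"]), "channel message(s)")
```

Because the loop is keyed on the client address rather than on any server name or nick, the same tracker works whatever server a variant is configured for; the useful follow-up is to compare the resulting list against the hosts that are expected to run an IRC client at all.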
 
Spreads Via…
Exploit/Network Shares/Previous System Compromise
Upon receiving IRC commands, the trojan can spread to remote computers by exploiting one or more Windows vulnerabilities. Win32/Rbot can spread to remote computers by trying weak passwords that it draws from a list. The trojan may exploit the MS03-026 vulnerability to create a remote shell on the target computer. The trojan uses the remote shell to copy and run itself on a remote computer. The trojan can also be instructed through IRC commands to spread through backdoor ports opened by Mydoom, Bagle, Optix, Netdevil, and other malicious software families.
 
Payload
Modifies System Settings/Uses Advanced Stealth
Some variants of the trojan terminate security-related products. Later variants of the trojan can install a kernel-mode rootkit driver, which hides the trojan process from Task Manager and other process-viewer applications.
 
Due to the exploits used by this trojan, critical system processes can terminate, also resulting in a full system shutdown and restart. This could occur in a continuous cycle until the threat is removed.
 
The following are examples of the critical system process termination error message and the system shutdown warning messages:
 
  • Operating system shut down warning dialog box:
  • LSA Shell error report dialog box:
  • Operating system shut down warning message:
 
Analysis by Lena Lin

Symptoms

System Changes
The following system changes may indicate the presence of Backdoor:Win32/Rbot.gen:
  • The most common symptoms that Win32/Rbot is present are system alerts and warning messages, such as the following:
    Operating system shut down warning dialog box:
    LSA Shell error report dialog box:
    Operating system shut down warning message:

Prevention


Alert level: Severe
First detected by definition: 1.45.287.0
Latest detected by definition: 1.189.2106.0 and higher
First detected on: Oct 07, 2008
This entry was first published on: May 21, 2008
This entry was updated on: May 14, 2010

This threat is also detected as:
  • Win32/IRCBot.worm.variant (AhnLab)
  • IRC/BackDoor.SdBot (AVG)
  • Win32/Rbot (ESET)
  • Backdoor.Win32.Rbot (Kaspersky)
  • W32/Sdbot.worm (McAfee)
  • W32/Spybot (Norman)
  • W32/IRCbot (Panda)
  • W32/Sdbot-Fam (Sophos)
  • Backdoor.IRCBot (Sunbelt Software)
  • W32.Spybot.Worm (Symantec)
  • WORM_RBOT (Trend Micro)