Threat behavior
Backdoor:Win32/Rbot!727A is a backdoor Trojan that runs in the background, gathers software installation and computer configuration details, and connects to an IRC server to receive commands from remote attackers. Commands could include instructions to spread to other computers via open network shares or by exploit of a security vulnerability, or to launch a denial of service (DoS) attack against specified targets.
When Backdoor:Win32/Rbot!727A is executed, it performs the following actions:
- Copies itself to the Windows system folder as winupdate1.exe, setting the file attributes to hidden and read-only.
- Runs this copy of itself and deletes the original Trojan file.
- Propagates itself to other computers across a network by:
- Registers itself as a service, so that the worm process continues to run even after the user logs off:
Adds value: WindowsRegKey update1
With data: winupdate1.exe
To subkeys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- Removes the following shares on the infected computer:
'C$', 'ADMIN$', 'D$', 'IPC$'
- Adds an entry in the list of authorized applications, stored in the registry, to bypass Windows Firewall restrictions.
- Collects application serial numbers or CD keys for any of the following programs, which may reside in various folders:
Neverwinter Nights (Hordes of the Underdark)
Software\BioWare\NWN\Neverwinter
Soldier of Fortune II - Double Helix
Software\Activision\Soldier of Fortune II - Double Helix
Software\Illusion Softworks\Hidden & Dangerous 2
Software\Techland\Chrome
Software\Westwood\NOX
Software\Westwood\Red Alert
Software\Westwood\Tiberian Sun
Software\Red Storm Entertainment\RAVENSHIELD
Software\Electronic Arts\EA Sports\Nascar Racing 2003\ergc
Software\Electronic Arts\EA Sports\NHL 2003\ergc
Software\Electronic Arts\EA Sports\NHL 2002\ergc
Software\Electronic Arts\EA Sports\FIFA 2003\ergc
Software\Electronic Arts\EA Sports\FIFA 2002\ergc
Software\Electronic Arts\EA GAMES\Shogun Total War - Warlord Edition\ergc
Software\Electronic Arts\EA GAMES\Need For Speed Underground\ergc
Software\Electronic Arts\EA GAMES\Need For Speed Hot Pursuit 2
Software\Electronic Arts\EA GAMES\Medal of Honor Allied Assault Spearhead\ergc
Software\Electronic Arts\EA GAMES\Medal of Honor Allied Assault Breakthrough\ergc
Software\Electronic Arts\EA GAMES\Medal of Honor Allied Assault\ergc
Software\Electronic Arts\EA GAMES\Global Operations\ergc
Software\Electronic Arts\EA GAMES\Generals\ergc
Software\Electronic Arts\EA GAMES\James Bond 007 Nightfire\ergc
Software\Electronic Arts\EA GAMES\Command and Conquer Generals Zero Hour\ergc
Software\Electronic Arts\EA GAMES\Black and White\ergc
Software\Electronic Arts\EA GAMES\Battlefield Vietnam\ergc
Software\Electronic Arts\EA GAMES\Battlefield 1942 Secret Weapons of WWII\ergc
Software\Electronic Arts\EA GAMES\Battlefield 1942 The Road to Rome\ergc
Software\Electronic Arts\EA GAMES\Battlefield 1942\ergc
Software\Electronic Arts\EA Distribution\Freedom Force\ergc
Software\IGI 2 Retail
Software\Unreal Technology\Installed Apps\UT2004
Software\Unreal Technology\Installed Apps\UT2003
Software\Silver Style Entertainment\Soldiers Of Anarchy\Settings
Software\3d0\Status
Software\JoWooD\InstalledGames\IG2
Software\Valve\Half-Life\Settings
Software\Valve\Gunman\Settings
Software\Eugen Systems\The Gladiators
Software\Valve\CounterStrike\Settings
- Functions as a keylogger, capturing logon credentials and key presses.
- Connects to TCP port 2268 and awaits commands from remote attackers (TCP port 2268 is primarily used for Automatic Multicast Tunneling (AMT) communication).
- Connects to TCP port 113, as Internet Relay Chat (IRC) clients do, for the purpose of IRC server authentication.
- Connects to a remote IRC server and channel, and awaits commands from remote attackers.
Commands may include the following instructions:
- Search for files
- Send process list, network configuration, system information or clipboard data
- Initiate a remote shell
- Terminate threads
- Send, receive or execute files
- Capture a screen image
- Perform a DNS look-up
- Remove itself from the infected machine
- Conduct DoS attacks against specified targets
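The behaviour above gives a defender a compact set of host indicators to check: the Run-key value and data, the dropped file in the system folder, the missing administrative shares, the firewall exception and the C2/ident ports. The following read-only triage script is an added example, not part of the Microsoft encyclopedia entry and not Microsoft code. It assumes the dropped copy runs as a process named winupdate1, that the XP-era firewall exception list lives under FirewallPolicy\StandardProfile\AuthorizedApplications\List (a location the page does not state), and that D$ is only expected when a D: volume exists.

```powershell
# Added triage script (not from the Microsoft page): reports Rbot!727A
# indicators on a Windows host. It only reads state; it does not remediate.
# Run in an elevated Windows PowerShell session.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Run-key persistence: value "WindowsRegKey update1" with data winupdate1.exe
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -eq 'WindowsRegKey update1' -or "$($p.Value)" -match 'winupdate1\.exe') {
            $findings.Add("Run-key persistence: $key\$($p.Name) = $($p.Value)")
        }
    }
}

# 2. Dropped copy in the system folder (hidden + read-only, so -Force is needed)
$dropPath = Join-Path $env:SystemRoot 'System32\winupdate1.exe'
if (Test-Path -LiteralPath $dropPath) {
    $attr = (Get-Item -LiteralPath $dropPath -Force).Attributes
    $findings.Add("Dropped file present: $dropPath (attributes: $attr)")
}

# 3. Running process. Assumption: process name follows the dropped file name.
Get-Process -Name 'winupdate1' -ErrorAction SilentlyContinue | ForEach-Object {
    $findings.Add("Process running: $($_.ProcessName) PID $($_.Id)")
}

# 4. Default administrative shares the Trojan removes
$expectedShares = @('C$', 'ADMIN$', 'IPC$')
if (Test-Path 'D:\') { $expectedShares += 'D$' }   # D$ only exists with a D: volume
$shares = if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) {
    Get-CimInstance -ClassName Win32_Share
} else {
    Get-WmiObject -Class Win32_Share
}
$present = $shares | Select-Object -ExpandProperty Name
foreach ($s in $expectedShares) {
    if ($present -notcontains $s) { $findings.Add("Administrative share missing: $s") }
}

# 5. Firewall exception. Assumption: XP-era AuthorizedApplications list location.
$fwList = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
if (Test-Path $fwList) {
    foreach ($p in (Get-ItemProperty -Path $fwList).PSObject.Properties) {
        if ($p.Name -match 'winupdate1\.exe') {
            $findings.Add("Firewall exception: $($p.Name) = $($p.Value)")
        }
    }
}

# 6. Established connections to the C2 port (2268) or the ident port (113)
$suspectPorts = @(2268, 113)
netstat -ano | Select-String 'ESTABLISHED' | ForEach-Object {
    $fields = ($_.Line -split '\s+') | Where-Object { $_ }   # Proto Local Foreign State PID
    $remote = $fields[2]
    $port = [int](($remote -split ':')[-1])
    if ($suspectPorts -contains $port) {
        $findings.Add("Network: $($fields[1]) -> $remote (PID $($fields[-1]))")
    }
}

if ($findings.Count -eq 0) {
    'No Rbot!727A indicators found.'
} else {
    'Indicators found:'
    $findings | ForEach-Object { "  $_" }
}
```

A hit on any single check is worth investigating on its own: a missing ADMIN$ share or a Run-key value pointing at a file in System32 with the hidden attribute is unusual on a healthy workstation, and the network check will also surface legitimate ident (113) traffic from a real IRC client, so correlate it with the process ID rather than treating it as conclusive.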
Prevention
Take the following steps to help prevent infection on your system:
Enable a firewall on your computer.
Get the latest computer updates.
Use up-to-date antivirus software.
Use caution with attachments and file transfers.
Enable a firewall on your computer
Use a third-party firewall product or turn on the Microsoft Windows XP Internet Connection Firewall.
To turn on the Internet Connection Firewall in Windows XP
Click Start, and click Control Panel.
Click Network and Internet Connections. If you do not see Network and Internet Connections, click Switch to Category View.
Click Change Windows Firewall Settings.
Select On.
Click OK.
Get the latest computer updates
Updates help protect your computer from viruses, worms, and other threats as they are discovered. You can use the Automatic Updates feature in Windows XP to automatically download future Microsoft security updates while your computer is on and connected to the Internet.
To turn on Automatic Updates in Windows XP
Click Start, and click Control Panel.
Click System.
Click Automatic Updates.
Select a setting. Microsoft recommends selecting Automatic. If you do not choose Automatic, but you choose to be notified when updates are ready, a notification balloon appears when new downloads are available to install. Click the notification balloon to review and install the updates.
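An administrator checking many Windows XP machines will want to confirm the two settings above without clicking through the Control Panel on each one. The script below is an added example, not part of the Microsoft page. It assumes the Standard profile's firewall state is stored in the EnableFirewall value under FirewallPolicy\StandardProfile, and the Automatic Updates mode in the AUOptions value under WindowsUpdate\Auto Update (4 meaning download and install automatically); neither location is stated on the page.

```powershell
# Added verification script (not from the Microsoft page): reads the registry
# values behind the "Enable a firewall" and "Get the latest computer updates"
# steps so the settings can be confirmed from a PowerShell prompt.

function Get-FirewallEnabled {
    # Assumption: Windows XP SP2 / later Standard profile firewall switch.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
    $v = Get-ItemProperty -Path $key -Name EnableFirewall -ErrorAction SilentlyContinue
    if ($null -eq $v) { return $null }          # value absent: cannot tell
    return ($v.EnableFirewall -eq 1)
}

function Get-AutoUpdateMode {
    # Assumption: Automatic Updates client setting; a domain policy under
    # HKLM:\SOFTWARE\Policies\...\WindowsUpdate\AU overrides it when present.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $localKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    $v = Get-ItemProperty -Path $policyKey -Name AUOptions -ErrorAction SilentlyContinue
    if ($null -eq $v) {
        $v = Get-ItemProperty -Path $localKey -Name AUOptions -ErrorAction SilentlyContinue
    }
    if ($null -eq $v) { return 'Not configured' }
    switch ([int]$v.AUOptions) {
        1 { 'Disabled' }
        2 { 'Notify before download' }
        3 { 'Download, notify before install' }
        4 { 'Automatic (recommended)' }
        default { "Unknown ($($v.AUOptions))" }
    }
}

$fw = Get-FirewallEnabled
if ($null -eq $fw)  { 'Firewall: state not found in registry' }
elseif ($fw)        { 'Firewall: ON' }
else                { 'Firewall: OFF - turn it on as described above' }

$au = Get-AutoUpdateMode
"Automatic Updates: $au"
if ($au -ne 'Automatic (recommended)') {
    'Automatic Updates is not set to Automatic - review the setting as described above'
}
```

Both functions return values rather than only printing, so the same checks can be collected across a fleet and compared against the expected configuration.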
Use up-to-date antivirus software
Most antivirus software can detect and prevent infection by known malicious software. To help protect you from infection, you should always run antivirus software that is updated with the latest signature files. Antivirus software is available from several sources. For more information, see http://www.microsoft.com/athome/security/downloads/default.mspx
Use caution with attachments and file transfers
Exercise caution with e-mail and attachments received from unknown sources, or received unexpectedly from known sources. Use extreme caution when accepting file transfers from known or unknown sources.