Threat behavior
Backdoor:Win32/Rbot!9665 is a backdoor Trojan that connects to an IRC server to receive commands from remote attackers. Commands could include instructions to spread to other computers via open network shares or by exploit of a security vulnerability, or to launch a denial of service (DoS) attack against specified targets.
When Backdoor:Win32/Rbot!9665 is executed, it performs the following actions:
Copies itself to the Windows system folder as nese.exe, setting the file attributes to hidden and read-only.
Runs this copy of itself and deletes the original Trojan file
Modifies the registry to load this copy of itself when Windows is started:
Adds value: MSDN
With data: nese.exe
To subkeys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\OLE
Connects to a remote IRC server and channel using TCP port 8080, and awaits commands from remote attackers
Connects to TCP port 113, and awaits commands from remote attackers
Commands may include the following instructions:
Spread to other computers by exploiting weak username/password combinations on accessible network shares
Attempt to exploit various security vulnerabilities in order to spread to other computers
Redirect network traffic
Download and execute programs from a remote Web site
Modify or terminate processes or services
Conduct DoS attacks against specified targets
Backdoor:Win32/Rbot!9665 may be detected as Backdoor:Win32/Rbot.DD.
Prevention
Take the following steps to help prevent infection on your system:
Enable a firewall on your computer.
Get the latest computer updates.
Use up-to-date antivirus software.
Use caution with attachments and file transfers.
Enable a firewall on your computer
Use a third-party firewall product or turn on the Microsoft Windows XP Internet Connection Firewall.
To turn on the Internet Connection Firewall in Windows XP
Click Start, and click Control Panel.
Click Network and Internet Connections. If you do not see Network and Internet Connections, click Switch to Category View.
Click Change Windows Firewall Settings.
Select On.
Click OK.
Get the latest computer updates
Updates help protect your computer from viruses, worms, and other threats as they are discovered. You can use the Automatic Updates feature in Windows XP to automatically download future Microsoft security updates while your computer is on and connected to the Internet.
To turn on Automatic Updates in Windows XP
Click Start, and click Control Panel.
Click System.
Click Automatic Updates.
Select a setting. Microsoft recommends selecting Automatic. If you do not choose Automatic, but you choose to be notified when updates are ready, a notification balloon appears when new downloads are available to install. Click the notification balloon to review and install the updates.
Use up-to-date antivirus software
Most antivirus software can detect and prevent infection by known malicious software. To help protect you from infection, you should always run antivirus software that is updated with the latest signature files. Antivirus software is available from several sources. For more information, see http://www.microsoft.com/athome/security/downloads/default.mspx
Use caution with attachments and file transfers
Exercise caution with e-mail and attachments received from unknown sources, or received unexpectedly from known sources. Use extreme caution when accepting file transfers from known or unknown sources.
