Threat behavior
Backdoor:Win32/Rbot.AV is a backdoor Trojan that connects to an IRC server to receive commands from remote attackers. Commands could include instructions to spread to other computers via open network shares or by exploit of a security vulnerability, or to launch a denial of service (DoS) attack against specified targets.
When Backdoor:Win32/Rbot.AV is executed, it performs the following actions:
Copies itself to the Windows system folder as wmplayer.exe, setting the file attributes to hidden and read-only.
Runs this copy of itself and deletes the original Trojan file.
Modifies the registry to load this copy of itself when Windows is started:
Adds value: Media Player
With data: wmplayer.exe
To subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OLE
Connects to a remote IRC server and channel using TCP port 65535, and awaits commands from remote attackers.
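The persistence and command-and-control indicators listed above can be checked from host artifacts. The following script is an added example, not part of this encyclopedia entry or any Microsoft tool: it parses a registry export in .reg format and netstat -ano style output and reports values that match the "Media Player" / wmplayer.exe persistence entries in the three subkeys named above, and established TCP connections to port 65535. The registry and netstat samples embedded in it are constructed for illustration; the 203.0.113.x address is from the documentation range, not a known server.

```python
"""Added triage example (not from the encyclopedia entry): scans a constructed
registry export and constructed ``netstat -ano`` output for the persistence
and command-and-control indicators the entry attributes to
Backdoor:Win32/Rbot.AV. All sample data below is constructed."""
import ntpath
import re
from typing import List, Tuple

# Subkeys the entry says the Trojan writes its "Media Player" value to.
WATCHED_SUBKEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\OLE",
}
_WATCHED_LOWER = {k.lower() for k in WATCHED_SUBKEYS}
WATCHED_VALUE_NAME = "media player"
DROPPED_FILE = "wmplayer.exe"
C2_PORT = 65535  # TCP port the entry says the IRC connection uses

_KEY_RE = re.compile(r"^\[(.+)\]$")          # [HKEY_...\Subkey]
_VALUE_RE = re.compile(r'^"([^"]*)"="(.*)"$')  # "Name"="string data"


def find_registry_indicators(reg_export: str) -> List[Tuple[str, str, str]]:
    """Return (subkey, value name, data) for every value matching the
    persistence entry described above. Input is ``reg export`` text."""
    hits = []
    current_key = None
    for raw in reg_export.splitlines():
        line = raw.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        value_match = _VALUE_RE.match(line)
        if not value_match or current_key is None:
            continue
        name, data = value_match.groups()
        if current_key.lower() not in _WATCHED_LOWER or name.lower() != WATCHED_VALUE_NAME:
            continue
        # .reg files double every backslash; undo that before splitting the path.
        directory, filename = ntpath.split(data.replace("\\\\", "\\"))
        # The genuine Windows Media Player binary lives under Program Files;
        # a bare filename or a system-folder path is the indicator here.
        if filename.lower() == DROPPED_FILE and "program files" not in directory.lower():
            hits.append((current_key, name, data))
    return hits


def find_c2_connections(netstat_output: str) -> List[Tuple[str, int, int]]:
    """Return (remote address, remote port, PID) for established TCP
    connections to the C2 port. Input is ``netstat -ano`` style text."""
    hits = []
    for raw in netstat_output.splitlines():
        fields = raw.split()
        if len(fields) < 5 or fields[0].upper() != "TCP":
            continue
        remote, state, pid = fields[2], fields[3], fields[4]
        host, _, port = remote.rpartition(":")
        if state == "ESTABLISHED" and port.isdigit() and int(port) == C2_PORT:
            hits.append((host, int(port), int(pid)))
    return hits


# Constructed registry export: three infected subkeys plus benign entries.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"Media Player"="wmplayer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Media Player"="wmplayer.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\OLE]
"Media Player"="wmplayer.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"""

# Constructed clean export: the real player path under Program Files is not flagged.
CLEAN_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Media Player"="C:\\Program Files\\Windows Media Player\\wmplayer.exe"
"""

# Constructed netstat -ano output; 203.0.113.45 is a documentation address.
SAMPLE_NETSTAT = """  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.20:49711     203.0.113.45:65535     ESTABLISHED     1844
  TCP    192.168.1.20:49712     93.184.216.34:443      ESTABLISHED     2210
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
"""

if __name__ == "__main__":
    for key, name, data in find_registry_indicators(SAMPLE_REG_EXPORT):
        print(f"persistence: {key} -> {name} = {data}")
    for host, port, pid in find_c2_connections(SAMPLE_NETSTAT):
        print(f"possible C2: {host}:{port} from PID {pid}")
```

Run the script with real data by replacing the constructed samples with the output of reg export for each subkey and of netstat -ano; a PID reported next to a port-65535 connection can then be matched against the process list to see whether it is the hidden wmplayer.exe copy in the system folder. The port check alone is not conclusive, since any service may legitimately use port 65535, so treat it as a lead to be confirmed against the file and registry indicators.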
Commands may include the following instructions:
Spread to other computers by exploiting weak username/password combinations on accessible network shares
Attempt to exploit various security vulnerabilities in order to spread to other computers
Redirect network traffic
Download and execute programs from a remote Web or FTP site
Modify or terminate processes or services
Conduct DoS attacks against specified targets
Retrieve system information, CD keys for games, and user keystrokes
Establish an HTTP proxy
Prevention