Threat behavior
Backdoor:Win32/Rbot.DB is a backdoor Trojan that connects to an IRC server to receive commands from remote attackers. Commands could include instructions to spread to other computers via open network shares or by exploiting a security vulnerability, or to launch a denial of service (DoS) attack against specified targets.
When Backdoor:Win32/Rbot.DB is executed, it performs the following actions:
Copies itself to the Windows system folder as secure.exe, setting the file attributes to hidden and read-only.
Runs this copy of itself and deletes the original Trojan file.
Creates a mutual exclusion object (mutex) named "HaRRoBot".
Modifies the registry to load this copy of itself when Windows is started:
Adds value: Security Patch
With data: secure.exe
To subkeys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\OLE
Connects to a remote IRC server and channel using TCP port 8080, and awaits commands from remote attackers.
Connects to TCP port 113, and awaits commands from remote attackers.
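As an added defender-side example (not part of the encyclopedia entry), the following PowerShell function checks a host for the indicators listed above: the dropped secure.exe with hidden and read-only attributes, the "Security Patch" autorun value under the three registry keys, the "HaRRoBot" mutex, and the TCP 8080 / TCP 113 network activity. Assumptions not stated on the page: the "Windows system folder" is taken to be %SystemRoot%\System32, the mutex is tried under both its bare name and the Global\ namespace, and Get-NetTCPConnection requires Windows 8 / Server 2012 or later. Run it from an elevated session so the registry and connection queries can see every process.

```powershell
# Added detection example; not code from the original entry.
# Assumes System32 as the drop folder and tries both mutex namespaces.

function Test-RbotDBIndicators {
    [CmdletBinding()]
    param()

    $findings = @()

    # 1. Dropped file: %SystemRoot%\System32\secure.exe, hidden + read-only.
    #    -Force is needed so Get-Item returns hidden files.
    $dropPath = Join-Path $env:SystemRoot 'System32\secure.exe'   # assumed folder
    $file = Get-Item -LiteralPath $dropPath -Force -ErrorAction SilentlyContinue
    if ($file) {
        $hidden   = ($file.Attributes -band [IO.FileAttributes]::Hidden)   -ne 0
        $readOnly = ($file.Attributes -band [IO.FileAttributes]::ReadOnly) -ne 0
        $findings += [pscustomobject]@{
            Indicator = 'File'
            Detail    = "$dropPath exists (Hidden=$hidden, ReadOnly=$readOnly)"
        }
    }

    # 2. Autorun value "Security Patch" (data "secure.exe") under the keys the entry lists.
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
        'HKCU:\Software\Microsoft\OLE'
    )
    foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($props -and $props.PSObject.Properties['Security Patch']) {
            $findings += [pscustomobject]@{
                Indicator = 'Registry'
                Detail    = "$key\Security Patch = '$($props.'Security Patch')'"
            }
        }
    }

    # 3. Mutex "HaRRoBot": a running instance holds it, so opening it succeeds.
    #    Namespace is not stated on the page, so both forms are tried (assumption).
    foreach ($name in @('HaRRoBot', 'Global\HaRRoBot')) {
        $m = $null
        if ([System.Threading.Mutex]::TryOpenExisting($name, [ref]$m)) {
            $m.Dispose()
            $findings += [pscustomobject]@{ Indicator = 'Mutex'; Detail = "Mutex '$name' is present" }
        }
    }

    # 4. Network: established connection to remote TCP 8080, or a local listener on TCP 113.
    #    Neither is conclusive alone (8080 is a common proxy port); report them as context.
    $outbound = Get-NetTCPConnection -RemotePort 8080 -State Established -ErrorAction SilentlyContinue
    foreach ($conn in $outbound) {
        $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        $findings += [pscustomobject]@{
            Indicator = 'Network'
            Detail    = "PID $($conn.OwningProcess) ($($proc.ProcessName)) -> $($conn.RemoteAddress):8080"
        }
    }
    $listeners = Get-NetTCPConnection -LocalPort 113 -State Listen -ErrorAction SilentlyContinue
    foreach ($conn in $listeners) {
        $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        $findings += [pscustomobject]@{
            Indicator = 'Network'
            Detail    = "PID $($conn.OwningProcess) ($($proc.ProcessName)) listening on TCP 113"
        }
    }

    return $findings
}

# Wrap in @() so a single finding or no finding still gives a countable array.
$results = @(Test-RbotDBIndicators)
if ($results.Count -eq 0) {
    'No Backdoor:Win32/Rbot.DB indicators found.'
} else {
    $results | Format-Table -AutoSize
}
```

A hit on the file, registry or mutex check is specific to this family; the network checks only add context, since port 8080 traffic and port 113 (ident) listeners occur legitimately. Because the autorun value carries only the bare file name "secure.exe", the registry check reports whatever data is present rather than matching a full path.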
Commands may include the following instructions:
Spread to other computers by exploiting weak username/password combinations on accessible network shares
Attempt to exploit various security vulnerabilities in order to spread to other computers
Redirect network traffic
Download and execute programs from a remote Web site
Modify or terminate processes or services
Conduct DoS attacks against specified targets
Prevention