Threat behavior
Backdoor:Win32/Rbot.DF is a backdoor Trojan that connects to an IRC server to receive commands from remote attackers. Commands could include instructions to spread to other computers via open network shares or by exploiting a security vulnerability, or to launch a denial of service (DoS) attack against specified targets.
When Backdoor:Win32/Rbot.DF is executed, it performs the following actions:
- Copies itself to the Windows system folder as mswin32.exe, setting the file attributes to hidden and read-only.
- Runs this copy of itself and deletes the original Trojan file.
- Creates a mutual exclusion object (mutex) named "M3".
- Propagates itself to other computers across a network by:
  - replicating, using a predefined list of weak passwords, to the network shares:
    - Admin$\system32
    - c$\winnt\system32
    - c$\windows\system32
  - exploiting known vulnerabilities:
    - The DCOM RPC vulnerability using TCP port 135, fixed in MS03-026.
    - The WebDav vulnerability using TCP port 80, fixed in MS03-007.
    - The Workstation service buffer overrun vulnerability using TCP port 445, fixed in MS03-049 and MS03-043.
    - The Locator service vulnerability using TCP port 445, fixed in MS03-001. The worm specifically targets Windows 2000 machines using this exploit.
    - The UPnP vulnerability, fixed in MS01-059.
    - The vulnerabilities in the Microsoft SQL Server 2000 or MSDE 2000 audit using UDP port 1434, fixed in MS02-061.
  - replicating itself through known backdoor components of worms and trojans:
- Registers itself as a service, so that the worm process continues to run even after the user logs off. Adds the registry value "Microsoft Update" with data "AntiVirus.exe" to the subkeys:
  - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
  - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
- Terminates a predefined list of security applications, and other viruses and Trojans. Backdoor:Win32/Rbot.DF attempts to eliminate the programs below by deleting specific registry keys, files located in the Windows system folder, and services:
  - regedit.exe
  - msconfig.exe
  - netstat.exe
  - msblast.exe
  - zapro.exe
  - navw32.exe
  - navapw32.exe
  - zonealarm.exe
  - wincfg32.exe
  - taskmon.exe
  - PandaAVEngine.exe
  - sysinfo.exe
  - mscvb32.exe
  - MSBLAST.exe
  - teekids.exe
  - Penis32.exe
  - bbeagle.exe
  - SysMonXP.exe
  - winupd.exe
  - winsys.exe
  - ssate.exe
  - rate.exe
  - d3dupdate.exe
  - irun4.exe
  - i11r54n4.exe
- Connects to TCP port 113, and awaits commands from remote attackers.
- Connects to a remote IRC server and channel using TCP port 16667, and awaits commands from remote attackers. Commands may include the following instructions:
  - Collect email addresses from IM software (MSN, AOL) and the default address book.
  - Execute a shell command
  - Execute a specified file
  - List, create, and terminate processes
  - Act as a proxy server
  - Act as a network sniffer
  - Act as a key logger
  - Download and execute programs from a remote Web site
  - Conduct DoS attacks against specified targets
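The installation, persistence and network behavior listed above can be matched against a snapshot of a suspect host. The script below is an added example written for this entry; it is not part of the original write-up and not Microsoft's own tooling. The indicators it looks for (the mswin32.exe copy in the system folder with hidden and read-only attributes, the "M3" mutex, the "Microsoft Update" = "AntiVirus.exe" value under the four Run/RunServices subkeys, and TCP ports 113 and 16667) are the ones given in this entry. The snapshot contents, the function names and the input formats (registry-export triples, dir-style attribute letters, rows in the shape of `netstat -ano` output) are assumptions constructed for illustration.

```python
"""Triage a host snapshot against the Backdoor:Win32/Rbot.DF indicators above.

Added example, not code from the original write-up or from Microsoft. Every
indicator below is taken from the entry; the snapshot returned by
build_sample_snapshot() is constructed and is not real telemetry.
"""
from typing import Dict, List, Sequence, Tuple

DROPPED_FILE = "mswin32.exe"        # copied to the Windows system folder, hidden + read-only
MUTEX_NAME = "M3"
AUTORUN_VALUE = "microsoft update"  # registry value name, compared case-insensitively
AUTORUN_DATA = "antivirus.exe"      # its data, compared case-insensitively
AUTORUN_KEYS = {                    # the four subkeys the entry lists, lower-cased
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\runservices",
}
IRC_PORT = 16667                    # remote IRC server/channel used for commands
IDENT_PORT = 113                    # port the bot opens and listens on


def check_autoruns(entries: Sequence[Tuple[str, str, str]]) -> List[str]:
    """entries: (key, value_name, data) triples, e.g. parsed from a registry export."""
    hits = []
    for key, name, data in entries:
        if (key.lower() in AUTORUN_KEYS and name.lower() == AUTORUN_VALUE
                and data.strip().lower() == AUTORUN_DATA):
            hits.append(f"autorun: {key}\\{name} = {data}")
    return hits


def check_system_folder(listing: Sequence[Tuple[str, str]]) -> List[str]:
    """listing: (file_name, attribute_letters) pairs; letters as in dir output (H, R, S, A)."""
    hits = []
    for name, flags in listing:
        if name.lower() == DROPPED_FILE:
            attrs = flags.upper()
            detail = "hidden+read-only" if "H" in attrs and "R" in attrs else f"attrs={flags}"
            hits.append(f"file: {name} present in system folder ({detail})")
    return hits


def check_mutexes(names: Sequence[str]) -> List[str]:
    """names: mutex names collected from a handle listing; the match is exact."""
    return [f"mutex: {n}" for n in names if n == MUTEX_NAME]


def _port(endpoint: str) -> int:
    """Port of an 'addr:port' endpoint; handles '0.0.0.0:113' and '[::]:113'."""
    return int(endpoint.rsplit(":", 1)[1])


def check_netstat(lines: Sequence[str]) -> List[str]:
    """lines: rows shaped like `netstat -ano` output (proto local foreign state pid)."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5 or parts[0].upper() != "TCP":
            continue
        _proto, local, foreign, state, pid = parts[:5]
        if _port(foreign) == IRC_PORT:
            hits.append(f"net: pid {pid} {state} to {foreign} (IRC command port)")
        if _port(local) == IDENT_PORT and state.upper() == "LISTENING":
            hits.append(f"net: pid {pid} listening on ident port {local}")
    return hits


def triage(snapshot: Dict[str, Sequence]) -> Dict[str, List[str]]:
    """Run every check and return only the categories that produced findings."""
    results = {
        "autoruns": check_autoruns(snapshot.get("autoruns", [])),
        "files": check_system_folder(snapshot.get("system_folder", [])),
        "mutexes": check_mutexes(snapshot.get("mutexes", [])),
        "network": check_netstat(snapshot.get("netstat", [])),
    }
    return {k: v for k, v in results.items() if v}


def build_sample_snapshot() -> Dict[str, Sequence]:
    """Constructed snapshot of an infected host (illustrative values, not real telemetry)."""
    return {
        "autoruns": [
            (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "Microsoft Update", "AntiVirus.exe"),
            (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
            (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices", "Microsoft Update", "AntiVirus.exe"),
        ],
        "system_folder": [("kernel32.dll", "A"), ("mswin32.exe", "RHA"), ("notepad.exe", "A")],
        "mutexes": ["_SHuassist.mtx", "M3", "Local\\ZonesCounterMutex"],
        "netstat": [
            "  TCP    0.0.0.0:113            0.0.0.0:0              LISTENING       1337",
            "  TCP    192.168.1.20:1042      203.0.113.5:16667      ESTABLISHED     1337",
            "  TCP    192.168.1.20:445       0.0.0.0:0              LISTENING       4",
            "  UDP    0.0.0.0:1434           *:*                                    1256",
        ],
    }


if __name__ == "__main__":
    for category, findings in triage(build_sample_snapshot()).items():
        print(category)
        for finding in findings:
            print("  " + finding)
```

Run the script directly to print the findings for the constructed snapshot; on a real host, feed the four inputs from a registry or autoruns export, a listing of the system folder, a handle or mutex listing and `netstat -ano` output. The file, value and mutex names come from this one variant, so a host with none of these matches is not thereby shown to be clean; the port checks are the more durable of the four, and a workstation listening on TCP 113 or holding an established session to a high, non-standard IRC port deserves a look on its own.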
Prevention