Threat behavior
Backdoor:Win32/Rbot.DG is a backdoor Trojan that connects to an IRC server to receive commands from remote attackers. Commands can include instructions to spread to other computers via open network shares or by exploiting a security vulnerability, or to launch a denial of service (DoS) attack against specified targets.
When Backdoor:Win32/Rbot.DG is executed, it performs the following actions:
- Copies itself to the Windows system folder as mswin32.exe, setting the file attributes to hidden and read-only.
- Runs this copy of itself and deletes the original Trojan file.
- Creates a mutual exclusion object (mutex) named "SiL3nTKiLL", so that only one instance of the Trojan runs at a time.
- Propagates itself to other computers across the network by:
  - replicating to the administrative network shares
      Admin$\system32
      c$\winnt\system32
      c$\windows\system32
    using a predefined list of weak passwords
  - exploiting known vulnerabilities:
      The DCOM RPC vulnerability using TCP port 135, fixed in MS03-026.
      The WebDAV vulnerability using TCP port 80, fixed in MS03-007.
      The Workstation service buffer overrun vulnerability using TCP port 445, fixed in MS03-049 and MS03-043.
      The Locator service vulnerability using TCP port 445, fixed in MS03-001. The worm specifically targets Windows 2000 machines with this exploit.
      The UPnP vulnerability, fixed in MS01-059.
      The vulnerabilities in the Microsoft SQL Server 2000 or MSDE 2000 audit, using UDP port 1434, fixed in MS02-061.
  - replicating through backdoor components left behind by known worms and trojans.
- Registers itself to run at startup (on Windows 9x/Me the RunServices entry runs it as a service, so that the worm process continues to run after the user logs off):
    Adds the registry value: Microsoft Update Machine
    With data: system.exe
    To subkeys:
      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- May modify the following registry values on infected systems. Note that both changes disable DCOM and restrict anonymous access; rather than lowering security, they close the same network entry points the worm itself uses, which keeps rival worms from reinfecting the machine:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
      EnableDCOM = "N"
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
      restrictanonymous = 1
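The persistence and registry changes above are the quickest artefacts to check during triage. The following script is an added example, not part of the original advisory: it parses the text that `reg export` writes (the REG format: `[key]` headers followed by `"name"=data` lines), reports the "Microsoft Update Machine" autorun value and the Ole/Lsa changes, and, on a Windows host, also looks for the dropped mswin32.exe and the "SiL3nTKiLL" mutex. The sample export embedded below is constructed for the example and does not come from a real machine.

```python
"""Check a `reg export` file for the Rbot.DG registry indicators.

Added example, not part of the original advisory. parse_reg_export() reads the
REG text format ([key] headers, then "name"=data lines); check_rbot_indicators()
reports the autorun value and the Ole/Lsa changes listed above. SAMPLE_EXPORT is
constructed for the example and does not come from a real machine.
"""
import os
import re

RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
OLE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole"
LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"

# "name"=data or @=data (default value); the name may contain escaped quotes
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _decode(data: str):
    """Decode the REG data forms used here: "string" and dword:XXXXXXXX."""
    data = data.strip()
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    return data  # hex:... and other forms are left raw


def parse_reg_export(text: str) -> dict:
    """Return {key path (lower-case): {value name (lower-case): data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = (m.group(1) or "").lower()
            keys[current][name] = _decode(m.group(2))
    return keys


def check_rbot_indicators(reg: dict) -> list:
    """Return one finding per matching indicator; an empty list means none found."""
    findings = []
    for key in RUN_KEYS:
        data = reg.get(key.lower(), {}).get("microsoft update machine")
        if isinstance(data, str) and data.lower().endswith("system.exe"):
            findings.append(f"autorun value 'Microsoft Update Machine' = {data} under {key}")
    if str(reg.get(OLE_KEY.lower(), {}).get("enabledcom", "")).lower() == "n":
        findings.append("EnableDCOM = N (DCOM disabled)")
    if reg.get(LSA_KEY.lower(), {}).get("restrictanonymous") == 1:
        findings.append("restrictanonymous = 1")
    return findings


def live_host_indicators() -> list:
    """Windows only: look for the dropped file and the mutex. Assumes the bot
    created the mutex in the caller's session namespace (no Global\\ prefix)."""
    import ctypes
    from ctypes import wintypes
    found = []
    system32 = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "system32")
    path = os.path.join(system32, "mswin32.exe")
    if os.path.exists(path):
        found.append(f"dropped file {path}")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenMutexW.argtypes = [wintypes.DWORD, wintypes.BOOL, wintypes.LPCWSTR]
    k32.OpenMutexW.restype = wintypes.HANDLE
    handle = k32.OpenMutexW(0x00100000, False, "SiL3nTKiLL")  # SYNCHRONIZE access
    if handle:
        found.append("mutex SiL3nTKiLL is present")
        k32.CloseHandle(handle)
    return found


SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"VMware Tools"="\"C:\\Program Files\\VMware\\VMwareTray.exe\""
"Microsoft Update Machine"="system.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft Update Machine"="system.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000001
'''

if __name__ == "__main__":
    for finding in check_rbot_indicators(parse_reg_export(SAMPLE_EXPORT)):
        print(finding)
```

On a real host, export the three Run keys plus the Ole and Lsa keys with `reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` (and likewise for the others) and feed the concatenated text to parse_reg_export; reg export typically writes UTF-16, so open the file with encoding="utf-16". The autorun check matches on the value name and a trailing "system.exe" rather than the full path, because the advisory gives only the file name.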
- Terminates a predefined list of security applications, and other viruses and Trojans; Backdoor:Win32/Rbot.DG attempts to eliminate these programs by deleting specific registry keys, files in the Windows system folder, and services.
- Opens TCP port 113 (the ident service that IRC servers query to verify a connecting client).
- Connects to a remote IRC server and channel on TCP port 6667, and awaits commands from remote attackers.
- Commands may include the following instructions:
    Collect email addresses from IM software (MSN, AOL) and the default address book
    Execute a shell command
    Execute a specified file
    List, create, and terminate processes
    Act as a proxy server
    Act as a network sniffer
    Act as a key logger
    Download and execute programs from a remote Web site
    Conduct DoS attacks against specified targets
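The propagation and command-and-control behaviour above leaves a distinctive network pattern: an outbound IRC connection on TCP 6667, an ident lookup answered on TCP 113, and a sweep of neighbouring hosts on the exploit and share ports (135, 80, 445, and UDP 1434). The script below is an added example, not part of the original advisory, that scores hosts on those three behaviours over a connection log. The record format (ts,src,dst,proto,dport,dir), the sample rows, the 10.0.0.0/8 internal range, and the scan threshold of eight targets are all assumptions made for the example.

```python
"""Flag hosts showing the Rbot.DG network pattern: outbound IRC, an answered ident
lookup on TCP 113, and a sweep of internal hosts on the exploit and share ports.

Added example, not part of the original advisory. The record format
(ts,src,dst,proto,dport,dir) and the sample rows are constructed here; the
internal range and the scan threshold are assumptions to adapt to your network.
"""
import csv
import io
import ipaddress
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumption: the monitored internal range
IRC_PORTS = {6667}
IDENT_PORT = 113
# ports from the advisory: DCOM RPC 135, WebDAV 80, Workstation/Locator/shares 445, SQL 1434/udp
EXPLOIT_PORTS = {("tcp", 135), ("tcp", 80), ("tcp", 445), ("udp", 1434)}
SCAN_THRESHOLD = 8   # assumption: distinct internal targets before we call it a sweep


def is_internal(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INTERNAL


def parse_records(text: str) -> list:
    """Parse the CSV connection log; dir is 'out' (internal src) or 'in' (internal dst)."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["dport"] = int(r["dport"])
    return rows


def score_hosts(records: list) -> dict:
    """Map each internal host seen to the list of bot behaviours it exhibited."""
    irc, ident, targets = set(), set(), defaultdict(set)
    for r in records:
        proto, dport = r["proto"], r["dport"]
        if r["dir"] == "out" and proto == "tcp" and dport in IRC_PORTS and not is_internal(r["dst"]):
            irc.add(r["src"])                       # joined an external IRC server
        elif r["dir"] == "in" and proto == "tcp" and dport == IDENT_PORT:
            ident.add(r["dst"])                     # internal host answered the server's ident lookup
        elif (proto, dport) in EXPLOIT_PORTS and is_internal(r["dst"]) and r["dst"] != r["src"]:
            targets[r["src"]].add(r["dst"])         # touched another internal host on an exploit port
    results = {}
    for host in irc | ident | set(targets):
        reasons = []
        if host in irc:
            reasons.append("outbound IRC (tcp/6667)")
        if host in ident:
            reasons.append("answers ident (tcp/113)")
        if len(targets[host]) >= SCAN_THRESHOLD:
            reasons.append(f"{len(targets[host])} internal hosts on exploit/share ports")
        results[host] = reasons
    return results


def suspected_bots(records: list) -> list:
    """Two of the three behaviours together; IRC alone is often a legitimate user."""
    return sorted(h for h, reasons in score_hosts(records).items() if len(reasons) >= 2)


def build_sample_log() -> str:
    """Constructed sample: one infected host, one human IRC user, one normal host."""
    rows = [
        "ts,src,dst,proto,dport,dir",
        "10:01:02,10.0.0.23,203.0.113.9,tcp,6667,out",    # bot joins its IRC C2
        "10:01:03,203.0.113.9,10.0.0.23,tcp,113,in",       # IRC server's ident check, answered by the bot
        "10:02:10,10.0.0.77,198.51.100.40,tcp,6667,out",   # a person using IRC
        "10:02:11,10.0.0.50,198.51.100.5,tcp,80,out",      # ordinary web browsing
        "10:02:12,10.0.0.50,10.0.0.200,tcp,445,out",       # one file-server share connection
    ]
    for n in range(30, 42):                                # bot sweeps neighbours on 135 and 445
        rows.append(f"10:03:{n:02d},10.0.0.23,10.0.0.{n},tcp,135,out")
        rows.append(f"10:03:{n:02d},10.0.0.23,10.0.0.{n},tcp,445,out")
    rows.append("10:04:00,10.0.0.23,10.0.0.31,udp,1434,out")   # and probes SQL resolution
    return "\n".join(rows) + "\n"


if __name__ == "__main__":
    records = parse_records(build_sample_log())
    for host, reasons in sorted(score_hosts(records).items()):
        print(host, reasons)
    print("suspected bots:", suspected_bots(records))
```

Requiring two of the three behaviours keeps an ordinary IRC user (10.0.0.77 in the sample) out of the result, while a single share connection to a file server does not count as a sweep. The ident check is the cheap discriminator: a workstation that accepts inbound connections on TCP 113 right after opening an IRC session is behaving like a bot, not like a chat client.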
Prevention