The following may be indicative of a Backdoor:Win32/Rbot.FE infection:
- Presence of the following file in the Windows system folder:
  servenxp.exe
  Note: The default location of the Windows system folder is C:\Windows\System32 (Windows XP, Vista), C:\Winnt\System32 (Windows NT/2000) or C:\Windows\System (Windows 95/98/ME).
- Presence of the following registry modification:
  Value: NDIS Adapter
  With data: servenxp.exe
  In subkeys:
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
  HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
  HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Runonce
- Open Internet connections on TCP ports 113 and 6667 to external IP addresses
- Multiple connection attempts on TCP port 445 to random IP addresses
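
The indicators above can be checked on a host with a short PowerShell script; this is an added example, not part of the original description. Assumptions: the SysWOW64 check (32-bit processes on 64-bit Windows have System32 writes redirected there), the threshold of 10 distinct port-445 peers, and the availability of Get-NetTCPConnection (Windows 8 / Server 2012 or later).

```powershell
# Added example: local check for the indicators listed on this page.
$fileName     = 'servenxp.exe'
$valueName    = 'NDIS Adapter'
$smbThreshold = 10   # assumption: this many distinct port-445 peers counts as scanning

# 1. File in the Windows system folder (SysWOW64 is an added assumption,
#    see the lead-in; it simply does not exist on 32-bit Windows).
$dirs = @([Environment]::SystemDirectory, (Join-Path $env:windir 'SysWOW64'))
$fileHits = $dirs | ForEach-Object { Join-Path $_ $fileName } |
    Where-Object { Test-Path -LiteralPath $_ }

# 2. Autostart value in the seven subkeys named above.
$subKeys = @(
    'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce',
    'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Runonce'
)
$regHits = foreach ($key in $subKeys) {
    # Missing keys or values return nothing instead of raising an error.
    $p = Get-ItemProperty -LiteralPath "Registry::$key" -Name $valueName -ErrorAction SilentlyContinue
    if ($p) {
        [pscustomobject]@{
            Key         = $key
            Data        = $p.$valueName
            MatchesFile = ($p.$valueName -like "*$fileName*")
        }
    }
}

# 3. Network: a point-in-time snapshot of non-listening, non-loopback TCP connections.
$conns = @(Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $_.State -ne 'Listen' -and $_.RemoteAddress -notin '127.0.0.1', '::1' })
$ircHits  = $conns | Where-Object { ($_.RemotePort -in 113, 6667) -or ($_.LocalPort -in 113, 6667) }
$smbPeers = @($conns | Where-Object { $_.RemotePort -eq 445 } |
    Select-Object -ExpandProperty RemoteAddress -Unique)

# Summary object: empty arrays and $false mean the indicator was not observed.
[pscustomobject]@{
    FilePresent      = @($fileHits)
    RegistryHits     = @($regHits)
    Port113or6667    = @($ircHits | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State)
    Port445PeerCount = $smbPeers.Count
    Port445Scanning  = ($smbPeers.Count -ge $smbThreshold)
}
```

Because the network check is a snapshot, short-lived connection attempts can be missed; firewall or flow logs give a more reliable view of port 445 activity over time.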