Backdoor:Win32/Rbot.JF is a member of Win32/Rbot, a large family of IRC-controlled backdoors that allow unauthorized access and control of an affected computer. Using this backdoor, an attacker can perform a large number of different actions on an affected computer, including downloading and executing arbitrary files, stealing sensitive information and spreading to other computers using various methods.
Installation
When executed, Backdoor:Win32/Rbot.JF copies itself to <system folder>\winis.exe.
Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
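The following host-triage script is an added example and is not part of this description or of any Microsoft tooling. It resolves the System folder through the operating system (as the note above says the malware does), checks for the winis.exe copy, compares its SHA1 against the hash cited at the end of this entry, and lists any running process started from that path; the function and variable names are assumptions.

```powershell
# Added example (not from the original description). Only the file name winis.exe
# and the SHA1 ec871499b2e69a88ccb37900d18533ccdb899c97 come from the page.
$KnownSha1 = 'EC871499B2E69A88CCB37900D18533CCDB899C97'   # Get-FileHash reports upper-case hex
# Resolve <system folder> by asking the OS rather than hard-coding C:\Windows\System32.
$Target    = Join-Path ([Environment]::GetFolderPath('System')) 'winis.exe'

function Test-RbotJfArtifact {
    [CmdletBinding()]
    param([string]$Path = $Target, [string]$Sha1 = $KnownSha1)

    $result = [ordered]@{
        Path        = $Path
        Present     = $false
        Sha1        = $null
        HashMatch   = $false   # $true only for the exact sample this entry was generated from
        RunningPids = @()
    }

    if (Test-Path -LiteralPath $Path -PathType Leaf) {
        $result.Present   = $true
        $result.Sha1      = (Get-FileHash -LiteralPath $Path -Algorithm SHA1).Hash
        # A present file with a different hash may be another Rbot variant or an
        # unrelated program; treat it as a lead, not a clean result.
        $result.HashMatch = ($result.Sha1 -eq $Sha1)   # -eq is case-insensitive
    }

    # The copy may already be running even if the on-disk file was later removed.
    # $_.Path is $null for protected processes, so filter those out first.
    $result.RunningPids = @(Get-Process -Name 'winis' -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -and ($_.Path -ieq $Path) } |
        Select-Object -ExpandProperty Id)

    [pscustomobject]$result
}

$r = Test-RbotJfArtifact
$r | Format-List
# Non-zero exit lets a scheduled task or RMM job flag the host for follow-up.
if ($r.Present -or $r.RunningPids.Count -gt 0) { exit 1 } else { exit 0 }
```

Run it from an elevated PowerShell 4.0 or later session so that Get-FileHash is available and process paths are readable.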
Spreads via…
Variants of the Win32/Rbot family may use a number of different methods in order to spread to other computers.
Windows Live Messenger and/or AIM
Rbot may be ordered to spread via Messenger or AIM by a remote attacker using the backdoor functionality (see Payload section below for additional details). It can be ordered to send messages with a zipped copy of itself attached, or it can be ordered to send messages that contain URLs pointing to a remotely hosted copy of itself. It sends a message to all of the infected user's contacts.
The file name of the ZIP archive, the URL of the remote copy and the messages it sends are variable and may be provided by the remote controller via the IRC backdoor. In the wild, when spreading, these variants have often been observed masquerading as images.
Vulnerability exploit
Win32/Rbot may be ordered to spread by attempting to exploit a number of different vulnerabilities that affect Windows or other third-party software. The list of vulnerabilities that may be targeted in this manner is highly variable.
Previous system compromise
Win32/Rbot may be instructed to spread through backdoor ports opened by Mydoom, Bagle, Optix, Netdevil, and other malicious software families.
Network shares/weak passwords
Win32/Rbot may spread to remote computers by using a list of weak passwords that it carries with it against accounts that may exist on a targeted computer.
Payload
Allows backdoor access and control
Backdoor:Win32/Rbot.JF allows unauthorized access and control of an affected computer. An attacker can perform any number of different actions on an affected computer using Backdoor:Win32/Rbot.JF. This could include, but is not limited to, the following actions:
- Download and execute arbitrary files
- Upload files
- Spread to other computers using various methods of propagation
- Log keystrokes or steal sensitive data
- Modify system settings
- Run or terminate applications
- Delete files
This malware description was produced and published using our automated analysis system's examination of file SHA1 ec871499b2e69a88ccb37900d18533ccdb899c97.