Backdoor:Win32/Rbot.NC is a backdoor Trojan that allows the infected computer to be remotely controlled via its connection to a specific IRC server.
Upon execution, Backdoor:Win32/Rbot.NC takes the following actions:
- Copies itself to the Windows system folder as csrrs.exe (this could cause the file to be confused with the legitimate Windows system file "csrss.exe")
- Loads this copy of itself each time Windows is started by adding a reference to this file in the following registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\CurrentVersion\RunServices
- Connects to a pre-defined IRC server, joins a specified IRC channel, and awaits commands. These commands may include instructions to download or upload files, execute files, query system information, etc.
Backdoor:Win32/Rbot.NC also attempts to infect computers in the local area network (LAN) by brute-forcing administrator login passwords. It tries to connect to the following default administrative shares:
IPC$
ADMIN$
C$
D$
Backdoor:Win32/Rbot.NC uses the following list of passwords in an attempt to gain access to these shares:
administrator
administrador
administrateur
administrat
admins
admin
adm
password1
password
passwd
pass1234
pass
pwd
007
1
12
123
1234
12345
123456
1234567
12345678
123456789
1234567890
2000
2001
2002
2003
2004
test
guest
none
demo
unix
linux
changeme
default
system
server
root
null
qwerty
mail
outlook
web
www
internet
accounts
accounting
home
homeuser
user
oem
oemuser
oeminstall
windows
win98
win2k
winxp
winnt
win2000
qaz
asd
zxc
qwe
bob
jen
joe
fred
bill
mike
john
peter
luke
sam
sue
susan
peter
brian
lee
neil
ian
chris
eric
george
kate
bob
katei
mary
login
loginpass
technical
backup
exchange
fuck
bitch
slut
sex
god
hell
hello
domain
domainpass
domainpassword
database
access
dbpass
dbpassword
databasepass
data
databasepassword
db1
db2
db1234
sa
sql
sqlpassoainstall
orainstall
oracle
ibm
cisco
dell
compaq
siemens
hp
nokia
xp
control
office
blank
winpass
main
lan
internet
intranet
student
teacher
staff
Backdoor:Win32/Rbot.NC tries to steal CD serial keys for popular games such as:
Neverwinter Nights
Soldier of Fortune II - Double Helix
Hidden & Dangerous 2
Chrome
NOX
Command and Conquer: Red Alert 2
Command and Conquer: Tiberian Sun
Rainbow Six III RavenShield
Nascar Racing 2003
Nascar Racing 2002
NHL 2003
NHL 2002
FIFA 2003
FIFA 2002
Shogun: Total War: Warlord Edition
Need For Speed: Underground
Need For Speed Hot Pursuit 2
Medal of Honor: Allied Assault: Spearhead
Medal of Honor: Allied Assault: Breakthrough
Medal of Honor: Allied Assault
Global Operations
Command and Conquer: Generals
James Bond 007: Nightfire
Command and Conquer: Generals (Zero Hour)
Black and White
Battlefield Vietnam
Battlefield 1942 (Secret Weapons of WWII)
Battlefield 1942 (Road To Rome)
Battlefield 1942
Freedom Force
IGI 2: Covert Strike
Unreal Tournament 2004
Unreal Tournament 2003
Microsoft Windows Product ID
Soldiers Of Anarchy
Legends of Might and Magic
Industry Giant 2
Half-Life
Gunman Chronicles
The Gladiators
Counter-Strike (Retail)