Backdoor:Win32/Rbot.gen!G is a backdoor trojan that allows unauthorized access to and control of an affected machine. This malware may also be able to spread in a number of different ways. Typically, the spreading mechanism is started manually by a remote attacker using the backdoor functionality. Spreading methods may include instant messaging applications, weakly protected network shares, vulnerability exploits, and backdoors opened by other malware during previous system compromises.
A broad range of functionally similar malware may be detected under this name. While specific symptoms (such as filenames and registry modifications) may vary from instance to instance, the behavior of this malware should be fairly consistent.
Installation
When executed, this malware typically copies itself to the Windows or System directories and modifies one of the following registry entries in order to execute this copy at each system start:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
For example, one variant observed in the wild copies itself to <system folder>\service.exe and makes the following registry modifications in order to execute this file at each Windows start:
Adds value: "Windows Taskmanager"
With data: "service.exe"
To subkeys:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\
Note - <system folder> refers to a variable location that the malware determines by querying the operating system. The default System folder location is C:\Winnt\System32 for Windows 2000 and NT, and C:\Windows\System32 for XP and Vista.
Some variants may add a Windows system service to attain similar results.
Spreads Via…
MSN Messenger and/or AIM
This malware may be ordered to spread via MSN Messenger or AIM by a remote attacker using the backdoor functionality (see Payload below for additional detail). It can be ordered to send messages with a zipped copy of itself attached, or messages that contain URLs pointing to a remotely hosted copy of itself. It sends these messages to all of the infected user's contacts.
The filename of the ZIP archive, the URL of the remote copy and the messages it sends are variable and may be provided by the remote controller via the IRC backdoor. In the wild, when spreading, these variants have often been observed masquerading as images.
Vulnerability Exploit
Backdoor:Win32/Rbot.gen!G may be ordered to spread by attempting to exploit a number of different vulnerabilities that affect Windows or other third-party software. The list of vulnerabilities that may be targeted in this manner is highly variable.
Previous System Compromise
This malware may be instructed to spread through backdoor ports opened by Mydoom, Bagle, Optix, Netdevil, and other malicious software families.
Network Shares/Weak Passwords
This malware may spread to remote computers by using a list of weak passwords that it carries with it against accounts that may exist on a targeted machine.
Payload
Backdoor Functionality
Backdoor:Win32/Rbot connects to an IRC server and joins a specific channel to receive commands from a remote attacker. For example, one variant attempts to connect to the server 'usb.mtmyza.net' via port 7000.
These commands may include the following (amongst others):
Scan for vulnerable computers on the network
Scan for ports on the network
Download and execute arbitrary files
Monitor network traffic
Launch HTTP/HTTPD, SOCKS4, and TFTP/FTP servers
Retrieve computer configuration information
Log
Perform denial of service (DoS) attacks
Spread via one of the methods mentioned above
Terminates Processes
Some variants of this malware may terminate the processes of particular security-related products.
Modifies Hosts File
This malware may modify the Windows Hosts file. The local Hosts file maps hostnames to IP addresses and takes precedence over DNS resolution, so a Hosts entry forces a web site's name to resolve to the address given there. Malicious software may modify the Hosts file in order to redirect specified hostnames to different IP addresses. Malware often modifies an affected machine's Hosts file in order to stop users from reaching websites associated with particular security-related applications, such as antivirus vendors.
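As an added example (not part of the original encyclopedia entry), the following Python audits a Hosts file for the two tampering patterns described above: names sinkholed to a loopback or unspecified address, and watched domains redirected to another host. The hosts-file contents and the watched domain suffixes are constructed for this example.

```python
import ipaddress

# Names that legitimately map to loopback in a stock hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed stand-ins for the security-vendor sites a defender cares about.
WATCHED_SUFFIXES = ("antivirus-vendor.example", "update.example")

def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, ignoring blank
    lines, '#' comments (including inline ones) and malformed addresses."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address, so not a mapping
        for name in parts[1:]:
            entries.append((str(ip), name.lower()))
    return entries

def audit_hosts(text):
    """Return (hostname, ip, reason) for each suspicious mapping."""
    findings = []
    for ip_str, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        ip = ipaddress.ip_address(ip_str)
        if ip.is_loopback or ip.is_unspecified:
            findings.append((name, ip_str, "sinkholed to loopback/0.0.0.0"))
        elif name.endswith(WATCHED_SUFFIXES):
            findings.append((name, ip_str, "watched domain redirected"))
    return findings

# Constructed sample of a modified hosts file.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.antivirus-vendor.example  # vendor site blocked
0.0.0.0         liveupdate.update.example
203.0.113.10    download.antivirus-vendor.example  # sent elsewhere
192.168.1.20    fileserver.corp.example
"""

if __name__ == "__main__":
    for host, ip, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"{host:40} {ip:15} {reason}")
```

On a live Windows system, pass the contents of %SystemRoot%\System32\drivers\etc\hosts to audit_hosts and compare its output against a known-good baseline.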