Backdoor:Win32/Rbot.KQ is a member of Win32/Rbot, a large family of IRC-controlled backdoors that allow unauthorized access to and control of an affected computer. Using this backdoor, an attacker can perform a large number of different actions on an affected computer, including downloading and executing arbitrary files, stealing sensitive information and spreading to other computers using various methods.
Installation
When executed, Backdoor:Win32/Rbot.KQ copies itself to <system folder>\win32db.exe.
Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on XP, Vista and 7.
The malware modifies the following registry entries to ensure that its copy executes at each Windows start:
Adds value: "NTSF MICROSOFT SYSTEM"
With data: "win32db.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adds value: "NTSF MICROSOFT SYSTEM"
With data: "win32db.exe"
To subkey: HKCU\Software\Microsoft\windows\currentversion\run
Spreads via…
Variants of the Win32/Rbot family may use a number of different methods in order to spread to other computers.
Windows Live Messenger and/or AIM
Rbot may be ordered to spread via Messenger or AIM by a remote attacker using the backdoor functionality (see the Payload section below for additional details). It can be ordered to send messages with a zipped copy of itself attached, or to send messages that contain URLs pointing to a remotely hosted copy of itself. It sends the message to all of the infected user's contacts.
The file name of the ZIP archive, the URL of the remote copy and the messages it sends are variable and may be provided by the remote controller via the IRC backdoor. In the wild, when spreading, these variants have often been observed masquerading as images.
Vulnerability exploit
Win32/Rbot may be ordered to spread by attempting to exploit a number of different vulnerabilities that affect Windows or other third-party software. The list of vulnerabilities that may be targeted in this manner is highly variable.
Previous system compromise
Win32/Rbot may be instructed to spread through backdoor ports opened by Mydoom, Bagle, Optix, Netdevil, and other malicious software families.
Network shares/weak passwords
Win32/Rbot may spread to remote computers by trying a list of weak passwords that it carries with it against accounts that may exist on a targeted computer.
Payload
Modifies system settings
Backdoor:Win32/Rbot.KQ modifies the affected computer system's settings by making the following changes to the registry:
- The malware stops or blocks all DCOM (Distributed Component Object Model) traffic, so that the affected computer is unable to contact DCOM servers, and remote clients are unable to launch servers or connect to objects on that affected computer. It does this by making the following registry modification:
Adds value: "EnableDCOM"
With data: "n"
To subkey: HKLM\SOFTWARE\Microsoft\Ole
Note: This modification may be made to stop the affected computer from being further compromised by a different attacker.
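Both registry changes described on this page (the "NTSF MICROSOFT SYSTEM" Run values under Installation and the EnableDCOM value above) can be checked offline against a `reg export` of the relevant keys. The following Python script is an added example and is not part of the original description: it parses a constructed .reg export and reports values matching the indicators listed on this page. The sample export, its benign entries, the paths in it and all function names are assumptions made for the example.

```python
import re
from typing import Dict, List, Tuple

# Indicators taken from the description: the Run value name, the dropped
# file name, and the DCOM setting. Keys are compared in normalized lower-case form.
RUN_VALUE_NAME = "ntsf microsoft system"
DROPPED_FILE = "win32db.exe"
RUN_KEYS = (
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hkcu\software\microsoft\windows\currentversion\run",
)
OLE_KEY = r"hklm\software\microsoft\ole"
HIVE_ALIASES = {"hkey_local_machine": "hklm", "hkey_current_user": "hkcu"}

# Matches one value line of a .reg file: "name"=data or @=data (default value).
_VALUE_RE = re.compile(r'^(?P<name>"(?:[^"\\]|\\.)*"|@)=(?P<data>.*)$')


def normalize_key(key: str) -> str:
    """Lower-case a registry path and shorten the hive name (HKEY_LOCAL_MACHINE -> hklm)."""
    hive, _, rest = key.strip().partition("\\")
    hive = HIVE_ALIASES.get(hive.lower(), hive.lower())
    return hive + "\\" + rest.lower() if rest else hive


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of .reg syntax that 'reg export' writes: [key] headers and
    "name"="string" values. Returns {normalized_key: {value_name: data}}.
    Non-string data (dword:, hex:) is kept verbatim so it can still be inspected."""
    result: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = normalize_key(line[1:-1])
            result.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = m.group("name")
        name = "(Default)" if name == "@" else name[1:-1].replace('\\"', '"')
        data = m.group("data")
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            # .reg string data escapes backslash and double quote with a backslash.
            data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        result[current][name] = data
    return result


def command_basename(data: str) -> str:
    """File name of the executable in a Run value: handles both a bare name
    (win32db.exe) and a quoted path followed by arguments ("C:\\x\\y.exe" /arg)."""
    data = data.strip()
    exe = data[1:].split('"', 1)[0] if data.startswith('"') else data.split(" ", 1)[0]
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_rbot_indicators(reg: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, data) triples matching the Rbot.KQ registry changes."""
    hits: List[Tuple[str, str, str]] = []
    for key in RUN_KEYS:
        for name, data in reg.get(key, {}).items():
            # The malware writes a bare file name, so match on the basename of the command.
            if name.lower() == RUN_VALUE_NAME or command_basename(data) == DROPPED_FILE:
                hits.append((key, name, data))
    ole = reg.get(OLE_KEY, {})
    if ole.get("EnableDCOM", "").lower() == "n":
        hits.append((OLE_KEY, "EnableDCOM", ole["EnableDCOM"]))
    return hits


# Constructed sample export (not from a real host); benign entries and paths are made up.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"NTSF MICROSOFT SYSTEM"="win32db.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"NTSF MICROSOFT SYSTEM"="win32db.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="n"
"DefaultAccessPermission"=hex:01,00,04,80
"""

if __name__ == "__main__":
    for key, name, data in find_rbot_indicators(parse_reg_export(SAMPLE_EXPORT)):
        print(f"[{key}] {name!r} = {data!r}")
```

A Run value holding a bare file name such as "win32db.exe" (rather than a full path) is itself worth a second look during triage, since legitimate autostart entries almost always carry the full path of the executable.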
Allows backdoor access and control
The malware attempts to connect to an IRC server at adv.41hosting.com via TCP port 6667, join a channel and wait for commands. Using this backdoor, an attacker can perform a number of actions on an affected computer, including the following:
- Download and execute arbitrary files
- Upload files
- Spread to other computers using various methods of propagation
- Log keystrokes or steal sensitive data
- Modify system settings
- Run or terminate applications
- Delete files
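The command-and-control indicators given above (the IRC server name and TCP port 6667) can be searched for in network telemetry. The following Python script is an added example and is not part of the original description. It works over constructed DNS and connection log lines in a simple key=value format that is an assumption for the example (real sensors such as Zeek or a firewall write their own formats), correlates resolutions of the C2 domain with later connections to the resolved address, and flags plain TCP/6667 connections as a weaker heuristic. The hosts and addresses in the sample are placeholders from documentation ranges.

```python
import re
from typing import Dict, List, Set, Tuple

# Command-and-control indicators from the description.
C2_HOST = "adv.41hosting.com"
C2_PORT = 6667  # standard IRC port; rarely legitimate on managed workstations

# Constructed log lines in a key=value format invented for this example (not from a real sensor).
# 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges used as placeholders.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z dns client=10.0.0.12 query=adv.41hosting.com answer=192.0.2.45
2024-03-01T10:00:02Z conn src=10.0.0.12 dst=192.0.2.45 dport=6667 proto=tcp
2024-03-01T10:00:05Z conn src=10.0.0.19 dst=198.51.100.7 dport=443 proto=tcp
2024-03-01T10:00:09Z dns client=10.0.0.19 query=www.example.com answer=198.51.100.8
2024-03-01T10:00:11Z conn src=10.0.0.23 dst=192.0.2.45 dport=6667 proto=tcp
2024-03-01T10:00:14Z conn src=10.0.0.31 dst=198.51.100.9 dport=6667 proto=tcp
"""

_LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kind>dns|conn)\s+(?P<fields>.*)$")


def parse_line(line: str) -> Tuple[str, str, Dict[str, str]]:
    """Split one log line into (timestamp, record kind, {field: value})."""
    m = _LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognized log line: {line!r}")
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split())
    return m.group("ts"), m.group("kind"), fields


def detect_c2_activity(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, source host, reason) alerts.

    Three checks, in decreasing order of confidence:
      c2-dns   : a host resolved the C2 domain named in the description
      c2-ip    : a host connected to an address the C2 domain resolved to
      irc-port : a host connected to TCP 6667 at any destination (weak heuristic)
    Lines are processed in order, so a DNS answer only explains later connections.
    """
    alerts: List[Tuple[str, str, str]] = []
    c2_addresses: Set[str] = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, kind, f = parse_line(line)
        if kind == "dns":
            if f.get("query", "").lower().rstrip(".") == C2_HOST:
                c2_addresses.add(f.get("answer", ""))
                alerts.append((ts, f["client"], "c2-dns"))
        elif kind == "conn":
            if f.get("dst") in c2_addresses:
                alerts.append((ts, f["src"], "c2-ip"))
            elif f.get("proto") == "tcp" and int(f.get("dport", "0")) == C2_PORT:
                alerts.append((ts, f["src"], "irc-port"))
    return alerts


def hosts_to_triage(alerts: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Group alert reasons per source host for follow-up on the endpoint
    (for example checking the Run and EnableDCOM registry values listed above)."""
    by_host: Dict[str, List[str]] = {}
    for _, host, reason in alerts:
        by_host.setdefault(host, []).append(reason)
    return by_host


if __name__ == "__main__":
    alerts = detect_c2_activity(SAMPLE_LOG)
    for ts, host, reason in alerts:
        print(ts, host, reason)
    print(hosts_to_triage(alerts))
```

The IP-based correlation matters because a host may have cached the DNS answer, or resolved it before logging started; the host 10.0.0.23 in the sample is caught only because another host's resolution tied the address to the C2 domain.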
This malware description was produced and published using our automated analysis system's examination of file SHA1 afad9f499f2d2101312a1787d4ce5567535394bd.