Virus

W32/RBot!tr.bdr!06

Analysis

  • Creates a mutex named rx10B  to ensure that only one instance of the worm is executed on the computer.
  • Copies itself to the System folder as [Random].exe, where [Random] refers to eight lowercase characters.
    Autostart Mechanism
  • Creates the following value:
    AdobeReaderPro = "[Random].exe"
    to the following registry subkeys:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    HKEY_CURRENT_USER\Software\Microsoft\OLE
    Note: [Random] refers to a random combination of eight lowercase characters.
    Network Propagation
  • Spreads via weakly protected network shares, weakly protected Microsoft SQL servers and the following vulnerabilities:

    Backdoor/Trojan Behavior
  • Modifies the following registry entries:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
      EnableDCOM = "N" (The default value is "Y")
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
      restrictanonymous = dword:1
  • Attempts to terminate processes whose names contain one of the following strings:
    • ACKWIN32.EXE
    • ADAWARE.EXE
    • ADVXDWIN.EXE
    • AGENTSVR.EXE
    • AGENTW.EXE
    • ALERTSVC.EXE
    • ALEVIR.EXE
    • ALOGSERV.EXE
    • AMON9X.EXE
    • ANTI-TROJAN.EXE
    • ANTIVIRUS.EXE
    • ANTS.EXE
    • APIMONITOR.EXE
    • APLICA32.EXE
    • APVXDWIN.EXE
    • ARR.EXE
    • ATCON.EXE
    • ATGUARD.EXE
    • ATRO55EN.EXE
    • ATUPDATER.EXE
    • ATWATCH.EXE
    • AU.EXE
    • AUPDATE.EXE
    • AUTODOWN.EXE
    • AUTO-PROTECT.NAV80TRY.EXE
    • AUTOTRACE.EXE
    • AUTOUPDATE.EXE
    • AVCONSOL.EXE
    • AVE32.EXE
    • AVGCC32.EXE
    • AVGCTRL.EXE
    • AVGNT.EXE
    • AVGSERV.EXE
    • AVGSERV9.EXE
    • AVGUARD.EXE
    • AVGW.EXE
    • AVKPOP.EXE
    • AVKSERV.EXE
    • AVKSERVICE.EXE
    • AVKWCTl9.EXE
    • AVLTMAIN.EXE
    • AVNT.EXE
    • AVP.EXE
    • AVP32.EXE
    • AVPCC.EXE
    • AVPDOS32.EXE
    • AVPM.EXE
    • AVPTC32.EXE
    • AVPUPD.EXE
    • AVSCHED32.EXE
    • AVSYNMGR.EXE
    • AVWINNT.EXE
    • AVWUPD.EXE
    • AVWUPD32.EXE
    • AVWUPSRV.EXE
    • AVXMONITOR9X.EXE
    • AVXMONITORNT.EXE
    • AVXQUAR.EXE
    • BACKWEB.EXE
    • BARGAINS.EXE
    • BD_PROFESSIONAL.EXE
    • BEAGLE.EXE
    • BELT.EXE
    • BIDEF.EXE
    • BIDSERVER.EXE
    • BIPCP.EXE
    • BIPCPEVALSETUP.EXE
    • BISP.EXE
    • BLACKD.EXE
    • BLACKICE.EXE
    • BLSS.EXE
    • BOOTCONF.EXE
    • BOOTWARN.EXE
    • BORG2.EXE
    • BPC.EXE
    • BRASIL.EXE
    • BS120.EXE
    • BUNDLE.EXE
    • BVT.EXE
    • CCAPP.EXE
    • CCEVTMGR.EXE
    • CCPXYSVC.EXE
    • CDP.EXE
    • CFD.EXE
    • CFGWIZ.EXE
    • CFIADMIN.EXE
    • CFIAUDIT.EXE
    • CFINET.EXE
    • CFINET32.EXE
    • CLAW95CF.EXE
    • CLEAN.EXE
    • CLEANER.EXE
    • CLEANER3.EXE
    • CLEANPC.EXE
    • CLICK.EXE
    • CMD.EXE
        :
        :

  • Connects to an IRC server to await instructions and commands from a malicious user. These commands can cause the infected machine to perform any of the following actions:
    • Download and execute files
    • Scan for vulnerable computers
    • Send confidential information, such as the user name, passwords, etc., to the remote intruder
    • Start proxy server for HTTP, SOCKS4
    • List and terminate services and processes
    • Initiate distributed denial of service (DDoS) attacks
    • Logs keystrokes

Recommended Action