Virus

W32/RBot!tr.bdr!08

Analysis

  • Creates a mutex named msdss to ensure that only one instance is executed on the computer.
  • Copies itself to the System folder as ms-dos.pif.
    Autostart Mechanism
  • Adds the following value:
    MS-DOS Security Service = "ms-dos.pif"
    to the following registry subkeys:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ole
    Only the Run and RunServices entries are processed by Windows at logon (RunServices only on Windows 9x/ME); the Lsa and Ole entries are not consulted by the system and serve only as markers of infection.
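
    The following is an added example, not part of this entry and not Fortinet code: a small Python scanner that parses a Windows registry export (the text produced by "reg export" or regedit) and reports every subkey from the list above that carries the "MS-DOS Security Service" = "ms-dos.pif" value, distinguishing hits that actually execute at logon (Run, RunServices) from hits that are only markers (Lsa, Ole). The embedded export is constructed for the demonstration; the indicator value name, data and key list are taken from the entry.

```python
"""Added example (not Fortinet's code): scan a Windows .reg export for the
W32/RBot autostart indicator listed above. SAMPLE_EXPORT is constructed."""
import re

# Registry value names are case-insensitive, so everything is compared folded.
INDICATOR_VALUE = "ms-dos security service"
INDICATOR_DATA = "ms-dos.pif"

# Subkeys from the entry. Only Run/RunServices are processed at logon; the
# Lsa and Ole entries are written by the bot but nothing executes them.
AUTOSTART_KEYS = {k.lower() for k in (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
)}
MARKER_KEYS = {k.lower() for k in (
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole",
    r"HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ole",
)}

# A "name"="data" line of a .reg export (REG_SZ only; dword:/hex: lines are
# skipped because the indicator is a string value).
_STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """Undo .reg escaping: \\" -> " and \\\\ -> \\."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Parse .reg text into {key: {value_name: data}} keeping string values only."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # "[HKEY_...\Run]" -> "HKEY_...\Run"
            keys.setdefault(current, {})
        elif current is not None:
            m = _STRING_VALUE.match(line)
            if m:
                keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def find_rbot_autostart(text):
    """Return [(key, executes_at_logon)] for each listed subkey carrying the indicator.

    Parse order is preserved, so results follow the order of the export."""
    hits = []
    for key, values in parse_reg_export(text).items():
        folded = key.lower()
        if folded not in AUTOSTART_KEYS and folded not in MARKER_KEYS:
            continue
        for name, data in values.items():
            # Match on the file name only; some variants write a full path.
            if name.lower() == INDICATOR_VALUE and INDICATOR_DATA in data.lower():
                hits.append((key, folded in AUTOSTART_KEYS))
    return hits


# Constructed sample export: one real persistence hit, one marker hit, and a
# clean HKCU Run key that must not be reported.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="\"C:\\Program Files\\Windows Defender\\MSASCuiL.exe\""
"MS-DOS Security Service"="ms-dos.pif"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"MS-DOS Security Service"="ms-dos.pif"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\analyst\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
'''

if __name__ == "__main__":
    for key, executes in find_rbot_autostart(SAMPLE_EXPORT):
        print(("AUTOSTART " if executes else "MARKER    ") + key)
```

    To run it against a real host, export the hives with "reg export HKLM hklm.reg" and "reg export HKCU hkcu.reg", read them with encoding "utf-16" (regedit 5.00 exports are UTF-16LE with a BOM), and pass the text to find_rbot_autostart. A positive hit in a Run or RunServices key should be followed by checking the System folder for ms-dos.pif, as the entry describes.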

    Network Propagation
  • Spreads via weakly protected network shares, weakly protected Microsoft SQL servers and the following vulnerabilities:

    Backdoor/Trojan Behavior
  • Connects to an IRC server to await instructions and commands from a malicious user. These commands can cause the infected machine to perform any of the following actions:
    • Download and execute files
    • Scan for vulnerable computers
    • Send confidential information, such as user names and passwords, to the remote intruder
    • Start an HTTP or SOCKS4 proxy server
    • List and terminate services and processes
    • Initiate distributed denial of service (DDoS) attacks
    • Log keystrokes

Recommended Action