Home / malware

PDF

Backdoor:Win32/Arwobot.B

First posted on 08 October 2010.
Source: SecurityHome

Aliases :

Backdoor:Win32/Arwobot.B is also known as Win-Trojan/BypassAgent.76800 (AhnLab), W32/Rbot.G.gen!Eldorado (Authentium (Command, W32/Ircbot.gen.7778023 (Norman), Trojan.PWS.Banbra.LJO (VirusBuster), Trojan horse Generic17.AXSD (AVG), BDS/Backdoor.Gen (Avira), Backdoor.SDBot.DGFP (BitDefender), Win32/Arwobot.B (CA), Win32.HLLW.Lime.origin (Dr.Web), Win32/AGbot.O (ESET), Trojan.Win32.Arwobot (Ikarus), Trojan-Banker.Win32.Banbra.vke (Kaspersky), W32/Spybot.worm!dr (McAfee), W32/P2Pworm.MF.worm (Panda), Backdoor.SdBot.xnt (Rising AV), Mal/IRCBot-C (Sophos), Trojan.Win32.Generic!SB.0 (Sunbelt Software), W32.IRCBot (Symantec), WORM_SDBOT.SMX (Trend Micro) more.

Explanation :

Backdoor:Win32/Arwobot.B allows unauthorized access and control on an affected computer.
Top

Backdoor:Win32/Arwobot.B allows unauthorized access and control on an affected computer. Installation Backdoor:Win32/Arwobot.B drops itself as "update10.exe" under the following directory: %ProgramFiles%\common files\system It then executes the dropped file. Backdoor:Win32/Arwobot.B also creates a mutex named "R4G3b0t". The malware modifies the following registry entries to ensure that its copy executes at each Windows start: In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunSets value: "Windows Update"With data: "%ProgramFiles%\common files\system\update10.exe" In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\
StandardProfile\AuthorizedApplications\ListSets value: "C:\Program Files\Common Files\System\update10.exe"With data: "%ProgramFiles%\common files\system\update10.exe:*:enabled:windows update" Backdoor:Win32/Arwobot.B may copy itself to the following shared drives on an affected computer: %ProgramFiles%\LimeWire\Shared %ProgramFiles%\eDonkey2000\incoming %ProgramFiles%\KAZAA %ProgramFiles%\Morpheus\My Shared Folder\ %ProgramFiles%\BearShare\Shared\ %ProgramFiles%\ICQ\Shared Files\ %ProgramFiles%\Grokster\My Grokster\ \My Downloads\ Payload Connects to remote server Backdoor:Win32/Arwobot.B tries to connect to a remote server at TCP port 6667. In the wild, we have observed the malware attempting to connect to boosted.serveirc.com. Allows backdoor access and control The malware allows unauthorized access and control of an affected computer. An attacker can perform any number of different actions on an affected computer using Backdoor:Win32/Arwobot.B. This could include, but is not limited to the following actions:

Download and execute arbitrary files

Upload files

Terminate processes

Steal sensitive information

Analysis by Jaime Wong

Last update 08 October 2010

 

TOP