Home / malware Backdoor:Win32/Rbot.SF
First posted on 18 May 2009.
Source: SecurityHomeAliases :
Backdoor:Win32/Rbot.SF is also known as Also Known As:Win32/Rbot!generic (CA), Backdoor.Win32.Rbot.dsj (Kaspersky), GenPack:Backdoor.IRCBot.ABXI (BitDefender), Win32/Rbot (ESET), :W32/RxBot.OY.worm (Panda), W32.Spybot.Worm (Symantec).
Explanation :
Backdoor:Win32/Rbot.SF is a backdoor trojan that may connect to a remote attacker to perform actions on the system without the user's knowledge.
Symptoms
There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom(s).
Backdoor:Win32/Rbot.SF is a backdoor trojan that may connect to a remote attacker to perform actions on the system without the user's knowledge.
Installation
Backdoor:Win32/Rbot.SF drops a copy of itself in the Windows system folder using a random file name. A name it has been known to use in some samples is rdxkoo.exe. It then modifies the system registry so that it automatically runs every time Windows starts: Adds value: "Microsoft Update Machine"
With data: "<malware file name>"
To subkeys:
HKLMSoftwareMicrosoftWindowsCurrentVersionRun
HKLMSoftwareMicrosoftWindowsCurrentVersionRunServices
HKCUSoftwareMicrosoftWindowsCurrentVersionRun where <malware file name> is the name used by this malware in the system, for example, rdxkoo.exe.
Payload
Performs Backdoor FunctionalityBackdoor:Win32/Rbot.SF attempts to connect to the remote server irc.zerofuzion.net on TCP port 6667. Once connection is established, it may perform certain commands on the system, such as the following, without the user's knowledge:Upload, download, and execute arbitrary files Log keystrokes Connect to or attack other systems
Analysis by Andrei Florin SaygoLast update 18 May 2009