Backdoor:Win32/Rbot.gen!G
First posted on 21 February 2019.
Source: Microsoft

Aliases:
Backdoor:Win32/Rbot.gen!G is also known as Win32/Rbot!generic, Trojan.Rbot.PVT, W32/Sdbot.worm.gen.l, Backdoor:Win32/RBot.

Explanation:
Backdoor:Win32/Rbot.gen!G is a backdoor trojan that allows unauthorized access to and control of an affected machine. This malware may also be able to spread in a number of different ways. Typically, the spreading mechanism is started manually by a remote attacker using the backdoor functionality. Methods of spreading may include Messenger applications, weakly protected network shares, vulnerability exploits, or backdoors opened by other malware during previous system compromises. A broad range of functionally similar malware may be detected under this name, so while specific symptoms (such as filenames and registry modifications) may vary from instance to instance, the behavior of this malware should be fairly consistent.

Installation

When executed, this malware typically copies itself to the Windows or System directory and modifies one of the following registry entries in order to execute this copy at each system start:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices

For example, one variant observed in the wild copies itself to the system folder as service.exe and makes the following registry modifications in order to execute this file at each Windows start:

Adds value: "Windows Taskmanager"
With data: "service.exe"
To subkeys:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

Note: the system folder is a variable location that the malware determines by querying the operating system. The default location of the System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on XP and Vista.

Some variants may add a Windows system service to attain similar results.

Spreads Via…

MSN Messenger and/or AIM

This malware may be ordered to spread via Messenger or AIM by a remote attacker using the backdoor functionality (see Payload below for additional detail). It can be ordered to send messages with a zipped copy of itself attached, or to send messages that contain URLs pointing to a remotely hosted copy of itself. It sends a message to all of the infected user's contacts. The filename of the ZIP archive, the URL of the remote copy and the messages it sends are variable and may be provided by the remote controller via the IRC backdoor. In the wild, when spreading, these variants have often been observed masquerading as images.

Vulnerability Exploit

Backdoor:Win32/Rbot.gen!G may be ordered to spread by attempting to exploit a number of different vulnerabilities that affect Windows or other third-party software. The list of vulnerabilities that may be targeted in this manner is highly variable.

Previous System Compromise

This malware may be instructed to spread through backdoor ports opened by Mydoom, Bagle, Optix, Netdevil, and other malicious software families.

Network Shares/Weak Passwords

This malware may spread to remote computers by trying a list of weak passwords that it carries with it against accounts that may exist on a targeted machine.

Payload

Backdoor Functionality

Backdoor:Win32/Rbot connects to an IRC server and joins a specific channel to receive commands from a remote attacker. For example, one variant attempts to connect to the server 'usb.mtmyza.net' via port 7000.
These commands may include the following (amongst others):

Scan for vulnerable computers on the network
Scan for ports on the network
Download and execute arbitrary files
Monitor network traffic
Launch HTTP/HTTPD, SOCKS4, and TFTP/FTP servers
Retrieve computer configuration information
Log
Perform denial of service (DoS) attacks
Spread via one of the methods mentioned above

Terminates Processes

Some variants of this malware may terminate the processes of particular security-related products.

Modifies Hosts File

This malware may modify the Windows Hosts file. The local Hosts file overrides DNS resolution, mapping a website's hostname to a particular IP address. Malicious software may modify the Hosts file in order to redirect specified URLs to different IP addresses. Malware often modifies an affected machine's Hosts file in order to stop users from accessing websites associated with particular security-related applications (such as antivirus products).

Last update 21 February 2019
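As an added triage example (not part of the original entry and not Microsoft's code), the following Python flags the two indicator classes the description gives: an autostart value in one of the listed Run/RunServices/policies\Explorer\Run keys whose data is a bare executable name, as in the observed "Windows Taskmanager" = "service.exe", and Hosts-file lines that pin security-related hostnames. The (key, value name, data) tuple input format and the watchlist keywords are assumptions, and the sample data is constructed.

```python
import ipaddress

# Autostart keys named in the description, without the hive prefix, lower-cased.
AUTORUN_KEYS = {
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runservices",
    r"software\microsoft\windows\currentversion\policies\explorer\run",
}

def _strip_hive(key):
    # "HKLM\SOFTWARE\..." or "HKEY_LOCAL_MACHINE\Software\..." -> "software\..."
    key = key.lower()
    return key.split("\\", 1)[1] if "\\" in key else key

def suspicious_autoruns(entries):
    """Flag autostart values whose command is a bare .exe name with no directory."""
    hits = []
    for key, name, data in entries:
        if _strip_hive(key) not in AUTORUN_KEYS:
            continue
        parts = data.replace('"', "").split()   # drop quoting, keep first token
        cmd = parts[0] if parts else ""
        if cmd.lower().endswith(".exe") and "\\" not in cmd:
            hits.append((key, name, data))
    return hits

def suspicious_hosts_entries(hosts_text, watchlist):
    """Return (ip, hostname) pairs for hosts lines pinning a watched hostname,
    whatever address it maps to (127.0.0.1 is the classic way to block a site)."""
    hits = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()   # strip comments
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                              # not an address/hostname line
        for host in fields[1:]:
            if any(word in host.lower() for word in watchlist):
                hits.append((ip, host))
    return hits

# Constructed sample input (assumed format, not observed data).
SAMPLE_AUTORUNS = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Windows Taskmanager", "service.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Tray", r"C:\Windows\System32\tray.exe"),
]
SAMPLE_HOSTS = "127.0.0.1 localhost\n127.0.0.1 update.example-antivirus.test # sample\n10.0.0.5 www.example-security.test\n"
WATCHLIST = ("antivirus", "security")
```

A bare filename in an autostart value is only a heuristic: it is common in this family but also appears in some legitimate installers, so treat a hit as a lead for checking the file's location and signature rather than a verdict.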