#ThreatInfo #Aliases Backdoor.Win32.Rbot.gi - TopicsExpress



          

#ThreatInfo

#Aliases
Backdoor.Win32.Rbot.gi (#Kaspersky)
Backdoor:Win32/Rbot.gen (#Microsoft)
W32.Spybot.Worm (#Symantec)
Win32/Rbot (#ESET)

#ShortDescription
The trojan serves as a #backdoor. It can be controlled remotely.

#Installation
When executed, the trojan copies itself into the %system% folder using the following name:

%variable%.exe (a string with #variable content is used instead of %variable%)

In order to be executed on every system start, the trojan sets the following #Registry entries:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Layer" = "%system%\%variable%.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Windows Layer" = "%system%\%variable%.exe"

#OtherInformation
The trojan #acquires data and commands from a remote computer or the Internet. The #trojan connects to the following addresses:

irc.seslichat5 (the #IRC protocol is used)

It can #execute the following operations:

- send the list of disk devices and their type to a remote computer
- download files from a remote computer and/or the Internet
- spread via shared folders and P2P networks
- send various information about the infected computer
- collect information about the operating system used
- connect to remote computers on a specific port
- stop itself for a certain time period
- obtain the list of shared network folders
- capture webcam video/voice
- capture screenshots
- send files to a remote computer
- retrieve CPU information
- redirect network traffic
- monitor network traffic
- spread via IM networks
- log keystrokes
- terminate running processes
- run executable files
- shut down/restart the computer
- perform port scanning
- open a specific URL address
- perform DoS/DDoS attacks
- update itself to a newer version
- delete folders
- create folders
- move files
- delete cookies
- open ports

virusradar/en/Win32_Rbot/
Posted on: Wed, 07 Aug 2013 14:49:10 +0000
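
An added example, not part of the original post or of the vendor description: a Python check that scans the text of a .reg export for the "Windows Layer" value under the two autorun keys listed above. The sample export and its .exe names are constructed, and treating %system% as a folder named System32 or System is an assumption.

```python
import ntpath
import re

# Autorun keys and value name as listed in the description above.
AUTORUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
VALUE_NAME = "windows layer"
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    # .reg string syntax escapes backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)

def find_windows_layer_autoruns(reg_text):
    """Return (key, data, in_system_folder) for each "Windows Layer" autorun value."""
    hits, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_LINE.match(line)
        if not m or key is None or key.lower() not in AUTORUN_KEYS:
            continue
        name, data = unescape(m.group(1)), unescape(m.group(2))
        if name.lower() != VALUE_NAME:  # registry value names are case-insensitive
            continue
        # Assumption: %system% resolves to a folder named System32 (or System).
        folder = ntpath.basename(ntpath.dirname(data)).lower()
        in_system = folder in ("system32", "system") and data.lower().endswith(".exe")
        hits.append((key, data, in_system))
    return hits

# Constructed sample export, not real host data; the .exe names are made up.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Layer"="C:\\WINDOWS\\system32\\example123.exe"
"Updater"="\"C:\\Program Files\\Vendor\\updater.exe\" /background"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"windows layer"="C:\\Temp\\other.exe"

[HKEY_CURRENT_USER\Software\Example]
"Windows Layer"="C:\\WINDOWS\\system32\\ignored.exe"
'''
```

A hit whose third field is False still carries the value name from the description but points outside the system folder, so it is worth reviewing rather than discarding.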
