Win32/Robobot [Threat Name] go to Threat

Win32/Robobot [Threat Variant Name]

Category trojan
Size 36422 B
Detection created Mar 23, 2005
Detection database version 1438
Aliases Backdoor.Win32.Robobot.ab (Kaspersky)
  Backdoor:Win32/Robobot.T (Microsoft)
Short description

The trojan serves as a backdoor. It can be controlled remotely. The trojan can be used for sending spam.

Installation

When executed, the trojan copies itself in some of the the following locations:

  • %homepath%\­Application Data\­Microsoft\­Internet Explorer\­mssecure.exe
  • %windir%\­System\­mssecure.exe

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • ".mssecure" = "%windir%\­System\­mssecure.exe"
    • ".mssecure" = "%homepath%\­Application Data\­Microsoft\­Internet Explorer\­mssecure.exe"
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • ".mssecure" = "%windir%\­System\­mssecure.exe"
    • ".mssecure" = "%homepath%\­Application Data\­Microsoft\­Internet Explorer\­mssecure.exe"

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Services\­SharedAccess\­Parameters\­FirewallPolicy\­StandardProfile\­AuthorizedApplications\­List]
    • "%windir%\­System\­mssecure.exe" = "%windir%\­System\­mssecure.exe:*:Enabled:Microsoft Update"
    • "%homepath%\­Application Data\­Microsoft\­Internet Explorer\­mssecure.exe" = "%homepath%\­Application Data\­Microsoft\­Internet Explorer\­mssecure.exe:*:Enabled:Microsoft Update"

The performed data entry creates an exception in the Windows Firewall program.

Other information

The trojan interferes with the operation of some security applications to avoid detection.


The following services are disabled:

  • wscsvc
  • SharedAccess
  • kavsvc
  • SAVScan
  • Symantec Core LC
  • navapsvc
  • wuauserv

The following Registry entry is deleted:

  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "KAVPersonal50"

The trojan acquires data and commands from a remote computer or the Internet.


The trojan connects to the following addresses:

  • webapi.robobot.org
  • webapi.megabestservices.com

The IRC protocol is used.


The trojan can download and execute a file from the Internet.


The file is stored in the following location:

  • %system%\­application\­%variable%

A string with variable content is used instead of %variable% .


The trojan can be used for sending spam.

Please enable Javascript to ensure correct displaying of this content and refresh this page.