Win32/Rbot [Threat Name]

Win32/Rbot [Threat Variant Name]

Category: trojan
Size: 437289 B
Aliases: Backdoor.Win32.Rbot.gi (Kaspersky), Backdoor:Win32/Rbot.gen (Microsoft), W32.Spybot.Worm (Symantec)
Short description

The trojan serves as a backdoor. It can be controlled remotely.

Installation

When executed, the trojan copies itself into the %system% folder using the following name:

  • %variable%.exe

A string with variable content is used instead of %variable%.


In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Windows Layer" = "%system%\%variable%.exe"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
    • "Windows Layer" = "%system%\%variable%.exe"
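The two Run/RunServices entries above are the only host artifacts this entry gives a fixed name for, so they are the natural starting point for a local check. The following PowerShell is an added example, not part of the ESET entry and not code from the threat itself: it queries both keys named above for a "Windows Layer" value, reports the referenced executable, and, where the file exists, prints its size and SHA-256 so an analyst can compare them against the metadata on this page. The value name and key paths come from the entry; everything else (output format, the size comparison) is this example's own choice.

```powershell
# Added example (not from the ESET entry): inspect the two persistence keys
# this page names for the "Windows Layer" value and report what it points to.
$valueName    = 'Windows Layer'
$expectedSize = 437289   # size in bytes stated on the page; other variants may differ
$keys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
)

foreach ($key in $keys) {
    # RunServices does not exist on modern Windows, so a missing key is not an error.
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props -or -not ($props.PSObject.Properties.Name -contains $valueName)) {
        Write-Output "[ok]    $key : no '$valueName' value"
        continue
    }

    $target = [string]$props.$valueName
    # The page shows the value as a bare path; strip quotes in case it was stored quoted.
    $path = $target.Trim('"')

    if (Test-Path -LiteralPath $path) {
        $file = Get-Item -LiteralPath $path
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $sizeNote = if ($file.Length -eq $expectedSize) { 'matches page' } else { 'differs from page' }
        Write-Output "[ALERT] $key : '$valueName' = $target"
        Write-Output "        file present, $($file.Length) bytes ($sizeNote), SHA256 $hash"
    } else {
        # A dangling entry still indicates the key was written; keep it for the timeline.
        Write-Output "[ALERT] $key : '$valueName' = $target (file not found on disk)"
    }
}
```

Run it from an elevated prompt so both HKLM keys are readable. A hit only tells you that a value with this name exists; confirm with the hash and, if the file is present, with AV detection before treating it as Win32/Rbot, since the page gives no hash of its own.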
Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan connects to the following addresses:

  • irc.seslichat5.com

The IRC protocol is used.


It can execute the following operations:

  • send the list of disk devices and their type to a remote computer
  • download files from a remote computer and/or the Internet
  • spread via shared folders and P2P networks
  • send various information about the infected computer
  • collect information about the operating system used
  • connect to a specific port on remote computers
  • stop itself for a certain time period
  • obtain the list of shared network folders
  • capture webcam video/voice
  • capture screenshots
  • send files to a remote computer
  • retrieve CPU information
  • redirect network traffic
  • monitor network traffic
  • spread via IM networks
  • log keystrokes
  • terminate running processes
  • run executable files
  • shut down/restart the computer
  • perform port scanning
  • open a specific URL address
  • perform DoS/DDoS attacks
  • update itself to a newer version
  • delete folders
  • create folders
  • move files
  • delete cookies
  • open ports
