Win32/Rbot [Threat Name]
Win32/Rbot [Threat Variant Name]
Category | trojan
Size | 437289 B
Aliases | Backdoor.Win32.Rbot.gi (Kaspersky), Backdoor:Win32/Rbot.gen (Microsoft), W32.Spybot.Worm (Symantec)
Short description
The trojan serves as a backdoor. It can be controlled remotely.
Installation
When executed, the trojan copies itself into the %system% folder using the following name:
- %variable%.exe
A string with variable content is used instead of %variable%.
In order to be executed on every system start, the trojan sets the following Registry entries:
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
- "Windows Layer" = "%system%\%variable%.exe"
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
- "Windows Layer" = "%system%\%variable%.exe"
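The two autorun values above are the host-side indicator a responder would look for. The following script is an added example, not part of the original entry: it parses a registry export (the `.reg` text format produced by `reg export` or Registry Editor) and reports any value named "Windows Layer" under the Run or RunServices keys, together with whether the referenced executable lives in the system folder. The sample export, the file name `xkqwz.exe` and the system path `C:\WINDOWS\system32` are constructed for the example.

```python
import re
import sys
from typing import Iterator

# Persistence locations named in the entry, compared case-insensitively.
AUTORUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)
# Value name the trojan writes under both keys.
INDICATOR_VALUE_NAME = "Windows Layer"

# Constructed .reg export; the "Windows Layer" lines mimic the entry, ctfmon.exe is a benign control.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Layer"="C:\\WINDOWS\\system32\\xkqwz.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Windows Layer"="C:\\WINDOWS\\system32\\xkqwz.exe"
"""

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# A named value: "name"=data ; the name may contain escaped quotes or backslashes.
_VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


def _unescape(s: str) -> str:
    """Undo .reg escaping: \\" -> " and \\\\ -> \\."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text: str) -> Iterator[tuple[str, str, str]]:
    """Yield (key_path, value_name, data) for every REG_SZ value in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            data = m.group("data")
            # Only quoted (string) data can be an autorun command line; skip dword:/hex: values.
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                yield key, _unescape(m.group("name")), _unescape(data[1:-1])


def find_rbot_autoruns(entries, system_dir=r"C:\WINDOWS\system32"):
    """Return autorun values matching the indicator name under the Run/RunServices keys."""
    wanted_keys = {k.lower() for k in AUTORUN_KEYS}
    findings = []
    for key, name, data in entries:
        if key.lower() not in wanted_keys:
            continue
        if name.lower() == INDICATOR_VALUE_NAME.lower():
            findings.append({
                "key": key,
                "name": name,
                "data": data,
                # The entry says the copy is dropped into %system%; record whether the path agrees.
                "in_system_dir": data.lower().startswith(system_dir.lower() + "\\"),
            })
    return findings


if __name__ == "__main__":
    # Usage: python rbot_autorun_check.py [exported.reg]; falls back to the constructed sample.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG_EXPORT
    for f in find_rbot_autoruns(parse_reg_export(text)):
        print(f"{f['key']}\\{f['name']} -> {f['data']} (system dir: {f['in_system_dir']})")
```

Real `reg export` output is UTF-16 with a BOM, which is why the script opens a supplied file with that encoding. The value name is the robust indicator here; the executable name is random per infection, so matching on the path alone would also flag legitimate system32 autoruns such as ctfmon.exe in the sample.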
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan connects to the following addresses:
- irc.seslichat5.com
The IRC protocol is used.
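On the network side, a lookup of the control server's name is the earliest sign of a beacon. The script below is an added example, not part of the original entry: it scans DNS query records for the hostname listed above, normalising case and trailing dots and matching only the exact name or names beneath it, so that an unrelated name that merely ends in the same characters is not reported. The log format, timestamps and client addresses are constructed for the example.

```python
import re

# Control server named in the entry; matched exactly or as the parent of a queried name.
RBOT_C2_DOMAINS = ("irc.seslichat5.com",)

# Constructed query log in a simple "timestamp client query=<name> type=<rr>" layout.
SAMPLE_DNS_LOG = """\
2009-03-02T08:15:01Z 10.0.0.21 query=update.microsoft.com type=A
2009-03-02T08:15:07Z 10.0.0.34 query=IRC.SESLICHAT5.COM. type=A
2009-03-02T08:15:09Z 10.0.0.34 query=irc.seslichat5.com type=A
2009-03-02T08:16:12Z 10.0.0.50 query=seslichat5.com type=A
2009-03-02T08:16:40Z 10.0.0.77 query=notirc.seslichat5.com type=A
"""

_LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query=(?P<name>\S+)")


def normalize_name(name: str) -> str:
    """Lower-case the name and drop the trailing root dot DNS tooling often appends."""
    return name.rstrip(".").lower()


def matches_c2(name: str, domains=RBOT_C2_DOMAINS) -> bool:
    """True for the listed hostname or any name under it; label boundaries are respected."""
    n = normalize_name(name)
    return any(n == d or n.endswith("." + d) for d in domains)


def find_c2_lookups(log_text: str):
    """Return (client, normalised_name, timestamp) for every query that hits the indicator."""
    hits = []
    for line in log_text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the expected layout
        if matches_c2(m.group("name")):
            hits.append((m.group("client"), normalize_name(m.group("name")), m.group("ts")))
    return hits


if __name__ == "__main__":
    for client, name, ts in find_c2_lookups(SAMPLE_DNS_LOG):
        print(f"{ts} {client} resolved {name}")
```

The parent domain `seslichat5.com` is deliberately not reported: the entry lists only the IRC host, and widening the match is a decision for the analyst rather than the script.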
It can execute the following operations:
- send the list of disk devices and their type to a remote computer
- download files from a remote computer and/or the Internet
- spread via shared folders and P2P networks
- send various information about the infected computer
- collect information about the operating system used
- connect to a specific port on remote computers
- stop itself for a certain time period
- obtain the list of shared network folders
- capture webcam video/voice
- capture screenshots
- send files to a remote computer
- retrieve CPU information
- redirect network traffic
- monitor network traffic
- spread via IM networks
- log keystrokes
- terminate running processes
- run executable files
- shut down/restart the computer
- perform port scanning
- open a specific URL address
- perform DoS/DDoS attacks
- update itself to a newer version
- delete folders
- create folders
- move files
- delete cookies
- open ports