F-Secure
Tools
Rbot.BIC
Summary
RBot represents a large family of backdoors - remote access tools. These tools allow for the contol of a victims' computers from a remote location by sending specific commands via IRC channels. These backdoors can also steal data and spread to computers vulnerable to exploits.
Disinfection
Allow F-Secure Anti-Virus to disinfect the relevant files.
For more general information on disinfection, please see Removal Instructions.
Additional Details
RBot represents a large family of backdoors - remote access tools. These tools allow for the contol of a victims' computers from a remote location by sending specific commands via IRC channels. These backdoors can also steal data and spread to computers vulnerable to exploits.
Upon execution, it creates a copy of itself in the Windows folder and run from this location:
It will terminate certain services and applications such as the system's firewall, security and antivirus applications.
Rbot.BIC further installs itself to run during system startup by modifying the system registry:
The following IRC server and ports are used by the backdoor:
The backdoor joins the following password-protected IRC channels:
A hacker can send commands to the bots on the IRC channel to control the infected computers. Several tasks can be performed, including the following:
When spreading, the bot can exploit the following vulnerabilities:
RBot.BIC disables Windows Firewall and Windows Update, and terminates active security related applications that contains the following strings in their filenames:
It uses the following user accounts:
- to connect to the target machine's hidden shares:
It also tries to brute force its way into the Administrator Group accounts by using the following list of passwords:
Once a target Windows machine has successfully been exploited, it will create and execute a Visual Basic Script (VBS) file remotely to download and execute a copy of this malware.
It also spies on the user by logging mouse and keyboard events when a specific window with the following strings is active:
It accepts the following BOT commands:
RBot.BIC is also able to send itself in Instant Messages with the following details:
Upon execution, it creates a copy of itself in the Windows folder and run from this location:
- %windir%\system32\glossary.exe
It will terminate certain services and applications such as the system's firewall, security and antivirus applications.
Rbot.BIC further installs itself to run during system startup by modifying the system registry:
- [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
Shell=explorer.exe %windir%\system32\glossary.exe - [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
Userinit=%windir%\system32\userinit.exe,%windir%\system32\glossary.exe - [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
Userinit=%windir%\system32\userinit.exe,%windir%\system32\glossary.exe - [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
RBot v2 with NetAPI exploit traded with billgates I gave my mother Greetz - OG - Bluehell Irc Server=%windir%\system32\glossary.exe
The following IRC server and ports are used by the backdoor:
- forum.ednet.es:4915
The backdoor joins the following password-protected IRC channels:
- ##.sec.##
- ##.sec-cashlog.##
- ##.sec-exp.##
- ##.sec-keyl0g.##
A hacker can send commands to the bots on the IRC channel to control the infected computers. Several tasks can be performed, including the following:
- Start an FTP server
- Perform ping, SYN, ICMP and UDP flood
- Get system information including information about OS, network and drives
- Update the backdoor's file from Internet
- Operate backdoor's bot (nick change, join/part channels, etc.)
- Start remote shell (cmd.exe)
- Download and execute files
- Enumerate remote shares
- Scan and exploit computers vulnerable to exploits
- Steal user information and log keyboard and mouse events
- Send copies using different IM applications
- Visit websites
- Patch system files
When spreading, the bot can exploit the following vulnerabilities:
- ASN.1 (MS04-007) ports 80 and 139
- MS SQL (MS02-056) port 1433
- NetpIsRemote (MSO6-040) port 139
- Real VNC port 5800
RBot.BIC disables Windows Firewall and Windows Update, and terminates active security related applications that contains the following strings in their filenames:
- anti
- blackice
- firewall
- f-pro
- lockdown
- mcafee
- nod32
- norton
- reged
- sniff
- spybot
- troja
- viru
- vsmon
- zonea
It uses the following user accounts:
- administrador
- administrateur
- administrator
- to connect to the target machine's hidden shares:
- Admin$
- ipc$
It also tries to brute force its way into the Administrator Group accounts by using the following list of passwords:
- admin
- root
- asdfgh
- server
- 0
- 00
- 000
- 0000
- 00000
- 000000
- 0000000
- 00000000
- 1
- 12
- 123
- 1234
- 12345
- 123456
- 1234567
- 12345678
- 123456789
- secret
- secure
- security
- setup
- shadow
- shit
- sql
- super
- sys
- system
- abc123
- access
- adm
- alpha
- anon
- anonymous
- backdoor
- backup
- beta
- bin
- coffee
- computer
- crew
- database
- debug
- default
- demo
- free
- go
- guest
- hello
- install
- internet
- login
- manager
- money
- monitor
- network
- new
- newpass
- nick
- nobody
- nopass
- oracle
- pass
- passwd
- password
- poiuytre
- private
- public
- qwerty
- random
- real
- remote
- ruler
- telnet
- temp
- test
- test1
- test2
- visitor
- windows
Once a target Windows machine has successfully been exploited, it will create and execute a Visual Basic Script (VBS) file remotely to download and execute a copy of this malware.
It also spies on the user by logging mouse and keyboard events when a specific window with the following strings is active:
- bank
- Bank
- eBay
- iKobo
- PayPal
- StormPay
- WorldPay
It accepts the following BOT commands:
- cdsfmd
- cmderstop
- disconsdfnect
- httpxcvdos
- httxcvvpstop
- imsxcvpread
- imsxcvtop
- irtycraw
- kehgjylog
- kfgnlobvnad
- kiltryltrqead
- logsdfout
- lxcoxcvg
- masssxcvcan
- openxcvcmd
- rdsfmd
- recosdnsdfnect
- scacxvnstats
- scacxvnstop
- sccxvan
- scxvyxn
- socbnks4
- socsdfsktop
- synsxcvtop
- threddsads
- twist
- ucxvdp
- udpcxvsctop
- updghjate
- uptidsfme
- vifdgsit
- visyjghit2
RBot.BIC is also able to send itself in Instant Messages with the following details:
- filename: photo_.SCr
- message: <= :D:D