Eng
  1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar


Rbot.BIC


Aliases:


Rbot.BIC
Rbot.BIC

Malware
Backdoor
W32

Summary

RBot represents a large family of backdoors - remote access tools. These tools allow for the contol of a victims' computers from a remote location by sending specific commands via IRC channels. These backdoors can also steal data and spread to computers vulnerable to exploits.



Disinfection & Removal

Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details

RBot represents a large family of backdoors - remote access tools. These tools allow for the contol of a victims' computers from a remote location by sending specific commands via IRC channels. These backdoors can also steal data and spread to computers vulnerable to exploits.

Upon execution, it creates a copy of itself in the Windows folder and run from this location:

  • %windir%\system32\glossary.exe

It will terminate certain services and applications such as the system's firewall, security and antivirus applications.

Rbot.BIC further installs itself to run during system startup by modifying the system registry:

  • [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] Shell=explorer.exe %windir%\system32\glossary.exe
  • [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] Userinit=%windir%\system32\userinit.exe,%windir%\system32\glossary.exe
  • [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] Userinit=%windir%\system32\userinit.exe,%windir%\system32\glossary.exe
  • [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] RBot v2 with NetAPI exploit traded with billgates I gave my mother Greetz - OG - Bluehell Irc Server=%windir%\system32\glossary.exe

The following IRC server and ports are used by the backdoor:

  • forum.ednet.es:4915

The backdoor joins the following password-protected IRC channels:

  • ##.sec.##
  • ##.sec-cashlog.##
  • ##.sec-exp.##
  • ##.sec-keyl0g.##

A hacker can send commands to the bots on the IRC channel to control the infected computers. Several tasks can be performed, including the following:

  • Start an FTP server
  • Perform ping, SYN, ICMP and UDP flood
  • Get system information including information about OS, network and drives
  • Update the backdoor's file from Internet
  • Operate backdoor's bot (nick change, join/part channels, etc.)
  • Start remote shell (cmd.exe)
  • Download and execute files
  • Enumerate remote shares
  • Scan and exploit computers vulnerable to exploits
  • Steal user information and log keyboard and mouse events
  • Send copies using different IM applications
  • Visit websites
  • Patch system files

When spreading, the bot can exploit the following vulnerabilities:

  • ASN.1 (MS04-007) ports 80 and 139
  • MS SQL (MS02-056) port 1433
  • NetpIsRemote (MSO6-040) port 139
  • Real VNC port 5800

RBot.BIC disables Windows Firewall and Windows Update, and terminates active security related applications that contains the following strings in their filenames:

  • anti
  • blackice
  • firewall
  • f-pro
  • lockdown
  • mcafee
  • nod32
  • norton
  • reged
  • sniff
  • spybot
  • troja
  • viru
  • vsmon
  • zonea

It uses the following user accounts:

  • administrador
  • administrateur
  • administrator

- to connect to the target machine's hidden shares:

  • Admin$
  • ipc$

It also tries to brute force its way into the Administrator Group accounts by using the following list of passwords:

  • admin
  • root
  • asdfgh
  • server
  • 0
  • 00
  • 000
  • 0000
  • 00000
  • 000000
  • 0000000
  • 00000000
  • 1
  • 12
  • 123
  • 1234
  • 12345
  • 123456
  • 1234567
  • 12345678
  • 123456789
  • secret
  • secure
  • security
  • setup
  • shadow
  • shit
  • sql
  • super
  • sys
  • system
  • abc123
  • access
  • adm
  • alpha
  • anon
  • anonymous
  • backdoor
  • backup
  • beta
  • bin
  • coffee
  • computer
  • crew
  • database
  • debug
  • default
  • demo
  • free
  • go
  • guest
  • hello
  • install
  • internet
  • login
  • mail
  • manager
  • money
  • monitor
  • network
  • new
  • newpass
  • nick
  • nobody
  • nopass
  • oracle
  • pass
  • passwd
  • password
  • poiuytre
  • private
  • public
  • qwerty
  • random
  • real
  • remote
  • ruler
  • telnet
  • temp
  • test
  • test1
  • test2
  • visitor
  • windows

Once a target Windows machine has successfully been exploited, it will create and execute a Visual Basic Script (VBS) file remotely to download and execute a copy of this malware.

It also spies on the user by logging mouse and keyboard events when a specific window with the following strings is active:

  • bank
  • Bank
  • eBay
  • iKobo
  • PayPal
  • StormPay
  • WorldPay

It accepts the following BOT commands:

  • cdsfmd
  • cmderstop
  • disconsdfnect
  • httpxcvdos
  • httxcvvpstop
  • imsxcvpread
  • imsxcvtop
  • irtycraw
  • kehgjylog
  • kfgnlobvnad
  • kiltryltrqead
  • logsdfout
  • lxcoxcvg
  • masssxcvcan
  • openxcvcmd
  • rdsfmd
  • recosdnsdfnect
  • scacxvnstats
  • scacxvnstop
  • sccxvan
  • scxvyxn
  • socbnks4
  • socsdfsktop
  • synsxcvtop
  • threddsads
  • twist
  • ucxvdp
  • udpcxvsctop
  • updghjate
  • uptidsfme
  • vifdgsit
  • visyjghit2

RBot.BIC is also able to send itself in Instant Messages with the following details:

  • filename: photo_.SCr
  • message: <= :D:D






Submit a sample




Wondering if a file or URL is malicious? Submit a sample to our Lab for analysis via the Sample Analysis System (SAS)

Give And Get Advice




Give advice. Get advice. Share the knowledge on our free discussion forum.

Scan and clean your PC




F-Secure Online Scanner will scan and clean your PC in just a few minutes for free