F-Secure Virus Descriptions : Rbot.xt

 [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 "MSDOS Windows Service" = "MSDOS.PIF"

 [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 "MSDOS Windows Service" = "MSDOS.PIF"

 [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
 "MSDOS Windows Service" = "MSDOS.PIF"

When the backdoor is active, it connects to an IRC server, joins a certain channel and acts as a bot there. The backdoor also starts IDENTD server on port 113.

The following IRC server and ports is used by the backdoor:

 MSDOS.service.security32.com:4564
 MSDOS.service.windows32.com:4654

The backdoor joins the following password-protected IRC channel:

 #zwn#

A hacker can send commands to the bots to control infected computers. Several tasks can be performed, including the following:

 * start FTP server
 * start TFTP server
 * perform ping, SYN, ICMP and UDP flood
 * get system information including information about OS, network and drives
 * update the backdoor's file from Internet
 * operate backdoor's bot (nick change, join/part channels, etc.)
 * start remote shell (cmd.exe)
 * download and execute files
 * enumerate remote shares
 * scan and exploit computers vulnerable to exploits

When spreading, the bot can exploit the following vulnerabilities:

 * RPC DCOM (MS03-026) ports 135, 445
 * WKSSVC (MS03-049) ports 135, 445

The bot also tries to connect to IPC$ share, ports 135, 139 and 445 with administrator account and drop a copy of itself in the following directories:

 Admin$\\system32
 admin$
 c$
 d$

Back to the Top

Detection

F-Secure Anti-Virus detects this malware with the following update:

[FSAV_Database_Version]

Version=2005-08-08_05

Back to the Top

Technical Details: Jarkko Turkulainen, August 9th, 2005;

F-Secure Corporation