Rbot.BIC

RBot represents a large family of backdoors - remote access tools. These tools allow for the contol of a victims' computers from a remote location by sending specific commands via IRC channels. These backdoors can also steal data and spread to computers vulnerable to exploits.

Upon execution, it creates a copy of itself in the Windows folder and run from this location:

• %windir%\system32\glossary.exe

It will terminate certain services and applications such as the system's firewall, security and antivirus applications.

Rbot.BIC further installs itself to run during system startup by modifying the system registry:

• [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] Shell=explorer.exe %windir%\system32\glossary.exe
• [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] Userinit=%windir%\system32\userinit.exe,%windir%\system32\glossary.exe
• [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] Userinit=%windir%\system32\userinit.exe,%windir%\system32\glossary.exe
• [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] RBot v2 with NetAPI exploit traded with billgates I gave my mother Greetz - OG - Bluehell Irc Server=%windir%\system32\glossary.exe

The following IRC server and ports are used by the backdoor:

• forum.ednet.es:4915

The backdoor joins the following password-protected IRC channels:

• ##.sec.##
• ##.sec-cashlog.##
• ##.sec-exp.##
• ##.sec-keyl0g.##

A hacker can send commands to the bots on the IRC channel to control the infected computers. Several tasks can be performed, including the following:

• Start an FTP server
• Perform ping, SYN, ICMP and UDP flood
• Get system information including information about OS, network and drives
• Update the backdoor's file from Internet
• Operate backdoor's bot (nick change, join/part channels, etc.)
• Start remote shell (cmd.exe)
• Download and execute files
• Enumerate remote shares
• Scan and exploit computers vulnerable to exploits
• Steal user information and log keyboard and mouse events
• Send copies using different IM applications
• Visit websites
• Patch system files

When spreading, the bot can exploit the following vulnerabilities:

• ASN.1 (MS04-007) ports 80 and 139
• MS SQL (MS02-056) port 1433
• NetpIsRemote (MSO6-040) port 139
• Real VNC port 5800

RBot.BIC disables Windows Firewall and Windows Update, and terminates active security related applications that contains the following strings in their filenames:

• anti
• blackice
• firewall
• f-pro
• lockdown
• mcafee
• nod32
• norton
• reged
• sniff
• spybot
• troja
• viru
• vsmon
• zonea

It uses the following user accounts:

• administrador
• administrateur
• administrator

- to connect to the target machine's hidden shares:

• Admin$
• ipc$

It also tries to brute force its way into the Administrator Group accounts by using the following list of passwords:

• admin
• root
• asdfgh
• server
• 0
• 00
• 000
• 0000
• 00000
• 000000
• 0000000
• 00000000
• 1
• 12
• 123
• 1234
• 12345
• 123456
• 1234567
• 12345678
• 123456789
• secret
• secure
• security
• setup
• shadow
• shit
• sql
• super
• sys
• system
• abc123
• access
• adm
• alpha
• anon
• anonymous
• backdoor
• backup
• beta
• bin
• coffee
• computer
• crew
• database
• debug
• default
• demo
• free
• go
• guest
• hello
• install
• internet
• login
• mail
• manager
• money
• monitor
• network
• new
• newpass
• nick
• nobody
• nopass
• oracle
• pass
• passwd
• password
• poiuytre
• private
• public
• qwerty
• random
• real
• remote
• ruler
• telnet
• temp
• test
• test1
• test2
• visitor
• windows

Once a target Windows machine has successfully been exploited, it will create and execute a Visual Basic Script (VBS) file remotely to download and execute a copy of this malware.

It also spies on the user by logging mouse and keyboard events when a specific window with the following strings is active:

• bank
• Bank
• eBay
• iKobo
• PayPal
• StormPay
• WorldPay

It accepts the following BOT commands:

• cdsfmd
• cmderstop
• disconsdfnect
• httpxcvdos
• httxcvvpstop
• imsxcvpread
• imsxcvtop
• irtycraw
• kehgjylog
• kfgnlobvnad
• kiltryltrqead
• logsdfout
• lxcoxcvg
• masssxcvcan
• openxcvcmd
• rdsfmd
• recosdnsdfnect
• scacxvnstats
• scacxvnstop
• sccxvan
• scxvyxn
• socbnks4
• socsdfsktop
• synsxcvtop
• threddsads
• twist
• ucxvdp
• udpcxvsctop
• updghjate
• uptidsfme
• vifdgsit
• visyjghit2

RBot.BIC is also able to send itself in Instant Messages with the following details:

• filename: photo_.SCr
• message: <= :D:D