Threat Descriptions

Rbot.BIC

Classification

Category :

Trojan

Type :

Backdoor

Platform :

W32

Aliases :

Rbot.BIC, Rbot.BIC

Summary

RBot represents a large family of backdoors - remote access tools. These tools allow for the contol of a victims' computers from a remote location by sending specific commands via IRC channels. These backdoors can also steal data and spread to computers vulnerable to exploits.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

RBot represents a large family of backdoors - remote access tools. These tools allow for the contol of a victims' computers from a remote location by sending specific commands via IRC channels. These backdoors can also steal data and spread to computers vulnerable to exploits.

Upon execution, it creates a copy of itself in the Windows folder and run from this location:

  • %windir%\system32\glossary.exe

It will terminate certain services and applications such as the system's firewall, security and antivirus applications.

Rbot.BIC further installs itself to run during system startup by modifying the system registry:

  • [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] Shell=explorer.exe %windir%\system32\glossary.exe
  • [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] Userinit=%windir%\system32\userinit.exe,%windir%\system32\glossary.exe
  • [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] Userinit=%windir%\system32\userinit.exe,%windir%\system32\glossary.exe
  • [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] RBot v2 with NetAPI exploit traded with billgates I gave my mother Greetz - OG - Bluehell Irc Server=%windir%\system32\glossary.exe

The following IRC server and ports are used by the backdoor:

  • forum.ednet.es:4915

The backdoor joins the following password-protected IRC channels:

  • ##.sec.##
  • ##.sec-cashlog.##
  • ##.sec-exp.##
  • ##.sec-keyl0g.##

A hacker can send commands to the bots on the IRC channel to control the infected computers. Several tasks can be performed, including the following:

  • Start an FTP server
  • Perform ping, SYN, ICMP and UDP flood
  • Get system information including information about OS, network and drives
  • Update the backdoor's file from Internet
  • Operate backdoor's bot (nick change, join/part channels, etc.)
  • Start remote shell (cmd.exe)
  • Download and execute files
  • Enumerate remote shares
  • Scan and exploit computers vulnerable to exploits
  • Steal user information and log keyboard and mouse events
  • Send copies using different IM applications
  • Visit websites
  • Patch system files

When spreading, the bot can exploit the following vulnerabilities:

  • ASN.1 (MS04-007) ports 80 and 139
  • MS SQL (MS02-056) port 1433
  • NetpIsRemote (MSO6-040) port 139
  • Real VNC port 5800

RBot.BIC disables Windows Firewall and Windows Update, and terminates active security related applications that contains the following strings in their filenames:

  • anti
  • blackice
  • firewall
  • f-pro
  • lockdown
  • mcafee
  • nod32
  • norton
  • reged
  • sniff
  • spybot
  • troja
  • viru
  • vsmon
  • zonea

It uses the following user accounts:

  • administrador
  • administrateur
  • administrator

- to connect to the target machine's hidden shares:

  • Admin$
  • ipc$

It also tries to brute force its way into the Administrator Group accounts by using the following list of passwords:

  • admin
  • root
  • asdfgh
  • server
  • 0
  • 00
  • 000
  • 0000
  • 00000
  • 000000
  • 0000000
  • 00000000
  • 1
  • 12
  • 123
  • 1234
  • 12345
  • 123456
  • 1234567
  • 12345678
  • 123456789
  • secret
  • secure
  • security
  • setup
  • shadow
  • shit
  • sql
  • super
  • sys
  • system
  • abc123
  • access
  • adm
  • alpha
  • anon
  • anonymous
  • backdoor
  • backup
  • beta
  • bin
  • coffee
  • computer
  • crew
  • database
  • debug
  • default
  • demo
  • free
  • go
  • guest
  • hello
  • install
  • internet
  • login
  • mail
  • manager
  • money
  • monitor
  • network
  • new
  • newpass
  • nick
  • nobody
  • nopass
  • oracle
  • pass
  • passwd
  • password
  • poiuytre
  • private
  • public
  • qwerty
  • random
  • real
  • remote
  • ruler
  • telnet
  • temp
  • test
  • test1
  • test2
  • visitor
  • windows

Once a target Windows machine has successfully been exploited, it will create and execute a Visual Basic Script (VBS) file remotely to download and execute a copy of this malware.

It also spies on the user by logging mouse and keyboard events when a specific window with the following strings is active:

  • bank
  • Bank
  • eBay
  • iKobo
  • PayPal
  • StormPay
  • WorldPay

It accepts the following BOT commands:

  • cdsfmd
  • cmderstop
  • disconsdfnect
  • httpxcvdos
  • httxcvvpstop
  • imsxcvpread
  • imsxcvtop
  • irtycraw
  • kehgjylog
  • kfgnlobvnad
  • kiltryltrqead
  • logsdfout
  • lxcoxcvg
  • masssxcvcan
  • openxcvcmd
  • rdsfmd
  • recosdnsdfnect
  • scacxvnstats
  • scacxvnstop
  • sccxvan
  • scxvyxn
  • socbnks4
  • socsdfsktop
  • synsxcvtop
  • threddsads
  • twist
  • ucxvdp
  • udpcxvsctop
  • updghjate
  • uptidsfme
  • vifdgsit
  • visyjghit2

RBot.BIC is also able to send itself in Instant Messages with the following details:

  • filename: photo_.SCr
  • message: <= :D:D