Backdoor.Win32.Rbot.bni

Technical Details

This Trojan program is a Windows PE EXE file. It is a Windows PE EXE file. It is 50 176 bytes in size. It is written in Assembler.

Installation

Once launched, the backdoor uses the name and path to its original file to generate a GUID, which will then be used to registry the program in the system:

[HKCR\CLSID\{%GUID%}]
"(default)" = "<random symbols> "

[HKCR\CLSID\{%GUID%}\LocalServer32]
"(default)" = "<path to backdoor file>"

When launching, the backdoor creates a copy of its body called "irdvxc.exe" in the Windows system directory:

It then launches this copy every 2 seconds with the following command line parameters:

%System%\irdvxc.exe /installservice
%System%\irdvxc.exe /start

The copy of the backdoor creates an entry in the system registry which uses the new path to the malicious file:

[HKCR\CLSID\{C9FCA82B-D6D4-EC14-6B56-609ADDA29FB7}]
"(Default)" = "svxqqbkhrbsqsjhq" 

[HKCR\CLSID\{C9FCA82B-D6D4-EC14-6B56-609ADDA29FB7}\LocalServer32]
"(Default)" = "%System%\irdvxc.exe"

The backdoor file will be registered using Windows installation manager as a service when the command /installservice is run. This service will be launched automatically when the system is booted.

The service is called "MSDisk". The full name of the service is "Network helper Service" and the description of the service is "Network service for disk management requests".

When the service is registered, the following registry key is created:

When /start is run, the registered service will be launched.

The backdoor also creates a unique identifier, “jhdgcjhasgdc09890gjasgcjhg2763876uyg3fhg” to flag its presence in the system.

Payload

Every 50 milliseconds the backdoor creates a thread in which it will connect to the following server (if there is a network accessible):

www.starman.ee
www.if.ee

If in the course of 256 connection either of the servers returns an error saying that the resource is temporarily not available, the connection will be suspended for half a second.

The backdoor spreads via the Microsoft Windows DCOM RPC vulnerability. A full description of the vulnerability can be found in Microsoft Security Bulletin MS03-026 Microsoft Security Bulletin MS03-026 ().

The backdoor chooses IP addresses to attack, and if a machine under attack contains the DCOM RPC vulnerability, the backdoor will launch its code on the vulnerable machine.

If none of the computers under attack contain this vulnerability, the backdoor will try to connect using the following user names:

Administrator
Admin

and the following passwords:

Admin
root
asdfgh
password
00
000
0000
00000
000000
0000000
00000000
1
12
123
1234
12345
123456
1234567
12345678
123456789
secret
secure
security
setup
shadow
shit
sql
super
sys
system
abc123
access
adm
alpha
anon
anonymous
backdoor
backup
beta
bin
coffee
computer
crew
database
debug
default
demo
X
go
guest
hello
install
internet
login
mail
manager
money
monitor
network
new
newpass
nick
nobody
nopass
oracle
pass
passwd
server
poiuytre
private
public
qwerty
random
real
remote
ruler
telnet
temp
test
test1
test2
visitor
windows

If the backdoor manages to establish a connection, it will copy its executable file to the Windows system directory on the victim machine.

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

1. Use Task Manager to terminate the Trojan process.
2. Delete the original backdoor file (the location will depend on how the program originally penetrated the victim machine).
3. Delete the following parameter from the system registry (see What is a system registry and how do I use it for details on how to edit the registry).

   [HKCR\CLSID\{%GUID%}]
   "(default)" = "<random symbols> "
   
   [HKCR\CLSID\{%GUID%}\LocalServer32]
   "(default)" = "<path to backdoor file>"
   
   [HKCR\CLSID\{C9FCA82B-D6D4-EC14-6B56-609ADDA29FB7}]
   "(Default)" = "svxqqbkhrbsqsjhq" 
   
   [HKCR\CLSID\{C9FCA82B-D6D4-EC14-6B56-609ADDA29FB7}\LocalServer32]
   "(Default)" = "%System%\irdvxc.exe"
   
   [HKLM\System\CurrentControlSet\Services\MSDisk]

4. Delete the "Network helper Service"
5. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).