[Malware] Backdoor.Win32.Rbot.clj Reversing


Kaspersky Identification: Backdoor.Win32.Rbot.clj
MD5: 59c661ba0c7c485f4480f7b142a9c084

Backdoor.Rbot gives its operator remote access to victim machines. The Trojans are controlled via IRC and perform various data-extortion operations:

  • Sniffing data packets for passwords to FTP servers and e-payment systems.
  • Vulnerability checks (RPC DCOM, UPnP, WebDAV).
  • Checks for other backdoors (NetDevil, SubSeven).
  • Acting as a bridge for DoS attacks.
  • Sending the operator detailed information about the victim machine, including passwords to a range of computer games.

Rbot is a really crude and unsophisticated piece of malware: it is detected by every antivirus and can be removed by hand in a minute.

Rbot is packed with NSPack v2.9, a very common packer/compressor used in many viruses.
Unpacking it is very easy:

.nsp1:004DF1B4       pushf                          ; EP
.nsp1:004DF1B5       pusha

.nsp1:004DF424       popa
.nsp1:004DF425       popf
.nsp1:004DF426       jmp     near ptr dword_4DC8D0  ; OEP

You only have to put a breakpoint on the JMP to the OEP, dump and rebuild the executable, and you'll have a 100% clean executable.
The following registry entries are added:
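To make the "break on the JMP to the OEP" step concrete, here is an added Python example (not code from the original post) that scans a stub for the NSPack tail pattern shown above (popa; popf; jmp rel32), decodes the jump displacement and returns the OEP. The stub bytes are a constructed stand-in laid out at the addresses from the listing; the real unpacking loop is replaced by NOPs.

```python
import struct
from typing import Optional

# x86 opcode bytes for the instructions in the NSPack stub prologue/epilogue.
PUSHF, PUSHA, POPA, POPF, JMP_REL32 = 0x9C, 0x60, 0x61, 0x9D, 0xE9


def find_nspack_oep(stub: bytes, stub_va: int) -> Optional[int]:
    """Return the OEP targeted by the `popa; popf; jmp` tail of an NSPack
    v2.9 stub, or None if `stub` does not look like one.

    stub    -- bytes of the packer section, starting at the entry point
    stub_va -- virtual address of the entry point (first byte of `stub`)
    """
    # The stub opens with pushf; pusha (it restores them just before the OEP jump).
    if stub[:2] != bytes([PUSHF, PUSHA]):
        return None
    tail = bytes([POPA, POPF, JMP_REL32])
    pos = stub.find(tail, 2)
    while pos != -1:
        jmp_va = stub_va + pos + 2          # VA of the E9 opcode
        disp_off = pos + 3                  # rel32 follows the opcode
        if disp_off + 4 > len(stub):
            break
        (rel32,) = struct.unpack_from("<i", stub, disp_off)
        target = (jmp_va + 5 + rel32) & 0xFFFFFFFF   # jmp rel32 is 5 bytes long
        # Assumption: the tail jump leaves the packer section for the original
        # code, which NSPack leaves at a lower address than its own stub.
        if target < stub_va:
            return target
        pos = stub.find(tail, pos + 1)
    return None


def build_sample_stub() -> bytes:
    """Constructed sample mirroring the post's listing: entry at 0x4DF1B4,
    popa/popf/jmp at 0x4DF424-0x4DF426, jump target 0x4DC8D0."""
    entry_va, jmp_va, oep = 0x4DF1B4, 0x4DF426, 0x4DC8D0
    prologue = bytes([PUSHF, PUSHA])
    filler = b"\x90" * ((jmp_va - 2) - (entry_va + len(prologue)))  # NOP loop body
    rel32 = oep - (jmp_va + 5)
    return prologue + filler + bytes([POPA, POPF, JMP_REL32]) + struct.pack("<i", rel32)


if __name__ == "__main__":
    oep = find_nspack_oep(build_sample_stub(), 0x4DF1B4)
    print(f"OEP: {oep:#010x}")  # OEP: 0x004dc8d0
```

Once the OEP is known, set the breakpoint at that address (or on the jmp just before it), let the stub finish unpacking, then dump and rebuild the image.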


and on each execution Rbot copies itself (every time under a different name) into the %System% directory.

Rbot can spread itself in various manners:

Via network shares (TCP ports 139 and 445)
Via exploits such as the Windows LSASS buffer overflow, Windows ntdll.dll buffer overflow, Windows RPC malformed message buffer overflow, RPCSS malformed DCOM, UPnP and DameWare.

Via other Malicious Code:

  • Win32.Bagle worm (TCP port 2745)
  • Win32.Mydoom worm (TCP port 3127)
  • Win32.OptixPro trojan (TCP port 3410)
  • Win32.NetDevil trojan (TCP port 903)
  • Win32.Kuang trojan (TCP port 17300)
  • Win32.SubSeven trojan (TCP port 27347)

.:: Rbot Removal ::.

Locate the executable in the %System% directory and remove it (remember that the .exe is hidden).
Remove the registry keys:

See you in the next post..
