[Malware] Backdoor.Win32.Rbot.clj Reversing

December 1, 2007

Hi,

Kaspersky Identification: Backdoor.Win32.Rbot.clj
MD5: 59c661ba0c7c485f4480f7b142a9c084

Backdoor.Rbot gives a remote user access to victim machines. The Trojan is controlled via IRC and performs various data-extortion operations:

  • Packet sniffing for passwords to FTP servers and e-payment systems.
  • Vulnerability checks (RPC DCOM, UPnP, WebDAV).
  • Checks for other backdoors (NetDevil, SubSeven).
  • Acts as a bridge for DoS attacks.
  • Sends the operator detailed information about the victim machine, including passwords to a range of computer games.

Rbot is a really stupid and unsophisticated virus, detected by every antivirus product, and it can be removed by hand in one minute.

Rbot is packed with NSPack v2.9, a very common packer/compressor used in many viruses.
Unpacking it is truly easy:

.nsp1:004DF1B4       pushf ; EP
.nsp1:004DF1B5       pusha

.nsp1:004DF424        popa
.nsp1:004DF425        popf
.nsp1:004DF426        jmp     near ptr dword_4DC8D0 ;OEP

You only have to set a breakpoint on the JMP to the OEP, dump, and rebuild the executable, and you’ll have a 100% clean executable.
The following registry entries are added:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

and on each execution Rbot copies itself (every time with a different name) into the %System% directory.

Rbot can spread itself in various manners:

Via network shares (TCP ports 139 and 445).
Via exploits such as the Windows LSASS buffer overflow, Windows ntdll.dll buffer overflow, Windows RPC malformed message buffer overflow, RPCSS malformed DCOM, UPnP and DameWare.

Via the ports opened by other malicious code:

  • Win32.Bagle worm (TCP port 2745)
  • Win32.Mydoom worm (TCP port 3127)
  • Win32.OptixPro trojan (TCP port 3410)
  • Win32.NetDevil trojan (TCP port 903)
  • Win32.Kuang trojan (TCP port 17300)
  • Win32.SubSeven trojan (TCP port 27347)

.:: Rbot Removal ::.

Locate the executable in the %System% directory and remove it (remember that the .exe is hidden).
Remove the entries it added under these registry keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

See you in the next post..


[Malware] nugbnljbphe.exe

December 1, 2007

Morning,

Today when I started my PC, a strange executable, “nugbnljbphe.exe”, caused me some problems. I suspect that it is malware; Kaspersky does not recognize it.

My suspicions are confirmed by the presence of a .nsp0 section, which indicates the NSPack packer, heavily used in malware executables.

I’m going to reverse it..

See you in the next post.. 🙂