W32/Rbot-DID

Category: Viruses and Spyware
Type: Win32 worm
Protection available since: 05 May 2006 00:00:00 (GMT)
Last Updated: 05 May 2006 00:00:00 (GMT)
Prevalence: Small Number of Reports


W32/Rbot-DID is a network and AOL Instant Messenger worm and IRC backdoor Trojan for the Windows platform.

W32/Rbot-DID runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access to and control over the computer via IRC channels.

W32/Rbot-DID spreads to other computers via network shares protected by weak passwords, and via AOL Instant Messenger by sending copies of itself as attachments to the contact list.

The filenames attached can be chosen from any of the following:

file.TXT.scr
document.TXT.exe
images_packed_with_winzip.ZIP.exe
Upgrade_messenger.exe
messgr_icon_install.exe
animation_icon_pack.exe
install_update.exe
free_smser_install.exe
document1.DOC.scr
readme.DOC.scr
document_saved.zip
free_stuff_2394.zip
pictures_winzip.zip
new version (messenger).zip
animation_icons.zip
messenger_icons.zip
critical_update.zip
free sms install.zip
secret (important).zip
story_read_this.zip

When first run, W32/Rbot-DID copies itself to <System>\msclt.exe and creates the file \rBot.txt. The file rBot.txt can be deleted.

W32/Rbot-DID includes functionality to:

- log keystrokes
- perform DDoS attacks
- set up a SOCKS4 server
- download code from the internet

The following registry entries are created to run msclt.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft client for NT
msclt.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft client for NT
msclt.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
Microsoft client for NT
msclt.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft client for NT
msclt.exe

The following registry entry is changed to run msclt.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe msclt.exe

(the default value for this registry entry is "Explorer.exe", which causes the Microsoft file <Windows>\Explorer.exe to be run on startup).

W32/Rbot-DID sets the following registry entries, disabling the automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4

Note: disabling autostart for the SharedAccess service deactivates the Microsoft Internet Connection Firewall (ICF).

Registry entries are set as follows:

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous

W32/Rbot-DID may also create or change registry entries under:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\List

HKLM\SOFTWARE\Microsoft\security center

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

HKLM\SOFTWARE\Microsoft\OLE

W32/Rbot-DID also overwrites the HOSTS file, keeping the standard 127.0.0.1 localhost entry but mapping the websites and update servers of numerous antivirus and security vendors to bogus IP addresses so that they cannot be reached.
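A triage check for the indicators listed above, written here as an added example and not part of the Sophos description. It assumes the file, key and value names exactly as given on this page, and treats any non-loopback HOSTS entry other than localhost as worth reporting.

```powershell
# Added triage script (not Sophos' code): checks a Windows host for the
# W32/Rbot-DID persistence and tampering indicators described above.
$findings = @()

# 1. Dropped executable in the System directory (<System>\msclt.exe)
$dropped = Join-Path $env:SystemRoot 'System32\msclt.exe'
if (Test-Path $dropped) { $findings += "Dropped file present: $dropped" }

# 2. Autorun value "Microsoft client for NT" in the four Run/RunServices keys
$runKeys = @(
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices',
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
)
foreach ($key in $runKeys) {
  $val = (Get-ItemProperty -Path $key -Name 'Microsoft client for NT' -ErrorAction SilentlyContinue).'Microsoft client for NT'
  if ($val) { $findings += "Autorun value in ${key}: $val" }
}

# 3. Winlogon Shell should be exactly "Explorer.exe"; the worm appends msclt.exe
$shell = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon').Shell
if ($shell -and $shell.Trim() -ne 'Explorer.exe') { $findings += "Winlogon Shell modified: '$shell'" }

# 4. Services forced to Start=4 (Disabled): Automatic Updates and the ICF firewall
foreach ($svc in 'wuauserv', 'SharedAccess') {
  $start = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$svc" -ErrorAction SilentlyContinue).Start
  if ($start -eq 4) { $findings += "Service $svc disabled (Start=4)" }
}

# 5. DCOM switched off via HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = N
$dcom = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue).EnableDCOM
if ($dcom -eq 'N') { $findings += 'EnableDCOM set to N' }

# 6. HOSTS file: on a stock system only the localhost line is expected,
#    so any other hostname pointed at a non-loopback address is reported
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
foreach ($line in (Get-Content $hostsFile | Where-Object { $_ -match '^\s*\d' })) {
  $ip, $name = ($line.Trim() -split '\s+', 3)[0, 1]
  if ($name -and $name -ne 'localhost' -and $ip -notmatch '^127\.') {
    $findings += "HOSTS redirects $name to $ip"
  }
}

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'No W32/Rbot-DID indicators found.' }
```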
