W32/Rbot-BJR

Category: Viruses and Spyware
Protection available since: 09 Jan 2006 00:00:00 (GMT)
Type: Win32 worm
Last Updated: 09 Jan 2006 00:00:00 (GMT)
Prevalence: Small Number of Reports


W32/Rbot-BJR is a worm with backdoor functionality for the Windows platform.

W32/Rbot-BJR spreads:

- to other network computers infected with W32/MyDoom and W32/Bagle
- to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012) and WebDav (MS03-007)
- to network shares protected by weak passwords

W32/Rbot-BJR can be controlled by a remote attacker over IRC channels. The backdoor component of W32/Rbot-BJR can be instructed by a remote user to perform the following functions:

start an FTP server
start a Proxy server
start a web server
take part in distributed denial of service (DDoS) attacks
log keypresses
capture screen/webcam images
sniff network packets
scan ports
download/execute arbitrary files
start a remote shell (RLOGIN)

W32/Rbot-BJR also attempts to steal product registration information from the following gaming software:

Battlefield 1942
Battlefield 1942 (Road To Rome)
Battlefield 1942 (Secret Weapons of WWII)
Battlefield Vietnam
Black and White
Chrome
Command and Conquer: Generals
Command and Conquer: Generals (Zero Hour)
Command and Conquer: Red Alert
Command and Conquer: Red Alert 2
Command and Conquer: Tiberian Sun
Counter-Strike (Retail)
FIFA 2002
FIFA 2003
Freedom Force
Global Operations
Gunman Chronicles
Half-Life
Hidden & Dangerous 2
IGI 2: Covert Strike
Industry Giant 2
James Bond 007: Nightfire
Legends of Might and Magic
Medal of Honor: Allied Assault
Medal of Honor: Allied Assault: Breakthrough
Medal of Honor: Allied Assault: Spearhead
Nascar Racing 2002
Nascar Racing 2003
Need For Speed Hot Pursuit 2
Need For Speed: Underground
Neverwinter Nights
Neverwinter Nights (Hordes of the Underdark)
Neverwinter Nights (Shadows of Undrentide)
NHL 2002
NHL 2003
Rainbow Six III RavenShield
Shogun: Total War: Warlord Edition
Soldier of Fortune II - Double Helix
Soldiers Of Anarchy
The Gladiators
Unreal Tournament 2003
Unreal Tournament 2004

When first run, W32/Rbot-BJR copies itself to <System>\Firewall-UpdateV9.exe.

The following registry entries (key, value name, value data) are created to run Firewall-UpdateV9.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Personal Firewall V9
Firewall-UpdateV9.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Personal Firewall V9
Firewall-UpdateV9.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Personal Firewall V9
Firewall-UpdateV9.exe

The following registry entries (key, value name, value data) are also set:

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
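As an added defensive example (not Sophos code), the script below scans the text of a `reg export` dump for the registry indicators listed above: the autorun entries that launch Firewall-UpdateV9.exe and the two changed settings. The export text embedded in it is constructed; every name and value it matches against is taken from this advisory.

```python
"""Scan a Windows .reg export for the W32/Rbot-BJR registry indicators
listed in the advisory above: the three autorun entries pointing at
Firewall-UpdateV9.exe and the two changed settings (EnableDCOM, restrictanonymous).

Added example for this advisory, not Sophos code. The export text below is
constructed; the indicator names and values are the ones the advisory gives.
"""
import re
from typing import Dict, List, Tuple

# Indicators from the advisory (compared case-insensitively, as the registry is).
RBOT_FILE = "firewall-updatev9.exe"
RBOT_VALUE_NAME = "personal firewall v9"
AUTORUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
)
# (key, value name) -> value the worm writes
RBOT_SETTINGS = {
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole", "enabledcom"): "N",
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa", "restrictanonymous"): "1",
}

Hit = Tuple[str, str, str, str]  # (kind, key, value name, value data)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of the .reg format needed here: [Key] headers followed by
    "Name"="string" or "Name"=dword:hex lines. Keys and value names are lowercased.
    Note: `reg export` writes UTF-16LE; decode the file before calling this."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"(?P<name>[^"]+)"=(?P<val>.*)$', line)
        if current is None or not m:
            continue
        name, val = m.group("name").lower(), m.group("val")
        if val.startswith("dword:"):
            decoded = str(int(val[len("dword:"):], 16))  # dword:00000001 -> "1"
        elif len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            decoded = val[1:-1].replace("\\\\", "\\")  # .reg doubles backslashes
        else:
            decoded = val  # hex(...) and other types are left as written
        keys[current][name] = decoded
    return keys


def find_rbot_indicators(text: str) -> List[Hit]:
    """Return every autorun entry and changed setting matching the advisory."""
    keys = parse_reg_export(text)
    hits: List[Hit] = []
    for key in AUTORUN_KEYS:
        for name, val in keys.get(key.lower(), {}).items():
            # Flag the value name the worm uses, or any autorun command that names
            # the dropped file (covers a full path as well as the bare file name).
            if name == RBOT_VALUE_NAME or RBOT_FILE in val.lower():
                hits.append(("persistence", key, name, val))
    for (key, name), worm_value in RBOT_SETTINGS.items():
        val = keys.get(key.lower(), {}).get(name)
        if val is not None and val.upper() == worm_value:
            hits.append(("setting", key, name, val))
    return hits


# Constructed sample export: one benign autorun entry plus the worm's entries.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BenignUpdater"="C:\\Program Files\\Example\\updater.exe"
"Personal Firewall V9"="Firewall-UpdateV9.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Personal Firewall V9"="Firewall-UpdateV9.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000001
"""

if __name__ == "__main__":
    for kind, key, name, val in find_rbot_indicators(SAMPLE_EXPORT):
        print(f"{kind:12} {key}\\{name} = {val}")
```

Run it against exports of the HKCU and HKLM hives taken from a suspect host (decoding the UTF-16LE output of `reg export` first). The autorun entries are the strong indicator; EnableDCOM=N and restrictanonymous=1 are also legitimate hardening values on managed hosts, so the script reports them under a separate "setting" kind to be read as corroboration alongside the persistence entries, not as evidence on their own.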