Win32.Rbot.CXW (Ca.com)

Description Published: 2005. július 3.
Description Modified: 2005. július 3.

Threat Assessment

Overall Risk: Low
Wild: Low
Destructiveness: Medium
Pervasiveness: Medium

Characteristics

Type: Worm
Category: Win32
Also known as Win32/Rbot.160768!Worm, W32/Sdbot.worm.gen.j (McAfee), W32/Spybot.QEK (Norman)

Description

Win32.Rbot.CXW is an IRC controlled backdoor (or ˝bot˝) that can be used to gain unauthorized access to a victim´s machine. It can also exhibit worm-like functionality by exploiting weak passwords on administrative shares and by exploiting many different software vulnerabilities, as well as backdoors created by other malware. There are many variants of Rbot, and more are discovered regularly. Rbot is highly configurable, and is being very actively developed, however the core functionality is quite consistent between variants.

This particular variant of Rbot is distributed as a 160,768-byte Win32 executable, packed with Morphine, that exhibits the following specific characteristics:

When executed this variant copies itself to the %System% directory as sketixp32.exe and makes the following modifications to the registry to ensure that this file is executed at each Windows system start:

HKLMSoftwareMicrosoftWindowsCurrentVersionRunService Monitor = ˝sketixp32.exe˝
HKLMSoftwareMicrosoftWindowsCurrentVersionRunServicesService Monitor = ˝sketixp32.exe˝

Note: ´%System%´ and ´%Windows%´ are variable locations. The worm determines the location of these folders by querying the operating system. The default installation location for the System directory for Windows 2000 and NT is C:WinntSystem32; for 95,98 and ME is C:WindowsSystem; and for XP is C:WindowsSystem32.The default installation location for the Windows directory for Windows 2000 and NT is C:Winnt; for 95,98 and ME is C:Windows; and for XP is C:Windows.

For more detailed information regarding the functionality of the Win32.Rbot family, please visit the Win32.Rbot description elsewhere in our encyclopedia.