
Rbot Computer Virus

Win32.Rbot is an IRC-controlled backdoor or "bot" that can be used to gain unauthorized access to a victim's machine. It also exhibits worm-like functionality by exploiting weak passwords on administrative shares and many different software vulnerabilities, as well as backdoors created by other malware. There are many variants of Rbot, and more are discovered regularly. Rbot is highly configurable and under very active development; however, the core functionality is quite consistent between variants. Most instances of Rbot are compressed and/or encrypted with one or more run-time executable packers.

When Rbot is first run, it copies itself into the %System% directory. The file name is configured separately for each variant, but a common example is "wuamgrd.exe". The worm may also be configured to use a different, randomly generated file name each time it installs itself. It sets the read-only, hidden and system attributes on the file in the %System% directory, and sets its date/time to match that of the system file "explorer.exe".

The worm most commonly adds entries to the following registry keys so that it is automatically run each time Windows starts:

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Machine = "wuamgrd.exe"

Rbot will usually create a mutex to ensure only one copy runs at a time. The mutex name changes from one variant to the next. One observed example is "rxlsass01b".
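As an added example (not code from the original advisory), the PowerShell audit below checks a host for the install traits described above: values under the listed autorun keys that resolve to a %System% binary carrying the hidden and system attributes or a timestamp cloned from explorer.exe, plus a probe for the one observed mutex name. The function names and the 2-second timestamp tolerance are assumptions; the file-name check deliberately does not depend on "wuamgrd.exe", since variants may use random names.

```powershell
# Added example, not from the original page. Run in an elevated PowerShell on the host being checked.
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
)
# Properties Get-ItemProperty adds that are not registry values.
$PsNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Find-RbotLikeAutorun {
    $systemDir = [Environment]::GetFolderPath('System')
    $explorer  = Get-Item (Join-Path $env:windir 'explorer.exe')
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties | Where-Object { $_.Name -notin $PsNoise }) {
            $value = [string]$p.Value
            # First token of the command: a quoted path, or a bare name such as "wuamgrd.exe",
            # which Windows resolves against %System% when no directory is given.
            $exe = if ($value -match '^"([^"]+)"') { $Matches[1] } else { ($value -split '\s+')[0] }
            if (-not [IO.Path]::IsPathRooted($exe)) { $exe = Join-Path $systemDir $exe }
            if (-not (Test-Path -LiteralPath $exe)) { continue }
            $file = Get-Item -LiteralPath $exe -Force   # -Force so hidden/system files are returned
            $hiddenSystem = (($file.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) -and
                            (($file.Attributes -band [IO.FileAttributes]::System) -ne 0)
            # Assumed tolerance: a copied timestamp lands within 2 seconds of explorer.exe's.
            $clonedStamp  = [math]::Abs(($file.LastWriteTime - $explorer.LastWriteTime).TotalSeconds) -lt 2
            if ($file.DirectoryName -eq $systemDir -and ($hiddenSystem -or $clonedStamp)) {
                [PSCustomObject]@{ Key = $key; Value = $p.Name; Path = $file.FullName
                                   HiddenSystem = $hiddenSystem; ClonedTimestamp = $clonedStamp }
            }
        }
    }
}

function Test-RbotMutex {
    # Only the one name the advisory reports; other variants use different names.
    foreach ($name in 'rxlsass01b', 'Global\rxlsass01b') {
        try { [Threading.Mutex]::OpenExisting($name).Dispose(); "Mutex '$name' is present" }
        catch [System.Threading.WaitHandleCannotBeOpenedException] { }   # not present
        catch [System.UnauthorizedAccessException] { "Mutex '$name' exists but access was denied" }
    }
}

Find-RbotLikeAutorun | Format-Table -AutoSize
Test-RbotMutex
```

A hit on the attribute or timestamp check is a lead for triage rather than a verdict, since legitimate installers rarely but occasionally set these attributes.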
