Description
Win32.Rbot.WO is an IRC controlled backdoor (or "bot") that can
be used to gain unauthorized access to a victim's machine. It can also exhibit worm-like
functionality by exploiting weak passwords on administrative shares and by exploiting many different
software vulnerabilities, as well as backdoors created by other malware. There are many variants of
Rbot, and more are discovered regularly. Rbot is highly configurable, and is being very actively
developed, however the core functionality is quite consistent between variants.
This particular variant of Rbot is distributed as a
134,039 byte, Win32 executable that exhibits the following specific
characteristics:
When executed this variant copies itself to the %System% directory as
nqhasma.exe and makes the following modifications to the
registry to ensure that this file is executed at each Windows system start:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv.exe = "nqhasma.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv.exe = "nqhasma.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\spoolsv.exe = "nqhasma.exe"
Note: '%System%' and '%Windows%' are variable locations. The Worm
determines the location of these folders by querying the operating system. The default location for the
System directory for Windows 2000 and NT is C:\Winnt\System32; for 95,98 and ME is C:\Windows\System; and
for XP is C:\Windows\System32. The default installation location for the Windows directory for Windows 2000
and NT is C:\Winnt; for 95,98 and ME is C:\Windows; and for XP is C:\Windows.
For more detailed information regarding the functionality of the Win32.Rbot family,
please visit the
Win32.Rbot
description elsewhere in our encyclopedia.