Description
Win32/Rbot.EXI is an IRC-controlled backdoor (or "bot") that can be used to gain
unauthorized access to a victim's machine. It can also exhibit worm-like functionality by
exploiting weak passwords on administrative shares, by exploiting many different software
vulnerabilities, and by using backdoors created by other malware. There are many variants of
Rbot, and more are discovered regularly. Rbot is highly configurable and is very actively
developed; however, the core functionality is quite consistent between variants.
This particular variant of Rbot is distributed as a 258,048-byte Win32 executable that
exhibits the following specific characteristics:
When executed, this variant copies itself to the %System% directory as CCapp2.exe and makes
the following modifications to the registry to ensure that this file is executed at each
Windows system start:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Antivirus Protection Services = "ccapp2.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices\Antivirus Protection Services = "ccapp2.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Antivirus Protection Services = "ccapp2.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Antivirus Protection Services = "ccapp2.exe"
Note: '%System%' and '%Windows%' are variable locations. The malware determines the location
of these folders by querying the operating system. The default location for the System
directory for Windows 2000 and NT is C:\Winnt\System32; for 95, 98 and ME it is
C:\Windows\System; and for XP it is C:\Windows\System32. The default installation location for
the Windows directory for Windows 2000 and NT is C:\Winnt; for 95, 98 and ME it is C:\Windows;
and for XP it is C:\Windows.
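The four autorun entries listed above are the persistence indicators a responder would check for. The following script is an added example (not part of the original description or any vendor tool): it parses a standard .reg export of the Run and RunServices keys and flags values whose name is "Antivirus Protection Services" and whose data is ccapp2.exe. The sample export embedded in it is constructed for illustration; the key-name matching is case-insensitive because the description spells the file name both CCapp2.exe and ccapp2.exe.

```python
import re

# Persistence locations named in the description, using the short hive names.
PERSISTENCE_KEYS = {
    r"hkcu\software\microsoft\windows\currentversion\run",
    r"hkcu\software\microsoft\windows\currentversion\runservices",
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\runservices",
}
VALUE_NAME = "antivirus protection services"
VALUE_DATA = "ccapp2.exe"

# A .reg export spells out the hive names; map them to the short form above.
HIVE_ALIASES = {"HKEY_CURRENT_USER": "HKCU", "HKEY_LOCAL_MACHINE": "HKLM"}

# Constructed sample export: one real-looking benign entry plus two Rbot.EXI entries.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Antivirus Protection Services"="ccapp2.exe"
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Antivirus Protection Services"="CCapp2.exe"
"""

def normalise_key(key):
    hive, _, rest = key.partition("\\")
    return HIVE_ALIASES.get(hive.upper(), hive.upper()) + "\\" + rest

def parse_reg_export(text):
    """Yield (key, value_name, data) for each string value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = normalise_key(line[1:-1])
        elif key and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:
                yield key, m.group(1), m.group(2)

def find_rbot_persistence(entries):
    """Return the entries that match the Rbot.EXI autorun indicators."""
    hits = []
    for key, name, data in entries:
        in_run_key = key.lower() in PERSISTENCE_KEYS
        # Match on the file name only, so a full %System% path is also caught.
        file_name = data.lower().split("\\")[-1]
        if in_run_key and name.lower() == VALUE_NAME and file_name == VALUE_DATA:
            hits.append((key, name, data))
    return hits
```

Run `find_rbot_persistence(parse_reg_export(SAMPLE_REG_EXPORT))` against a real export taken with `reg export` from a suspect host; a hit on any of the four keys warrants checking %System%\CCapp2.exe as well.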
For more detailed information regarding the functionality of the Win32.Rbot family, please
visit the Win32.Rbot description elsewhere in our encyclopedia.