How to delete Rbot - Removal tool, fix instructions

Name: Rbot

Aliases: Rbot.A, Bck/Rbot.A

Type: Backdoor

Size: 184223 bytes

First appeared on: 04.06.2004

Damage: Medium

Brief Description:
Rbot.A allows hackers to gain remote access to the affected computer in order to carry out actions that compromise user confidentiality and impede the tasks performed on the computer.

Win32.Rbot is an IRC controlled backdoor (or "bot") that can be used to gain unauthorized access to a victim's machine. It can also exhibit worm-like functionality by exploiting weak passwords on administrative shares and by exploiting many different software vulnerabilities, as well as backdoors created by other malware. There are many variants of Rbot, and more are discovered regularly. Rbot is highly configurable and is very actively developed; however, the core functionality is quite consistent between variants. Most instances of Rbot are compressed and/or encrypted with one or more run-time executable packers, so file size and hash differ from sample to sample and the size given above applies only to this variant. Examples of packers seen include Morphine, UPX, ASPack, PESpin, EZIP, PEShield, PECompact, FSG, EXEStealth, PEX, MoleBox and PEtite.

Visible Symptoms:

Rbot is difficult to recognize, as it does not display any messages or warnings that indicate it has reached the computer. The usable indicators are indirect: the registry entries, file attributes and mutex described below, and the network activity it generates (IRC control traffic, share and port scanning).

Technical description:

When first run, Rbot will copy itself into the %System% directory. The file name is configured separately for each variant, but a common example is "wuamgrd.exe". The worm may also be configured to use a different, randomly generated file name each time it installs itself. It sets the read only, hidden and system attributes for the file in the %System% directory, and sets its date/time to match that of the system file "explorer.exe".

The worm most commonly adds entries to the following registry keys so that it is automatically run each time Windows starts:

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

The value name is also configurable, therefore it can be different for each variant. For example:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Machine = "wuamgrd.exe"

The worm may be configured to regularly check these values and re-set them if necessary.

Rbot will usually create a mutex to ensure only one copy runs at a time. The mutex name changes from one variant to the next. One observed example is "rxlsass01b".
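The three persistence traits above (an autorun value that is a bare file name, a %System% file with the system, hidden and read-only attributes set, and a last-write time copied from explorer.exe) can be checked offline from artefacts an analyst collects anyway. The script below is an added example, not a tool from the original page or from any vendor: it parses a `reg export` dump and `attrib` output and flags autorun values that show at least two of the three traits. The registry excerpt, attribute listing and timestamps are constructed sample data, and the drive and directory layout (C:\WINDOWS\system32) is an assumption.

```python
import re

# Constructed sample data (not collected from a real host): an excerpt of
# `reg export` output for the two HKLM autorun keys, and of
# `attrib C:\WINDOWS\system32\*.exe` output, as an analyst would gather them.
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Update Machine"="wuamgrd.exe"
"VMware Tools"="\"C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe\""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft Update Machine"="wuamgrd.exe"
'''

ATTRIB_OUTPUT = r'''A  SHR        C:\WINDOWS\system32\wuamgrd.exe
A            C:\WINDOWS\system32\notepad.exe
'''

# Last-write times as read with `dir /t:w` or PowerShell's
# (Get-Item).LastWriteTime. Constructed: the bot copy matches explorer.exe,
# but so does notepad.exe, because every file from the original install does.
MTIMES = {
    r"c:\windows\explorer.exe": "2004-08-04 12:00:00",
    r"c:\windows\system32\wuamgrd.exe": "2004-08-04 12:00:00",
    r"c:\windows\system32\notepad.exe": "2004-08-04 12:00:00",
}

AUTORUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}


def _unescape_reg(s):
    """Undo the .reg file escaping of double quotes and backslashes."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Return [(key, value_name, data)] for the string values in a .reg export."""
    key, entries = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = re.match(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:
                entries.append((key, _unescape_reg(m.group(1)),
                                _unescape_reg(m.group(2))))
    return entries


def parse_attrib(text):
    """Map lower-cased path -> set of attribute letters from `attrib` output."""
    attrs = {}
    for line in text.splitlines():
        m = re.match(r"^(.*?)\s*([A-Za-z]:\\.+?)\s*$", line)
        if m:
            attrs[m.group(2).lower()] = set(m.group(1).replace(" ", ""))
    return attrs


def find_rbot_persistence(reg_text, attrib_text, mtimes,
                          system_dir=r"C:\WINDOWS\system32",
                          explorer=r"C:\WINDOWS\explorer.exe"):
    """Flag autorun values showing at least two of the three Rbot traits:
    bare file name, S+H+R attributes, last-write time copied from explorer.exe."""
    attrs = parse_attrib(attrib_text)
    explorer_mtime = mtimes.get(explorer.lower())
    findings = []
    for key, name, data in parse_reg_export(reg_text):
        if key.lower() not in AUTORUN_KEYS:
            continue
        cmd = data.strip().strip('"')
        reasons = []
        if "\\" not in cmd:
            # No directory given: Windows resolves it via the search path, and
            # the copy the bot dropped in %System% is what gets found (assumed).
            reasons.append("bare file name in autorun value")
            path = (system_dir + "\\" + cmd).lower()
        else:
            path = cmd.lower()
        if {"S", "H", "R"} <= attrs.get(path, set()):
            reasons.append("system+hidden+read-only attributes")
        if explorer_mtime and mtimes.get(path) == explorer_mtime:
            reasons.append("last-write time equals explorer.exe")
        if len(reasons) >= 2:
            findings.append({"key": key, "value": name, "path": path,
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_rbot_persistence(REG_EXPORT, ATTRIB_OUTPUT, MTIMES):
        print(f["key"], "|", f["value"], "->", f["path"])
        for r in f["reasons"]:
            print("   ", r)
```

The timestamp check is deliberately not enough on its own: on an untouched install most files under %System% carry the same last-write time as explorer.exe, which is exactly why the worm copies it. Requiring two traits keeps a legitimate bare-name value or an old system file from being flagged, while the dropped copy, which has all three, still is. Because the value name and file name are per-variant, the script never matches on "wuamgrd.exe" or "Microsoft Update Machine" themselves.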

Propagation:

Win32.Rbot variants are able to spread in a number of different ways. Propagation is launched manually through backdoor control, rather than happening automatically. Not all variants support all propagation mechanisms.

Each spreading method begins with scanning for target machines. The worm can generate random values for all or part of each IP address it targets. Each attack vector is associated with a particular TCP port.

  • Via Network Shares (TCP ports 139 and 445)

    Rbot can infect remote machines through Windows file sharing. It scans for target machines by probing TCP ports 139 and 445. If it can connect to either of these ports, it then tries to connect to the Windows share:

    \\<target>\ipc$

    Where <target> is the name of the machine it is trying to infect.

    If this connection is not successful, it gives up on this machine. If the connection succeeds, it then attempts to retrieve a list of user names on the target, then uses these user names to gain access to the system. If it cannot retrieve the list of user names, it falls back on a default list that it carries within itself, for example:

    administrator
    administrador
    administrateur
    administrat
    admins
    admin
    staff
    root
    computer
    owner
    student
    teacher
    wwwadmin
    guest
    default
    database
    dba
    oracle
    db2

    Note: Rbot may also try to access a remote machine using the credentials of the local account from which it is executed.

    For each user name, it attempts to authenticate using several passwords stored within the worm. The password list can vary.

    The list usually includes an empty password.

    Assuming the worm can authenticate with the target machine, it then tries to copy itself to these locations:

    \\<target>\Admin$\system32
    \\<target>\c$\winnt\system32
    \\<target>\c$\windows\system32
    \\<target>\c
    \\<target>\d

    It then schedules a remote job to run the worm copy on the target machine.

  • Via Exploits

    Rbot can also spread by exploiting vulnerabilities in Windows operating systems and third party applications. If it successfully exploits one of these, it executes a small amount of code on the target machine, which instructs it to connect back to the source in order to retrieve the complete worm executable. These connections back to the source use either the TFTP or HTTP protocol; the worm acts as a TFTP or HTTP server to deliver itself. The ports used for these servers are also configurable, but are often 81 for HTTP and 69 for TFTP.

  • Via Other Malware

    Some Rbot variants can also infect remote systems through backdoors created by other malware:

    • Win32.Bagle worm (TCP port 2745)
    • Win32.Mydoom worm (TCP port 3127)
    • Win32.OptixPro trojan (TCP port 3410)
    • Win32.NetDevil trojan (TCP port 903)
    • Win32.Kuang trojan (TCP port 17300)
    • Win32.SubSeven trojan (TCP port 27347)

    Note: some of the above trojans listen on variable ports. Known variants of Win32.Rbot use only the default ports as listed above.
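The share-based spread described under "Via Network Shares" leaves a distinctive trace on the target: a burst of failed network logons from one source, cycling through the account list above, optionally followed by a successful logon from the same source. The detector below is an added example, not code from the original page or from any vendor. It works over constructed sample events whose field names (time, id, logon_type, user, src) are a simplified subset of Windows Security events 4625 and 4624; mapping a real log, or the older 529/528 events on the systems of this worm's era, onto those fields is left to the reader.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Default account list carried by the worm (from the description above).
RBOT_DEFAULT_USERS = {
    "administrator", "administrador", "administrateur", "administrat",
    "admins", "admin", "staff", "root", "computer", "owner", "student",
    "teacher", "wwwadmin", "guest", "default", "database", "dba",
    "oracle", "db2",
}

# Constructed sample events (not real logs). Fields are a simplified subset of
# Windows Security events 4625 (failed logon) and 4624 (logon); logon type 3
# is a network logon, which is what an SMB session to IPC$ produces.
EVENTS = [
    {"time": "2004-08-04T10:00:01", "id": 4625, "logon_type": 3, "user": "administrator", "src": "10.0.0.7"},
    {"time": "2004-08-04T10:00:02", "id": 4625, "logon_type": 3, "user": "admin", "src": "10.0.0.7"},
    {"time": "2004-08-04T10:00:03", "id": 4625, "logon_type": 3, "user": "root", "src": "10.0.0.7"},
    {"time": "2004-08-04T10:00:04", "id": 4625, "logon_type": 3, "user": "owner", "src": "10.0.0.7"},
    {"time": "2004-08-04T10:00:05", "id": 4625, "logon_type": 3, "user": "guest", "src": "10.0.0.7"},
    {"time": "2004-08-04T10:00:06", "id": 4625, "logon_type": 3, "user": "dba", "src": "10.0.0.7"},
    {"time": "2004-08-04T10:00:09", "id": 4624, "logon_type": 3, "user": "administrator", "src": "10.0.0.7"},
    # a user mistyping a password once, then succeeding: must not alert
    {"time": "2004-08-04T10:05:00", "id": 4625, "logon_type": 3, "user": "alice", "src": "10.0.0.20"},
    {"time": "2004-08-04T10:05:05", "id": 4624, "logon_type": 3, "user": "alice", "src": "10.0.0.20"},
]


def detect_share_spray(events, window_seconds=60, min_users=4):
    """Return {src: finding} for sources whose failed network logons cover at
    least `min_users` distinct accounts inside a `window_seconds` window."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(list)   # src -> [(time, user)] failures in window
    findings = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != 3:
            continue
        t, src = datetime.fromisoformat(ev["time"]), ev["src"]
        if ev["id"] == 4625:
            hist = recent[src]
            hist.append((t, ev["user"].lower()))
            hist[:] = [(ts, u) for ts, u in hist if t - ts <= window]
            users = {u for _, u in hist}
            if len(users) < min_users:
                continue
            f = findings.setdefault(src, {
                "first_seen": hist[0][0].isoformat(),
                "distinct_users": 0, "default_list_hits": 0,
                "success_after_spray": None})
            f["distinct_users"] = max(f["distinct_users"], len(users))
            f["default_list_hits"] = max(f["default_list_hits"],
                                         len(users & RBOT_DEFAULT_USERS))
        elif ev["id"] == 4624 and src in findings:
            # The spray worked: the copy to Admin$ and the scheduled job the
            # description mentions follow from here.
            f = findings[src]
            f["success_after_spray"] = f["success_after_spray"] or ev["user"]
    return findings


if __name__ == "__main__":
    for src, f in detect_share_spray(EVENTS).items():
        print(src, f)
```

The count of distinct accounts per source, not the raw number of failures, is the signal: a locked-out user generates many failures for one account, while the worm tries each account only a handful of times. A success from the same source after the spray is the point at which the target should be treated as compromised and checked for the persistence artefacts described earlier.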
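On the network, the propagation described under "Via Exploits" and "Via Other Malware" has two halves that a flow record shows: the infected host touching many addresses on the vector ports, and each newly exploited victim connecting back to it on the TFTP or HTTP port to fetch the full executable. The script below is an added example, not from the original page or any vendor; it runs over constructed flow records (src, dst, proto, dport) and uses the default ports listed above, which the description says are configurable.

```python
from collections import defaultdict

# TCP ports probed by each Rbot attack vector, from the description above.
RBOT_VECTOR_PORTS = {
    139: "NetBIOS/SMB", 445: "SMB", 2745: "Bagle backdoor",
    3127: "Mydoom backdoor", 3410: "OptixPro backdoor",
    903: "NetDevil backdoor", 17300: "Kuang backdoor",
    27347: "SubSeven backdoor",
}
# Default ports of the servers the bot runs to hand out its own executable
# (configurable per variant, so these are only the common case).
RBOT_PAYLOAD_PORTS = {("udp", 69): "TFTP", ("tcp", 81): "HTTP"}

# Constructed flow records (not real traffic): one host walks part of a /24
# on two vector ports, one victim fetches the payload back over TFTP, and a
# workstation talks to its usual file server many times.
FLOWS = (
    [{"src": "10.0.0.7", "dst": f"10.0.1.{i}", "proto": "tcp",
      "dport": 445 if i % 2 else 3127} for i in range(1, 13)]
    + [{"src": "10.0.1.5", "dst": "10.0.0.7", "proto": "udp", "dport": 69}]
    + [{"src": "10.0.0.20", "dst": "10.0.0.2", "proto": "tcp", "dport": 445}
       for _ in range(20)]
)


def find_scanners(flows, min_targets=8):
    """Sources that touched at least `min_targets` distinct hosts on vector
    ports, with any hosts that then connected back to them for the payload."""
    by_src = defaultdict(lambda: defaultdict(set))   # src -> port -> dsts
    for f in flows:
        if f["proto"] == "tcp" and f["dport"] in RBOT_VECTOR_PORTS:
            by_src[f["src"]][f["dport"]].add(f["dst"])
    scanners = {}
    for src, ports in by_src.items():
        targets = set().union(*ports.values())
        if len(targets) >= min_targets:
            scanners[src] = {
                "targets": len(targets),
                "vectors": sorted(RBOT_VECTOR_PORTS[p] for p in ports),
                "callbacks": [],
            }
    # A connection *to* a scanner on its TFTP/HTTP port is a victim pulling
    # the full executable after the exploit's small loader ran.
    for f in flows:
        key = (f["proto"], f["dport"])
        if f["dst"] in scanners and key in RBOT_PAYLOAD_PORTS:
            scanners[f["dst"]]["callbacks"].append(
                (f["src"], RBOT_PAYLOAD_PORTS[key]))
    return scanners


if __name__ == "__main__":
    for src, info in find_scanners(FLOWS).items():
        print(src, "scanned", info["targets"], "hosts via", info["vectors"])
        for victim, proto in info["callbacks"]:
            print("   payload fetched by", victim, "over", proto)
</test>
```

Counting distinct destinations rather than connections is what separates the worm from a workstation that opens its file server's port 445 all day. The callback list is the more valuable output: every host in it ran the loader and pulled the executable, so it is a confirmed infection rather than a scan target, and it will itself start scanning once controlled to do so.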

Removal tool:

You can use RBOTGUI from Sophos. RBOTGUI is a disinfector for standalone Windows computers.

  • open RBOTGUI
  • run it
  • then click GO

If you are disinfecting several computers, download it, save it to a floppy disk, write-protect the floppy disk and run it from there.