BKDR_LINKBOT
Rbot
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Backdoor
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
POEBOT is a family of worms that spreads via network shares. It uses a list of user names and passwords to access password-protected shares.
POEBOT has backdoor capabilities,allowing remote access to the affected system. It can also collect information from specific applications.
TECHNICAL DETAILS
Installation
This backdoor drops the following copies of itself into the affected system:
- %System%\{random}.exe
(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)
Autostart Technique
This backdoor adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
{random value} = "%System%\{random}.exe"
Other Details
This backdoor connects to the following possibly malicious URL:
- xt.{BLOCKED}ere.biz
- ss.{BLOCKED}HZ.INFO