BKDR_RBOT.BRU
Backdoor:Win32/IRCbot (Microsoft); Generic.dh (McAfee); Suspicious.IRCBot (Symantec); Backdoor.Win32.Rbot.bqj (Kaspersky); Backdoor.Rbot (Sunbelt); Trojan horse IRC/BackDoor.SdBot2.EZI (AVG)
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Backdoor
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It deletes itself after execution.
TECHNICAL DETAILS
Arrival Details
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This backdoor drops the following copies of itself into the affected system:
- %System%\winmsfws.exe
(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)
Autostart Technique
This backdoor adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Windows Update Firewall System = "winmsfws.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\RunServices
Windows Update Firewall System = "winmsfws.exe"
Other System Modifications
This backdoor adds the following registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\
OLE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\SecurityProviders\SCHANNEL\
Protocols\PCT1.0\Server
It adds the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\
OLE
Windows Update Firewall System = "winmsfws.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Ole
EnableRemoteConnect = "N"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SecurityProviders\SCHANNEL\
Protocols\PCT1.0\Server
Enabled = "{random values}"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\lanmanserver\parameters
AutoShareWks = "0"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\lanmanserver\parameters
AutoShareServer = "0"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
AllowUnqualifiedQuery = "0"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
PrioritizeRecordData = "1"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
TCP1320Opts = "3"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
KeepAliveTime = "2328"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
BcastQueryTimeout = "2ee"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
BcastNameQueryCount = "1"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
CacheTimeout = "ea6"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
Size/Small/Medium/Large = "3"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
LargeBufferSize = "1"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
SynAckProtect = "2"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
PerformRouterDiscovery = "0"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
EnablePMTUBHDetect = "0"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
FastSendDatagramThreshold = "4"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
StandardAddressLength = "18"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
DefaultReceiveWindow = "4"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
DefaultSendWindow = "4"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
BufferMultiplier = "2"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
PriorityBoost = "2"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
IrpStackSize = "4"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
IgnorePushBitOnReceives = "0"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
DisableAddressSharing = "0"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
AllowUserRawAccess = "0"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
DisableRawSecurity = "0"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
DynamicBacklogGrowthDelta = "32"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
FastCopyReceiveThreshold = "4"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
LargeBufferListDepth = "a"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
MaxActiveTransmitFileCount = "2"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
MaxFastTransmit = "4"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
OverheadChargeGranularity = "1"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
SmallBufferListDepth = "2"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
SmallerBufferSize = "8"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
TransmitWorker = "2"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
DNSQueryTimeouts = "1"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
DefaultRegistrationTTL = "14"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
DisableReplaceAddressesInConflicts = "0"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
DisableReverseAddressRegistrations = "1"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
UpdateSecurityLevel = "0"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
DisjointNameSpace = "1"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
QueryIpMatching = "0"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
NoNameReleaseOnDemand = "1"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
EnableDeadGWDetect = "0"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
EnableFastRouteLookup = "1"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
MaxFreeTcbs = "7d"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
MaxHashTableSize = "8"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
SackOpts = "1"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
Tcp1323Opts = "3"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
TcpMaxDupAcks = "1"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
TcpRecvSegmentSize = "585"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
TcpSendSegmentSize = "585"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
DefaultTTL = "3"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
TcpMaxHalfOpen = "4b"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
TcpMaxHalfOpenRetried = "5"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
TcpTimedWaitDelay = "0"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
MaxNormLookupMemory = "3d4"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
FFPControlFlags = "1"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
FFPFastForwardingCacheSize = "3d4"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
MaxForwardBufferMemory = "19df7"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
MaxFreeTWTcbs = "7d"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
GlobalMaxTcpWindowSize = "7d2"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
EnablePMTUDiscovery = "1"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
ForwardBufferMemory = "19df7"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
MaxConnectionsPer1_0Server = "5"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
MaxConnectionsPerServer = "5"
It modifies the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Ole
EnableDCOM = "N"
(Note: The default value data of the said registry entry is Y.)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\Lsa
restrictanonymous = "1"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\SharedAccess
Start = "4"
(Note: The default value data of the said registry entry is 2.)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\wuauserv
Start = "4"
(Note: The default value data of the said registry entry is 2.)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\wscsvc
Start = "4"
(Note: The default value data of the said registry entry is 2.)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
ForwardBroadcasts = "0"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
IPEnableRouter = "0"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
UseDomainNameDevolution = "1"
(Note: The default value data of the said registry entry is 1.)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
EnableICMPRedirect = "0"
(Note: The default value data of the said registry entry is 1.)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
DeadGWDetectDefault = "1"
(Note: The default value data of the said registry entry is 1.)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
DontAddDefaultGatewayDefault = "0"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
EnableSecurityFilters = "1"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
TcpWindowSize = "7d2"
(Note: The default value data of the said registry entry is faf0.)
Dropping Routine
This backdoor drops the following files:
- %System Root%\a.bat
- %User Temp%\1.reg
(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)
Other Details
This backdoor deletes itself after execution.
This report is generated via an automated analysis system.
SOLUTION
Step 1
Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.
Step 2
Restart in Safe Mode
Step 3
Delete this registry key
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
- RunServices
- In HKEY_CURRENT_USER\Software\Microsoft
- OLE
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT1.0
- Server
Step 4
Delete this registry value
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Windows Update Firewall System = "winmsfws.exe"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
- Windows Update Firewall System = "winmsfws.exe"
- In HKEY_CURRENT_USER\Software\Microsoft\OLE
- Windows Update Firewall System = "winmsfws.exe"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
- EnableRemoteConnect = "N"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\PCT1.0\Server
- Enabled = "{random values}"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmanserver\parameters
- AutoShareWks = "0"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmanserver\parameters
- AutoShareServer = "0"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- AllowUnqualifiedQuery = "0"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- PrioritizeRecordData = "1"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- TCP1320Opts = "3"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- KeepAliveTime = "2328"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- BcastQueryTimeout = "2ee"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- BcastNameQueryCount = "1"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- CacheTimeout = "ea6"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- Size/Small/Medium/Large = "3"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- LargeBufferSize = "1"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- SynAckProtect = "2"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- PerformRouterDiscovery = "0"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- EnablePMTUBHDetect = "0"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- FastSendDatagramThreshold = "4"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- StandardAddressLength = "18"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- DefaultReceiveWindow = "4"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- DefaultSendWindow = "4"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- BufferMultiplier = "2"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- PriorityBoost = "2"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- IrpStackSize = "4"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- IgnorePushBitOnReceives = "0"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- DisableAddressSharing = "0"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- AllowUserRawAccess = "0"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- DisableRawSecurity = "0"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- DynamicBacklogGrowthDelta = "32"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- FastCopyReceiveThreshold = "4"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- LargeBufferListDepth = "a"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- MaxActiveTransmitFileCount = "2"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- MaxFastTransmit = "4"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- OverheadChargeGranularity = "1"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- SmallBufferListDepth = "2"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- SmallerBufferSize = "8"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- TransmitWorker = "2"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- DNSQueryTimeouts = "1"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- DefaultRegistrationTTL = "14"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- DisableReplaceAddressesInConflicts = "0"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- DisableReverseAddressRegistrations = "1"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- UpdateSecurityLevel = "0"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- DisjointNameSpace = "1"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- QueryIpMatching = "0"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- NoNameReleaseOnDemand = "1"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- EnableDeadGWDetect = "0"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- EnableFastRouteLookup = "1"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- MaxFreeTcbs = "7d"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- MaxHashTableSize = "8"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- SackOpts = "1"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- Tcp1323Opts = "3"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- TcpMaxDupAcks = "1"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- TcpRecvSegmentSize = "585"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- TcpSendSegmentSize = "585"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- DefaultTTL = "3"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- TcpMaxHalfOpen = "4b"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- TcpMaxHalfOpenRetried = "5"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- TcpTimedWaitDelay = "0"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- MaxNormLookupMemory = "3d4"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- FFPControlFlags = "1"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- FFPFastForwardingCacheSize = "3d4"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- MaxForwardBufferMemory = "19df7"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- MaxFreeTWTcbs = "7d"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- GlobalMaxTcpWindowSize = "7d2"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- EnablePMTUDiscovery = "1"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- ForwardBufferMemory = "19df7"
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
- MaxConnectionsPer1_0Server = "5"
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
- MaxConnectionsPerServer = "5"
Step 5
Restore these modified registry values
Important:Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this only if you know how to or you can seek your system administrator's help. You may also check out this Microsoft article first before modifying your computer's registry.
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
- From: EnableDCOM = "N"
To: EnableDCOM = ""Y""
- From: EnableDCOM = "N"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa
- restrictanonymous = "1"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess
- From: Start = "4"
To: Start = ""2""
- From: Start = "4"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wuauserv
- From: Start = "4"
To: Start = ""2""
- From: Start = "4"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc
- From: Start = "4"
To: Start = ""2""
- From: Start = "4"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- ForwardBroadcasts = "0"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- IPEnableRouter = "0"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- From: UseDomainNameDevolution = "1"
To: UseDomainNameDevolution = ""1""
- From: UseDomainNameDevolution = "1"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- From: EnableICMPRedirect = "0"
To: EnableICMPRedirect = ""1""
- From: EnableICMPRedirect = "0"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- From: DeadGWDetectDefault = "1"
To: DeadGWDetectDefault = ""1""
- From: DeadGWDetectDefault = "1"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- DontAddDefaultGatewayDefault = "0"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- EnableSecurityFilters = "1"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
- From: TcpWindowSize = "7d2"
To: TcpWindowSize = ""faf0""
- From: TcpWindowSize = "7d2"
Step 6
Search and delete these components
- %System Root%\a.bat
- %User Temp%\1.reg
Step 7
Restart in normal mode and scan your computer with your Trend Micro product for files detected as BKDR_RBOT.BRU. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Did this description help? Tell us how we did.