ALIASES:

Rbot

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003


  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel: Propagates via network shares

POEBOT is a family of worms that spreads via network shares. It uses a list of user names and passwords to access password-protected shares.

POEBOT has backdoor capabilities, allowing remote access to the affected system. It can also collect information from specific applications.

  TECHNICAL DETAILS

Memory Resident: Yes
Payload: Compromises system security

Installation

This worm drops the following copies of itself into the affected system:

  • %System%\{random}.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32 on all Windows operating system versions.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
{random value} = "%System%\{random}.exe"
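
Because both the value name and the file name are random, triage has to key on the shape of the entry rather than on a name. The following is an added example, not part of the original write-up or any vendor tool: it parses saved `reg query` output for the Run key above and lists values that launch an .exe sitting directly in the system folder. The sample output, the value names, the `C:\WINDOWS` system root and the allow-list are constructed assumptions, and a hit is a candidate for review, not a verdict.

```python
import ntpath
import re

# Constructed sample of `reg query` output for the HKLM Run key (not real data).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    VMware Tools    REG_SZ    "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
    qwkzpt    REG_SZ    "C:\WINDOWS\system32\xjrmvq.exe"
    ctfhelper    REG_EXPAND_SZ    %SystemRoot%\system32\ctfmon.exe
    updchk    REG_SZ    C:\WINDOWS\system32\spool\..\wbem\updchk.exe /s
"""

# Value name, type and data are separated by a tab or by four spaces.
ENTRY = re.compile(
    r"^(?P<name>.+?)(?:\t| {4})(?P<type>REG_(?:EXPAND_)?SZ)(?:\t| {4})(?P<data>.*)$"
)


def command_path(data):
    """Return the executable path from a Run value, dropping arguments."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)\b", data, re.I)
    return m.group(1) if m else data.split(" ", 1)[0]


def suspicious_run_entries(reg_output, system_root=r"C:\WINDOWS", allow=()):
    """List (value name, path) pairs that start an .exe directly in System32."""
    system_dir = ntpath.normcase(ntpath.join(system_root, "System32"))
    allowed = {a.lower() for a in allow}
    hits = []
    for line in reg_output.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # key header or blank line
        path = command_path(m["data"])
        for var in ("%SystemRoot%", "%windir%"):
            path = re.sub(re.escape(var), lambda _: system_root, path, flags=re.I)
        # Collapse ".." segments and case so path tricks do not hide the folder.
        path = ntpath.normcase(ntpath.normpath(path))
        if (ntpath.dirname(path) == system_dir and path.endswith(".exe")
                and ntpath.basename(path) not in allowed):
            hits.append((m["name"], path))
    return hits


if __name__ == "__main__":
    for name, path in suspicious_run_entries(SAMPLE, allow=("ctfmon.exe",)):
        print(f"review: {name} -> {path}")
```

Each listed file still needs its signature, creation time and hash checked before it is treated as a POEBOT copy.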

Other Details

This worm connects to the following possibly malicious URLs:

  • xt.{BLOCKED}ere.biz
  • ss.{BLOCKED}HZ.INFO