BKDR_POEBOT


 ALIASES:

Rbot

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Propagates via network shares


POEBOT is a family of worms that spreads via network shares. It uses a list of user names and passwords to access password-protected shares.

POEBOT has backdoor capabilities,allowing remote access to the affected system. It can also collect information from specific applications.

  TECHNICAL DETAILS

Memory Resident:

Yes

Payload:

Compromises system security

Installation

This backdoor drops the following copies of itself into the affected system:

  • %System%\{random}.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
{random value} = "%System%\{random}.exe"

Other Details

This backdoor connects to the following possibly malicious URL:

  • xt.{BLOCKED}ere.biz
  • ss.{BLOCKED}HZ.INFO