WORM_POEBOT
Rbot
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Worm
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
POEBOT is a family of worms that spreads via network shares. It uses a list of user names and passwords to access password-protected shares.
POEBOT has backdoor capabilities,allowing remote access to the affected system. It can also collect information from specific applications.
TECHNICAL DETAILS
Installation
This worm drops the following copies of itself into the affected system:
- %System%\{random}.exe
(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)
Autostart Technique
This worm adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
{random value} = "%System%\{random}.exe"
Other Details
This worm connects to the following possibly malicious URL:
- xt.{BLOCKED}ere.biz
- ss.{BLOCKED}HZ.INFO