Win32/Rbot [Threat Name]

Detection created 2004-06-01
World activity peak 2007-10-13 (1.31 %)
Short description

The trojan serves as a backdoor. It can be controlled remotely.


When executed, the trojan copies itself into the %system% folder using the following name:

  • %variable%.exe

A string with variable content is used in place of %variable%.

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Windows Layer" = "%system%\%variable%.exe"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
    • "Windows Layer" = "%system%\%variable%.exe"
Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan connects to the following addresses:


The IRC protocol is used.

It can execute the following operations:

  • send the list of disk devices and their type to a remote computer
  • download files from a remote computer and/or the Internet
  • spread via shared folders and P2P networks
  • send various information about the infected computer
  • collect information about the operating system used
  • connect to a specific port on remote computers
  • suspend itself for a certain time period
  • obtain the list of shared network folders
  • capture webcam video/voice
  • capture screenshots
  • send files to a remote computer
  • retrieve CPU information
  • redirect network traffic
  • monitor network traffic
  • spread via IM networks
  • log keystrokes
  • terminate running processes
  • run executable files
  • shut down/restart the computer
  • perform port scanning
  • open a specific URL address
  • perform DoS/DDoS attacks
  • update itself to a newer version
  • delete folders
  • create folders
  • move files
  • delete cookies
  • open ports

Threat Variants with Description

Threat Variant Name   Date Added   Threat Type
Win32/Rbot            2005-03-19   trojan
