.:: Backdoor.Win32.Rbot.clj Reversing ::.

Author: Evilcry
WebSite: http://evilcodecave@gmail.com / http://evilcry.altervista.org
Kaspersky Identification: Backdoor.Win32.Rbot.clj
MD5: 59c661ba0c7c485f4480f7b142a9c084

.:: The Essay ::.

Backdoor.Rbot gives its operator remote access to victim machines. The Trojans are controlled via IRC and perform various data extortion operations:

* Filtering data packets for passwords to FTP servers and e-payment systems.
* Vulnerability checks (RPC DCOM, UPnP, WebDAV).
* Checks for other backdoors (NetDevil, SubSeven).
* Acting as a bridge for DoS attacks.
* Sending the operator detailed information about the victim machine, including passwords to a range of computer games.

Rbot is a really stupid and unsophisticated virus, currently detected by all antivirus products, and can be removed by hand in one minute.

.:: Rbot Reversing ::.

Rbot is packed with NSPack v2.9, a very common packer/compressor used in many viruses. Unpacking it is truly easy:

.nsp1:004DF1B4 pushf ; EP
.nsp1:004DF1B5 pusha
...
.nsp1:004DF424 popa
.nsp1:004DF425 popf
.nsp1:004DF426 jmp near ptr dword_4DC8D0 ; OEP

You only have to put a breakpoint on the JMP to the OEP, dump and rebuild the executable, and you'll have a 100% clean executable.

The following registry entries are added:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

and on each execution Rbot copies itself (every time with a different name) into the %System% directory.

Rbot can spread itself in various ways:

* Via network shares (TCP ports 139 and 445)
* Via exploits such as the Windows LSASS buffer overflow, Windows ntdll.dll buffer overflow, Windows RPC malformed message buffer overflow, RPCSS malformed DCOM, UPnP, DameWare.
* Via other malicious code:
  * Win32.Bagle worm (TCP port 2745)
  * Win32.Mydoom worm (TCP port 3127)
  * Win32.OptixPro trojan (TCP port 3410)
  * Win32.NetDevil trojan (TCP port 903)
  * Win32.Kuang trojan (TCP port 17300)
  * Win32.SubSeven trojan (TCP port 27347)

.:: Rbot Removal ::.

Locate the executable in the %System% directory and remove it (remember that the .exe is hidden).

Remove the registry keys:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
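For the NSPack unpacking step in the Rbot Reversing section, here is an added Python helper (not part of the original essay) that scans a dumped code section for the stub tail "popa; popf; jmp rel32" and computes the OEP that the jump lands on, i.e. the address where the breakpoint goes. It assumes the standard 32-bit encodings (9C/60 for pushf/pusha, 61/9D for popa/popf, E9 rel32 for the jmp); the section bytes are a constructed sample modelled on the listing above, and the function and constant names are my own.

```python
import struct

# Opcode bytes for the instructions that open and close the NSPack stub.
PUSHF_PUSHA = b"\x9c\x60"         # pushf ; pusha      (stub entry point)
POPA_POPF_JMP = b"\x61\x9d\xe9"   # popa ; popf ; jmp rel32  (tail before OEP)


def find_nspack_oep(section: bytes, section_va: int):
    """Return a list of (jmp_va, oep_va) candidates found in a mapped section.

    section_va is the virtual address of section[0]. A near jmp E9 is 5 bytes
    long and its rel32 is signed and relative to the end of the instruction.
    """
    candidates = []
    pos = section.find(POPA_POPF_JMP)
    while pos != -1:
        jmp_va = section_va + pos + 2            # VA of the E9 opcode byte
        rel_bytes = section[pos + 3:pos + 7]
        if len(rel_bytes) == 4:                   # ignore a truncated tail
            rel32 = struct.unpack("<i", rel_bytes)[0]
            candidates.append((jmp_va, jmp_va + 5 + rel32))
        pos = section.find(POPA_POPF_JMP, pos + 1)
    return candidates


def stub_has_entry_prologue(section: bytes, entry_va: int, section_va: int) -> bool:
    """Sanity check: the PE entry point should start with pushf ; pusha."""
    off = entry_va - section_va
    return off >= 0 and section[off:off + 2] == PUSHF_PUSHA


# Constructed sample: a .nsp1 section starting at 0x4DF1B4 with pushf/pusha,
# NOP filler, then popa/popf at 0x4DF424/0x4DF425 and the jmp at 0x4DF426
# whose rel32 points back to 0x4DC8D0 (the OEP from the listing).
SAMPLE_SECTION_VA = 0x4DF1B4
_filler = b"\x90" * (0x4DF424 - 0x4DF1B6)
SAMPLE_SECTION = (PUSHF_PUSHA + _filler + POPA_POPF_JMP
                  + struct.pack("<i", 0x4DC8D0 - (0x4DF426 + 5)))

if __name__ == "__main__":
    for jmp_va, oep in find_nspack_oep(SAMPLE_SECTION, SAMPLE_SECTION_VA):
        print(f"jmp at {jmp_va:08X} -> candidate OEP {oep:08X}")
```

On a real dump, feed it the raw bytes of the packer section and its virtual address from the section header; more than one hit means you should confirm the candidate in the debugger before dumping.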