Rbot.FEG belongs to a large family of backdoors that try to bypass Windows security features. It is a remote administration tool, that once installed, will allow an attacker full control of the compromised machine to perform a variety of malicious activities such as executing commands and stealing data.
File Related Changes
It drops the following file(s) on the system:
- "c:\Windows\System32\load.exe"
Process Related Changes
It creates the following process(es): - C:\Windows\system32\load.exe
Registry Related Changes
It makes the following registry modifications to ensure infection after system reboot: - HKLM\Software\Microsoft\Windows\CurrentVersion\Run\windowssecureupdate = load.exe
- HKLM\Software\Microsoft\Windows\CurrentVersion\Runservices\windowssecureupdate = load.exe
- HKLM\Software\Microsoft\Windows\CurrentVersion\Runonce\windowssecureupdate = load.exe
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\windowssecureupdate = load.exe
- HKCU\Software\Microsoft\Windows\CurrentVersion\Runonce\windowssecureupdate = load.exe
|
