Rbot.CQK is a Worm. Worms spread from computer to computer, making copies of themselves over the network. They could spread over email, IM, peer-to-peer networks, or directly over the wire by leveraging vulnerabilities. Rbot.CQK is compressed using the Armadillo executable packer and its file size is 778,240 bytes. It uses the network connection: - Looks for an Internet connection.
- Connects to "sirboost.no-ip.org" on port 6667 (TCP).
- Connects to IRC server.
Rbot.CQK drops the following files on the hard drive: - C:\WINDOWS\system32\wqabvn.exe (778240 bytes)
It also changes Windows registry: - Creates key "HKLM\Software\Licenses".
- Creates value "{K7C0DB872A3F777C0}"="\xbd\xc1p/\xad\x12\x1er\x8e\x090N6\xf1\xdf<7\xe0\xb6\xe6A \x82\xff\xff\xff\xff\xff\xff\xff\xff\xcb\x87\xdfE\x870\x0c\xc3\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" in key "HKLM\Software\Licenses".
- Creates key "HKCR\CLSID\{703F0E50-4994-EF9E-E8A9-D29A875F15BA}".
- Creates value "{IC6E3D0636B8B23B2}"="\x01" in key "HKLM\Software\Licenses".
- Creates value "{0C6E3D0636B8B23B2}"="V>\xa8\x0e\x0b\xa2\xa7\xa6A\x06S\x98\x96\xa1D\xa3v
- \x92f\xbc\xb6\x01\xab\x99\xe8\x09\x9b\x1f\xb1R=~\xe3\x0b=\xea\xd0\xe2aY\xbb\xa8C\xde\xff\xd8a\xc9\xec\x12Wi\x9d\x0c\xbe\xee/\xc4c,4\x1d\x03\xb9\x842y6\xb9\xd3-\x93\x10\x1f\xac~]o\x8b\x1f
It creates the following mutex to ensure only one instance is running: RAL3BBE6CE7. 3BBE6CE7::WK. 11. It also contains anti-debugging code, is executed every time Windows starts.
|