Rbot.WEC belongs to a large family of backdoors that try to bypass Windows security features. It is a remote administration tool that, once installed, allows an attacker full control of the compromised machine to perform a variety of malicious activities, such as executing commands and stealing data.

File Related Changes

It drops the following file(s) on the system:
- "c:\Windows\System32\drivers\explore.exe"

Process Related Changes

It creates the following mutex(es):

It creates the following process(es):
- C:\Windows\system32\drivers\explore.exe

Registry Related Changes

It makes the following registry modifications to ensure infection after system reboot:
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run\explore.exe = C:\Windows\system32\drivers\explore.exe