RBot.PCSync
Category: Trojan
Risk: Severe Risk
* Severe threats are typically remotely exploitable vulnerabilities that can lead to system compromise. Successful exploitation does not normally require any user interaction, and exploits are in the wild. There is a high probability of system damage or of a security flaw being introduced. The attacker gains complete control over the computer and can install new software on it.
Description: RBot.PCSync is a variant of the Rbot family of worms with backdoor functionality for the Windows platform. It spreads to weakly protected network shares and, when instructed by a remote command, by exploiting a number of known vulnerabilities.

Once executed, RBot.PCSync copies itself as a hidden file with system attributes to the Windows system folder under the filename PCsync.exe and, so that it runs automatically when Windows starts up, sets the following registry entries (key, value name, data):

HKLM\Software\Microsoft\Windows\CurrentVersion\Run            PcSync = "PCsync.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices    PcSync = "PCsync.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run            PcSync = "PCsync.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices    PcSync = "PCsync.exe"

RBot.PCSync also sets the following registry entries:

HKLM\Software\Microsoft\OLE                    PcSync = "PCsync.exe"
HKCU\Software\Microsoft\OLE                    PcSync = "PCsync.exe"
HKLM\SYSTEM\CurrentControlSet\Control\Lsa      PcSync = "PCsync.exe"
HKCU\SYSTEM\CurrentControlSet\Control\Lsa      PcSync = "PCsync.exe"

RBot.PCSync may modify the following registry value to enable or disable anonymous access to the IPC$ share:

HKLM\SYSTEM\CurrentControlSet\Control\Lsa      restrictanonymous

RBot.PCSync may also be instructed to enable or disable DCOM by modifying the following registry value:

HKLM\Software\Microsoft\OLE                    EnableDCOM

When installed, RBot.PCSync connects to a preconfigured IRC server and joins a channel from which an attacker can issue further commands.
These commands can cause the infected computer to perform any of the following actions:
- Scan for remote computers to infect
- Start an HTTP, an FTP, or a SOCKS4 server
- Log any keystrokes made on the infected computer
- Flood a remote computer using ICMP, SYN, UDP or TCP
- Search for, upload, download, and execute files
- Browse and attempt to modify any services installed on the computer
- Participate in a distributed denial-of-service (DDoS) attack
- List and terminate processes
- Attempt to disable security software
- Create and delete network shares
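The following PowerShell triage script is an added example, not code from the THR entry or from the worm itself. It checks a Windows host for the artefacts the description lists: the PcSync values under the Run, RunServices, OLE and Lsa keys, the restrictanonymous and EnableDCOM settings the bot toggles, the dropped PCsync.exe in the system folder (with its attributes and an MD5 prefix match, since the signature line truncates the hash), and any running pcsync process. Assumptions not stated on the page: the value name under each key is PcSync (the entry runs "Run" and "PcSync" together), "Windows system folder" means this host's System32 directory, and the hash is compared by prefix only.

```powershell
# Added triage script for the RBot.PCSync indicators described above. This is
# not code from the THR entry or from the malware; it only reads the locations
# the entry names and reports what it finds. Assumptions not stated on the page:
#   - the value name under each listed key is "PcSync";
#   - "Windows system folder" means the System32 directory of this host;
#   - the MD5 on the page is truncated, so only its prefix is compared.
# Requires PowerShell 4.0 or later (Get-FileHash); run from an elevated prompt.

$indicatorFile = 'PCsync.exe'
$md5Prefix     = 'd9f3e91ca8bc2354d8d'   # truncated in the signature line

# Registry values the entry says the worm creates (key path, value name).
$persistence = @(
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run';         Name = 'PcSync' }
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'; Name = 'PcSync' }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';         Name = 'PcSync' }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices'; Name = 'PcSync' }
    @{ Path = 'HKLM:\Software\Microsoft\OLE';                                Name = 'PcSync' }
    @{ Path = 'HKCU:\Software\Microsoft\OLE';                                Name = 'PcSync' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                 Name = 'PcSync' }
    @{ Path = 'HKCU:\SYSTEM\CurrentControlSet\Control\Lsa';                 Name = 'PcSync' }
)

$findings = New-Object System.Collections.Generic.List[object]

foreach ($entry in $persistence) {
    # Several of these keys (RunServices, HKCU\SYSTEM) do not exist on a clean
    # NT-based host, so a missing key or value is expected and silently skipped.
    $item = Get-ItemProperty -Path $entry.Path -Name $entry.Name -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        $findings.Add([pscustomobject]@{
            Type   = 'Persistence'
            Where  = '{0}\{1}' -f $entry.Path, $entry.Name
            Detail = $item.($entry.Name)
        })
    }
}

# Settings the bot toggles on command. These are reported, not judged:
# restrictanonymous=0 and EnableDCOM=Y are the defaults on many hosts, so what
# matters during an investigation is a change from your own baseline.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
$ole = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\OLE'               -ErrorAction SilentlyContinue
$findings.Add([pscustomobject]@{ Type = 'Setting'; Where = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous'; Detail = $lsa.restrictanonymous })
$findings.Add([pscustomobject]@{ Type = 'Setting'; Where = 'HKLM:\Software\Microsoft\OLE\EnableDCOM';                      Detail = $ole.EnableDCOM })

# Dropped file: -Force is required, otherwise Get-Item skips hidden/system files.
$candidate = Join-Path ([Environment]::GetFolderPath('System')) $indicatorFile
$file = Get-Item -LiteralPath $candidate -Force -ErrorAction SilentlyContinue
if ($null -ne $file) {
    $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm MD5).Hash.ToLower()
    $findings.Add([pscustomobject]@{
        Type   = 'File'
        Where  = $file.FullName
        Detail = 'attributes={0}; md5={1}; matches_prefix={2}' -f $file.Attributes, $hash, $hash.StartsWith($md5Prefix)
    })
}

# Running instance of the dropped binary, with its image path.
Get-Process -Name 'pcsync' -ErrorAction SilentlyContinue | ForEach-Object {
    $findings.Add([pscustomobject]@{
        Type   = 'Process'
        Where  = 'PID {0}' -f $_.Id
        Detail = $_.Path
    })
}

$findings | Format-Table -AutoSize -Wrap

# Non-zero exit code if any persistence, file or process indicator was present,
# so the script can be driven from a scheduled job or an EDR response action.
$hits = @($findings | Where-Object { $_.Type -ne 'Setting' })
exit $hits.Count
```

The registry and file checks are the reliable part of this triage: the entry names exact keys, value names and a filename. The process check is weaker, because a bot instructed to terminate processes and disable security software can just as easily be renamed or stopped before you look, so treat a clean process list as no evidence either way and rely on the persistence values and the file on disk.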
Alias: W32/Rbot-XJ
Signatures:
process: pcsync.exe: MD5 Hash: d9f3e91ca8bc2354d8d..
Copyright @2006 THR Computer Solutions: RBot.PCSync