Trojan Horses Definitions(r) - RBot.rsms

RBot.rsms

Category: Trojan

Risk: Severe Risk

* Severe threats typically are remotely exploitable vulnerabilities, which can lead to system compromise. Successful exploitation does not normally require any interaction and exploits are in the wild. There exists a high possibility of potential system damage or security flaw. Attacker has complete control over your computer or install new software on your machine.

Description: RBot.rsms is a variant of Rbot. a family of remote access tools, also known as backdoors or worms, used by hackers to control a machine without the owner's knowledge. This group of threats can spread through security exploits, networks, IRC (Internet Relay Chat) servers and sometimes with other malware. Once installed, RBOT will set itself to run on Windows startup, using names that seem to be Windows Related. RBOT allows the attacker to take control of a machine remotely and execute commands. The machine can be used as a spam relay or to participate in a denial of service (DOS) attack.RBOT can spread through networkked computers. Some RBOT variants can steal passwords and other data from the infected machine, lower security settings and turn off antivirus programs. RBOT variants are also known to steal game and application license keys. According to MalwareBlog.com (http://www.malwareblog.com/?p=166), Rbot.rsms has the following characteristics: Registry - "Run" keys .svchost c:\windows\system\csrss.exe Window Firewall c:\windows\system32\rsms.exe Propagation - Payload URL: zone.megaspaware.com/3/scpr32a.exe Connects to IRC server @ 205.209.188.190:5190 (CSRSS.EXE) Connects to IRC server @ 70.80.88.114:6667 (rsms.exe) Attacks other hosts on port 135 (rsms.exe)

Alias: None

Signatures:
process: crss.exe: MD5 Hash: 104d3f2c277d102749d
process: csrss.exe: MD5 Hash: 6846d2fb746e61e4391..