Backdoor.Rbot is a family of Trojan programs for Windows, which offer the user remote access to victim machines. The Trojans are controlled via IRC, and have the following functions:
For example Backdoor.Win32.Rbot.bni:
Every 50 milliseconds the backdoor creates a thread in which it will connect to the following server (if there is a network accessible):
If in the course of 256 connection either of the servers returns an error saying that the resource is temporarily not available, the connection will be suspended for half a second.
The backdoor spreads via the Microsoft Windows DCOM RPC vulnerability. A full description of the vulnerability can be found in Microsoft Security Bulletin MS03-026 Microsoft Security Bulletin MS03-026 (
The backdoor chooses IP addresses to attack, and if a machine under attack contains the DCOM RPC vulnerability, the backdoor will launch its code on the vulnerable machine.
If none of the computers under attack contain this vulnerability, the backdoor will try to connect using the following user names:
and the following passwords:
Admin root asdfgh password 00 000 0000 00000 000000 0000000 00000000 1 12 123 1234 12345 123456 1234567 12345678 123456789 secret secure security setup shadow shit sql super sys system abc123 access adm alpha anon anonymous backdoor backup beta bin coffee computer crew database debug default demo X go guest hello install internet login mail manager money monitor network new newpass nick nobody nopass oracle pass passwd server poiuytre private public qwerty random real remote ruler telnet temp test test1 test2 visitor windows
If the backdoor manages to establish a connection, it will copy its executable file to the Windows system directory on the victim machine.