Trojan bot exploits Windows vulnerability, drops rootkit

A Trojan that creeps through networks is insidious enough on its own; what if it also uses a rootkit to evade detection? Security experts at MicroWorld Technologies report that a Trojan bot is exploiting multiple Windows vulnerabilities to spread across networks while using a rootkit component to hide its files and processes.

“Backdoor.Rbot.ayg” spreads via AOL Instant Messenger at its first level of proliferation. Once it is installed in the system registry, the bot can move to other computers on the network by exploiting the recently found and patched Server Service vulnerability (MS06-040) and earlier flaws in Microsoft Windows such as MS03-049.
Last month, MicroWorld Technologies reported on “’, which exploited MS06-040 to launch a zero-day attack on targeted computers. It had an identical spreading routine using AOL Messenger and was also capable of exploiting earlier flaws in Windows.
Backdoor.Rbot.ayg uses “Win32.Rootkit.l” to hide its files and processes. It communicates with the remote attacker via IRC channels and accepts and executes commands. The bot can shut down and restart the computer, log on to websites and download malicious code, log off the current user, send files to the intruder, capture network user information and search disks for files.

