How to Prevent and Remove the Backdoor:Win32/Rbot.gen


1. What is the Backdoor:Win32/Rbot.gen

Backdoor.Rbot.GEN is an IRC-controlled backdoor (or "bot"). It can be used to gain access to an affected user's PC without authorization, and it can also show worm-like behaviour by exploiting weak passwords on network shares. Backdoor.Rbot.GEN is classified under the TT_Backdoor and TT_Trojan.h types of computer Trojans.


2. Technical Details

a. The following files were created in the system:

No.  Filename                               Size
1    %System%\ieyhrq.exe                    486,400 bytes
     [file and pathname of the sample #1]

  • Note:
    • %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

b. Memory Modifications

  • There was a new process created in the system:

    Process Name   Process Filename       Main Module Size
    ieyhrq.exe     %System%\ieyhrq.exe    1,101,824 bytes

c. Registry Modifications

  • The following Registry Key was created:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
  • The following Registry Values were created, each so that ieyhrq.exe runs every time Windows starts:
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      Windows Media Player = "ieyhrq.exe"
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
      Windows Media Player = "ieyhrq.exe"
    • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
      Windows Media Player = "ieyhrq.exe"

d. Other details

  • The following ports were open in the system (all bound by the same process):

    Port         Protocol   Process
    69           UDP        ieyhrq.exe (%System%\ieyhrq.exe)
    113          TCP        ieyhrq.exe (%System%\ieyhrq.exe)
    1050         TCP        ieyhrq.exe (%System%\ieyhrq.exe)
    4347-4443    TCP        ieyhrq.exe (%System%\ieyhrq.exe)

    The last row covers 97 consecutive TCP ports, 4347 through 4443 inclusive, which the original listing gives one per line.


  • Attempts to establish a connection with a remote host were recorded. The connection details are:

    Remote Host      Port Number
    79.103.58.244    80


3. How-to's

a. How to prevent the Backdoor:Win32/Rbot.gen?

Keep the policy knowledge base of Sax2 up to date. Once Ax3soft Sax2 detects the communication of these trojans, it will break the connection and so protect your network and business.

b. How to Remove the Backdoor:Win32/Rbot.gen Manually?

Step 1: Use Windows Task Manager to end the Backdoor:Win32/Rbot.gen process:

    ieyhrq.exe

Step 2: Use Registry Editor to remove the Backdoor:Win32/Rbot.gen registry values. Delete the value "Windows Media Player" under each of the following keys, and the RunServices key the trojan created:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    Windows Media Player = "ieyhrq.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
    Windows Media Player = "ieyhrq.exe"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    Windows Media Player = "ieyhrq.exe"

Step 3: Detect and delete the other Backdoor:Win32/Rbot.gen files:

    %System%\ieyhrq.exe
    [file and pathname of the sample #1]

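As an added detection example that is not part of the original write-up, the following PowerShell script checks a host for every indicator documented in section 2 (the dropped file, the three autorun values, the process, the ports it binds and the remote host) and reports what it finds without deleting anything, so the findings can be confirmed before the removal steps above are carried out. It assumes Windows PowerShell 5.1 or later with the NetTCPIP module; the variable names are its own.

```powershell
# Added example (not from the original write-up): audit a Windows host for the
# indicators this page lists and report them. Detection only; nothing is deleted.
# Assumes Windows PowerShell 5.1 or later with the NetTCPIP module available.
$Indicator = @{
    FileName  = 'ieyhrq.exe'             # dropped into %System%
    ValueName = 'Windows Media Player'   # autorun value name the trojan uses
    RunKeys   = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    TcpPorts  = @(113, 1050) + (4347..4443)   # ports from the table in section 2
    UdpPorts  = @(69)
    RemoteIP  = '79.103.58.244'               # remote host the sample contacted
}
$findings = @()

# 1. Dropped file in the system folder (%System% is System32 on NT-based Windows)
$path = Join-Path $env:SystemRoot "System32\$($Indicator.FileName)"
if (Test-Path $path) {
    $findings += "File present: $path ($((Get-Item $path).Length) bytes; page reports 486,400)"
}

# 2. Autorun values. RunServices is only processed by Windows 9x/Me; on NT-based
#    Windows the value is inert but still a reliable artefact, so it is checked too.
foreach ($key in $Indicator.RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $data = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).($Indicator.ValueName)
    if ($data -and $data -like "*$($Indicator.FileName)*") {
        $findings += "Autorun value: $key\$($Indicator.ValueName) = `"$data`""
    }
}

# 3. Running process and the ports it owns
$procName = [IO.Path]::GetFileNameWithoutExtension($Indicator.FileName)
foreach ($p in (Get-Process -Name $procName -ErrorAction SilentlyContinue)) {
    $findings += "Process running: $($p.ProcessName) (PID $($p.Id), $($p.Path))"
    $tcp = Get-NetTCPConnection -OwningProcess $p.Id -State Listen -ErrorAction SilentlyContinue |
           Where-Object { $Indicator.TcpPorts -contains $_.LocalPort }
    $udp = Get-NetUDPEndpoint -OwningProcess $p.Id -ErrorAction SilentlyContinue |
           Where-Object { $Indicator.UdpPorts -contains $_.LocalPort }
    foreach ($c in $tcp) { $findings += "Listening TCP port $($c.LocalPort) owned by PID $($p.Id)" }
    foreach ($u in $udp) { $findings += "Bound UDP port $($u.LocalPort) owned by PID $($p.Id)" }
}
# 4. Any process connected to the remote host recorded in section 2
$remote = Get-NetTCPConnection -RemoteAddress $Indicator.RemoteIP -ErrorAction SilentlyContinue
foreach ($c in $remote) { $findings += "Connection to $($c.RemoteAddress):$($c.RemotePort) from PID $($c.OwningProcess)" }

if ($findings.Count -eq 0) { 'No Backdoor:Win32/Rbot.gen indicators from this write-up were found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Run it from an elevated prompt so that the HKLM keys and other users' processes are readable; a hit on any line is a reason to proceed with the manual or automated removal described in this section.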

c. How to Remove these trojans Instantly?

Manual removal is a difficult process and is not recommended unless you are an expert in this field. Therefore, your best defense is to download and install a reliable anti-spyware program to scan your machine for spyware. To detect computer threats in the easiest and fastest way possible, we advise trying Malwarebytes' Anti-Malware, an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm and download Malwarebytes' Anti-Malware to help you.


4. Appendix

For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm