Backdoor:Win32/Netbot.D

Backdoor:Win32/Netbot.D is a trojan that contacts a remote command and control (C&C) server to send information about your computer and to download and execute files.

Installation

When run, this trojan creates a file in the Windows system folder named "rzmctfy.cc3" and modifies your system registry to run the dropped file when you start Windows.

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\svchost
Sets value: "Description"
To data: " monitor the system security settings and configuration services."

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\svchost\Parameters
Sets value: "ServiceDll"
To data: "<system folder>\rzmctfy.cc3"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
Sets value: "start"
With data: "svchost"

Payload

Downloads files

Backdoor:Win32/Netbot.D tries to contact a server named "lineagegame.no-ip.info" using TCP port 9527. Once connected, the trojan could send information about your computer, such as the version of Windows, or screen captures. The trojan could also download a specified file from the server and execute it on your computer.

Analysis by Zhitao Zhou