My Bitdefender
  • 0 Shopping Cart


Facebook Twitter Google Plus




Presence of the following files:
  • %windir%\b.exe (usually C:\Windows\b.exe), 155,648 bytes
  • C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe, 236,136 bytes
  • The file xzxzxzxzxzxz.exe (236,136 bytes) may appear in a subdirectory called "_" (underscore) in the shared folders of peer-to-peer file sharing applications.

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Vlad Ioan Topan, BitDefender Virus Researcher

Technical Description:

This is a worm that spreads itself via peer-to-peer file sharing networks, dropping a backdoor identified by BitDefender as Backdoor.RBot.CMQ. It has a file size of 236,136 bytes.

The first time it is run, it displays the following message to make the user believe it is a setup file downloaded with errors:

Fake error message

After displaying the message, it copies itself to the All Users' startup folder (usually C:\Documents and Settings\All Users\Start Menu\Programs\Startup\) as svchost.exe, and launches itself from that new location.
The original instance ends its execution at this point.

When launched from the afore mentioned (Startup) folder, it checks if the %system% (usually C:\Windows\System32) folder contains any of the following files: winlog.exe, p2pnetworking.exe, scvhost.exe, winlogi.exe or p2pnetwork.exe.
These are all file names used by the RBot trojan. If it can't find any of them, it assumes the RBot trojan is not present so it dropps it into the Windows folder as b.exe and runs it.

To spread itself, it collects random application names from certain torrent and direct download sites.
It then places itself in the shared folder of five common P2P file sharing software (listed below) using the previousely collected names, in a subfolder called "_" (underscore).
At regular intervals it looks for the executable files of the file sharing programs Limewire, Shareaza, Bearshare, Morpheus and Morpheus Ultra and launches them.

To protect itself from being discovered, it opens the following files (requesting exclusive access): cmd.exe, netstat.exe, tracert.exe, ping.exe, ipconfig.exe, taskkill.exe, regedt32.exe and taskmgr.exe from the %system% folder and regedit.exe from the %windir% folder.
It keeps them open while it is active, so they can not be executed.