
Doctor Web discovers worm that infects archives and removes other Trojans

January 13, 2017

Worm viruses are malicious programs that can replicate themselves but cannot infect executable files. Doctor Web specialists have examined one such Trojan that infects RAR archives and uses the VNC remote access system to spread itself.

The worm, named BackDoor.Ragebot.45, receives instructions via the IRC (Internet Relay Chat) protocol by connecting to the corresponding chat channel.


After infecting a computer running Windows, BackDoor.Ragebot.45 launches an FTP server and uses it to download a copy of itself onto the computer. It then scans accessible subnetworks, searching for nodes with port 5900 open in order to establish a connection to the Virtual Network Computing (VNC) desktop. Once such a machine is detected, BackDoor.Ragebot.45 tries to obtain access to it via a brute-force attack.

If access is obtained, the worm establishes the VNC connection and sends keystroke signals, using them to run the CMD command interpreter and execute code that launches a copy of the worm over the FTP protocol. This is how the worm replicates itself.
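As an added illustration (not Doctor Web's code), the propagation pattern described above can be looked for in network flow records: one host contacting port 5900 on many machines, followed by a contacted machine opening FTP back to that host. The log format, the thresholds and FTP port 21 are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

VNC_PORT = 5900        # port the article says the worm probes
FTP_PORT = 21          # assumption: default FTP control port (the article names no port)
SCAN_WINDOW = 60       # assumption: seconds over which fan-out is measured
SCAN_FANOUT = 5        # assumption: distinct VNC targets that count as a sweep
CALLBACK_WINDOW = 600  # assumption: max seconds between VNC contact and FTP fetch

# Constructed sample flow log: "epoch_seconds src_ip dst_ip dst_port"
SAMPLE_LOG = """\
1000 10.0.0.7 10.0.0.20 5900
1001 10.0.0.7 10.0.0.21 5900
1002 10.0.0.7 10.0.0.22 5900
1003 10.0.0.7 10.0.0.23 5900
1004 10.0.0.7 10.0.0.24 5900
1030 10.0.0.23 10.0.0.7 21
1100 10.0.0.50 10.0.0.60 5900
1200 10.0.0.60 10.0.0.99 21
"""

def parse(log):
    rows = (line.split() for line in log.splitlines() if line.strip())
    return sorted((int(ts), src, dst, int(port)) for ts, src, dst, port in rows)

def vnc_sweepers(flows):
    """Sources reaching SCAN_FANOUT distinct port-5900 targets within SCAN_WINDOW."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port == VNC_PORT:
            by_src[src].append((ts, dst))
    hits = set()
    for src, events in by_src.items():
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most SCAN_WINDOW seconds.
            while events[end][0] - events[start][0] > SCAN_WINDOW:
                start += 1
            if len({d for _, d in events[start:end + 1]}) >= SCAN_FANOUT:
                hits.add(src)
    return hits

def ftp_callbacks(flows):
    """(source, target) pairs where a VNC target opens FTP back to its VNC source."""
    last_vnc, pairs = {}, set()
    for ts, src, dst, port in flows:
        if port == VNC_PORT:
            last_vnc[(src, dst)] = ts
        elif port == FTP_PORT and ts - last_vnc.get((dst, src), float("-inf")) <= CALLBACK_WINDOW:
            pairs.add((dst, src))
    return sorted(pairs)
```

On the sample, `10.0.0.7` is reported as a sweeper and `10.0.0.23` as a machine that fetched over FTP from it, while the single administrative VNC session and the unrelated FTP transfer are not flagged.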

Another function of BackDoor.Ragebot.45 is to search for and infect RAR archives on removable media. When it detects an archive, the Trojan saves a copy of itself (named setup.exe, installer.exe, self-installer.exe, or self-extractor.exe) to it. For the infection to be successful, the user must run an executable file that has been extracted from the archive.

In addition, the Trojan copies itself to the ICQ client folder as well as to the folders of programs designed to establish P2P connections. Once BackDoor.Ragebot.45 receives the corresponding command, it searches for other Trojans in the system and, if it finds any, deletes their executable files. The Trojan has special white lists of file names (mainly belonging to Windows system files) that it ignores, allowing them to operate on the infected machine.

Samples of a previous version of BackDoor.Ragebot.45 became public some time ago, which may cause the worm to spread actively in the future. Dr.Web successfully detects and removes BackDoor.Ragebot.45, so this malicious program poses no threat to our users.
