BKDR_RBOT.ARM

Malware type: Backdoor

Aliases: Trojan-Proxy.Win32.Ranky.fl (Kaspersky), Proxy-Piky (McAfee), Backdoor.Ranky.X (Symantec), TR/Dldr.Bary.FL.1 (Avira), Troj/Ranck-EI (Sophos)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 98, ME, NT, 2000, XP, Server 2003

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential:

High

Distribution potential:

Low

Description: 

This backdoor may arrive as a file dropped or downloaded by other malware. It may also arrive as a file manually installed by an unsuspecting user. Upon execution, it drops a copy of itself and modifies the registry.

It opens random ports and listens on them for incoming connections from a remote malicious user. Once a connection is established, that remote user can issue commands that run locally on the affected machine. This compromises the security of the system, since it allows an unknown and unauthorized party to control it.


Description created: May. 16, 2006 11:16:41 AM GMT -0800


Minimum scan engine version needed: 7.500

Pattern file needed: 3.412.02

Pattern release date: May 8, 2006


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

Restarting in Safe Mode

This malware has characteristics that require the computer to be restarted in safe mode. Go to this page for instructions on how to restart your computer in safe mode.

Editing the Registry

This malware modifies the computer's registry. Users affected by this malware may need to modify or delete specific registry keys or entries. For detailed information regarding registry editing, please refer to the following articles from Microsoft:

  1. HOW TO: Backup, Edit, and Restore the Registry in Windows 95, Windows 98, and Windows ME
  2. HOW TO: Backup, Edit, and Restore the Registry in Windows NT 4.0
  3. HOW TO: Backup, Edit, and Restore the Registry in Windows 2000
  4. HOW TO: Back Up, Edit, and Restore the Registry in Windows XP and Server 2003

Removing and Restoring Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing at startup.

If the registry entries below are not found, the malware may not have executed as of detection. If so, proceed to the succeeding solution set.

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>
    Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the entry:
    Microsoft (R) Windows TCP/IP Socket Layer = "%Windows%\winsock\services.exe"
    (Note: %Windows% is the default Windows folder, usually C:\Windows or C:\WINNT.)
  4. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>
    CurrentControlSet>Services>Winsock
  5. In the right panel, locate and delete the entry:
    ImagePath = "%Windows%\winsock\services.exe"
  6. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows NT>CurrentVersion>Winlogon
  7. In the right panel, locate the following entries:
    • Shell = "Explorer.exe %Windows%\winsock\services.exe"
    • Userinit = "%System%\userinit.exe,%Windows%\winsock\services.exe"
      (Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
  8. Right-click on these registry entries and choose Modify. Change the value of the following entries respectively to:
    • Shell = "Explorer.exe"
    • Userinit = "%System%\userinit.exe"

Modifying Other Entries in the Registry

  1. Still in Registry Editor, in the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>
    Services>RemoteRegistry
  2. In the right panel, locate the entry:
    Start = "dword:00000004"
  3. Right-click on this registry entry and choose Modify. Change the value of this entry to:
    Start = "dword:00000002"
  4. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>
    Services>Messenger
  5. In the right panel, locate the entry:
    Start = "dword:00000004"
  6. Right-click on this registry entry and choose Modify. Change the value of this entry to:
    Start = "dword:00000002"
  7. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>
    Services>SamSs
  8. In the right panel, locate the entry:
    Start = "dword:00000004"
  9. Right-click on this registry entry and choose Modify. Change the value of this entry to:
    Start = "dword:00000002"
  10. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>
    Services>SENS
  11. In the right panel, locate the entry:
    Start = "dword:00000004"
  12. Right-click on this registry entry and choose Modify. Change the value of this entry to:
    Start = "dword:00000002"
  13. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>
    Services>Winsock
  14. In the right panel, locate the entry:
    Start = "dword:00000002"
  15. Right-click on this registry entry and choose Modify. Change the value of this entry to:
    Start = "dword:00000003"
  16. In the right panel, locate the entry:
    Type = "dword:00000010"
  17. Right-click on this registry entry and choose Modify. Change the value of this entry to:
    Type = "dword:00000004"
  18. In the right panel, locate the entry:
    ErrorControl = "dword:00000000"
  19. Right-click on this registry entry and choose Modify. Change the value of this entry to:
    ErrorControl = "dword:00000001"
  20. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>
    Windows>CurrentVersion>Explorer>Advanced
  21. In the right panel, locate the entry:
    Hidden = "dword:00000000"
  22. Right-click on this registry entry and choose Modify. Change the value of this entry to:
    Hidden = "dword:00000001"

Removing Other Malware Entries from the Registry

  1. Still in Registry Editor, in the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>
    Windows>CurrentVersion>Policies>Explorer
  2. In the right panel, locate and delete the entry:
    NoFolderOptions = "dword:00000001"
  3. Close Registry Editor.
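Taken together, the three registry sections above form one checklist of keys and values to look for. As an added example (not Trend Micro's tooling, and not code from this page), the following Python script applies that checklist to a .reg file exported with Registry Editor's export function, so an analyst can triage a hive offline before editing anything; it only reports findings and changes nothing. The sample export embedded at the end is constructed to contain every indicator listed on this page plus one benign Run entry, and all function and variable names are the script's own.

```python
"""Offline triage of a .reg export for the BKDR_RBOT.ARM registry indicators
listed in the removal steps on this page. Added example, not Trend Micro's
tooling: it reads exported text rather than the live registry and only reports."""
import re
from dataclasses import dataclass

# Path fragment of the dropped copy named on the page (%Windows%\winsock\services.exe)
DROPPED_COPY = r"\winsock\services.exe"

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WINSOCK = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock"
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SERVICES = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
ADVANCED = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
POLICIES = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"


@dataclass
class Finding:
    key: str
    name: str
    current: object
    action: str  # the remediation the page prescribes for this entry


def parse_reg_export(text):
    """Parse .reg text into {key_lowercased: {value_name: value}}.
    Quoted strings are unescaped and dword values become ints; other types
    (hex:, hex(2):) stay as raw text. Keys are lowercased because registry
    key names are case-insensitive (SOFTWARE vs Software)."""
    hive, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            hive.setdefault(current, {})
            continue
        m = re.match(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$', line)
        if m is None or current is None:
            continue  # header, blank, comment or continuation line
        name = m.group(1) if m.group(1) is not None else ""
        rhs = m.group(2)
        if rhs.startswith("dword:"):
            value = int(rhs[len("dword:"):], 16)
        elif len(rhs) >= 2 and rhs.startswith('"') and rhs.endswith('"'):
            value = re.sub(r"\\(.)", r"\1", rhs[1:-1])  # undo .reg escaping
        else:
            value = rhs
        hive[current][name] = value
    return hive


def triage(hive):
    """Apply the page's indicators to a parsed hive and return a list of Findings."""
    def get(key, name):
        return hive.get(key.lower(), {}).get(name)

    def names_dropped_copy(v):
        return isinstance(v, str) and DROPPED_COPY.lower() in v.lower()

    findings = []
    # Autostart entries that launch the dropped copy
    run_name = "Microsoft (R) Windows TCP/IP Socket Layer"
    if get(RUN_KEY, run_name) is not None:
        findings.append(Finding(RUN_KEY, run_name, get(RUN_KEY, run_name), "delete"))
    if names_dropped_copy(get(WINSOCK, "ImagePath")):
        findings.append(Finding(WINSOCK, "ImagePath", get(WINSOCK, "ImagePath"), "delete"))
    for name, clean in (("Shell", "Explorer.exe"), ("Userinit", r"%System%\userinit.exe")):
        if names_dropped_copy(get(WINLOGON, name)):
            findings.append(Finding(WINLOGON, name, get(WINLOGON, name), f"set to {clean}"))
    # Services found disabled (Start=4); the page restores them to automatic (2)
    for svc in ("RemoteRegistry", "Messenger", "SamSs", "SENS"):
        key = SERVICES + "\\" + svc
        if get(key, "Start") == 4:
            findings.append(Finding(key, "Start", 4, "set to dword:00000002"))
    # The Winsock service entry's own configuration, as the page lists it
    for name, bad, good in (("Start", 2, 3), ("Type", 0x10, 4), ("ErrorControl", 0, 1)):
        if get(WINSOCK, name) == bad:
            findings.append(Finding(WINSOCK, name, bad, f"set to dword:{good:08x}"))
    # Explorer settings the page says to restore or remove
    if get(ADVANCED, "Hidden") == 0:
        findings.append(Finding(ADVANCED, "Hidden", 0, "set to dword:00000001"))
    if get(POLICIES, "NoFolderOptions") == 1:
        findings.append(Finding(POLICIES, "NoFolderOptions", 1, "delete"))
    return findings


def triage_text(text):
    return triage(parse_reg_export(text))


# Constructed sample export: every indicator from the page plus one benign Run entry.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Microsoft (R) Windows TCP/IP Socket Layer"="C:\\WINDOWS\\winsock\\services.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock]
"ImagePath"="C:\\WINDOWS\\winsock\\services.exe"
"Start"=dword:00000002
"Type"=dword:00000010
"ErrorControl"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\winsock\\services.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\winsock\\services.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SamSs]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SENS]
"Start"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000001
"""

if __name__ == "__main__":
    for f in triage_text(SAMPLE_EXPORT):
        print(f"{f.key}\n    {f.name!r} = {f.current!r}  ->  {f.action}")
```

Run against the embedded sample it reports thirteen findings, one per entry in the steps above, and leaves the benign ctfmon.exe entry alone. To use it on a real machine, export the relevant hives with Registry Editor (File > Export) and pass the file's text to `triage_text`; because the Winlogon checks match on the path fragment rather than on an exact string, they still fire when the dropped copy has been appended to a Shell or Userinit value that otherwise differs from the page's wording.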

Important Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected computers.

Users running other Windows versions can proceed with the succeeding solution set(s).

Running Trend Micro Antivirus

If you are currently running in safe mode, please restart your computer normally before performing the following solution.

Scan your computer with Trend Micro antivirus and delete files detected as BKDR_RBOT.ARM. To do this, Trend Micro customers must download the latest virus pattern file and scan their computer. Other Internet users can use HouseCall, the Trend Micro online virus scanner.



