Backdoor.Small.r, BackDoor.c trojan
Troj/Madr-C is a backdoor Trojan that allows a remote intruder access to and control of a victim's computer via IRC channels.
When first run, the Trojan sets its file attributes to read-only, system and hidden. The Trojan then copies itself to the folder <WINDOWS>\system and to the hidden folder <WINDOWS>\system32\wins.
In order to run automatically each time Windows is started, the Trojan sets the following registry entries:
Winlogon = <WINDOWS>\system\winlogon.exe
Winlogon = <WINDOWS>\system32\wins\WINLOGON.exe
Each time the Trojan is run it tries to connect to a remote IRC server and join specific channels using a random nickname. The Trojan then runs continuously in the background, listening on the channel for commands to execute.
Troj/Madr-C will attempt to terminate a number of anti-adware programs.
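As an added example (not part of the original description and not any vendor's tool), the Python code below checks autostart entries for the Troj/Madr-C persistence described above: a value whose data runs winlogon.exe from somewhere other than the genuine <WINDOWS>\System32 location. It goes slightly beyond the two paths listed by also flagging any other non-System32 folder. Assumptions: the page does not name the registry key, so the input is a list of (value name, data) pairs; the Windows directory C:\Windows, the function names and the sample entries are constructed for illustration.

```python
import ntpath
import re

WINDIR = r"C:\Windows"  # assumption: default Windows directory
# The genuine winlogon.exe lives only in <WINDOWS>\System32.
LEGIT_DIR = ntpath.join(WINDIR, "System32").lower()
# Folders the description names for Troj/Madr-C copies.
MADR_C_DIRS = {
    ntpath.join(WINDIR, "system").lower(),
    ntpath.join(WINDIR, "system32", "wins").lower(),
}
# Quoted path, or unquoted path ending in .exe, or first token as a fallback.
_EXE = re.compile(r'^\s*(?:"([^"]+)"|(.+?\.exe)(?=\s|$)|(\S+))', re.I)
_VAR = re.compile(r"%(systemroot|windir)%", re.I)


def image_path(command):
    """Return the normalised, lower-cased executable path of a command line."""
    m = _EXE.match(_VAR.sub(lambda _: WINDIR, command))
    if not m:
        return ""
    return ntpath.normpath(next(g for g in m.groups() if g)).lower()


def classify(command):
    """Return 'madr-c-path', 'masquerade' or None for one autostart command."""
    folder, exe = ntpath.split(image_path(command))
    if exe != "winlogon.exe" or folder == LEGIT_DIR:
        return None
    return "madr-c-path" if folder in MADR_C_DIRS else "masquerade"


# Constructed sample entries (value name, data); not taken from a real host.
SAMPLE = [
    ("Winlogon", r"C:\WINDOWS\system\winlogon.exe"),
    ("Winlogon", r'"%SystemRoot%\system32\wins\WINLOGON.exe" -s'),
    ("Updater", r"C:\Users\Public\winlogon.exe"),
    ("Shell", r"C:\Windows\System32\winlogon.exe"),
    ("Backup", r"C:\Program Files\Tool\backup.exe /quiet"),
]


def scan(entries):
    """Return (value_name, path, verdict) for every suspicious entry."""
    return [(n, image_path(c), classify(c)) for n, c in entries if classify(c)]


if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(*hit, sep="\t")
```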
W32/Rbot-DE is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
When the backdoor Trojan element receives the appropriate command from a remote user, W32/Rbot-DE spreads to network shares with weak passwords and via network security exploits.
W32/Rbot-DE copies itself to the Windows system folder as WINSYS32.EXE and creates entries at the following locations in the registry so as to run itself on system startup, trying to reset them every minute:
W32/Rbot-DE sets the following registry entries, trying to reset them every 2 minutes.