Backdoor.Rbot

By GoldSparrow in Backdoors

Translate To:

Threat Scorecard

Threat Level:	80 % (High)
Infected Computers:	490

First Seen:	July 24, 2009
Last Seen:	March 20, 2025
OS(es) Affected:	Windows

Backdoor.Rbot is a nasty backdoor Trojan for the Windows platform. Backdoor.Rbot propagates via local network shares, Plug-and-Play vulnerability and other browser security holes. Once executed, Backdoor.Rbot will allow a remote attacker to gain access and control over victim’s computer using a command prompt. This places any personal or financial information stored on your computer in severe jeopardy and represents a serious security risk.

Table of Contents

Aliases

15 security vendors flagged this file as malicious.

Antivirus Vendor	Detection
AhnLab-V3	Win-Trojan/Xema.variant
McAfee-GW-Edition	Heuristic.LooksLike.Win32.Winwebsec.B
AntiVir	TR/Agent.172032.BD
McAfee	Generic.dx!kvq
AVG	Win32/PolyCrypt
AhnLab-V3	Malware/Win32.Trojan Horse
Sophos	Mal/Packer
McAfee-GW-Edition	Heuristic.BehavesLike.Win32.Packed.B
AntiVir	PCK/YodaProt
Comodo	TrojWare.Win32.TrojanDownloader.Agent.accn
ClamAV	PUA.Packed.YodaProtector
NOD32	probably a variant of Win32/Agent.BTWMZCQ
McAfee	Generic.dx!mag
Symantec	Suspicious.Insight
Panda	Trj/Lineage.BZE

SpyHunter Detects & Remove Backdoor.Rbot

File System Details

Backdoor.Rbot may create the following file(s):

Expand All | Collapse All

#	File Name	MD5	Detections Detections: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
1.	LauncherG4.exe	ed2cf5843530083d5f59fc8408d0689c	139
Name: LauncherG4.exe MD5: ed2cf5843530083d5f59fc8408d0689c Size: 847.87 KB (847872 bytes) Detections: 139 Type: Executable File Path: %PROGRAMFILES(x86)%\RealFlightG4\LauncherG4.exe Group: Malware file Last Updated: March 20, 2025
2.	webxl.exe	5aa14df443bed4044270376a92335c07	86
Name: webxl.exe MD5: 5aa14df443bed4044270376a92335c07 Size: 98.3 KB (98304 bytes) Detections: 86 Type: Executable File Path: %PROGRAMFILES%\Web Accelerator Group: Malware file Last Updated: January 8, 2013
3.	laplink.exe	acfd7e28bc4596d93a8021a95abe6045	19
Name: laplink.exe MD5: acfd7e28bc4596d93a8021a95abe6045 Size: 1.62 MB (1626112 bytes) Detections: 19 Type: Executable File Path: %PROGRAMFILES%\LapLink Gold Group: Malware file Last Updated: October 20, 2018
4.	ASMonitor.exe	e555cc1631373c69235864b11d423e5f	19
Name: ASMonitor.exe MD5: e555cc1631373c69235864b11d423e5f Size: 684.54 KB (684544 bytes) Detections: 19 Type: Executable File Path: %PROGRAMFILES%\ASMonitor Group: Malware file Last Updated: November 30, 2019
5.	gamexl.exe	284258b9aa54d6eac529e7ab5a2cc72d	13
Name: gamexl.exe MD5: 284258b9aa54d6eac529e7ab5a2cc72d Size: 172.03 KB (172032 bytes) Detections: 13 Type: Executable File Path: C:\Program Files (x86)\Game Accelerator\gamexl.exe Group: Malware file Last Updated: August 13, 2023
6.	jjiwyfaif.exe	f90bf8b3287e4d2ed903d5670b9e5301	10
Name: jjiwyfaif.exe MD5: f90bf8b3287e4d2ed903d5670b9e5301 Size: 80.38 KB (80384 bytes) Detections: 10 Type: Executable File Group: Malware file Last Updated: September 5, 2020
7.	c9x1l2m7z.exe	ad7621465b6ff769a0b66faf6c59f35e	6
Name: c9x1l2m7z.exe MD5: ad7621465b6ff769a0b66faf6c59f35e Size: 1.39 MB (1394688 bytes) Detections: 6 Type: Executable File Path: %WINDIR%\system32 Group: Malware file Last Updated: January 24, 2011
8.	MsnSys.exe	4cddb846c5005415c8479935003dd08d	6
Name: MsnSys.exe MD5: 4cddb846c5005415c8479935003dd08d Size: 241.66 KB (241664 bytes) Detections: 6 Type: Executable File Path: %USERPROFILE%\AppData Group: Malware file Last Updated: January 5, 2013
9.	slvhost.exe	b105c0b1dbd44c9377fb53323a54314a	5
Name: slvhost.exe MD5: b105c0b1dbd44c9377fb53323a54314a Size: 933.88 KB (933888 bytes) Detections: 5 Type: Executable File Path: C:\Windows\SysWOW64\slvhost.exe Group: Malware file Last Updated: February 22, 2023
10.	Imagen5.exe	100c01b816ddc64bfb556732a137526e	5
Name: Imagen5.exe MD5: 100c01b816ddc64bfb556732a137526e Size: 217.08 KB (217088 bytes) Detections: 5 Type: Executable File Path: %ALLUSERSPROFILE%\Dados de aplicativos Group: Malware file Last Updated: June 6, 2011
11.	iwbiej.exe	e6de564d9fe19589dd0b173c67cfbf9d	4
Name: iwbiej.exe MD5: e6de564d9fe19589dd0b173c67cfbf9d Size: 282.62 KB (282624 bytes) Detections: 4 Type: Executable File Path: %WINDIR%\system32 Group: Malware file Last Updated: March 14, 2011
12.	Albino3Installer301.exe	5c77796ec28de0a64ea8e417be02e225	4
Name: Albino3Installer301.exe MD5: 5c77796ec28de0a64ea8e417be02e225 Size: 21.5 KB (21504 bytes) Detections: 4 Type: Executable File Path: %APPDATA% Group: Malware file Last Updated: November 6, 2012
13.	pkecbowpv.exe	f95893f180fd8fed16f27b13790382dd	3
Name: pkecbowpv.exe MD5: f95893f180fd8fed16f27b13790382dd Size: 80.38 KB (80384 bytes) Detections: 3 Type: Executable File Group: Malware file Last Updated: March 7, 2023
14.	dragonage.exe	7c5ef2a797028ab9b312b263e30ea6e5	1
Name: dragonage.exe MD5: 7c5ef2a797028ab9b312b263e30ea6e5 Size: 111.61 KB (111616 bytes) Detections: 1 Type: Executable File Group: Malware file Last Updated: January 10, 2022
15.	kbqoog.exe	1998e8df756d372160c8515e26dfb71d	1
Name: kbqoog.exe MD5: 1998e8df756d372160c8515e26dfb71d Size: 919.67 KB (919670 bytes) Detections: 1 Type: Executable File Group: Malware file Last Updated: December 8, 2010
16.	winsystems.exe	0391e9796711cdd1ffd60d6a552c47c4	1
Name: winsystems.exe MD5: 0391e9796711cdd1ffd60d6a552c47c4 Size: 67.06 KB (67064 bytes) Detections: 1 Type: Executable File Path: %WINDIR%\system32 Group: Malware file Last Updated: July 19, 2012
17.	wuitgurd.exe	f3f75ca1d0b8182203a35ff6af84cfe7	1
Name: wuitgurd.exe MD5: f3f75ca1d0b8182203a35ff6af84cfe7 Size: 72.83 KB (72835 bytes) Detections: 1 Type: Executable File Group: Malware file Last Updated: January 24, 2011
18.	Winnet32.exe	8ee14d82b761e6e3a340d1c84f4b3ba2	1
Name: Winnet32.exe MD5: 8ee14d82b761e6e3a340d1c84f4b3ba2 Size: 249.34 KB (249344 bytes) Detections: 1 Type: Executable File Path: %USERPROFILE%\AppData Group: Malware file Last Updated: December 7, 2010
19.	sabhost.exe	449aa6e148987f191c673de3b2a65f31	1
Name: sabhost.exe MD5: 449aa6e148987f191c673de3b2a65f31 Size: 933.88 KB (933888 bytes) Detections: 1 Type: Executable File Group: Malware file Last Updated: March 26, 2012
20.	w32serv.exe	cf61065b0773225676217d6fc1b1701e	1
Name: w32serv.exe MD5: cf61065b0773225676217d6fc1b1701e Size: 1.06 MB (1069056 bytes) Detections: 1 Type: Executable File Path: %WINDIR%\system32 Group: Malware file Last Updated: November 30, 2010
21.	delta.exe	6040da4aa1430c853dc8b67f2157da62	1
Name: delta.exe MD5: 6040da4aa1430c853dc8b67f2157da62 Size: 39.42 KB (39424 bytes) Detections: 1 Type: Executable File Path: %WINDIR%\system32 Group: Malware file Last Updated: December 9, 2010
22.	svho0st98.exe	2d4d9f0eb02175f31216a8ee672e938f	0
Name: svho0st98.exe MD5: 2d4d9f0eb02175f31216a8ee672e938f Size: 246.78 KB (246784 bytes) Detections: 0 Type: Executable File Group: Malware file Last Updated: December 11, 2009
23.	rBot.exe	6e1c383159866fd6011bda7bb97f4c8d	0
Name: rBot.exe MD5: 6e1c383159866fd6011bda7bb97f4c8d Size: 456.29 KB (456291 bytes) Detections: 0 Type: Executable File Group: Malware file Last Updated: December 11, 2009
24.	taskmnegr.exe	c53c08120fb41a9242bf69c4c9d23c39	0
Name: taskmnegr.exe MD5: c53c08120fb41a9242bf69c4c9d23c39 Size: 196.6 KB (196608 bytes) Detections: 0 Type: Executable File Group: Malware file Last Updated: December 11, 2009
25.	svchost.exe	d1bf9cb050e99866007d3f91b54ad231	0
Name: svchost.exe MD5: d1bf9cb050e99866007d3f91b54ad231 Size: 290.82 KB (290825 bytes) Detections: 0 Type: Executable File Group: Malware file Last Updated: December 11, 2009
26.	mskeyboardrun.exe	3ef1313c66932a18620e8180c3aa3930	0
Name: mskeyboardrun.exe MD5: 3ef1313c66932a18620e8180c3aa3930 Size: 68.09 KB (68096 bytes) Detections: 0 Type: Executable File Group: Malware file Last Updated: December 11, 2009
27.	msn.exe	51231178888e36983d36443dbe753778	0
Name: msn.exe MD5: 51231178888e36983d36443dbe753778 Size: 902.14 KB (902144 bytes) Detections: 0 Type: Executable File Group: Malware file Last Updated: January 8, 2010
28.	lsass.exe	d5991f0c78e63d2409e39e071bf5d831	0
Name: lsass.exe MD5: d5991f0c78e63d2409e39e071bf5d831 Size: 81.92 KB (81920 bytes) Detections: 0 Type: Executable File Group: Malware file Last Updated: February 23, 2010

More files

Analysis Report

General information

Family Name:	Trojan.Rbot
Signature status:	Root Not Trusted

Known Samples

MD5: c0d7542ca87de3c5ab1aa2939ec81a32

SHA1: a81fff1b699ece66baa480a34aa7455ba7b3c05d

SHA256: 8A2B37C69D0563F8CAE330FA0E699F9497DB5D42CAC922CDF9B4E49834FF5DAE

File Size: 178.11 KB, 178112 bytes

Windows Portable Executable Attributes

File doesn't have "Rich" header
File doesn't have debug information
File doesn't have exports table
File doesn't have relocations information
File is 32-bit executable
File is either console or GUI application
File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
File is Native application (NOT .NET application)
File is not packed
IMAGE_FILE_DLL is not set inside PE header (Executable)

IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Digital Signatures

Signer	Root	Status
Firefly Global, LLC	AddTrust External CA Root	Root Not Trusted
Firefly Global, LLC	AddTrust External CA Root	Root Not Trusted

File Traits

Files Modified

File	Attributes
\device\namedpipe	Generic Read,Write Attributes
\device\namedpipe	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\devmanview.exe	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\devmanview64.exe	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\driveruninstall_combined.cmd	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsge542.tmp\nsexec.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\uninstall.iss	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\uninstall_twain.iss	Generic Write,Read Attributes

Registry Modifications

Key::Value	Data	API Name
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	蟝囝㙕ǜ	RegNtPreCreateKey

Windows API Usage

Category	API
Anti Debug	IsDebuggerPresent
User Data Access	GetUserObjectInformation
Process Shell Execute	CreateProcess
Syscall Use	ntdll.dll!NtAccessCheck ntdll.dll!NtAddAtomEx ntdll.dll!NtAlertThreadByThreadId ntdll.dll!NtAlpcSendWaitReceivePort ntdll.dll!NtApphelpCacheControl ntdll.dll!NtClearEvent ntdll.dll!NtClose ntdll.dll!NtConnectPort ntdll.dll!NtCreateEvent ntdll.dll!NtCreateFile Show More ntdll.dll!NtCreateMutant ntdll.dll!NtCreateSection ntdll.dll!NtCreateSemaphore ntdll.dll!NtDuplicateObject ntdll.dll!NtDuplicateToken ntdll.dll!NtEnumerateKey ntdll.dll!NtEnumerateValueKey ntdll.dll!NtFreeVirtualMemory ntdll.dll!NtMapViewOfSection ntdll.dll!NtOpenFile ntdll.dll!NtOpenKey ntdll.dll!NtOpenKeyEx ntdll.dll!NtOpenProcessToken ntdll.dll!NtOpenProcessTokenEx ntdll.dll!NtOpenSection ntdll.dll!NtOpenSemaphore ntdll.dll!NtOpenThreadTokenEx ntdll.dll!NtProtectVirtualMemory ntdll.dll!NtQueryAttributesFile ntdll.dll!NtQueryDefaultLocale ntdll.dll!NtQueryInformationFile ntdll.dll!NtQueryInformationProcess ntdll.dll!NtQueryInformationThread ntdll.dll!NtQueryInformationToken ntdll.dll!NtQueryKey ntdll.dll!NtQueryLicenseValue ntdll.dll!NtQueryPerformanceCounter ntdll.dll!NtQuerySecurityAttributesToken ntdll.dll!NtQueryValueKey ntdll.dll!NtQueryVirtualMemory ntdll.dll!NtQueryVolumeInformationFile ntdll.dll!NtQueryWnfStateData ntdll.dll!NtReadFile ntdll.dll!NtReleaseMutant ntdll.dll!NtReleaseSemaphore ntdll.dll!NtReleaseWorkerFactoryWorker ntdll.dll!NtRequestWaitReplyPort ntdll.dll!NtSetEvent ntdll.dll!NtSetInformationKey ntdll.dll!NtSetInformationProcess ntdll.dll!NtSetInformationVirtualMemory ntdll.dll!NtSubscribeWnfStateChange ntdll.dll!NtTestAlert ntdll.dll!NtTraceControl ntdll.dll!NtUnmapViewOfSection ntdll.dll!NtUnmapViewOfSectionEx ntdll.dll!NtWaitForAlertByThreadId ntdll.dll!NtWaitForSingleObject ntdll.dll!NtWaitForWorkViaWorkerFactory ntdll.dll!NtWaitLowEventPair ntdll.dll!NtWorkerFactoryWorkerReady ntdll.dll!NtWriteFile ntdll.dll!NtWriteVirtualMemory win32u.dll!NtGdiAnyLinkedFonts win32u.dll!NtGdiBitBlt win32u.dll!NtGdiCreateBitmap win32u.dll!NtGdiCreateCompatibleBitmap win32u.dll!NtGdiCreateCompatibleDC win32u.dll!NtGdiCreateDIBitmapInternal win32u.dll!NtGdiCreateRectRgn win32u.dll!NtGdiCreateSolidBrush win32u.dll!NtGdiDeleteObjectApp win32u.dll!NtGdiDoPalette win32u.dll!NtGdiDrawStream win32u.dll!NtGdiExtGetObjectW win32u.dll!NtGdiExtTextOutW win32u.dll!NtGdiFontIsLinked win32u.dll!NtGdiGetCharABCWidthsW win32u.dll!NtGdiGetDCDword win32u.dll!NtGdiGetDCforBitmap win32u.dll!NtGdiGetDCObject win32u.dll!NtGdiGetDeviceCaps win32u.dll!NtGdiGetDIBitsInternal win32u.dll!NtGdiGetEntry win32u.dll!NtGdiGetFontData win32u.dll!NtGdiGetGlyphIndicesW win32u.dll!NtGdiGetOutlineTextMetricsInternalW win32u.dll!NtGdiGetRandomRgn win32u.dll!NtGdiGetRealizationInfo win32u.dll!NtGdiGetTextFaceW win32u.dll!NtGdiGetTextMetricsW win32u.dll!NtGdiGetWidthTable win32u.dll!NtGdiHfontCreate win32u.dll!NtGdiIntersectClipRect win32u.dll!NtGdiQueryFontAssocInfo win32u.dll!NtGdiRestoreDC win32u.dll!NtGdiSaveDC win32u.dll!NtGdiSelectBitmap win32u.dll!NtGdiSetDIBitsToDeviceInternal win32u.dll!NtGdiSetLayout 63 additional items are not displayed above.
Other Suspicious	AdjustTokenPrivileges

Shell Command Execution


							"C:\Users\Ztfecmdq\AppData\Local\Temp\DriverUninstall_Combined.cmd"


							C:\WINDOWS\system32\reg.exe reg  Query "HKLM\Hardware\Description\System\CentralProcessor\0"


							C:\WINDOWS\system32\find.exe find  /i "x86"


							C:\Users\Ztfecmdq\AppData\Local\Temp\devmanview64.exe "DevManView64.exe"  /disable "Wireless Digital Microscope"

Backdoor.Rbot

Threat Scorecard

EnigmaSoft Threat Scorecard

Aliases

SpyHunter Detects & Remove Backdoor.Rbot

File System Details

Analysis Report

General information

Known Samples

Known Samples

Windows Portable Executable Attributes

Windows Portable Executable Attributes

File Icons

File Icons

Digital Signatures

Digital Signatures

File Traits

Files Modified

Files Modified

Registry Modifications

Registry Modifications

Windows API Usage

Windows API Usage

Shell Command Execution

Shell Command Execution

Submit Comment

Related Posts

Trending

Most Viewed