
System Infected: Trojan.Tbot Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects Trojan.Tbot activity on compromised computers.

Additional Information

When the Trojan is executed, it creates the following files:
C:\Documents and Settings\Administrator\Application Data\[RANDOM CHARACTERS FOLDER NAME]\[RANDOM CHARACTERS FILE NAME].exe
C:\Documents and Settings\Administrator\Application Data\[RANDOM CHARACTERS FOLDER NAME]\[RANDOM CHARACTERS FILE NAME].tmp
C:\Documents and Settings\Administrator\Application Data\[RANDOM CHARACTERS FOLDER NAME]\[RANDOM CHARACTERS FILE NAME].upp
C:\Documents and Settings\Administrator\Application Data\tor\cached-certs
C:\Documents and Settings\Administrator\Application Data\tor\cached-consensus
C:\Documents and Settings\Administrator\Application Data\tor\cached-descriptors
C:\Documents and Settings\Administrator\Application Data\tor\cached-descriptors.new
C:\Documents and Settings\Administrator\Application Data\tor\hidden_service\hostname
C:\Documents and Settings\Administrator\Application Data\tor\hidden_service\private_key
C:\Documents and Settings\Administrator\Application Data\tor\lock
C:\Documents and Settings\Administrator\Application Data\tor\state
C:\Documents and Settings\Administrator\Local Settings\Temp\OpenCL.dll

The Trojan then creates the following registry entry:
HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Windows\CurrentVersion\Run\{58918AFF-36B7-5CDE-6038-278B35A6192F}: "C:\Documents and Settings\Administrator\Application Data\[RANDOM CHARACTERS FOLDER NAME]\[RANDOM CHARACTERS FILE NAME].exe"
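As an added example (this is not part of the Symantec write-up and not Symantec's detection logic), the following Python script turns the file and registry indicators listed above into an offline triage check. It runs over a constructed inventory of paths and per-user Run values: the folder `qzxwvutr` and file name `kplmnbvc` stand in for the random names the advisory describes, and the matching rules (Tor client artifacts under `Application Data\tor`, an `.exe` with a `.tmp`/`.upp` sibling one level under `Application Data`, a GUID-named Run value pointing into `Application Data`, `OpenCL.dll` in the Temp folder) are heuristics written for this example. On a real host you would feed it the results of a directory walk and a Run-key enumeration instead of the sample lists.

```python
import re
from typing import Dict, Iterable, List, Sequence, Set, Tuple

# Constructed sample data (not from a real host). Layout follows the advisory's
# Windows XP/2003-style profile paths; the random names are placeholders.
SAMPLE_FILES = [
    r"C:\Documents and Settings\Administrator\Application Data\tor\hidden_service\hostname",
    r"C:\Documents and Settings\Administrator\Application Data\tor\hidden_service\private_key",
    r"C:\Documents and Settings\Administrator\Application Data\tor\cached-consensus",
    r"C:\Documents and Settings\Administrator\Application Data\qzxwvutr\kplmnbvc.exe",
    r"C:\Documents and Settings\Administrator\Application Data\qzxwvutr\kplmnbvc.upp",
    r"C:\Documents and Settings\Administrator\Local Settings\Temp\OpenCL.dll",
    r"C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\normal.dot",
]

# Constructed per-user Run values as (value name, command) pairs. The GUID value
# name is the one quoted in the advisory; ctfmon.exe is a benign control entry.
SAMPLE_RUN_VALUES = [
    ("{58918AFF-36B7-5CDE-6038-278B35A6192F}",
     r'"C:\Documents and Settings\Administrator\Application Data\qzxwvutr\kplmnbvc.exe"'),
    ("ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
]

# Tor client files named in the advisory, relative to Application Data\tor\.
TOR_ARTIFACTS = {
    "cached-certs", "cached-consensus", "cached-descriptors",
    "cached-descriptors.new", "lock", "state",
    r"hidden_service\hostname", r"hidden_service\private_key",
}

# <folder>\<name>.<ext> directly under Application Data, alphanumeric names only.
PAYLOAD_RE = re.compile(r"^([a-z0-9]+)\\([a-z0-9]+)\.(exe|tmp|upp)$", re.I)
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)


def _appdata_tail(path: str):
    """Return the part of `path` after '\\Application Data\\', or None if absent."""
    marker = "\\application data\\"
    i = path.lower().find(marker)
    return None if i < 0 else path[i + len(marker):]


def tor_artifacts(paths: Iterable[str]) -> List[str]:
    """Paths that are Tor client state files under the user's Application Data."""
    hits = []
    for p in paths:
        tail = _appdata_tail(p)
        if tail is None:
            continue
        low = tail.lower()
        if low.startswith("tor\\") and low[len("tor\\"):] in TOR_ARTIFACTS:
            hits.append(p)
    return hits


def dropped_payload_sets(paths: Iterable[str]) -> Dict[Tuple[str, str], Set[str]]:
    """Group <folder>\\<name>.{exe,tmp,upp} files one level under Application Data
    and keep only stems that have an .exe plus at least one sibling extension."""
    groups: Dict[Tuple[str, str], Set[str]] = {}
    for p in paths:
        tail = _appdata_tail(p)
        m = PAYLOAD_RE.match(tail) if tail else None
        if m:
            key = (m.group(1).lower(), m.group(2).lower())
            groups.setdefault(key, set()).add(m.group(3).lower())
    return {k: exts for k, exts in groups.items() if "exe" in exts and len(exts) > 1}


def suspicious_run_values(run_values: Sequence[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Run values whose name is a bare GUID and whose target is an .exe under Application Data."""
    hits = []
    for name, command in run_values:
        exe = command.strip().strip('"')
        if GUID_RE.match(name) and _appdata_tail(exe) and exe.lower().endswith(".exe"):
            hits.append((name, exe))
    return hits


def temp_opencl(paths: Iterable[str]) -> List[str]:
    """OpenCL.dll dropped into the profile's Temp folder (miner component staging)."""
    return [p for p in paths if p.lower().endswith(r"\local settings\temp\opencl.dll")]


def report(paths: Sequence[str], run_values: Sequence[Tuple[str, str]]) -> Dict[str, object]:
    """Collect all indicator hits into one dictionary for the analyst."""
    return {
        "tor_artifacts": tor_artifacts(paths),
        "dropped_payloads": dropped_payload_sets(paths),
        "run_persistence": suspicious_run_values(run_values),
        "temp_opencl": temp_opencl(paths),
    }


if __name__ == "__main__":
    for category, hits in report(SAMPLE_FILES, SAMPLE_RUN_VALUES).items():
        print(f"{category}: {hits}")
```

The `hidden_service\hostname` and `private_key` pair is the strongest of these signals on a workstation, since a Tor hidden service in a user profile has no normal business use; the `.exe`/`.upp` sibling rule and the GUID-named Run value are weaker on their own and are best read together with it.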

The Trojan copies itself to the following location:
%UserProfile%\Application Data

The Trojan creates files and a directory with random names and renames itself with a random string.

The Trojan injects itself into an svchost.exe process and terminates the original process.

The Trojan connects to an IRC channel and receives commands that may perform the following actions:
Steal information from the compromised computer and send it to the remote attacker
Download and execute files from a remote location
Download and inject files into a running process
Connect to an arbitrary URL
Set up a SOCKS proxy
Support denial-of-service attacks

The Trojan drops the following files:
Tor: A network client for the Tor anonymous network that is used to route and hide all the network traffic
Trojan.Zbot: An additional threat installed by Trojan.Tbot
CGMiner: An open-source bitcoin mining tool used for performing CPU-intensive work in exchange for Bitcoin currency

Affected

  • Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP