IMPORTANT: this page is MESSY. Multiple versions of the virus have been reported, but the number of versions isn't confirmed; a news article from December 2007 states that more than 10 exist.

The "Behavior" section gives a general description of the virus but doesn't cover how each version differs, because of the lack of documentation (I'm looking into this though).

The Robot Dog (机器狗) virus is a computer worm from the late 2000s which mostly affected Windows users.

Allegedly, the earliest known report of it dates from the 29th of August, 2007 (one article gives the 5th of September, 2007 as the date on which Jiangmin, an anti-virus company, first analyzed(?) the virus). Various wiki pages say that the virus was first reported, with evidence of its existence, on a forum.

Most of the affected users were in China. The icon of the virus resembles an 11x AIBO robot dog by Sony.

There are multiple versions of the Robot Dog virus, and I'm not sure whether they all differ in functionality. I've tried to list whatever information I could find on each version.

Behavior

Most sources reporting on the virus (without distinguishing between versions) state that it spreads to other computers on the same network via ARP spoofing and can bring the network to a standstill; it has affected networks in schools and internet cafes. Once executed, it drops a driver called pcihdd.sys, which infects the system file userinit.exe in an attempt to prevent restore points from being used to eliminate the virus. The malware exploits two vulnerabilities, each of which could allow a computer to be controlled remotely without permission: MS06-014 (the MDAC RDS.DataSpace ActiveX control flaw) and MS07-017 (the GDI bulletin that covered the animated cursor, .ani, flaw).
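The ARP spoofing mentioned above is visible on the wire: the spoofing host answers for the gateway's IP with its own MAC, so the same IP is seen with more than one MAC within a short window, the gateway's MAC on record changes, and the spoofer usually stands out by reply volume. The following is an added example of those three checks, written for this page and not taken from any source it cites; the ARP replies, addresses and MACs are constructed for the demonstration, and in practice would come from a packet capture or from periodically reading the ARP cache.

```python
"""Spotting the ARP spoofing the worm uses to reach other hosts on a LAN.

Added example, not from the page or its sources. Replies, IPs and MACs below
are constructed; in practice they come from a capture or the ARP cache.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    t: float   # seconds since the capture started
    ip: str    # sender protocol address: the IP this reply claims to own
    mac: str   # sender hardware address: the MAC making the claim


def ip_mac_conflicts(replies, window=60.0):
    """Map each IP claimed by more than one MAC within `window` seconds to the
    sorted list of those MACs. Legitimate MAC changes (a replaced NIC) are
    spread over time; a spoofer overlaps with the real owner."""
    by_ip = defaultdict(list)
    for r in sorted(replies, key=lambda r: r.t):
        by_ip[r.ip].append((r.t, r.mac.lower()))
    conflicts = {}
    for ip, seen in by_ip.items():
        macs = set()
        for i, (t, _) in enumerate(seen):
            recent = {m for (u, m) in seen[: i + 1] if u >= t - window}
            if len(recent) > 1:
                macs |= recent
        if macs:
            conflicts[ip] = sorted(macs)
    return conflicts


def gateway_hijacked(replies, gateway_ip, known_mac):
    """Return the first reply claiming the gateway IP with a MAC other than the
    one on record, or None if the gateway's MAC never changed."""
    for r in sorted(replies, key=lambda r: r.t):
        if r.ip == gateway_ip and r.mac.lower() != known_mac.lower():
            return r
    return None


def reply_rate(replies, per=1.0):
    """Peak number of replies per MAC in any `per`-second bucket. A host
    flooding gratuitous replies stands out here even before a conflict shows."""
    buckets = defaultdict(int)
    for r in replies:
        buckets[(r.mac.lower(), int(r.t // per))] += 1
    peak = defaultdict(int)
    for (mac, _), n in buckets.items():
        peak[mac] = max(peak[mac], n)
    return dict(peak)


GATEWAY = "192.168.1.1"                 # constructed
GATEWAY_MAC = "aa:bb:cc:dd:ee:01"       # constructed
ATTACKER_MAC = "00:11:22:33:44:55"      # constructed

# Constructed capture: the real gateway answering every 10 s, one ordinary
# host, then a spoofer claiming the gateway IP at ten replies per second.
SAMPLE_REPLIES = (
    [ArpReply(t, GATEWAY, GATEWAY_MAC) for t in (0.0, 10.0, 20.0)]
    + [ArpReply(5.0, "192.168.1.50", "aa:bb:cc:dd:ee:50")]
    + [ArpReply(30.0 + i / 10, GATEWAY, ATTACKER_MAC) for i in range(30)]
)

if __name__ == "__main__":
    print(ip_mac_conflicts(SAMPLE_REPLIES))
    print(gateway_hijacked(SAMPLE_REPLIES, GATEWAY, GATEWAY_MAC))
    print(reply_rate(SAMPLE_REPLIES))
```

The window matters: with the default 60 s the gateway's real replies at 0, 10 and 20 s overlap the spoofer's burst at 30 s and the conflict is reported, whereas a 5 s window sees only one MAC at a time and reports nothing, so on a quiet LAN the window should be longer than the gateway's ARP cache lifetime.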

Detailed Description

This description may not apply to every version of the virus. A blog post shared via blog.51cto.com on the 22nd of September, 2007, describes how it behaves. URLs mentioned here and in the blog post are censored.

The chain starts with a malicious file called down.exe being downloaded. The file is 37,888 bytes and has the SHA1 hash 7DA3B63227D556619CFCA2F73E553873B9EE596E, the MD5 hash D1622CB6B28D5239DE0FB22D44FB5C6D and the CRC32 checksum D795BAE2.

After execution, a file called 1.vbs is generated in the %temp% directory and run with wscript.exe.

Stopping the Antivirus & Firewall

A file is downloaded from http://*/down/fuzhu/ruixing.exe to C:\WINDOWS\Help\ruixing.exe (ruixing is the pinyin spelling of 瑞星, the Chinese anti-virus vendor Rising).

Simulated keystrokes are used to keep the firewall and antivirus from functioning effectively. I don't know whether they come from the VBS file or from ruixing.exe.

Modifying the Hosts File

A file is downloaded from http://*/down/fuzhu/Hosts.exe.

The Windows hosts file is then rewritten according to the contents of a text file fetched from http://*/okla.txt.

Ending Other Security Processes

Security processes such as those below are terminated using ntsd (the debugger shipped with Windows; attaching it to a process and immediately quitting, ntsd -c q -p <PID>, kills that process):

Download Trojans

Trojans are downloaded from the following URLs:

They are saved as jopen1.exe and jopen14.exe respectively. The interval between the two downloads was reported to be 1000 ms.

Executing the Trojans

jopen1.exe and jopen14.exe are then run by wscript.exe, with a reported interval of 1000 ms between the two executions.

After execution they generate further files, including (but not limited to) the following:
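Taken together, the artefacts named in this description (the dropped file names, the ruixing.exe drop path, the size and hashes of down.exe, the rewritten hosts file and the ntsd-based process killing) are enough for a simple host-side triage script. The following is an added example of such checks, written for this page rather than taken from the blog post or any other source it cites. The indicator values come from the description above; the file inventory, the hosts file and the command lines fed to the checks are constructed for the demonstration, as is the example-av.test domain.

```python
"""Host-based checks for the down.exe chain described above.

Added example, not code from the page or its sources. Indicator values are
from the description above; the inventory, hosts file, command lines and
the example-av.test domain are constructed for the demonstration.
"""
import hashlib
import ipaddress
import re
from pathlib import PureWindowsPath

DOWN_EXE_SIZE = 37_888
DOWN_EXE_MD5 = "d1622cb6b28d5239de0fb22d44fb5c6d"
DOWN_EXE_SHA1 = "7da3b63227d556619cfca2f73e553873b9ee596e"

# Files the chain drops or downloads; compared case-insensitively, as NTFS
# file names are.
CHAIN_FILES = {"down.exe", "1.vbs", "ruixing.exe", "hosts.exe",
               "jopen1.exe", "jopen14.exe", "pcihdd.sys"}

# Stock hosts entries on a Windows box; anything else is reported.
DEFAULT_HOSTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def file_hashes(data: bytes) -> tuple[str, str]:
    """MD5 and SHA-1 of file content as lower-case hex, the form used above."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def check_inventory(inventory: dict) -> list:
    """inventory maps a path to (size, md5, sha1); returns (path, reason) pairs.

    A hash match identifies the known down.exe sample. A down.exe of the
    reported size with a different hash is reported as a possible variant
    rather than ignored. A bare name match is the weakest signal (jopen1.exe
    could be anything) and is labelled as such.
    """
    findings = []
    for path, (size, md5, sha1) in inventory.items():
        name = PureWindowsPath(path).name.lower()
        if md5.lower() == DOWN_EXE_MD5 or sha1.lower() == DOWN_EXE_SHA1:
            findings.append((path, "hash matches the known down.exe sample"))
        elif name == "down.exe" and size == DOWN_EXE_SIZE:
            findings.append((path, "down.exe of the reported size but a different hash (possible variant)"))
        elif name in CHAIN_FILES:
            findings.append((path, "file name " + name + " belongs to the down.exe chain"))
    return findings


def hosts_entries(text: str) -> list:
    """Parse hosts file text into (address, hostname) pairs, skipping comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        address, *hosts = line.split()
        try:
            ipaddress.ip_address(address)
        except ValueError:
            continue  # not an address; leave malformed lines to a human
        entries.extend((address, h.lower()) for h in hosts)
    return entries


def suspicious_hosts_entries(text: str) -> list:
    """Entries other than the stock localhost lines. Pointing a vendor's update
    host at 127.0.0.1 or 0.0.0.0 is the usual way a hosts rewrite blocks AV updates."""
    return [e for e in hosts_entries(text) if e not in DEFAULT_HOSTS]


def is_ntsd_kill(cmdline: str) -> bool:
    """True for 'ntsd -c q -p <pid>' in any argument order: attaching the
    debugger and quitting at once terminates the target process."""
    if not re.search(r"(?:^|[^\w.])ntsd(?:\.exe)?(?![\w.])", cmdline, re.I):
        return False
    quits = re.search(r"(?:^|\s)-c\s+q(?![\w.])", cmdline, re.I)
    pid = re.search(r"(?:^|\s)-p\s+\d+(?![\w.])", cmdline, re.I)
    return quits is not None and pid is not None


# Constructed sample data; sizes and hashes other than down.exe's are made up.
SAMPLE_INVENTORY = {
    r"C:\Documents and Settings\user\Local Settings\Temp\1.vbs": (1_024, "00" * 16, "00" * 20),
    r"C:\WINDOWS\Help\ruixing.exe": (20_480, "11" * 16, "11" * 20),
    r"C:\WINDOWS\Temp\down.exe": (DOWN_EXE_SIZE, DOWN_EXE_MD5, DOWN_EXE_SHA1),
    r"D:\share\down.exe": (DOWN_EXE_SIZE, "ff" * 16, "ff" * 20),
    r"C:\WINDOWS\system32\notepad.exe": (69_120, "aa" * 16, "aa" * 20),
}
SAMPLE_HOSTS = """\
# constructed hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.example-av.test   # sinkholed update server
0.0.0.0         www.example-av.test
"""
SAMPLE_CMDLINES = [
    r"C:\WINDOWS\system32\ntsd.exe -c q -p 1760",
    "ntsd -p 1204 -c q",
    "ntsd -g -G -p 1204",   # a plain debugger attach, no quit command
    "notepad.exe hosts",
]

if __name__ == "__main__":
    for path, reason in check_inventory(SAMPLE_INVENTORY):
        print(path, "->", reason)
    print(suspicious_hosts_entries(SAMPLE_HOSTS))
    print([is_ntsd_kill(c) for c in SAMPLE_CMDLINES])
```

On a real machine the inventory would be built by walking %temp%, C:\WINDOWS\Help and the system directory and feeding each file's bytes to file_hashes; the name-only matches are there to catch the chain's other pieces, whose hashes the blog post does not give, and should be read as leads rather than confirmation.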

Names

Below is a list of names under which the virus is detected. Links have been added as proof that the names exist.
Robot Variant AZ (机器狗变种AZ)
Trojan.Win32.Edog.az
Machinedog.dr
Trojan:Win32/Dogrobot.gen!A

Robot Variant AZ

This variant of the Robot Dog virus seems to have been first reported in December 2008.

Trojan:Win32/Dogrobot.gen!_

Variants

Names ending in letters such as 'f' and 'g' are missing; either versions with these names don't exist, weren't released, or aren't documented.

Sources