W32/Rbot-JZ

Category: Viruses and Spyware
Type: Win32 worm
Prevalence:


W32/Rbot-JZ is a network worm and backdoor for the Windows platform.

The worm spreads by copying itself to network shares with weak passwords and exploiting the Lsass vulnerability (MS04-011).

The backdoor component connects to a predefined IRC server and waits for instructions from a remote attacker.

When run, the worm copies itself to msnmsgr.exe in the Windows system folder and adds the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Msn Messengers = "msnmsgr.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Msn Messengers = "msnmsgr.exe"

HKLM\System\CurrentControlSet\Control\Lsa\
Msn Messengers = "msnmsgr.exe"

HKLM\Software\Microsoft\Ole\
Msn Messengers = "msnmsgr.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Msn Messengers = "msnmsgr.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices\
Msn Messengers = "msnmsgr.exe"

HKCU\System\CurrentControlSet\Control\Lsa\
Msn Messengers = "msnmsgr.exe"

HKCU\Software\Microsoft\Ole\
Msn Messengers = "msnmsgr.exe"
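
The registry entries listed above can be checked for offline in a text registry export. The following is an added example, not part of the original write-up or any vendor tool: the function name, the sample export and the benign "MsnMsgr" look-alike line in it are constructed for illustration.

```python
import re

# Indicators taken from the write-up above.
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
SUBKEYS = [
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"System\CurrentControlSet\Control\Lsa",
    r"Software\Microsoft\Ole",
]
VALUE_NAME, VALUE_DATA = "Msn Messengers", "msnmsgr.exe"
# Exports spell hive names out in full; registry paths are case-insensitive.
WATCHED = {f"{full}\\{sub}".lower(): f"{short}\\{sub}"
           for short, full in HIVES.items() for sub in SUBKEYS}
SECTION = re.compile(r"^\[(.+)\]$")
STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(text):
    """Undo .reg backslash escaping inside a quoted string."""
    return re.sub(r"\\(.)", r"\1", text)

def find_rbot_jz_entries(reg_text):
    """Return the watched keys (short form) that hold the worm's value."""
    hits, current = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        section = SECTION.match(line)
        if section:
            current = WATCHED.get(section.group(1).lower())
            continue
        value = STRING_VALUE.match(line) if current else None
        if value is None:
            continue
        name, data = unescape(value.group(1)), unescape(value.group(2))
        if name.lower() == VALUE_NAME.lower() and data.lower() == VALUE_DATA:
            hits.append(current)
    return hits

# Constructed sample export (decoded text; regedit writes UTF-16 on disk).
# The "MsnMsgr" line is a constructed benign look-alike that must not match.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"Msn Messengers"="msnmsgr.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Ole]
"Msn Messengers"="msnmsgr.exe"
'''
```

Calling find_rbot_jz_entries(SAMPLE) returns the two keys that carry the worm's value; decode a real export to text before passing it in.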

The worm attempts to disable several other worms and some security-related processes.

The backdoor component allows a remote attacker to:

transfer files to and from the infected computer
log user keystrokes
sniff network packets
capture video
launch distributed denial of service attacks
steal game-related CD keys
