W32/Rbot-ABQ is a member of the W32/Rbot family of worms with a backdoor component that spread on weakly protected network shares on the Windows platform.
W32/Rbot-ABQ also has a backdoor component that allows a malicious user remote access to an infected computer.
W32/Rbot-ABQ is a member of the W32/Rbot family of worms with a backdoor component that spread on weakly protected network shares on the Windows platform.
W32/Rbot-ABQ spreads to network shares with weak passwords and via network security exploits as a result of the backdoor Trojan element receiving the appropriate command from a remote user.
W32/Rbot-ABQ copies itself to the Windows system folder with the filename N0D32KRN.EXE and creates entries at the following locations in the registry with the value "Nod3d2 Free antivirus" so as to run itself on system startup, resetting these values every 8 seconds:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
W32/Rbot-ABQ also sets the following registry entry with the same value to point
to itself:
HKLM\Software\Microsoft\OLE
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
HKCU\Software\Microsoft\OLE
HKCU\SYSTEM\CurrentControlSet\Control\Lsa
W32/Rbot-ABQ attempts to set the following registry entries every 2 minutes:
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
"N"
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
"1"
W32/Rbot-ABQ attempts to delete network shares on the host computer every 2 minutes.
W32/Rbot-ABQ also has a backdoor component that allows a malicious user remote access to an infected computer.
When run the worm attempts to contact a remote IRC server and join a specific channel to listen for commands.
W32/Rbot-ABQ may attempt to terminate certain processes relating to anti-virus and security programs.
W32/Rbot-ABQ may attempt to overwrite the HOSTS file to prevent access to certain anti-virus websites.
W32/Rbot-ABQ may attempt to log keystrokes to the file KES.TXT in the Windows system folder.