W32/Rbot-ACJ

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: No Reports


W32/Rbot-ACJ is a member of the W32/Rbot family of network worms. The worm can spread via weakly protected network shares, NetBIOS, weakly protected MSSQL servers, and computers vulnerable to the RPC-DCOM, LSASS, and Workstation service exploits.

The following patches for the operating system vulnerabilities exploited by W32/Rbot-ACJ can be obtained from the Microsoft website:

MS04-012
MS04-011
MS03-049

In order to run automatically when Windows starts up, the worm copies itself to the Windows System folder as opsql.exe and creates the following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
opsql update check
opsql.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
opsql update check
opsql.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
opsql update check
opsql.exe
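The persistence artefacts listed above (three autorun values named "opsql update check" and a copy of the worm as opsql.exe in the Windows System folder) are what a responder checks first on a suspect host. The PowerShell script below is an added example for that check; it is not a Sophos tool and is not code from this advisory. It only reads the registry and file system and reports what it finds; the assumed drive names HKCU:\ and HKLM:\ are PowerShell's standard registry providers, and the SysWOW64 check is a conservative addition for 64-bit hosts that the original advisory (written for 32-bit Windows) does not mention.

```powershell
# Added example, not Sophos's own code: read-only check for the
# W32/Rbot-ACJ persistence artefacts named in the advisory.

$valueName = 'opsql update check'   # autorun value name from the advisory
$fileName  = 'opsql.exe'            # file name the worm copies itself to

# The three autorun locations the advisory says the worm writes to.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
)

$findings = @()

foreach ($key in $runKeys) {
    # RunServices is normally absent on NT-based Windows; skip keys that do not exist.
    if (-not (Test-Path -Path $key)) { continue }

    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }

    # Look the value up by name (the name contains spaces, so use the property bag).
    $value = $props.PSObject.Properties[$valueName]
    if ($null -ne $value) {
        $findings += [pscustomobject]@{
            Location = "$key\$valueName"
            Data     = $value.Value
        }
    }
}

# The advisory says the worm lives in the Windows System folder. Check the
# 32-bit system folder and, as an assumption for x64 hosts, SysWOW64 as well.
$systemDirs = @(
    (Join-Path -Path $env:SystemRoot -ChildPath 'System32'),
    (Join-Path -Path $env:SystemRoot -ChildPath 'SysWOW64')
)

foreach ($dir in $systemDirs) {
    $path = Join-Path -Path $dir -ChildPath $fileName
    if (Test-Path -LiteralPath $path) {
        $findings += [pscustomobject]@{
            Location = $path
            Data     = "$((Get-Item -LiteralPath $path).Length) bytes"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32/Rbot-ACJ persistence artefacts found.'
} else {
    Write-Warning 'Possible W32/Rbot-ACJ persistence artefacts found:'
    $findings | Format-Table -AutoSize
}
```

Run it in an elevated PowerShell session on the suspect host. Any hit, whether one of the three autorun values or the file itself, is reason to isolate the machine from the network (the worm spreads over shares, NetBIOS and MSSQL as well as the listed exploits) and clean it with a current antivirus product rather than by deleting the entries by hand; the registry values alone will be recreated if the running process is not stopped first. Note that the value data is a bare "opsql.exe" with no path, so Windows resolves it from the System folder at logon, which is why the file check is paired with the registry check.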

Once installed, W32/Rbot-ACJ connects to a preconfigured IRC server and joins a channel from which an attacker can issue further commands. These commands can cause the infected computer to perform any of the following actions:

Scan for remote computers to spread to
Act as an FTP, HTTP, or SOCKS4 server
Steal product keys
Enable or disable DCOM
Allow or deny access to the IPC$ share
Create and delete network shares
Search for, upload, download, delete, and execute files
Log any keystrokes made on an infected computer
Retrieve information about an infected system
