W32/Rbot-ACO is a network worm with backdoor functionality for the Windows platform.
W32/Rbot-ACO spreads to other network computers by exploiting common vulnerabilities and by copying itself to network shares protected by weak passwords.
W32/Rbot-ACO connects to an IRC channel and listens for backdoor commands from a remote attacker.
When first run, the worm copies itself to the Windows system folder as R00T.EXE.
The following registry entries are created to run r00t.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
update = r00t.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
update = r00t.exe
Registry entries are also set as follows:
HKCU\Software\Microsoft\OLE
update = r00t.exe

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM = N
The following patches for operating system vulnerabilities exploited by W32/Rbot-ACO can be obtained from the Microsoft website:
MS03-049
MS04-011
MS04-012
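
The registry entries listed above can be checked offline against a .reg export taken from a suspect machine. The following is an added example, not part of the original description; the function names and the sample export are constructed for illustration, and only string values are parsed.

```python
import re

# Indicators from the description above: (key, value name, data).
INDICATORS = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "update", "r00t.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices", "update", "r00t.exe"),
    (r"HKCU\Software\Microsoft\OLE", "update", "r00t.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Ole", "EnableDCOM", "N"),
]
HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}
STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def norm_key(key):
    # Registry paths are case-insensitive; map long hive names to HKLM/HKCU.
    hive, _, rest = key.partition("\\")
    return (HIVES.get(hive.upper(), hive.upper()) + "\\" + rest).lower()

def unescape(s):
    # Undo the backslash escaping that .reg files apply inside quoted strings.
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg_export(text):
    # Return {(key, value name): data} for the string values in a .reg export.
    values, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = norm_key(line[1:-1])
        elif key and (m := STRING_VALUE.match(line)):
            values[(key, unescape(m.group(1)).lower())] = unescape(m.group(2))
    return values

def find_indicators(text):
    # List (key, value name, data found) for every indicator present.
    values, hits = parse_reg_export(text), []
    for key, name, data in INDICATORS:
        found = values.get((norm_key(key), name.lower()))
        # Compare the last path component so a full path to r00t.exe also matches.
        if found is not None and found.lower().split("\\")[-1] == data.lower():
            hits.append((key, name, found))
    return hits

# Constructed sample export, not taken from a real infection.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"update"="r00t.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"
[HKEY_CURRENT_USER\Software\Microsoft\Ole]
"Update"="C:\\WINDOWS\\system32\\R00T.EXE"
'''
```

Files written by the Windows registry editor are normally UTF-16, so decode them before passing the text to find_indicators. An EnableDCOM value of N can also be set deliberately by an administrator, so treat that match as supporting evidence rather than proof on its own.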