W32/Rbot-ADW is a worm and IRC backdoor Trojan for the Windows platform.
W32/Rbot-ADW spreads to other network computers by exploiting common buffer overflow vulnerabilites, including: LSASS, RPC-DCOM and MSSQL and by copying itself to network shares protected by weak passwords.
W32/Rbot-ADW runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
W32/Rbot-ADW includes functionality to:
- steal confidential information
- steal CD game keys
- capture keystrokes
- carry out DDoS flooder attacks
- provide a proxy server
- silently download, install and run new software
When first run W32/Rbot-ADW moves itself to <System>\winpdg.exe.
The following registry entries are created to run WINPDG.EXE on startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Windows PDG
winpdg.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Windows PDG
winpdg.exe
Registry entries are created under:
HKCU\Software\Microsoft\OLE
Windows PDG
winpdg.exe
The following patches for the operating system vulnerability exploited by W32/Rbot-ADW can be obtained from the Microsoft website:
LSASS (MS04-011) security vulnerability
RPC-DCOM (MS04-012) security vulnerability
MSSQL (MS02-039) (CAN-2002-0649) security vulnerability