W32/Rbot-AED is an IRC backdoor Trojan and network worm.
W32/Rbot-AED may spread to remote network shares protected by weak passwords and to computers vulnerable to common exploits. The worm also opens a backdoor, allowing unauthorised remote access to infected computers via the IRC network, while running in the background as a service process. The worm exploits the following vulnerabilities: RPC-DCOM (MS04-012), LSASS (MS04-011), WKS (MS03-049) and MSSQL (MS02-039). For patches for these vulnerabilities, see:
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx
http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx
http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx
W32/Rbot-AED can receive commands from a remote intruder to delete network shares, log keypresses, participate in DDoS attacks, scan other computers for vulnerabilities, steal passwords, steal registration keys for computer games, create administrator accounts, terminate firewall and anti-virus processes and capture video from webcams attached to the computer.
W32/Rbot-AED copies itself to the Windows system folder as file.exe and creates the following registry entries in order to run automatically at login:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  Microsoft DLL Verifier = file.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
  Microsoft DLL Verifier = file.exe
The worm also sets the following registry entries:
HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
  TransportBindName
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
  Start = 4
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
  Start = 4
HKLM\SYSTEM\ControlSet001\Services\wscsvc
  Start = 4
HKLM\SOFTWARE\Microsoft\Ole
  EnableDCOM = N
  EnableRemoteConnect = N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
  restrictanonymous = 1
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT1.0\Server
  Enabled = 0
HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
  AutoShareWks = 0
  AutoShareServer = 0
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
  NameServer = ""
  ForwardBroadcasts = 0
  IPEnableRouter = 0
  Domain = ""
  SearchList = ""
  UseDomainNameDevolution = 1
  EnableICMPRedirect = 0
  DeadGWDetectDefault = 1
  DontAddDefaultGatewayDefault = 0
  EnableSecurityFilters = 1
  AllowUnqualifiedQuery = 0
  PrioritizeRecordData = 1
  TCP1320Opts = 3
  KeepAliveTime = 23280
  BcastQueryTimeout = 2ee
  BcastNameQueryCount = 1
  CacheTimeout = ea60
  Size/Small/Medium/Large = 3
  LargeBufferSize = 1000
  SynAckProtect = 2
  PerformRouterDiscovery = 0
  EnablePMTUBHDetect = 0
  FastSendDatagramThreshold = 400
  StandardAddressLength = 18
  DefaultReceiveWindow = 4000
  DefaultSendWindow = 4000
  BufferMultiplier = 200
  PriorityBoost = 2
  IrpStackSize = 4
  IgnorePushBitOnReceives = 0
  DisableAddressSharing = 0
  AllowUserRawAccess = 0
  DisableRawSecurity = 0
  DynamicBacklogGrowthDelta = 32
  FastCopyReceiveThreshold = 400
  LargeBufferListDepth = a
  MaxActiveTransmitFileCount = 2
  MaxFastTransmit = 40
  OverheadChargeGranularity = 1
  SmallBufferListDepth = 20
  SmallerBufferSize = 80
  TransmitWorker = 20
  DNSQueryTimeouts = 31,00,00,00,32,00,00,00,32,0,0,00,00,34,00,00,00,38,00,00,00,30
  DefaultRegistrationTTL = 14
  DisableReplaceAddressesInConflicts = 0
  DisableReverseAddressRegistrations = 1
  UpdateSecurityLevel = 0
  DisjointNameSpace = 1
  QueryIpMatching = 0
  NoNameReleaseOnDemand = 1
  EnableDeadGWDetect = 0
  EnableFastRouteLookup = 1
  MaxFreeTcbs = 7d0
  MaxHashTableSize = 800
  SackOpts = 1
  Tcp1323Opts = 3
  TcpMaxDupAcks = 1
  TcpRecvSegmentSize = 585
  TcpSendSegmentSize = 585
  TcpWindowSize = 7d200
  DefaultTTL = 30
  TcpMaxHalfOpen = 4b
  TcpMaxHalfOpenRetried = 50
  TcpTimedWaitDelay = 0
  MaxNormLookupMemory = 30d40
  FFPControlFlags = 1
  FFPFastForwardingCacheSize = 30d40
  MaxForwardBufferMemory = 19df7
  MaxFreeTWTcbs = 7d0
  GlobalMaxTcpWindowSize = 7d200
  EnablePMTUDiscovery = 1
  ForwardBufferMemory = 19df7
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  MaxConnectionsPer1_0Server = 50
  MaxConnectionsPerServer = 50
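As an added defensive example (it is not part of the advisory and not Sophos code), the following Python script triages an offline registry export (a .reg file taken from a suspect machine or a mounted image) for the indicators described above: the "Microsoft DLL Verifier" Run/RunServices values that launch file.exe, the services the worm switches off (Start = 4 for SharedAccess, wuauserv and wscsvc) and the two Ole values it sets to N. The .reg text embedded below is constructed for the demonstration; the key and value names are those listed on this page, and the parser and function names are the example's own.

```python
"""Offline triage of a Windows .reg export for the W32/Rbot-AED registry
indicators listed in the advisory.  Added example; the sample export is
constructed, not taken from a real infection."""
import re

# Persistence values named in the advisory (full hive names as regedit exports them).
PERSISTENCE_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)
PERSISTENCE_NAME = "Microsoft DLL Verifier"
PERSISTENCE_DATA = "file.exe"

# Services the worm disables; Start = 4 is SERVICE_DISABLED.
DISABLED_SERVICES = {
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess": "Windows Firewall / ICS",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv": "Automatic Updates",
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc": "Security Center",
}
OLE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole"
OLE_VALUES = {"EnableDCOM": "N", "EnableRemoteConnect": "N"}


def parse_reg_export(text):
    """Parse a regedit export into {key: {value_name: data}}.

    Handles "name"="string", "name"=dword:hex and @ (default) values;
    other data types (hex:, multi-line values) are kept as raw strings."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        key_match = re.match(r"^\[(.+)\]$", line)
        if key_match:
            current = key_match.group(1)
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        val_match = re.match(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$', line)
        if not val_match:
            continue
        name = val_match.group(1) if val_match.group(1) is not None else "@"
        data = val_match.group(3)
        if data.startswith("dword:"):
            value = int(data[len("dword:"):], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            value = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            value = data
        keys[current][name] = value
    return keys


def find_rbot_indicators(keys):
    """Return a list of findings for the advisory's indicators.

    Registry key and value names are case-insensitive, so both sides are
    lower-cased before comparison."""
    norm = {k.lower(): {n.lower(): v for n, v in vals.items()} for k, vals in keys.items()}
    findings = []
    for key in PERSISTENCE_KEYS:
        data = norm.get(key.lower(), {}).get(PERSISTENCE_NAME.lower())
        if isinstance(data, str) and data.lower().endswith(PERSISTENCE_DATA):
            findings.append(f"persistence: {key}\\{PERSISTENCE_NAME} = {data}")
    for key, label in DISABLED_SERVICES.items():
        if norm.get(key.lower(), {}).get("start") == 4:
            findings.append(f"service disabled (Start=4): {label} [{key}]")
    ole = norm.get(OLE_KEY.lower(), {})
    for name, bad in OLE_VALUES.items():
        if str(ole.get(name.lower(), "")).upper() == bad:
            findings.append(f"DCOM setting changed: {OLE_KEY}\\{name} = {bad}")
    return findings


# Constructed sample export: wscsvc is left at Start=2 to show that only
# matching entries are reported.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft DLL Verifier"="file.exe"
"SomeLegitApp"="C:\\Program Files\\Legit\\legit.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft DLL Verifier"="file.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"
"EnableRemoteConnect"="N"
"""

if __name__ == "__main__":
    for finding in find_rbot_indicators(parse_reg_export(SAMPLE_EXPORT)):
        print(finding)
```

Run against a real export, replace SAMPLE_EXPORT with the contents of the .reg file; the matching is deliberately narrow (exact value name, file.exe as the launched image, Start = 4), so a hit on the persistence entries is a strong signal while a disabled service on its own only warrants a closer look.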