W32/Rbot-AIM

Category: Viruses and Spyware
Type: Win32 executable file virus
Prevalence: Small Number of Reports

Download Download our free Virus Removal Tool - Find and remove threats your antivirus missed

W32/Rbot-AIM is a worm and IRC backdoor Trojan for the Windows platform.

W32/Rbot-AIM spreads:

- to other network computers infected with: Troj/Kuang, Troj/Sub7, Troj/NetDevil, W32/MyDoom, W32/Bagle and Troj/Optix
- to other network computers by exploiting common buffer overflow vulnerabilites, including: LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), WebDav (MS03-007), IIS5SSL (MS04-011) (CAN-2003-0719), MSSQL (MS02-039) (CAN-2002-0649), UPNP (MS01-059), Veritas (CAN-2004-1172) and Dameware (CAN-2003-1030)
- by copying itself to network shares protected by weak passwords

W32/Rbot-AIM runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

When first run W32/Rbot-AIM copies itself to <System>\FEnR.exe.

The following registry entries are created to run FEnR.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoftf DDEs Control
FEnR.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoftf DDEs Control
FEnR.exe

Registry entries are set as follows:

HKCU\Software\Microsoft\OLE
Microsoftf DDEs Control
FEnR.exe

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1

Once installed, W32/Rbot-AIM will attempt to perform the following actions when instructed to do so by a remote attacker:

capture keystrokes
terminate threads and processes
perform port scanning on IP addresses
steal computer system hardware information
copy itself to network shared folders
download files from the Internet and run them
participate in denial of service (DoS) attacks
perform DCC file transfers over IRC channels
act as a HTTP proxy
setup a SOCKS4 server

The following patches for the operating system vulnerabilities exploited by W32/Rbot-AIM can be obtained from the Microsoft website:

<a href=
"http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx"
target="_blank">MS04-011</a>

<a href=
"http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx"
target="_blank">MS04-012</a>

<a href=
"http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx"
target="_blank">MS03-049</a>

<a href=
"http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx"
target="_blank">MS02-039</a>

<a href=
"http://www.microsoft.com/technet/security/bulletin/MS03-007.mspx"
target="_blank">MS03-007</a>

<a href=
"http://www.microsoft.com/technet/security/bulletin/MS01-059.mspx"
target="_blank">MS01-059</a>

download Try Sophos products for free
Download now

© 1997 - 2012 Sophos Ltd. All rights reserved. Legal Privacy