W32/Rbot-AIP is a worm for the Windows platform. The worm also contains backdoor Trojan functionality, allowing
unauthorized remote access to the infected computer.
W32/Rbot-AIP spreads to other network computers by exploiting common buffer overflow vulnerabilities, including:
LSASS (MS04-011), RPC-DCOM (MS04-012) and WKS (MS03-049) (CAN-2003-0812).
When first run, W32/Rbot-AIP copies itself to <System>\firebox.exe and creates the file \a.bat.
The file a.bat is detected by Sophos as Troj/Batten-A. It attempts to disable a number of security-related services and then attempts to delete itself.
W32/Rbot-AIP creates the following registry entries so that it automatically runs upon system startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mozila Firefox
firebox.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Mozila Firefox
firebox.exe
W32/Rbot-AIP also creates registry entries under:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPerServer
HKCU\Software\Microsoft\Windows NT\CurrentVersion\TaskManager\UsrColumnSettings
HKCU\Software\Microsoft\Windows NT\CurrentVersion\TaskManager\Preferences
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
HKCU\Software\Microsoft\OLE\Mozila Firefox
and changes the following registry entries:
HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous
HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\TransportBindName
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Start
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableSecurityFilters
HKLM\SYSTEM\CurrentControlSet\Services\wscsvc\Start
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Start
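The registry indicators listed in this write-up can be checked offline against a text export of a suspect host's registry (the format written by `reg export`). The script below is an added example, not Sophos detection code: it parses that .reg text, flags the Run and RunServices "Mozila Firefox" values pointing at firebox.exe as persistence hits, and reports the current data of the other values the worm is said to change so an analyst can compare them with the host's baseline. The write-up does not state what the worm sets those values to, so the script reports rather than judges them. The embedded export is constructed for illustration and is not captured from a real infection.

```python
"""Offline registry-export triage for the W32/Rbot-AIP indicators above.

Added example, not Sophos code. Parses a `reg export` style .reg text so it
can run against an export taken from a suspect host or a mounted image.
"""
import re

# Persistence indicators from the write-up: value "Mozila Firefox" under
# Run / RunServices with data "firebox.exe".
PERSISTENCE_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
)
PERSISTENCE_VALUE = "Mozila Firefox"
PERSISTENCE_DATA = "firebox.exe"

# Values the write-up says the worm changes. It does not say what they are
# set to, so these are reported for analyst review, not auto-flagged.
MODIFIED_VALUES = (
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole", "EnableDCOM"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa", "restrictanonymous"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters", "TransportBindName"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess", "Start"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters", "EnableICMPRedirect"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters", "EnableSecurityFilters"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc", "Start"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv", "Start"),
)

_KEY_RE = re.compile(r"^\[(.+)\]\s*$")
# Handles REG_SZ ("...") and REG_DWORD (dword:xxxxxxxx) values only.
_VALUE_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))\s*$')


def parse_reg_export(text):
    """Return {key_path_lower: {value_name_lower: data}} from .reg text."""
    hives = {}
    current = None
    for line in text.splitlines():
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).strip().lower()
            hives.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, sz, dword = m.groups()
            if sz is not None:
                data = sz.replace("\\\\", "\\")  # undo .reg backslash escaping
            else:
                data = int(dword, 16)
            hives[current][name.lower()] = data
    return hives


def find_rbot_indicators(hives):
    """Return (persistence_hits, modified_values) as lists of (key, name, data)."""
    persistence = []
    for key in PERSISTENCE_KEYS:
        data = hives.get(key.lower(), {}).get(PERSISTENCE_VALUE.lower())
        if isinstance(data, str) and PERSISTENCE_DATA in data.lower():
            persistence.append((key, PERSISTENCE_VALUE, data))
    modified = []
    for key, name in MODIFIED_VALUES:
        values = hives.get(key.lower())
        if values is not None and name.lower() in values:
            modified.append((key, name, values[name.lower()]))
    return persistence, modified


# Constructed sample export; the values under Ole and wscsvc are illustrative
# and are not what the write-up says the worm sets.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Mozila Firefox"="firebox.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Mozila Firefox"="firebox.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004
"""

if __name__ == "__main__":
    hits, changed = find_rbot_indicators(parse_reg_export(SAMPLE_EXPORT))
    for key, name, data in hits:
        print(f"PERSISTENCE  {key}\\{name} = {data!r}")
    for key, name, data in changed:
        print(f"REVIEW       {key}\\{name} = {data!r}")
```

To use it on a real host, export the hives with `reg export HKLM hklm.reg` and pass the file contents to `parse_reg_export`; the two Run-key hits are a strong indicator on their own, while the REVIEW lines need comparison against a known-good build of the same Windows version.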