W32/Rbot-ALG

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: Small Number of Reports

Download Download our free Virus Removal Tool - Find and remove threats your antivirus missed

W32/Rbot-ALG is a worm and IRC backdoor Trojan for the Windows platform.

W32/Rbot-ALG spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: PNP (MS05-039), LSASS (MS04-011) and RPC-DCOM (MS04-012) and by copying itself to network shares protected by weak passwords.

W32/Rbot-ALG runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

The following patches for the operating system vulnerabilities exploited by W32/Rbot-ALG can be obtained from the Microsoft website:

MS04-011
MS04-012
MS05-039 W32/Rbot-ALG is a worm and IRC backdoor Trojan for the Windows platform.

W32/Rbot-ALG spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: PNP (MS05-039), LSASS (MS04-011) and RPC-DCOM (MS04-012) and by copying itself to network shares protected by weak passwords.

W32/Rbot-ALG runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

When first run W32/Rbot-ALG copies itself to <System>\qsecue.exe.

The following registry entries are created to run qsecue.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Quantifier Security
qsecue.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Quantifier Security
qsecue.exe

Registry entries are set as follows:

HKCU\Software\Microsoft\OLE
Quantifier Security
qsecue.exe

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1

Once installed, W32/Rbot-ALG will attempt to perform the following actions when instructed to do so by a remote attacker:

capture keystrokes
terminate threads and processes
perform port scanning on IP addresses
steal computer system hardware information
copy itself to network shared folders
download files from the Internet and run them
participate in denial of service (DoS) attacks
perform DCC file transfers over IRC channels
act as a HTTP proxy
setup a SOCKS4 server

The following patches for the operating system vulnerabilities exploited by W32/Rbot-ALG can be obtained from the Microsoft website:

MS04-011
MS04-012
MS05-039

download Try Sophos products for free
Download now

© 1997 - 2012 Sophos Ltd. All rights reserved. Legal Privacy