W32/Rbot-AQI is a network worm and IRC backdoor Trojan for the Windows platform.
W32/Rbot-AQI connects to a pre-configured IRC server, from where it can receive further instructions from a remote intruder.
W32/Rbot-AQI spreads to other network computers by exploiting common buffer overflow vulnerabilities, including LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812) and MSSQL (MS02-039) (CAN-2002-0649), and by copying itself to network shares protected by weak passwords.
When first run, W32/Rbot-AQI copies itself to <System>\winampp.exe and creates the following files:
<Temp>\1.reg
\a.bat
The file a.bat is detected as W32/Rbot-AIF.
In order to run automatically when an infected system starts, W32/Rbot-AQI creates the following registry entries (key, then value name = value data):
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinAmp Player = winampp.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
WinAmp Player = winampp.exe
The following registry entries are also set (key, then value name = value data):
HKLM\SOFTWARE\Microsoft\OLE
EnableDCOM = N
HKLM\SOFTWARE\Microsoft\OLE
EnableRemoteConnect = N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous = 1
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start = 4
HKCU\Software\Microsoft\OLE
WinAmp Player = winampp.exe
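The file and registry artefacts listed above can be checked from the host itself. The following read-only PowerShell audit is an added example, not part of the advisory or of any vendor tool; it assumes an elevated session on the host being examined, that <System> corresponds to %SystemRoot%\System32 and that <Temp> corresponds to the current user's temporary directory ($env:TEMP). It reports matches and changes nothing.

```powershell
# Added example: audit a Windows host for the W32/Rbot-AQI artefacts described above.
# Read-only; prints findings, modifies nothing. Assumes an elevated PowerShell session.
$findings = @()

# 1. Dropped files. Assumption: <System> = %SystemRoot%\System32, <Temp> = $env:TEMP.
$dropped = @(
    (Join-Path $env:SystemRoot 'System32\winampp.exe'),
    (Join-Path $env:TEMP '1.reg')
)
foreach ($f in $dropped) {
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}

# 2. Persistence: a "WinAmp Player" value under Run / RunServices pointing at winampp.exe.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
)
foreach ($k in $runKeys) {
    if (Test-Path -LiteralPath $k) {
        $v = (Get-ItemProperty -LiteralPath $k -ErrorAction SilentlyContinue).'WinAmp Player'
        if ($v) { $findings += "Persistence: $k\WinAmp Player = $v" }
    }
}

# 3. The other registry values the worm sets. Each entry is key, value name and the
#    value data the advisory lists; string comparison is case-insensitive in PowerShell.
$checks = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\OLE';                        Name = 'EnableDCOM';          Data = 'N' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\OLE';                        Name = 'EnableRemoteConnect'; Data = 'N' },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';          Name = 'restrictanonymous';   Data = '1' },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess'; Name = 'Start';               Data = '4' },
    @{ Key = 'HKCU:\Software\Microsoft\OLE';                        Name = 'WinAmp Player';       Data = 'winampp.exe' }
)
foreach ($c in $checks) {
    if (-not (Test-Path -LiteralPath $c.Key)) { continue }
    $item = Get-ItemProperty -LiteralPath $c.Key -ErrorAction SilentlyContinue
    $val  = $item.($c.Name)
    if ($null -ne $val -and "$val" -eq $c.Data) {
        $findings += "Registry: $($c.Key)\$($c.Name) = $val"
    }
}

# 4. Report. The HKLM OLE and HKCU OLE values are the strongest indicators; see the note below.
if ($findings.Count -eq 0) {
    'No W32/Rbot-AQI indicators found.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

Treat the findings with different weight: the winampp.exe file, the "WinAmp Player" Run/RunServices values and the "WinAmp Player" value under HKCU\Software\Microsoft\OLE have no legitimate reason to exist, whereas restrictanonymous = 1 and a SharedAccess Start value of 4 can also be the result of deliberate administrative hardening, so on their own they only corroborate the other indicators. The script does not cover the Tcpip\Parameters modifications, because the advisory does not say which values are changed.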
W32/Rbot-AQI also modifies registry entries under:
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters