W32/Rbot-DPG

Category: Viruses and Spyware Protection available since:18 May 2006 00:00:00 (GMT)
Type: Win32 worm Last Updated:18 May 2006 00:00:00 (GMT)
Prevalence: No Reports

Download Download our free Virus Removal Tool - Find and remove threats your antivirus missed

W32/Rbot-DPG is a worm and IRC backdoor Trojan for the Windows platform.

W32/Rbot-DPG runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

W32/Rbot-DPG includes functionality to access the internet and communicate with a remote server via HTTP.

When first run W32/Rbot-DPG copies itself to <System>\drivers\ntndis.exe and creates the file <System>\drivers\ntndis.sys.

The file ntndis.sys is detected as Troj/RKProc-F.

The following registry entry is changed to run ntndis.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe <System>\drivers\ntndis.exe

(the default value for this registry entry is "Explorer.exe" which causes the Microsoft file <Windows>\Explorer.exe to be run on startup).

The file ntndis.sys is registered as a new system driver service named "ntndis", with a display name of "ntndis" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\ntndis\

download Try Sophos products for free
Download now

© 1997 - 2012 Sophos Ltd. All rights reserved. Legal Privacy